Describe the feature
The validateRequestHeaderConfiguration method in @aws-cdk/aws-bedrock-agentcore-alpha uses an outdated regex pattern that only allows Authorization and X-Amzn-Bedrock-AgentCore-Runtime-Custom-* headers. The CloudFormation schema for AWS::BedrockAgentCore::Runtime has been updated (deployed all regions) to accept any valid HTTP header name matching ^[A-Za-z][A-Za-z0-9_-]{0,255}$. The CDK L2 construct's client-side validation should be relaxed to match.
The restrictive pattern is at runtime.ts#L554-L559:
```ts
const patternErrors = validateFieldPattern(
  header,
  'Request header',
  /(Authorization|X-Amzn-Bedrock-AgentCore-Runtime-Custom-[a-zA-Z0-9-]+)/,
  'Request header must contain only letters, numbers, and hyphens',
);
```
Use Case
We expanded the AgentCore Runtime Request Header Allowlist feature to support arbitrary valid HTTP headers (e.g., X-Custom-Auth, X-Request-Signature). Policy enforcement (blocking restricted headers) is handled server-side in the control plane.
Customers using the L2 construct hit InvalidRequestHeaderConfiguration when trying to allowlist headers that the service fully supports:
```ts
new Runtime(stack, 'MyRuntime', {
  // ...
  requestHeaderConfiguration: {
    allowlistedHeaders: ['X-Custom-Auth', 'X-Request-Signature'],
  },
});
// Throws: InvalidRequestHeaderConfiguration
```
Proposed Solution
Update the regex to match the deployed CFN schema:
```ts
const patternErrors = validateFieldPattern(
  header,
  'Request header',
  /^[A-Za-z][A-Za-z0-9_-]{0,255}$/,
  'Request header must start with a letter and contain only letters, numbers, underscores, and hyphens (max 256 characters)',
);
```
Current workaround is a CFN escape hatch:
```ts
const cfnRuntime = runtime.node.defaultChild as CfnRuntime;
cfnRuntime.addPropertyOverride('RequestHeaderConfiguration', {
  RequestHeaderAllowlist: ['X-Custom-Auth'],
});
```
Other Information
HeaderName pattern: ^[A-Za-z][A-Za-z0-9_-]{0,255}$
Acknowledgements
AWS CDK Library version (aws-cdk-lib)
2.243.0
AWS CDK CLI version
2.243.0
Environment details (OS name and version, etc.)
macOS Darwin 25.4.0, Node.js 22.x
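The two patterns quoted in this issue, run side by side over candidate allowlist entries. This is an added example, not part of the original issue or of aws-cdk. The helper names and sample list are constructed here, and it assumes the pattern is applied with `RegExp.test`, which the issue does not show.

```typescript
// Added example (not aws-cdk code). Both literals are copied from the issue text.
const OLD_PATTERN = /(Authorization|X-Amzn-Bedrock-AgentCore-Runtime-Custom-[a-zA-Z0-9-]+)/;
const CFN_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,255}$/;

interface Verdict { header: string; oldOk: boolean; newOk: boolean }

// Hypothetical helper. Assumption: the pattern is evaluated with RegExp.test;
// the issue does not show how validateFieldPattern applies it.
function compare(headers: string[]): Verdict[] {
  return headers.map((header) => ({
    header,
    oldOk: OLD_PATTERN.test(header),
    newOk: CFN_PATTERN.test(header),
  }));
}

// Hypothetical helper: entries that a synth-time check using the CFN pattern rejects.
function rejected(headers: string[]): string[] {
  return compare(headers).filter((v) => !v.newOk).map((v) => v.header);
}

// Constructed sample input.
const SAMPLE: string[] = [
  'Authorization',
  'X-Amzn-Bedrock-AgentCore-Runtime-Custom-Tenant',
  'X-Custom-Auth',            // from the issue: rejected today, valid per schema
  'X-Request-Signature',      // from the issue
  'X_Trace_Id',               // underscore is inside the schema's character class
  '1-Leading-Digit',          // first character must be a letter
  'X-Custom-Auth: value',     // colon and space are outside the character class
  'X-Custom-Auth\r\nX-Other', // CR/LF cannot pass the anchored pattern
  'X-Custom-Auth\n',          // JS `$` without /m does not match before a trailing newline
  '',                         // empty name
  new Array(257).join('a'),   // 256 characters: upper bound, accepted
  new Array(258).join('a'),   // 257 characters: one over, rejected
];

for (const v of compare(SAMPLE)) {
  console.log(JSON.stringify(v.header.slice(0, 48)), 'old:', v.oldOk, 'proposed:', v.newOk);
}
```

Because the proposed pattern is anchored at both ends, a name either matches in full or is rejected at synth time; which headers are restricted by policy remains a server-side decision, as the issue states.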