From 2ae6bffe45130f939c2b411588735494dfb31703 Mon Sep 17 00:00:00 2001
From: Phil Merrell
Date: Sun, 26 Apr 2026 23:28:01 -0600
Subject: [PATCH] fix: grant CreateTokenVault and wire OAuth providers table to app-api
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The first CreateOauth2CredentialProvider call in a region implicitly provisions the `default` token vault, so the AppApi task role needs `bedrock-agentcore:CreateTokenVault` in addition to the provider CRUD actions. Without it, creating the very first connector returned a 500 with `AccessDeniedException` from bedrock-agentcore-control. Also pass `DYNAMODB_OAUTH_PROVIDERS_TABLE_NAME` to the container env. The IAM grant and SSM lookup were already in place; only the env wiring was missing, which caused the OAuth provider repository to silently disable itself and would have failed the DB write after AgentCore succeeded — triggering the orphan-rollback path.

Co-Authored-By: Claude Opus 4.7
---
 infrastructure/lib/app-api-stack.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/infrastructure/lib/app-api-stack.ts b/infrastructure/lib/app-api-stack.ts
index b3176944..6541e5e5 100644
--- a/infrastructure/lib/app-api-stack.ts
+++ b/infrastructure/lib/app-api-stack.ts
@@ -445,6 +445,7 @@ export class AppApiStack extends cdk.Stack {
 DYNAMODB_API_KEYS_TABLE_NAME: apiKeysTableName,
 OAUTH_TOKEN_ENCRYPTION_KEY_ARN: oauthTokenEncryptionKeyArn,
 OAUTH_CLIENT_SECRETS_ARN: oauthClientSecretsArn,
+ DYNAMODB_OAUTH_PROVIDERS_TABLE_NAME: oauthProvidersTableName,
 DYNAMODB_AUTH_PROVIDERS_TABLE_NAME: authProvidersTableName,
 AUTH_PROVIDER_SECRETS_ARN: authProviderSecretsArn,
 DYNAMODB_USER_SETTINGS_TABLE_NAME: userSettingsTableName,
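Review bot: The commit message says a missing `DYNAMODB_OAUTH_PROVIDERS_TABLE_NAME` made the OAuth provider repository silently disable itself and only fail after the AgentCore provider had been created; the added line restores the variable but nothing here addresses that failure mode, so the next table name omitted from this environment block would reproduce the same orphan-rollback hazard. Consider having the app refuse to start when a required table name is unset (that code is outside this diff), or adding a CDK assertions test on this stack that the task definition's container environment contains every `DYNAMODB_*_TABLE_NAME` the repositories read. `oauthProvidersTableName` is declared outside the hunk, so its SSM lookup cannot be verified from here; the enclosing environment object and constructor continue past the hunk.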
@@ -921,11 +922,14 @@ export class AppApiStack extends cdk.Stack {
 // Admin CRUD for OAuth2 credential providers stored in AgentCore Identity.
 // Provider-scoped actions are scoped to the default token vault; List
 // requires a broader resource since it enumerates the vault itself.
+ // CreateTokenVault is required because the first CreateOauth2CredentialProvider
+ // call in a region implicitly provisions the `default` token vault.
 taskDefinition.taskRole.addToPrincipalPolicy(
 new iam.PolicyStatement({
 sid: 'AgentCoreCredentialProviderAdmin',
 effect: iam.Effect.ALLOW,
 actions: [
+ 'bedrock-agentcore:CreateTokenVault',
 'bedrock-agentcore:CreateOauth2CredentialProvider',
 'bedrock-agentcore:UpdateOauth2CredentialProvider',
 'bedrock-agentcore:DeleteOauth2CredentialProvider',
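Review bot: `'bedrock-agentcore:CreateTokenVault'` is added to a statement whose `resources` are outside the hunk and, per the surrounding comment, are scoped to credential providers inside the default token vault; CreateTokenVault is evaluated against the vault itself, so if the resource list only matches provider ARNs beneath the vault the grant is ineffective and the `AccessDeniedException` the commit message describes would persist. Confirm the statement's resources also name the vault ARN (the comment that List already needs a broader resource suggests they may), or isolate the bootstrap action in its own narrowly scoped statement, e.g. `sid: 'AgentCoreTokenVaultBootstrap', actions: ['bedrock-agentcore:CreateTokenVault'], resources: [<default token-vault ARN — placeholder>]`, so the provider CRUD statement keeps its tighter scope. The `PolicyStatement` literal and the `addToPrincipalPolicy` call continue past the end of the hunk.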