fix(unit-only): Add a secretless link path in pre-deploy-identity.ts: in ... (#1032) #64

Draft
aidandaly24 wants to merge 1 commit into main from fix/1032

Conversation

@aidandaly24 (Owner)

Refs aws#1032

Issues

  • Support linking existing AgentCore Identity credential providers during deploy aws/agentcore-cli#1032 — When a project references an AgentCore Identity credential provider that is managed outside the project (created in the console, another project, or IaC) and there is no matching local secret in agentcore/.env.local, agentcore deploy cannot wire that provider's ARN. If a gateway target's outbound auth references such a credential, deploy fails at CDK synth with Credential "X" not found in deployed state. This is an enhancement gap, not a regression: the normal create/update-from-local-secret path works, and putting the secret in .env.local is a workaround.

Root cause

CLI-side, confirmed by reading v0.20.2. setupApiKeyCredentialProvider returns status:'skipped' with no credentialProviderArn when the local secret is absent (src/cli/operations/deploy/pre-deploy-identity.ts:175-181); same for OAuth at lines 405-411 (missing client id/secret) and 415-423 (no discoveryUrl). The ARN-collection loops only persist a credential when result.credentialProviderArn is truthy: src/cli/commands/deploy/actions.ts:287-293 (API key) and 323-331 (OAuth), and src/cli/tui/hooks/useCdkPreflight.ts:819-825 and 864-872. So a 'skipped' credential never reaches deployed-state. The throw the user actually sees is in the CDK construct (consumer): agentcore-l3-cdk-constructs src/cdk/constructs/components/mcp/Gateway.ts:282-284 looks up this.credentials?.[credentialName] and throws Credential "X" not found in deployed state when the ARN is missing. The CDK is correctly rejecting incomplete state; the missing-ARN root cause is purely CLI. Note: getOAuth2Provider already exists and is already exported (src/cli/operations/identity/oauth2-credential-provider.ts:122 and index.ts:9); only an analogous getApiKeyProvider must be added.

The fix

Add a secretless link path in pre-deploy-identity.ts: in the three skip branches, before skipping, attempt to resolve an existing provider's ARN by name (new getApiKeyProvider helper wrapping the existing GetApiKeyCredentialProviderCommand at api-key-credential-provider.ts:54; reuse the already-present getOAuth2Provider for OAuth). On success, return a new status 'linked' carrying credentialProviderArn (and clientSecretArn/callbackUrl for OAuth) so the existing ARN-collection loops persist it to deployed-state.json for CDK wiring. Keep create/update behavior unchanged when a local secret is present. Surface a clear error only when neither a local secret nor a remote provider exists. This is exactly PR aws#973 (OPEN, +204/-19). Recommendation: review and merge aws#973; the design decision to settle is the not-found failure mode (error vs continue) — PR makes it fail clearly. Minor: the brief overstates the change set (getOAuth2Provider already exists/exported; OAuth needs wiring, not a new function).

Files touched: src/cli/operations/deploy/pre-deploy-identity.ts (setupApiKeyCredentialProvider skip branch 175-181; setupSingleOAuth2Provider skip branches 405-411 and 415-423); src/cli/operations/identity/api-key-credential-provider.ts (add getApiKeyProvider using GetApiKeyCredentialProviderCommand at line 54); src/cli/operations/identity/index.ts (export getApiKeyProvider; getOAuth2Provider already exported at line 9); src/cli/tui/hooks/useCdkPreflight.ts (handle new 'linked' status ~802/845, ARN collection 819-825/864-872); src/cli/commands/deploy/actions.ts (287-293/323-331). Consumers requiring no change: src/assets/cdk/lib/cdk-stack.ts:100-114 forwards credentials map; agentcore-l3-cdk-constructs src/cdk/constructs/components/mcp/Gateway.ts:282-284 is the throw site (pinned ^0.1.0-alpha.19; the brief's cited Gateway.ts:227-229 is the IAM grant block, not the throw).

Validation evidence

The fix was verified by reproducing the original symptom and re-running after the change:

BEFORE (reverted production source to original, kept new tests): the 6 pass-condition unit tests fail. setupApiKeyCredentialProvider/setupSingleOAuth2Provider return status 'skipped' with NO credentialProviderArn when no local secret exists but a remote provider does (AssertionError: expected 'skipped' to be 'linked'). The secretless+no-remote case returned a silent skip (hasErrors=false -> 'expected false to be true'). getApiKeyProvider did not exist. This is the exact root cause: a 'skipped' result with no ARN is never persisted by the ARN-collection loops in commands/deploy/actions.ts:317-323 and 353-361, so the CDK Gateway throws 'Credential X not found'.

AFTER (fix restored): all 33 identity-related tests pass (npx vitest run pre-deploy-identity.test.ts + api-key-credential-provider.test.ts -> Tests 33 passed).

(a) no local secret + remote exists -> status 'linked' with non-undefined credentialProviderArn for both API key (new getApiKeyProvider wrapping GetApiKeyCredentialProviderCommand) and OAuth2 (existing getOAuth2Provider carrying clientSecretArn/callbackUrl); the actions.ts loops persist any result with an ARN and hasErrors only trips on status==='error', so 'linked' reaches deployedCredentials.

(b) local secret present -> create/update unchanged.

(c) no local secret AND no remote -> clear MissingCredentialsError ('...no existing AgentCore Identity ... credential provider named ... was found') with status 'error', no silent skip.

Test suite: green.


Staged on the fork as a draft for human review. Promote to aws/agentcore-cli after vetting.
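The link path the PR describes, modelled as an added TypeScript example (this is not the agentcore-cli source or the PR's own diff): a local secret still takes the unchanged create/update path, no local secret first tries to resolve an existing provider by name and returns 'linked' with its ARN, and only when neither exists does it return 'error' with a MissingCredentialsError; the collection loop then persists any result carrying an ARN and sets hasErrors only on status 'error'. The parameter shapes, RemoteLookup, CreateOrUpdate, collectCredentialArns, runSample, the in-memory stand-ins for GetApiKeyCredentialProviderCommand and the create/update call, and the sample ARNs are assumptions; the functions are synchronous here, whereas the real CLI awaits SDK calls. The constructed sample state covers cases (a), (b) and (c) from the validation section.

```typescript
// Added example modelled on the PR description; not the agentcore-cli source.
// Names, result shapes and the in-memory stand-ins below are assumptions.

export type SetupStatus = 'created' | 'updated' | 'skipped' | 'linked' | 'error';

export interface SetupResult {
  name: string;
  status: SetupStatus;
  credentialProviderArn?: string;
  error?: Error;
}

// Clear failure for case (c): nothing local and nothing remote to link.
export class MissingCredentialsError extends Error {
  constructor(name: string) {
    super(
      `No local secret for "${name}" in agentcore/.env.local and no existing ` +
        `AgentCore Identity API key credential provider named "${name}" was found`,
    );
    this.name = 'MissingCredentialsError';
  }
}

/** Stand-in for a GetApiKeyCredentialProviderCommand lookup: ARN by name, or undefined (assumption). */
export type RemoteLookup = (name: string) => string | undefined;
/** Stand-in for the unchanged create/update-from-local-secret path (assumption). */
export type CreateOrUpdate = (name: string, secret: string) => { arn: string; existed: boolean };

export function setupApiKeyCredentialProvider(
  name: string,
  localSecret: string | undefined,
  remoteLookup: RemoteLookup,
  createOrUpdate: CreateOrUpdate,
): SetupResult {
  // (b) local secret present: existing create/update behaviour, untouched.
  if (localSecret !== undefined && localSecret !== '') {
    const { arn, existed } = createOrUpdate(name, localSecret);
    return { name, status: existed ? 'updated' : 'created', credentialProviderArn: arn };
  }
  // (a) no local secret: before skipping, try to link an existing provider by name.
  let arn: string | undefined;
  try {
    arn = remoteLookup(name);
  } catch (err) {
    return { name, status: 'error', error: err as Error };
  }
  if (arn !== undefined) {
    return { name, status: 'linked', credentialProviderArn: arn };
  }
  // (c) neither a local secret nor a remote provider: fail clearly, never a silent skip.
  return { name, status: 'error', error: new MissingCredentialsError(name) };
}

/** Mirrors the ARN-collection loop: persist any result carrying an ARN; hasErrors trips only on 'error'. */
export function collectCredentialArns(results: SetupResult[]): {
  deployedCredentials: Record<string, string>;
  hasErrors: boolean;
} {
  const deployedCredentials: Record<string, string> = {};
  let hasErrors = false;
  for (const r of results) {
    if (r.credentialProviderArn) deployedCredentials[r.name] = r.credentialProviderArn;
    if (r.status === 'error') hasErrors = true;
  }
  return { deployedCredentials, hasErrors };
}

// Constructed sample state: 'github-api' exists remotely only (case a), 'slack-api' has a
// local secret (case b), 'stripe-api' has neither (case c). ARNs and secrets are made up.
export const REMOTE_PROVIDERS: Record<string, string> = {
  'github-api':
    'arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/default/apikeycredentialprovider/github-api',
};
export const LOCAL_ENV: Record<string, string> = { 'slack-api': 'constructed-sample-secret' };
export const CREDENTIAL_NAMES = ['github-api', 'slack-api', 'stripe-api'];

export function runSample(): {
  results: SetupResult[];
  deployedCredentials: Record<string, string>;
  hasErrors: boolean;
} {
  const remoteLookup: RemoteLookup = (n) => REMOTE_PROVIDERS[n];
  const createOrUpdate: CreateOrUpdate = (n) => ({
    arn: `arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/default/apikeycredentialprovider/${n}`,
    existed: n in REMOTE_PROVIDERS,
  });
  const results = CREDENTIAL_NAMES.map((n) =>
    setupApiKeyCredentialProvider(n, LOCAL_ENV[n], remoteLookup, createOrUpdate),
  );
  return { results, ...collectCredentialArns(results) };
}

// Running runSample() yields 'linked' for github-api, 'created' for slack-api and 'error'
// (MissingCredentialsError) for stripe-api; only the first two reach deployedCredentials.
```

The design point the PR leaves open (fail vs continue on not-found) sits in the last branch of setupApiKeyCredentialProvider: returning 'error' there is what makes hasErrors trip instead of the deploy proceeding to a CDK synth that throws later.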

@github-actions github-actions Bot added the size/m PR size: M label Jun 25, 2026
@github-actions

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.19% 13613 / 36596
🔵 Statements 36.46% 14472 / 39686
🔵 Functions 31.83% 2336 / 7337
🔵 Branches 31.12% 9008 / 28944
Generated in workflow #118 for commit 48c859b by the Vitest Coverage Report Action

@github-actions github-actions Bot added agentcore-harness-reviewing AgentCore Harness review in progress and removed agentcore-harness-reviewing AgentCore Harness review in progress labels Jun 25, 2026