
fix(cli): Populate the runtime invoke URL for AWS_IAM agents in `ag... (#1593) #67

Draft
aidandaly24 wants to merge 1 commit into main from fix/1593



@aidandaly24

Owner

Refs aws#1593

Issues

  • bug(fetch): fetch command lists agents with IAM inbound auth (aws/agentcore-cli#1593)

agentcore fetch access lists IAM-authenticated agents and gateways in the resource picker, then on selecting an IAM agent shows only "Auth: IAM" plus a SigV4 message — no token (expected, IAM has none) and, worse, no invoke URL and no example command, because the IAM agent path hard-codes url:''. Users see resources they expect to "fetch" only to be told there is nothing to fetch. Cosmetic/UX friction; the resources still work via SigV4.

Root cause

By design, the list functions return all deployed resources including IAM ones. listAgents pushes every deployed runtime and defaults authType to 'AWS_IAM' (src/cli/operations/fetch-access/list-agents.ts:25-28); listGateways includes AWS_IAM gateways (list-gateways.ts:27-31), which list-gateways.test.ts:60-64 asserts as intended ('gw-iam' returned). useFetchAccessFlow.ts:64-67 merges both into one picker; FetchAccessScreen.tsx:108-119 renders them with [IAM] labels (authLabel line 13). On selecting an IAM AGENT, fetchAgentAccess returns url:'' + SigV4 message + no token (useFetchAccessFlow.ts:9-15); the empty url suppresses the URL block (FetchAccessScreen.tsx:159) and Example block (line 208), so the result screen is near-empty. IAM GATEWAYS fare better — fetch-gateway-token.ts:51-56 returns a non-empty gatewayUrl, so the URL + aws curl example DO render (the strictly-degraded case is the IAM agent). Code introduced by aws#657 (runtime inbound auth) atop the fetch command from aws#627; unchanged and unfixed at v0.20.2. No PR/commit references aws#1593. Entire trace is local CLI code reading ConfigIO; no backend call reached on the IAM path.

The fix

Design decision required.

Option (a): filter AWS_IAM resources out of the picker (skip authType==='AWS_IAM' in useFetchAccessFlow.ts:64-67 or in list-agents/list-gateways) — but this hides legitimate resources users may still want the invoke URL for, and would require updating list-gateways.test.ts and the non-interactive availableGateways path in action.ts:24-31.

Option (b, recommended): keep IAM resources but make selection useful — populate the runtime invoke URL for IAM agents instead of url:'' (useFetchAccessFlow.ts:10) so the URL + aws curl example render exactly as the IAM-gateway path already does, and optionally dim/annotate IAM rows in the picker (FetchAccessScreen.tsx:117) as "SigV4, no token".

Option (b) brings the agent path to parity with the gateway path and is the higher-value, low-risk fix. CLI-only, small.

Files touched: src/cli/tui/screens/fetch-access/useFetchAccessFlow.ts:8-15,64-67; src/cli/tui/screens/fetch-access/FetchAccessScreen.tsx:108-119,159,208-219; src/cli/operations/fetch-access/list-agents.ts:21-29; src/cli/operations/fetch-access/list-gateways.ts:23-43; src/cli/operations/fetch-access/fetch-gateway-token.ts:51-56 (reference for parity); and src/cli/commands/fetch/action.ts:22-40 if IAM filtering (option a) is chosen. Tests: src/cli/operations/fetch-access/tests/list-gateways.test.ts.

Validation evidence

The fix was verified by reproducing the original symptom and re-running after the change:

BEFORE: On HEAD, useFetchAccessFlow.ts routed runtime selection through fetchTokenAccess(resource, fetchRuntimeToken), whose AWS_IAM branch hard-coded url: '' (lines 24-29). I proved this with a throwaway repro test mirroring the original branch: result.url === '' and, per FetchAccessScreen.tsx gating ({result.url && ...} at lines ~161 URL block and ~210 Example block), both blocks are suppressed (urlBlock=false, exampleBlock=false) — the dead-end the issue reports. By contrast the AWS_IAM gateway test (fetch-gateway-token.test.ts:124-136) asserts a populated url=GATEWAY_URL, which is why that path renders usefully — confirming the IAM agent was the strictly-degraded case.

AFTER: The fix adds src/cli/operations/fetch-access/fetch-runtime-access.ts (fetchRuntimeAccess) which reads deployed runtimeArn + targetConfig.region and builds the URL via the existing buildRuntimeInvocationUrl(region, runtimeArn) (status/constants.ts:18). useFetchAccessFlow.ts now routes runtime selection to fetchRuntimeAccess(resource.name). New unit test fetch-runtime-access.test.ts (mock ConfigIO with runtimeArn+region) PASSES: result.url === 'https://bedrock-agentcore.us-east-1.amazonaws.com/runtimes//invocations', result.authType === 'AWS_IAM', result.token === undefined, message contains 'SigV4'. With url populated, FetchAccessScreen renders the URL block and the aws curl <url>/ AWS_IAM Example block — parity with the gateway path, no token shown (correct for IAM).

Test suite: green.


Staged on the fork as a draft for human review. Promote to aws/agentcore-cli after vetting.

…#1593)

The fetch access TUI listed IAM-authenticated agents in the resource
picker but dead-ended on selection: the runtime path hard-coded url:''
so neither the invoke URL nor the example command rendered. Add
fetchRuntimeAccess, which reads the deployed runtimeArn + target region
and builds the invocation URL via buildRuntimeInvocationUrl, bringing
the AWS_IAM agent path to parity with the AWS_IAM gateway path. Route
runtime selection in useFetchAccessFlow through the new function and
add unit coverage.
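
As an added example (not the PR's code), this TypeScript sketch reproduces the before/after behaviour described above, including the `{result.url && ...}` gating. The function bodies, the message wording, the sample ARN and the placement of the URL-encoded ARN between `/runtimes/` and `/invocations` are assumptions.

```typescript
// Added illustration: names mirror the PR text, bodies are assumptions.
type AuthType = 'AWS_IAM' | 'CUSTOM_JWT';
interface AccessResult { url: string; authType: AuthType; token?: string; message?: string }

// Constructed stand-in for the deployed state the CLI reads through ConfigIO.
interface DeployedRuntime { runtimeArn?: string; region?: string }

// Host and path come from the PR's test expectation; putting the
// URL-encoded ARN in the middle path segment is an assumption.
function buildRuntimeInvocationUrl(region: string, runtimeArn: string): string {
  const arn = encodeURIComponent(runtimeArn);
  return `https://bedrock-agentcore.${region}.amazonaws.com/runtimes/${arn}/invocations`;
}

// Constructed wording; the PR only states that the message contains 'SigV4'.
const SIGV4_MESSAGE = 'AWS_IAM inbound auth: sign requests with SigV4, no bearer token is issued.';

// "Before": the AWS_IAM branch hard-codes url: '' whatever the deployed state is.
function fetchIamAccessBefore(_rt: DeployedRuntime): AccessResult {
  return { url: '', authType: 'AWS_IAM', message: SIGV4_MESSAGE };
}

// "After": build the URL from deployed state and fail loudly when it is missing,
// so an undeployed runtime never yields a half-formed URL.
function fetchRuntimeAccess(rt: DeployedRuntime): AccessResult {
  if (!rt.runtimeArn || !rt.region) {
    throw new Error('Runtime is not deployed: runtimeArn and region are required');
  }
  return {
    url: buildRuntimeInvocationUrl(rt.region, rt.runtimeArn),
    authType: 'AWS_IAM',
    message: SIGV4_MESSAGE, // still no token: IAM callers sign with their own credentials
  };
}

// Mirrors the screen gating: URL and Example blocks render only for a non-empty url.
function renderedBlocks(result: AccessResult) {
  const hasUrl = Boolean(result.url);
  return { urlBlock: hasUrl, exampleBlock: hasUrl, tokenBlock: Boolean(result.token) };
}

// Constructed sample input (placeholder account id and runtime name).
const sampleRuntime: DeployedRuntime = {
  runtimeArn: 'arn:aws:bedrock-agentcore:us-east-1:111122223333:runtime/example-agent',
  region: 'us-east-1',
};
```
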
@github-actions github-actions Bot added size/m PR size: M agentcore-harness-reviewing AgentCore Harness review in progress labels Jun 25, 2026
@github-actions


Coverage Report

| Status | Category | Percentage | Covered / Total |
|---|---|---|---|
| 🔵 | Lines | 37.18% | 13613 / 36605 |
| 🔵 | Statements | 36.46% | 14474 / 39698 |
| 🔵 | Functions | 31.82% | 2336 / 7340 |
| 🔵 | Branches | 31.12% | 9013 / 28955 |

Generated in workflow #120 for commit 1bfb0e1 by the Vitest Coverage Report Action

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 25, 2026