Description
When a project defines credentials in agentcore.json, agentcore deploy currently creates or updates AgentCore Identity credential providers from local secret values in agentcore/.env.local or matching process environment variables.
This works for CLI-managed secrets, but it makes it difficult to use credential providers that are already managed outside the project, such as providers created through the AgentCore console, another AgentCore project, or internal IaC/security workflows.
Some deploy/CDK-managed resources need a credential provider ARN at synthesis/deploy time. For example, gateway target outbound auth maps a configured credential name to an Identity credential provider ARN.
Desired behavior
If local secret values are present, deploy should keep the existing create/update behavior.
If local secret values are absent, deploy should be able to resolve an existing AgentCore Identity credential provider by name and record its ARN in deployed state for CDK wiring.
Scope
This is not intended to change the agent runtime credential retrieval path. Agent code can already request credentials by provider name.
The goal is to support deploy/CDK wiring for resources that require providerArn, while allowing the underlying credential provider secret to remain externally managed.
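The resolution order proposed above, as an added example (not code from the agentcore CLI or from PR #973): a local secret keeps the existing create/update path, an absent one falls back to an existing provider looked up by name, and the resulting ARN is recorded for CDK wiring. The credentials config shape, the two injected callbacks and the ARN strings are assumptions.

```python
import os
from dataclasses import dataclass, field
from typing import Callable, Dict, Mapping, Optional

@dataclass(frozen=True)
class CredentialSpec:  # assumed shape of one entry under credentials in agentcore.json
    name: str      # AgentCore Identity credential provider name
    env_var: str   # key looked up in agentcore/.env.local or the process environment

@dataclass
class DeployedState:
    provider_arns: Dict[str, str] = field(default_factory=dict)  # name -> providerArn

def parse_env_local(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines (comments and blanks ignored, simple quotes stripped)."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values

def resolve_credential_providers(
    specs: list,
    env_local: Mapping[str, str],
    create_or_update: Callable[[str, str], str],      # existing CLI path, returns ARN
    lookup_existing: Callable[[str], Optional[str]],  # resolve by name, None if absent
    environ: Mapping[str, str] = os.environ,
) -> DeployedState:
    """Apply the proposed resolution order; returns the state CDK wiring reads.
    A local secret keeps today's create/update path; otherwise an externally
    managed provider is resolved by name. Unresolved credentials fail the deploy."""
    state = DeployedState()
    for spec in specs:
        secret = env_local.get(spec.env_var) or environ.get(spec.env_var)
        if secret:
            state.provider_arns[spec.name] = create_or_update(spec.name, secret)
            continue
        arn = lookup_existing(spec.name)
        if arn is None:
            raise LookupError(
                f"credential '{spec.name}': no value for {spec.env_var} and no "
                f"existing AgentCore Identity provider with that name"
            )
        state.provider_arns[spec.name] = arn
    return state
```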
Related PR
Proposed implementation: #973