fix(bedrock-agentcore-alpha): relax allowlistedHeaders pattern to match CFN schema#37969
Open
naviret wants to merge 2 commits into
Open
fix(bedrock-agentcore-alpha): relax allowlistedHeaders pattern to match CFN schema#37969naviret wants to merge 2 commits into
naviret wants to merge 2 commits into
Conversation
github-actions
Bot
added
the
beginning-contributor
aws-cdk-automation
previously requested changes
May 21, 2026
github-actions
Bot
added
the
feature-request
…ch CFN schema
The `validateRequestHeaderConfiguration` method rejected valid headers
that the service and CloudFormation schema already accept. Update the
regex from the old restrictive pattern (only `Authorization` and
`X-Amzn-Bedrock-AgentCore-Runtime-Custom-*`) to `^[A-Za-z][A-Za-z0-9_-]{0,255}$`,
matching the deployed CFN schema for `AWS::BedrockAgentCore::Runtime`.
Policy enforcement (restricted headers, internal-only headers) is handled
server-side in the control plane service layer.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
naviret
force-pushed
the
fix/bedrock-agentcore-runtime-header-pattern
branch
from
d67e342 to
ab66d46
Compare
aws-cdk-automation
dismissed
their stale review
✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.
…owlist Adds integration test that creates a Runtime with headers beyond the X-Amzn-Bedrock-AgentCore-Runtime-Custom- prefix (e.g. X-Twilio-Signature, X-Api-Key) to verify the relaxed pattern produces valid CFN templates. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
naviret
force-pushed
the
fix/bedrock-agentcore-runtime-header-pattern
branch
from
0054f68 to
590177d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue # (if applicable)
Closes #37964.
Reason for this change
The
validateRequestHeaderConfigurationmethod in@aws-cdk/aws-bedrock-agentcore-alphauses an outdated regex that only allowsAuthorizationandX-Amzn-Bedrock-AgentCore-Runtime-Custom-*headers. The CloudFormation schema forAWS::BedrockAgentCore::Runtimehas been updated and deployed to all regions to accept^[A-Za-z][A-Za-z0-9_-]{0,255}$(any valid HTTP header name).This causes
cdk synthto throwInvalidRequestHeaderConfigurationfor valid headers that the service fully supports. Customers must use a CFN escape hatch to work around this.Description of changes
validateRequestHeaderConfigurationfrom/(Authorization|X-Amzn-Bedrock-AgentCore-Runtime-Custom-[a-zA-Z0-9-]+)/to/^[A-Za-z][A-Za-z0-9_-]{0,255}$/to match the deployed CFN schemaDescribe any new or updated permissions being added
N/A — no IAM permission changes.
Description of how you validated changes
X-Amzn-Bedrock-AgentCore-Runtime-Custom-prefix (should pass)Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license