Summary
The new e2e-tests/harness-custom-jwt.test.ts (added in #1609) fails on the full-suite E2E run, shard 2/5.
Root cause
The test fixture is misconfigured, surfaced by the harness auto-fetch flow that landed in the main+preview merge (#1598, #1611):
- The harness is deployed with
--allowed-audience <clientId>, so the service validates the token's aud claim.
- The test authenticates via Cognito client_credentials (M2M), whose tokens carry a
client_id claim and no aud.
- The fixture also registers a managed OAuth credential (
--client-id/--client-secret), so a default invoke (no --bearer-token) now auto-fetches a JWT instead of doing SigV4 (canFetchHarnessToken() → true).
- The service rejects the fetched token:
403 \"*** missing required audience claim.\" — which doesn't match the test's expected client-side customJWTRejectMsgRegex.
The sibling byo-custom-jwt.test.ts passes only because it patches agentcore.json with no credential, so it hits the client-side SigV4 fast-fail the regex expects. The same aud misconfiguration is latent there, hidden by a weak not.toMatch assertion.
Fix
- Use
--allowed-clients (matches the client_id claim Cognito M2M tokens carry) instead of --allowed-audience.
- Update the deploy assertion to check
AllowedClients.
- Reframe the invoke tests to assert the real post-merge behavior (default invoke auto-fetches a JWT and is accepted; bearer-token invoke returns exitCode 0).
This is a test-only fix — no shippable CLI behavior changes.
Summary
The new
e2e-tests/harness-custom-jwt.test.ts(added in #1609) fails on the full-suite E2E run, shard 2/5.rejects SigV4 invocation (auth method mismatch)Root cause
The test fixture is misconfigured, surfaced by the harness auto-fetch flow that landed in the main+preview merge (#1598, #1611):
--allowed-audience <clientId>, so the service validates the token'saudclaim.client_idclaim and noaud.--client-id/--client-secret), so a defaultinvoke(no--bearer-token) now auto-fetches a JWT instead of doing SigV4 (canFetchHarnessToken()→ true).403 \"*** missing required audience claim.\"— which doesn't match the test's expected client-sidecustomJWTRejectMsgRegex.The sibling
byo-custom-jwt.test.tspasses only because it patchesagentcore.jsonwith no credential, so it hits the client-side SigV4 fast-fail the regex expects. The sameaudmisconfiguration is latent there, hidden by a weaknot.toMatchassertion.Fix
--allowed-clients(matches theclient_idclaim Cognito M2M tokens carry) instead of--allowed-audience.AllowedClients.This is a test-only fix — no shippable CLI behavior changes.