fix(e2e): reap stale OAuth2 credential providers alongside API key providers#1679
Conversation
The e2e globalSetup already reaps stale API key credential providers, but OAuth2 providers are a separate resource type with their own List/Delete APIs — they do NOT appear in ListApiKeyCredentialProviders, so the existing cleanup can never see them. The CUSTOM_JWT harness test registers a managed OAuth2 provider (`<name>-oauth`) created outside the CloudFormation stack, so teardown leaves it behind. These accumulate against the account's 50-provider OAuth2 quota (L-431051DC) until every CUSTOM_JWT deploy fails with "The number of agent identity Oauth2 credential providers in this account has reached its limit", failing the E2E suite. Add cleanupStaleOAuth2CredentialProviders (mirrors the API key reaper, using ListOauth2CredentialProviders / DeleteOauth2CredentialProvider) and wire it into globalSetup alongside the existing stack / API key / recommendation cleanups.
Package TarballHow to installgh release download pr-1679-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.21.1.tgz |
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Reviewed the changes. This is a clean, low-risk test-infra fix that mirrors the existing cleanupStaleCredentialProviders pattern almost exactly, only against the OAuth2 List/Delete APIs. The rationale is well-documented in both the code comment and PR description, and the author reports live-verifying against the E2E account that (a) OAuth2 providers don't appear in ListApiKeyCredentialProviders and (b) the new reaper successfully deletes a seeded E2e-prefixed OAuth2 provider.
The 30-minute minAgeMs and E2e prefix match the existing reapers, so no in-flight run will get its provider yanked. Pagination and filter logic are identical to the API-key path.
Nothing blocking. LGTM.
Coverage Report
|
…Providers Fold the OAuth2 reaping into cleanupStaleCredentialProviders rather than a separate function + second globalSetup call. From the caller's view "reap stale credential providers" is one job; splitting it by resource type is what let OAuth2 providers go unreaped in the first place. The function now walks both the API key and OAuth2 list APIs. globalSetup reverts to a single call (no longer changed vs main).
|
Claude Security Review: no high-confidence findings. (run) |
| } | ||
| ): Promise<void> { | ||
| const cutoff = new Date(Date.now() - options.minAgeMs); | ||
| const isStale = (p: { name?: string; createdTime?: Date }): boolean => |
There was a problem hiding this comment.
nit: the helper function is called isStale but includes prefix matching logic which feels unrelated.
Description
The E2E suite's
globalSetupreaps stale credential providers before each run viacleanupStaleCredentialProviders, but it only walked the API key list. OAuth2 credential providers are a separate resource type with their own List/Delete APIs — they do not appear inListApiKeyCredentialProviders— so they were never reaped.The CUSTOM_JWT harness test (
harness-custom-jwt.test.ts) registers a managed OAuth2 provider named<harness>-oauth, created imperatively outside the CloudFormation stack. Stack teardown doesn't remove it and nothing else reaped it, so every run leaked oneE2eHrnsJwt<ts>-oauthprovider. These accumulate against the account's 50-provider OAuth2 quota (L-431051DC). Once full, every CUSTOM_JWT deploy fails with:which fails the
E2E Tests (Full Suite)CUSTOM_JWT shard (the account was at exactly 50/50, allE2eHrnsJwt*-oauth).This is a test-infra fix. (The underlying CLI-side leak — the CLI orphaning providers it creates on teardown, which affects real users too — is addressed separately in #1675.)
Changes
Single-file change in
e2e-tests/utils/credential-provider-cleanup.ts:cleanupStaleCredentialProvidersnow reaps both provider types in one call — it walks the API key list and the OAuth2 list (ListOauth2CredentialProvidersCommand/DeleteOauth2CredentialProviderCommand). Splitting cleanup by resource type is exactly what let OAuth2 providers go unreaped; from the caller's view "reap stale credential providers" is one job, so it's one function.deleteOAuth2CredentialProviderhelper (mirrors the existingdeleteCredentialProvider).globalSetupis unchanged — it already callscleanupStaleCredentialProviders, which now covers OAuth2 too.Related Issue
Closes #1674
Documentation PR
N/A — internal E2E test infrastructure only.
Type of Change
Testing
How have you tested the change?
npm run test:unitandnpm run test:integnpm run typechecknpm run lintsrc/assets/, I rannpm run test:update-snapshotsand committed the updated snapshotsAdditional verification (live, against the E2E account):
ListApiKeyCredentialProviders(only inListOauth2CredentialProviders), proving the old single-list cleanup could never reap them.E2e-prefixed API key provider and one OAuth2 provider, ran the unifiedcleanupStaleCredentialProviders, and confirmed it deleted both (Deleted credential provider: ...+Deleted OAuth2 credential provider: ...), leaving none behind.E2eHrnsJwt*-oauthproviders to unblock the suite immediately.Checklist
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.