Description
Describe the bug
GatewayClient.create_mcp_gateway_target is not creating the credential provider correctly
To Reproduce
Here's my code:
```python
from bedrock_agentcore_starter_toolkit.operations.gateway import GatewayClient
import logging

gateway_client = GatewayClient(
    endpoint_url="https://bedrock-agentcore-control.us-east-1.amazonaws.com",
    region_name="us-east-1",
)
gateway_client.logger.setLevel(logging.DEBUG)

cognito_response = gateway_client.create_oauth_authorizer_with_cognito(
    "TestGateway")
gateway = gateway_client.create_mcp_gateway(
    authorizer_config=cognito_response["authorizer_config"])

openapi_target = gateway_client.create_mcp_gateway_target(
    gateway=gateway,
    target_type="openApiSchema",
    target_payload={
        "s3": {
            "uri": "s3://xxxxx/xxxxx.yaml"
        }
    },
    credentials={
        "api_key": "Basic xxxxx",
        "credential_location": "HEADER",
        "credential_parameter_name": "Authorization"
    })
```
From the logs, the credential provider, gateway and gateway target were all created successfully:
```
Creating credential provider
2025-07-16 16:04:52,075 - bedrock_agentcore.gateway - INFO - ✓ Added credential provider successfully (ARN: arn:aws:bedrock-agentcore:us-east-1:xxxxx:token-vault/default/apikeycredentialprovider/TestGatewayTargetbca21012-ApiKey-d3377fea)
...
2025-07-16 16:04:52,077 - bedrock_agentcore.gateway - INFO - Creating Target
2025-07-16 16:04:52,077 - bedrock_agentcore.gateway - INFO - {'gatewayIdentifier': 'testgatewaybdea4e9b-hejtz9s0hk', 'name': 'TestGatewayTargetbca21012', 'targetConfiguration': <redacted but I see that providerArn is filled in correctly in here> ...
2025-07-16 16:04:52,742 - bedrock_agentcore.gateway - INFO - ✓ Added target successfully (ID: Z3TMO9HXTS)
```
However, when I go to the AWS console, I do not see this credential provider in Identity -> Outbound Auth. I do see a new secret in Secrets Manager with the correct value.
When I try to use any of the tools on my gateway, I get the below error:
```json
{
  "_meta": {
    "debug": {
      "type": "text",
      "text": "Failed to fetch outbound api key. Resource Credential Provider not found (Service: AgentCredentialProvider, Status Code: 404, Request ID: 9167e4bb-ff54-40fb-b2f9-8833674ac611) (SDK Attempt Count: 1)"
    }
  },
  "content": [
    {
      "type": "text",
      "text": "InternalServerException - An internal server occurred. Please retry later."
    }
  ],
  "isError": true
}
```
I created a different gateway with the low-level boto3 client and a providerArn I created from the AWS Console, which works fine.
```python
import boto3

boto_client = boto3.client(
    "bedrock-agentcore-control",
    region_name="us-east-1",
    endpoint_url="https://bedrock-agentcore-control.us-east-1.amazonaws.com",
)

# The target references a credential provider by ARN; this one was created in the console.
create_target_request = {
    "gatewayIdentifier": gateway["gatewayId"],
    "name": gateway["name"],
    "targetConfiguration": {
        "mcp": {
            "openApiSchema": {
                "s3": {
                    "uri": "s3://xxxxx/xxxxx.yaml"
                }
            }
        }
    },
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {
            "apiKeyCredentialProvider": {
                "providerArn": "arn:aws:bedrock-agentcore:us-east-1:xxxxx:token-vault/default/apikeycredentialprovider/resource-provider-api-key-2ykv2",
                "credentialLocation": "HEADER",
                "credentialParameterName": "Authorization",
            }
        },
    }],
}
openapi_iam_target = boto_client.create_gateway_target(**create_target_request)
```
Expected behavior
Gateway should be able to find the Resource Credential Provider created using the high-level client.