Description
When a gateway target uses targetType "lambda" with a compute block (CDK-managed Lambda, as opposed to lambdaFunctionArn), the CDK construct passes credentialProviderConfigurations: undefined to the underlying CfnGatewayTarget CloudFormation resource. However, the CloudFormation resource handler requires this field for Lambda targets, resulting in a deployment failure.
I managed to fix it, i put it on the Additional Context section.
Im sorry if this is a already known error, since im using the 0.9.1 version by default
Steps to Reproduce
- Define a gateway in agentcore.json with targetType: "lambda" and a compute block (no outboundAuth).
- Run agentcore deploy.
- CloudFormation fails with
CredentialProviderConfigurations is required for Lambda targets.
Expected Behavior
When deploying a gateway target of type lambda using a CDK-managed compute block (without an explicit outboundAuth configuration), the CDK construct should automatically apply GATEWAY_IAM_ROLE as the credentialProviderType — consistent with the behavior of lambdaFunctionArn and apiGateway target types. The CfnGatewayTarget resource should always receive a valid credentialProviderConfigurations array, and the CloudFormation deployment should succeed.
Actual Behavior
The CfnGatewayTarget is created with credentialProviderConfigurations: undefined. CloudFormation rejects the request with:
Invalid request provided: CredentialProviderConfigurations is required for Lambda targets
The stack enters ROLLBACK_FAILED state, requiring manual cleanup.
CLI Version
0.9.1
Operating System
Windows
Additional Context
I managed to fix it for me by applying the GATEWAY_IAM_ROLE fallback at the final CfnGatewayTarget creation (the compute-backed path), that for me is C:\Users\{myuser}\OneDrive - Straumann Group\Documents\Automacoes\Neoson Reborn\neoson-agentcore\NeosonTestAgentCore\agentcore\cdk\node_modules\@aws\agentcore-cdk\dist\cdk\constructs\components\mcp\Gateway.js:
// Before:
credentialProviderConfigurations: buildCredentialConfig(target),
// After:
credentialProviderConfigurations: buildCredentialConfig(target) ?? [{ credentialProviderType: 'GATEWAY_IAM_ROLE' }],
Alternatively, i updated the TARGET_TYPE_AUTH_CONFIG to set iamRoleFallback: true for lambda, consistent with how lambdaFunctionArn and apiGateway behave
Description
When a gateway target uses targetType "lambda" with a compute block (CDK-managed Lambda, as opposed to lambdaFunctionArn), the CDK construct passes credentialProviderConfigurations: undefined to the underlying CfnGatewayTarget CloudFormation resource. However, the CloudFormation resource handler requires this field for Lambda targets, resulting in a deployment failure.
I managed to fix it, i put it on the Additional Context section.
Im sorry if this is a already known error, since im using the 0.9.1 version by default
Steps to Reproduce
CredentialProviderConfigurationsis required for Lambda targets.Expected Behavior
When deploying a gateway target of type lambda using a CDK-managed compute block (without an explicit outboundAuth configuration), the CDK construct should automatically apply GATEWAY_IAM_ROLE as the credentialProviderType — consistent with the behavior of lambdaFunctionArn and apiGateway target types. The CfnGatewayTarget resource should always receive a valid credentialProviderConfigurations array, and the CloudFormation deployment should succeed.
Actual Behavior
The CfnGatewayTarget is created with credentialProviderConfigurations: undefined. CloudFormation rejects the request with:
Invalid request provided: CredentialProviderConfigurations is required for Lambda targetsThe stack enters ROLLBACK_FAILED state, requiring manual cleanup.
CLI Version
0.9.1
Operating System
Windows
Additional Context
I managed to fix it for me by applying the GATEWAY_IAM_ROLE fallback at the final CfnGatewayTarget creation (the compute-backed path), that for me is
C:\Users\{myuser}\OneDrive - Straumann Group\Documents\Automacoes\Neoson Reborn\neoson-agentcore\NeosonTestAgentCore\agentcore\cdk\node_modules\@aws\agentcore-cdk\dist\cdk\constructs\components\mcp\Gateway.js:Alternatively, i updated the TARGET_TYPE_AUTH_CONFIG to set iamRoleFallback: true for lambda, consistent with how lambdaFunctionArn and apiGateway behave