Skip to content

test(e2e): use managed memory for CUSTOM_JWT harness invoke#1627

Closed
aidandaly24 wants to merge 1 commit into
mainfrom
fix/harness-custom-jwt-managed-memory
Closed

test(e2e): use managed memory for CUSTOM_JWT harness invoke#1627
aidandaly24 wants to merge 1 commit into
mainfrom
fix/harness-custom-jwt-managed-memory

Conversation

@aidandaly24

@aidandaly24 aidandaly24 commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Description

e2e-tests/harness-custom-jwt.test.ts > invokes with bearer token successfully fails on the full-suite E2E run (shard 2/5) with:

runtimeClientError: AccessDeniedException calling ListEvents:
... is not authorized to perform: bedrock-agentcore:ListEvents
on resource: .../memory/harness_E2eHrnsJwt..._...
because no identity-based policy allows the bedrock-agentcore:ListEvents action

This surfaced after #1624 turned that test into a real positive assertion (exitCode === 0). The auth flow now works end-to-end — the invoke reaches the runtime and then fails on a missing memory permission.

Root cause — test fixture, not the CDK. The CDK already grants bedrock-agentcore:ListEvents to the harness execution role, but only when memory is managed:

// agentcore-l3-cdk-constructs — AgentCoreHarnessEnvironment.ts
const managedMemory = props.spec ? props.spec.memory?.mode !== 'disabled' : harness.managedMemory;

The test added the harness with --no-memory, which the CLI maps to memory.mode: 'disabled' → the CDK correctly skips the ListEvents grant (disabled memory shouldn't need memory perms). But the harness still calls ListEvents on a service-managed memory at invoke time, so it 403s.

The passing harness suites (harness-bedrock/openai/gemini via harness-e2e-helper) all run with the default managed memory, which gets the grant and invokes successfully. The CUSTOM_JWT test was the only harness E2E using --no-memory.

Fix: Drop --no-memory so the CUSTOM_JWT harness uses managed memory like every other passing harness E2E. Test-only change; no shippable CLI or CDK behavior changes.

Related Issue

Closes #1626

Documentation PR

N/A — test-only change.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck (tsc --noEmit — clean)
  • I ran npm run lint (eslint + prettier --check — clean)
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Also confirmed vitest list --project e2e collects all 5 cases. The E2E runs against real AWS (Cognito + harness deploy) in CI on this PR.

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@aidandaly24
test(e2e): use managed memory for CUSTOM_JWT harness invoke
95e3fe1 
The bearer-token invoke in harness-custom-jwt.test.ts failed with
AccessDenied on bedrock-agentcore:ListEvents after #1624 made it a real
positive assertion. The harness was added with --no-memory, which the CLI
maps to memory.mode 'disabled'. The CDK only grants ListEvents to the
harness execution role when memory is managed (managedMemory = mode !==
'disabled' in AgentCoreHarnessEnvironment), so a disabled-memory harness
that still calls ListEvents at invoke time 403s.

Drop --no-memory so the CUSTOM_JWT harness uses the default managed memory,
matching the passing harness-bedrock/openai/gemini suites. Test-only change;
no shippable CLI or CDK behavior changes.

Closes #1626
@aidandaly24 aidandaly24 requested a review from a team June 23, 2026 21:04
@github-actions github-actions Bot added the size/xs PR size: XS label Jun 23, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 23, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 23, 2026
@agentcore-devx-automation

agentcore-devx-automation Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 23, 2026
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Package Tarball

aws-agentcore-0.20.2.tgz

How to install

gh release download pr-1627-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz

agentcore-cli-automation
agentcore-cli-automation suggested changes Jun 23, 2026
View reviewed changes

@agentcore-cli-automation agentcore-cli-automation left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test-only change looks correct as a CI unblocker — the fix targets exactly the test that regressed in #1624 and the inline comment clearly documents the AccessDenied root cause.

One concern below about masking a real product bug that should be tracked before this gets buried as "just a flaky-test fix."

Comment thread e2e-tests/harness-custom-jwt.test.ts
'--no-memory',
// Use the default managed memory (no --no-memory): a disabled-memory harness still
// calls bedrock-agentcore:ListEvents at invoke, but the CDK only grants that action on
// the execution role when memory is managed — so --no-memory invokes fail with AccessDenied.

@agentcore-cli-automation agentcore-cli-automation Jun 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change masks (rather than fixes) a real user-facing bug: any user who runs add harness --no-memory and then invoke will hit the same AccessDeniedException on ListEvents at runtime, because the harness still calls ListEvents on a service-managed memory even when the CLI/CDK has skipped the IAM grant.

The PR description acknowledges this ("the harness still calls ListEvents on a service-managed memory at invoke time, so it 403s"), but #1626 is being closed by this fix and there's no follow-up tracking the actual product bug. After this merges, the only E2E coverage we had for the --no-memory invoke path is gone, and the next time someone reports this from the field there'll be no signal in CI.

A few ways to handle this — please pick one before merging:

  1. (Preferred) Open a follow-up bug for "harness with --no-memory fails at invoke with AccessDenied on ListEvents" (CDK should grant the action even when memory is disabled, or the harness runtime should not call ListEvents when memory is disabled — that's for the harness/CDK owners to decide), reference it from CI Failure: harness-custom-jwt bearer-token invoke fails with AccessDenied on ListEvents #1626 so CI Failure: harness-custom-jwt bearer-token invoke fails with AccessDenied on ListEvents #1626 isn't closed without the underlying issue being tracked, and link it from the inline comment here (lines 138–140) so future readers see it.
  2. Keep one E2E case on --no-memory — e.g., split the suite so the deploy/auth-config assertions still run against a --no-memory harness (those don't invoke and won't 403), and only the invoke-based assertions use managed memory. That preserves coverage of the --no-memory add/deploy path.
  3. If the harness runtime calling ListEvents under --no-memory is considered expected and the user-facing remediation is "don't use --no-memory with a harness" (or --no-memory is being deprecated for harnesses), document that in the --no-memory flag help text on add harness so users discover it at CLI time rather than at AccessDenied time.

The cheapest thing is probably (1) — it costs nothing in this PR and keeps the bug visible.

Tangential nit on the PR description (not a blocker): the quoted CDK snippet (const managedMemory = props.spec ? props.spec.memory?.mode !== 'disabled' : harness.managedMemory;) doesn't exist in AgentCoreHarnessEnvironment.ts in agentcore-l3-cdk-constructs on main. The actual ListEvents grant is in AgentCoreApplication.wireMemoriesToHarnesses (src/cdk/constructs/l3/AgentCoreApplication.ts:235-262), gated on harness.memoryName being set — which --no-memory doesn't set, so the effective behavior matches your description, just citing the wrong source location.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 23, 2026
@github-actions

github-actions Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 37.03% 13554 / 36601
🔵 Statements 36.3% 14411 / 39696
🔵 Functions 31.69% 2327 / 7343
🔵 Branches 30.78% 8926 / 28992
Generated in workflow #3787 for commit 95e3fe1 by the Vitest Coverage Report Action

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@agentcore-cli-automation agentcore-cli-automation agentcore-cli-automation requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI Failure: harness-custom-jwt bearer-token invoke fails with AccessDenied on ListEvents

2 participants

@aidandaly24 @agentcore-cli-automation