fix: Gateway target expects an AgentCore API key credential provider ARN, not a Secrets Manager secret ARN

Author: clareliguori

DEVELOP.md

@@ -211,6 +211,17 @@ cdk deploy --app 'node lib/dictionary-mcp-server.js'
 
 Deploy the 'zen' Bedrock AgentCore Gateway.
 
+First, create a Bedrock AgentCore API key credential provider:
+
+```bash
+aws bedrock-agentcore-control create-api-key-credential-provider \
+  --name zen-quotes-api-key \
+  --api-key "dummy-key" \
+  --region us-west-2
+```
+
+Then deploy the gateway:
+
 ```bash
 cd examples/servers/zen/
 

examples/servers/zen/README.md

@@ -9,6 +9,17 @@ specification for the [ZenQuotes](https://zenquotes.io/) API.
 - Authentication: OAuth
 - Endpoint: Bedrock AgentCore Gateway
 
+### Prerequisites
+
+Before deploying, you need to create a Bedrock AgentCore API key credential provider:
+
+```bash
+aws bedrock-agentcore-control create-api-key-credential-provider \
+  --name zen-quotes-api-key \
+  --api-key "dummy-key" \
+  --region us-west-2
+```
+
 ### Deploy
 
 ```bash

examples/servers/zen/cdk_stack.py

@@ -4,10 +4,8 @@
     CfnOutput,
     Environment,
     Fn,
-    SecretValue,
     Stack,
     aws_bedrockagentcore as bedrockagentcore,
-    aws_secretsmanager as secretsmanager,
 )
 from cdk_nag import AwsSolutionsChecks, NagSuppressions
 from constructs import Construct
@@ -54,18 +52,6 @@ def __init__(
             exception_level="DEBUG",
         )
 
-        # Create secret for API key
-        api_key_secret = secretsmanager.Secret(
-            self,
-            "ZenQuotesApiKey",
-            secret_string_value=SecretValue.unsafe_plain_text("hello world")
-        )
-
-        NagSuppressions.add_resource_suppressions(
-            api_key_secret,
-            [{"id": "AwsSolutions-SMG4", "reason": "Placeholder API key for demo purposes"}]
-        )
-
         bedrockagentcore.CfnGatewayTarget(
             self,
             "GatewayTarget",
@@ -83,7 +69,7 @@ def __init__(
                     "credentialProviderType": "API_KEY",
                     "credentialProvider": {
                         "apiKeyCredentialProvider": {
-                            "providerArn": api_key_secret.secret_arn,
+                            "providerArn": f"arn:aws:bedrock-agentcore:{self.region}:{self.account}:token-vault/default/apikeycredentialprovider/zen-quotes-api-key",
                             "credentialLocation": "HEADER",
                             "credentialParameterName": "X-Ignore-This"
                         }