Fix Google OAuth: explicit IAM policy + strip OIDC scopes from credentials

2026-05-08 16:57:40 -05:00
parent d68ddab8a2
commit 9b56aa83df
11 changed files with 288 additions and 36 deletions
--- a/cdk/cdk.out/AgentClawStack.assets.json
+++ b/cdk/cdk.out/AgentClawStack.assets.json
@@ -31,16 +31,16 @@
        }
      }
    },
-    "a6d7ca10ce41a486503b8ea9f109a54841bb31af9548c618fdca79ac13b34c6a": {
+    "b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645": {
      "displayName": "OAuthHandler/Code",
      "source": {
-        "path": "asset.a6d7ca10ce41a486503b8ea9f109a54841bb31af9548c618fdca79ac13b34c6a",
+        "path": "asset.b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645",
        "packaging": "zip"
      },
      "destinations": {
-        "495395224548-us-east-1-77bd44d3": {
+        "495395224548-us-east-1-d4c72dd0": {
          "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
-          "objectKey": "a6d7ca10ce41a486503b8ea9f109a54841bb31af9548c618fdca79ac13b34c6a.zip",
+          "objectKey": "b45b92872bd4af9d3688817f862e6574ff6b4903e68b140bcee6fe0b2678c645.zip",
          "region": "us-east-1",
          "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
        }
@@ -61,16 +61,16 @@
        }
      }
    },
-    "6c96ac78834e047807c02e9e41e5a6f43de9b760bc3954d97cb2c3df560d71e7": {
+    "7cdf99af915f7191eec65aef2668994abc0bff90a30effd9c6f67d7723bcfad0": {
      "displayName": "AgentClawStack Template",
      "source": {
        "path": "AgentClawStack.template.json",
        "packaging": "file"
      },
      "destinations": {
-        "495395224548-us-east-1-014f016d": {
+        "495395224548-us-east-1-41667eab": {
          "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
-          "objectKey": "6c96ac78834e047807c02e9e41e5a6f43de9b760bc3954d97cb2c3df560d71e7.json",
+          "objectKey": "7cdf99af915f7191eec65aef2668994abc0bff90a30effd9c6f67d7723bcfad0.json",
          "region": "us-east-1",
          "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
        }