Fix: use build(credentials=creds) instead of creds.authorize() for google-auth compatibility; add traceback logging

agentclaw/app/agent_claw_main/tools/google_workspace.py

@@ -8,6 +8,7 @@ Credential secret: agent-claw/google-credentials/{actor_id.replace(':', '-')}
 Contains: token, refresh_token, token_uri, client_id, client_secret, scopes
 """
 import json
+import traceback
 import boto3
 import httplib2
 from strands import tool
@@ -77,11 +78,10 @@ _current_actor_id: str = ''
 
 
 def _svc(api: str, version: str, creds: Credentials):
-    # Pass ONLY the authorized http (with timeout) — do NOT also pass credentials.
-    # When both http= and credentials= are given, google-api-python-client creates a
-    # new un-timed Http() from credentials for API calls, ignoring our timeout.
-    http = creds.authorize(httplib2.Http(timeout=_HTTP_TIMEOUT))
-    return build(api, version, http=http, cache_discovery=False)
+    # Standard google-auth pattern: pass credentials= directly to build().
+    # google.oauth2.credentials.Credentials is natively supported by googleapiclient.
+    # (creds.authorize() is oauth2client only — not available here)
+    return build(api, version, credentials=creds, cache_discovery=False)
 
 
 @tool
@@ -98,6 +98,8 @@ def list_calendars() -> str:
             for c in items
         )
     except Exception as e:
+        tb = traceback.format_exc()
+        print(f'[google] list_calendars error: {e}\n{tb}')
         return f'Error listing calendars: {e}'
 
 
@@ -145,6 +147,8 @@ def get_calendar_events(
             lines.append(f'- "{e.get("summary", "No Title")}" (Starts: {start}, Ends: {end}) ID: {eid}')
         return f'Retrieved {len(events)} events from "{calendar_id}":\n' + '\n'.join(lines)
     except Exception as e:
+        tb = traceback.format_exc()
+        print(f'[google] get_calendar_events error: {e}\n{tb}')
         return f'Error fetching calendar events: {e}'
 
 
@@ -177,6 +181,8 @@ def list_gmail_messages(max_results: int = 10, query: str = 'in:inbox') -> str:
             out += f'\n(more results available)'
         return out
     except Exception as e:
+        tb = traceback.format_exc()
+        print(f'[google] list_gmail_messages error: {e}\n{tb}')
         return f'Error listing Gmail messages: {e}'
 
 

cdk/cdk.out/AgentClawStack.assets.json

@@ -61,16 +61,16 @@
         }
       }
     },
-    "7cdf99af915f7191eec65aef2668994abc0bff90a30effd9c6f67d7723bcfad0": {
+    "91a55dffd35b78473e5145ec4ffe46cfbab25239665de853966d1a1d64a186ec": {
       "displayName": "AgentClawStack Template",
       "source": {
         "path": "AgentClawStack.template.json",
         "packaging": "file"
       },
       "destinations": {
-        "495395224548-us-east-1-41667eab": {
+        "495395224548-us-east-1-27a7d4e2": {
           "bucketName": "cdk-hnb659fds-assets-495395224548-us-east-1",
-          "objectKey": "7cdf99af915f7191eec65aef2668994abc0bff90a30effd9c6f67d7723bcfad0.json",
+          "objectKey": "91a55dffd35b78473e5145ec4ffe46cfbab25239665de853966d1a1d64a186ec.json",
           "region": "us-east-1",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-file-publishing-role-495395224548-us-east-1"
         }

cdk/cdk.out/AgentClawStack.metadata.json

@@ -572,7 +572,7 @@
     {
       "type": "aws:cdk:creationStack",
       "data": [
-        "...SecretBase.grantRead in aws-cdk-lib...",
+        "...environmentFromArn.grantRead in aws-cdk-lib...",
         "new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:199:29)",
         "<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
         "...node internals, ts-node, ts-node, ts-node..."
@@ -715,7 +715,7 @@
     {
       "type": "aws:cdk:creationStack",
       "data": [
-        "...SecretBase.grantRead in aws-cdk-lib...",
+        "...environmentFromArn.grantRead in aws-cdk-lib...",
         "new AgentClawStack (/Users/daniel/agent-claw/cdk/lib/agent-claw-stack.ts:251:29)",
         "<anonymous> (/Users/daniel/agent-claw/cdk/bin/agent-claw.ts:8:1)",
         "...node internals, ts-node, ts-node, ts-node..."

cdk/cdk.out/AgentClawStack.template.json

@@ -941,18 +941,7 @@
         "secretsmanager:DescribeSecret"
        ],
        "Effect": "Allow",
-       "Resource": {
-        "Fn::Join": [
-         "",
-         [
-          "arn:",
-          {
-           "Ref": "AWS::Partition"
-          },
-          ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
-         ]
-        ]
-       }
+       "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl"
       },
       {
        "Action": "secretsmanager:GetSecretValue",
@@ -1012,18 +1001,7 @@
         "secretsmanager:DescribeSecret"
        ],
        "Effect": "Allow",
-       "Resource": {
-        "Fn::Join": [
-         "",
-         [
-          "arn:",
-          {
-           "Ref": "AWS::Partition"
-          },
-          ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
-         ]
-        ]
-       }
+       "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl"
       },
       {
        "Action": "secretsmanager:GetSecretValue",
@@ -1088,18 +1066,7 @@
         "secretsmanager:DescribeSecret"
        ],
        "Effect": "Allow",
-       "Resource": {
-        "Fn::Join": [
-         "",
-         [
-          "arn:",
-          {
-           "Ref": "AWS::Partition"
-          },
-          ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
-         ]
-        ]
-       }
+       "Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl"
       },
       {
        "Action": [
@@ -1186,18 +1153,7 @@
     },
     "Environment": {
      "Variables": {
-      "GOOGLE_OAUTH_CLIENT_SECRET_ARN": {
-       "Fn::Join": [
-        "",
-        [
-         "arn:",
-         {
-          "Ref": "AWS::Partition"
-         },
-         ":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client"
-        ]
-       ]
-      },
+      "GOOGLE_OAUTH_CLIENT_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl",
       "USERS_TABLE_NAME": {
        "Ref": "UsersTable9725E9C8"
       },

cdk/cdk.out/manifest.json

@@ -18,7 +18,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-deploy-role-495395224548-us-east-1",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::495395224548:role/cdk-hnb659fds-cfn-exec-role-495395224548-us-east-1",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-495395224548-us-east-1/7cdf99af915f7191eec65aef2668994abc0bff90a30effd9c6f67d7723bcfad0.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-495395224548-us-east-1/91a55dffd35b78473e5145ec4ffe46cfbab25239665de853966d1a1d64a186ec.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [

cdk/lib/agent-claw-stack.ts

@@ -188,8 +188,8 @@ export class AgentClawStack extends cdk.Stack {
     // and fed back as context param runtime1Arn.
 
     // ── Google Workspace MCP ──────────────────────────────────────────────
-    const googleOAuthClientSecret = secretsmanager.Secret.fromSecretNameV2(
-      this, 'GoogleOAuthClient', 'agent-claw/google-oauth-client'
+    const googleOAuthClientSecret = secretsmanager.Secret.fromSecretCompleteArn(
+      this, 'GoogleOAuthClient', 'arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-subXHl'
     );
 
     // workspace-mcp Lambda execution role (import existing — created during initial setup)