agent-claw/cdk/cdk.out/AgentClawStack.template.json
daniel ac5bd78d5a multi-tenant Phase 2: per-user Google OAuth
- workspace-mcp: add proxy.py (port 8080) that reads X-Actor-Id header,
  fetches per-user Google credentials from Secrets Manager, writes creds
  file, sets USER_GOOGLE_EMAIL, proxies to workspace-mcp on port 8081
- workspace-mcp: update bootstrap to start workspace-mcp on 8081 + proxy on 8080
- workspace-mcp: update Dockerfile to include proxy.py
- oauth-handler Lambda: new Lambda with /oauth/start + /oauth/callback
  routes; exchanges Google auth code, stores tokens in Secrets Manager
  at agent-claw/google-credentials/{actor_id_safe}, updates DynamoDB
- CDK: add OAuthHandler Lambda + GET /oauth/start + /oauth/callback routes
- CDK: remove shared google-workspace-credentials secret; add per-user
  secret IAM grants (agent-claw/google-credentials/*) for workspace-mcp
  role, runtime1 role, and oauth-handler role
- CDK: output OAuthStartUrl + OAuthRedirectUri
- agent-runner: pass google_email in user_profile payload
- main.py: pass actor_id as X-Actor-Id header in workspace-mcp MCP calls;
  skip workspace-mcp if user has no google_email; add connect_google_account
  tool that generates OAuth URL for the current user
- main.py: include google_email in user_context for system prompt
- agentcore.json: add OAUTH_START_URL env var for agent runtime
2026-05-06 21:42:33 -05:00


{
"Description": "agent-claw: serverless personal assistant on AgentCore",
"Resources": {
"SessionStore8C86EEFE": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "actor_id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "actor_id",
"KeyType": "HASH"
}
],
"TableName": "agent-claw-sessions",
"TimeToLiveSpecification": {
"AttributeName": "ttl",
"Enabled": true
}
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "AgentClawStack/SessionStore/Resource"
}
},
"UsersTable9725E9C8": {
"Type": "AWS::DynamoDB::Table",
"Properties": {
"AttributeDefinitions": [
{
"AttributeName": "actor_id",
"AttributeType": "S"
}
],
"BillingMode": "PAY_PER_REQUEST",
"KeySchema": [
{
"AttributeName": "actor_id",
"KeyType": "HASH"
}
],
"TableName": "agent-claw-users"
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain",
"Metadata": {
"aws:cdk:path": "AgentClawStack/UsersTable/Resource"
}
},
"MessageQueue7A3BF959": {
"Type": "AWS::SQS::Queue",
"Properties": {
"ContentBasedDeduplication": false,
"FifoQueue": true,
"QueueName": "agent-claw-messages.fifo",
"ReceiveMessageWaitTimeSeconds": 20,
"VisibilityTimeout": 900
},
"UpdateReplacePolicy": "Delete",
"DeletionPolicy": "Delete",
"Metadata": {
"aws:cdk:path": "AgentClawStack/MessageQueue/Resource"
}
},
"TgIngestServiceRoleB96980B6": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/TgIngest/ServiceRole/Resource"
}
},
"TgIngestServiceRoleDefaultPolicyCC51E135": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"sqs:SendMessage",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MessageQueue7A3BF959",
"Arn"
]
}
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3"
}
],
"Version": "2012-10-17"
},
"PolicyName": "TgIngestServiceRoleDefaultPolicyCC51E135",
"Roles": [
{
"Ref": "TgIngestServiceRoleB96980B6"
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/TgIngest/ServiceRole/DefaultPolicy/Resource"
}
},
"TgIngest4CB35C2F": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1",
"S3Key": "8da48fd743d1e2cb70d8d1935cee795b6f8cf02609db05e2b8f28449be9ef875.zip"
},
"Environment": {
"Variables": {
"MESSAGE_QUEUE_URL": {
"Ref": "MessageQueue7A3BF959"
},
"TELEGRAM_BOT_TOKEN_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3",
"TELEGRAM_WEBHOOK_SECRET": ""
}
},
"FunctionName": "agent-claw-tg-ingest",
"Handler": "handler.handler",
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"TgIngestServiceRoleB96980B6",
"Arn"
]
},
"Runtime": "python3.12",
"Timeout": 10
},
"DependsOn": [
"TgIngestServiceRoleDefaultPolicyCC51E135",
"TgIngestServiceRoleB96980B6"
],
"Metadata": {
"aws:cdk:path": "AgentClawStack/TgIngest/Resource",
"aws:asset:path": "asset.8da48fd743d1e2cb70d8d1935cee795b6f8cf02609db05e2b8f28449be9ef875",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code"
}
},
"AgentRunnerServiceRole40CA0A00": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/AgentRunner/ServiceRole/Resource"
}
},
"AgentRunnerServiceRoleDefaultPolicyA584A5CF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SessionStore8C86EEFE",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"SessionStore8C86EEFE",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"UsersTable9725E9C8",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"UsersTable9725E9C8",
"Arn"
]
}
]
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::agent-claw-workspace-495395224548"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::agent-claw-workspace-495395224548/*"
]
]
}
]
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi"
},
{
"Action": [
"sqs:ReceiveMessage",
"sqs:ChangeMessageVisibility",
"sqs:GetQueueUrl",
"sqs:DeleteMessage",
"sqs:GetQueueAttributes"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"MessageQueue7A3BF959",
"Arn"
]
}
},
{
"Action": "bedrock-agentcore:InvokeAgentRuntime",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "AgentRunnerServiceRoleDefaultPolicyA584A5CF",
"Roles": [
{
"Ref": "AgentRunnerServiceRole40CA0A00"
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/AgentRunner/ServiceRole/DefaultPolicy/Resource"
}
},
"AgentRunnerBDE3FA56": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1",
"S3Key": "6f6fdf79f33a947f3e50ffd783a72d04ab5f29ba299a5d51b3ecd2c2eb311370.zip"
},
"Environment": {
"Variables": {
"SESSION_TABLE_NAME": {
"Ref": "SessionStore8C86EEFE"
},
"WORKSPACE_BUCKET_NAME": "agent-claw-workspace-495395224548",
"TELEGRAM_BOT_TOKEN_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3",
"BRAVE_API_KEY_SECRET_ARN": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi",
"RUNTIME_1_ARN": "arn:aws:bedrock-agentcore:us-east-1:495395224548:runtime/agentclaw_agent_claw_main-vTRGIEG6ON",
"AWS_REGION_NAME": "us-east-1",
"USERS_TABLE_NAME": {
"Ref": "UsersTable9725E9C8"
},
"WORKSPACE_MCP_URL": "https://25hugrzw4uwtueeg77jsmft6lq0wunmd.lambda-url.us-east-1.on.aws/mcp"
}
},
"FunctionName": "agent-claw-agent-runner",
"Handler": "handler.handler",
"MemorySize": 256,
"Role": {
"Fn::GetAtt": [
"AgentRunnerServiceRole40CA0A00",
"Arn"
]
},
"Runtime": "python3.12",
"Timeout": 900
},
"DependsOn": [
"AgentRunnerServiceRoleDefaultPolicyA584A5CF",
"AgentRunnerServiceRole40CA0A00"
],
"Metadata": {
"aws:cdk:path": "AgentClawStack/AgentRunner/Resource",
"aws:asset:path": "asset.6f6fdf79f33a947f3e50ffd783a72d04ab5f29ba299a5d51b3ecd2c2eb311370",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code"
}
},
"AgentRunnerSqsEventSourceAgentClawStackMessageQueue9AF4DF234671B32B": {
"Type": "AWS::Lambda::EventSourceMapping",
"Properties": {
"BatchSize": 10,
"Enabled": true,
"EventSourceArn": {
"Fn::GetAtt": [
"MessageQueue7A3BF959",
"Arn"
]
},
"FunctionName": {
"Ref": "AgentRunnerBDE3FA56"
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/AgentRunner/SqsEventSource:AgentClawStackMessageQueue9AF4DF23/Resource"
}
},
"WebhookApi28122C53": {
"Type": "AWS::ApiGatewayV2::Api",
"Properties": {
"Name": "agent-claw-webhook",
"ProtocolType": "HTTP"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/Resource"
}
},
"WebhookApiDefaultStageC0BC9CA5": {
"Type": "AWS::ApiGatewayV2::Stage",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"AutoDeploy": true,
"StageName": "$default"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/DefaultStage/Resource"
}
},
"WebhookApiPOSTtelegramTgIngestIntegration9EE5BB85": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::GetAtt": [
"TgIngest4CB35C2F",
"Arn"
]
},
"PayloadFormatVersion": "2.0"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/TgIngestIntegration/Resource"
}
},
"WebhookApiPOSTtelegramTgIngestIntegrationPermissionFEBC2E3B": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"TgIngest4CB35C2F",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:us-east-1:495395224548:",
{
"Ref": "WebhookApi28122C53"
},
"/*/*/telegram"
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/TgIngestIntegration-Permission"
}
},
"WebhookApiPOSTtelegramF7127CFF": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"AuthorizationType": "NONE",
"RouteKey": "POST /telegram",
"Target": {
"Fn::Join": [
"",
[
"integrations/",
{
"Ref": "WebhookApiPOSTtelegramTgIngestIntegration9EE5BB85"
}
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/POST--telegram/Resource"
}
},
"WebhookApiGEToauthstartOAuthStartIntegrationA546443F": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::GetAtt": [
"OAuthHandlerC97C2476",
"Arn"
]
},
"PayloadFormatVersion": "2.0"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/OAuthStartIntegration/Resource"
}
},
"WebhookApiGEToauthstartOAuthStartIntegrationPermission38BAEF6D": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"OAuthHandlerC97C2476",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:us-east-1:495395224548:",
{
"Ref": "WebhookApi28122C53"
},
"/*/*/oauth/start"
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/OAuthStartIntegration-Permission"
}
},
"WebhookApiGEToauthstart6DCA713A": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"AuthorizationType": "NONE",
"RouteKey": "GET /oauth/start",
"Target": {
"Fn::Join": [
"",
[
"integrations/",
{
"Ref": "WebhookApiGEToauthstartOAuthStartIntegrationA546443F"
}
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--start/Resource"
}
},
"WebhookApiGEToauthcallbackOAuthCallbackIntegrationCFBBEB09": {
"Type": "AWS::ApiGatewayV2::Integration",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"IntegrationType": "AWS_PROXY",
"IntegrationUri": {
"Fn::GetAtt": [
"OAuthHandlerC97C2476",
"Arn"
]
},
"PayloadFormatVersion": "2.0"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/OAuthCallbackIntegration/Resource"
}
},
"WebhookApiGEToauthcallbackOAuthCallbackIntegrationPermission6BA3A5AD": {
"Type": "AWS::Lambda::Permission",
"Properties": {
"Action": "lambda:InvokeFunction",
"FunctionName": {
"Fn::GetAtt": [
"OAuthHandlerC97C2476",
"Arn"
]
},
"Principal": "apigateway.amazonaws.com",
"SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":execute-api:us-east-1:495395224548:",
{
"Ref": "WebhookApi28122C53"
},
"/*/*/oauth/callback"
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/OAuthCallbackIntegration-Permission"
}
},
"WebhookApiGEToauthcallbackFC1F6BCD": {
"Type": "AWS::ApiGatewayV2::Route",
"Properties": {
"ApiId": {
"Ref": "WebhookApi28122C53"
},
"AuthorizationType": "NONE",
"RouteKey": "GET /oauth/callback",
"Target": {
"Fn::Join": [
"",
[
"integrations/",
{
"Ref": "WebhookApiGEToauthcallbackOAuthCallbackIntegrationCFBBEB09"
}
]
]
}
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WebhookApi/GET--oauth--callback/Resource"
}
},
"Runtime1RoleA7A82078": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "bedrock-agentcore.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Description": "Execution role for agent-claw Runtime 1 (main assistant)"
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/Runtime1Role/Resource"
}
},
"Runtime1RoleDefaultPolicy1A3D5ACF": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"s3:GetObject*",
"s3:GetBucket*",
"s3:List*"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::agent-claw-workspace-495395224548"
]
]
},
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":s3:::agent-claw-workspace-495395224548/*"
]
]
}
]
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/telegram-bot-token-Oq3in3"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/brave-api-key-uUSgzi"
},
{
"Action": [
"bedrock-agentcore:CreateEvent",
"bedrock-agentcore:ListEvents",
"bedrock-agentcore:RetrieveMemoryRecords"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "lambda:InvokeFunctionUrl",
"Condition": {
"StringEquals": {
"lambda:FunctionUrlAuthType": "AWS_IAM"
}
},
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":lambda:us-east-1:495395224548:function:agent-claw-workspace-mcp"
]
]
},
"Sid": "WorkspaceMcpInvoke"
},
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
]
]
}
},
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*",
"Sid": "PerUserGoogleCredentialsReadRuntime"
}
],
"Version": "2012-10-17"
},
"PolicyName": "Runtime1RoleDefaultPolicy1A3D5ACF",
"Roles": [
{
"Ref": "Runtime1RoleA7A82078"
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/Runtime1Role/DefaultPolicy/Resource"
}
},
"WorkspaceMcpRolePolicy5B8B0072": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
]
]
}
},
{
"Action": "secretsmanager:GetSecretValue",
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*",
"Sid": "PerUserGoogleCredentialsRead"
}
],
"Version": "2012-10-17"
},
"PolicyName": "WorkspaceMcpRolePolicy5B8B0072",
"Roles": [
"agent-claw-workspace-mcp-role"
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/WorkspaceMcpRole/Policy/Resource"
}
},
"OAuthHandlerServiceRole9CDCCF9E": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/OAuthHandler/ServiceRole/Resource"
}
},
"OAuthHandlerServiceRoleDefaultPolicy69D90416": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client-??????"
]
]
}
},
{
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:ConditionCheckItem",
"dynamodb:BatchWriteItem",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:DescribeTable"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"UsersTable9725E9C8",
"Arn"
]
}
]
},
{
"Action": [
"dynamodb:GetRecords",
"dynamodb:GetShardIterator"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"UsersTable9725E9C8",
"Arn"
]
}
]
},
{
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": "arn:aws:secretsmanager:us-east-1:495395224548:secret:agent-claw/google-credentials/*",
"Sid": "PerUserGoogleCredentialsWrite"
}
],
"Version": "2012-10-17"
},
"PolicyName": "OAuthHandlerServiceRoleDefaultPolicy69D90416",
"Roles": [
{
"Ref": "OAuthHandlerServiceRole9CDCCF9E"
}
]
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/OAuthHandler/ServiceRole/DefaultPolicy/Resource"
}
},
"OAuthHandlerC97C2476": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"S3Bucket": "cdk-hnb659fds-assets-495395224548-us-east-1",
"S3Key": "5be87975e51a6859dfad098b3d998a0bcd09a4f9a437bbf38923338fb559eb9e.zip"
},
"Environment": {
"Variables": {
"GOOGLE_OAUTH_CLIENT_SECRET_ARN": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":secretsmanager:us-east-1:495395224548:secret:agent-claw/google-oauth-client"
]
]
},
"USERS_TABLE_NAME": {
"Ref": "UsersTable9725E9C8"
},
"OAUTH_REDIRECT_URI": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "WebhookApi28122C53"
},
".execute-api.us-east-1.",
{
"Ref": "AWS::URLSuffix"
},
"/oauth/callback"
]
]
}
}
},
"FunctionName": "agent-claw-oauth-handler",
"Handler": "handler.handler",
"MemorySize": 128,
"Role": {
"Fn::GetAtt": [
"OAuthHandlerServiceRole9CDCCF9E",
"Arn"
]
},
"Runtime": "python3.12",
"Timeout": 30
},
"DependsOn": [
"OAuthHandlerServiceRoleDefaultPolicy69D90416",
"OAuthHandlerServiceRole9CDCCF9E"
],
"Metadata": {
"aws:cdk:path": "AgentClawStack/OAuthHandler/Resource",
"aws:asset:path": "asset.5be87975e51a6859dfad098b3d998a0bcd09a4f9a437bbf38923338fb559eb9e",
"aws:asset:is-bundled": false,
"aws:asset:property": "Code"
}
},
"CDKMetadata": {
"Type": "AWS::CDK::Metadata",
"Properties": {
"Analytics": "v2:deflate64:H4sIAAAAAAAA/22PwU7DMAyGn2X31IxuPMCGQHBAjI775KZela1NSu1sqqK8O0rKOCBO/+ff+WO7hPKhhOUCr1zo5lx0poawF9RnVRE7P2pSeOVD4BVsvT6TbJFJNZPF3jU1hE+sO1KPR5shKv5iCB+efDYzRNVhXzcI4dlbLcbZ1PrlpwtZ2edRbzgMxrap/b+7o7E3zCl2y6d9ojLYQ6jcvErWneuMnnIoU1S8OiAzCcMmicLBtCh0xelSQngRGTaDSYEkqdwLtvnDGZJVOS8zvVqhdsTbOX/K/C5GlSel+M8B714GL1FZ1xCc+O5SruF+DcvFiY0pRm/F9ATVrN8RDS1cnQEAAA=="
},
"Metadata": {
"aws:cdk:path": "AgentClawStack/CDKMetadata/Default"
}
}
},
"Outputs": {
"WorkspaceMcpFunctionUrl": {
"Description": "workspace-mcp Lambda Function URL (MCP endpoint for Gmail/Calendar)",
"Value": "https://25hugrzw4uwtueeg77jsmft6lq0wunmd.lambda-url.us-east-1.on.aws"
},
"OAuthStartUrl": {
"Description": "Google OAuth start URL — set as OAUTH_START_URL in agentcore.json",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "WebhookApi28122C53"
},
".execute-api.us-east-1.",
{
"Ref": "AWS::URLSuffix"
},
"/oauth/start"
]
]
}
},
"OAuthRedirectUri": {
"Description": "Google OAuth redirect URI — register in Google Cloud Console",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "WebhookApi28122C53"
},
".execute-api.us-east-1.",
{
"Ref": "AWS::URLSuffix"
},
"/oauth/callback"
]
]
}
},
"WebhookUrl": {
"Description": "Register this URL with Telegram BotFather as webhook endpoint",
"Value": {
"Fn::Join": [
"",
[
"https://",
{
"Ref": "WebhookApi28122C53"
},
".execute-api.us-east-1.",
{
"Ref": "AWS::URLSuffix"
},
"/telegram"
]
]
}
},
"WorkspaceBucketName": {
"Description": "S3 bucket containing agent workspace files",
"Value": "agent-claw-workspace-495395224548"
},
"SessionTableName": {
"Description": "DynamoDB table for session mapping",
"Value": {
"Ref": "SessionStore8C86EEFE"
}
},
"UsersTableName": {
"Description": "DynamoDB user registry table",
"Value": {
"Ref": "UsersTable9725E9C8"
}
},
"MessageQueueUrl": {
"Description": "SQS FIFO queue for incoming messages",
"Value": {
"Ref": "MessageQueue7A3BF959"
}
},
"Runtime1RoleArn": {
"Description": "IAM execution role ARN for AgentCore Runtime 1",
"Value": {
"Fn::GetAtt": [
"Runtime1RoleA7A82078",
"Arn"
]
}
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}