aws-sdk-bedrockagentcorecontrol 1.50.0 → 1.52.0

data/lib/aws-sdk-bedrockagentcorecontrol/types.rb

@@ -555,11 +555,26 @@ module Aws::BedrockAgentCoreControl
     #   authenticate your application.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret for the Atlassian OAuth2
+    #   provider. Use `MANAGED` if the secret is managed by the service, or
+    #   `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/AtlassianOauth2ProviderConfigInput AWS API Documentation
     #
     class AtlassianOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -1181,16 +1196,46 @@ module Aws::BedrockAgentCoreControl
     #   The API key secret provided by Coinbase Developer Platform.
     #   @return [String]
     #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret for the Coinbase Developer
+    #   Platform. Use `MANAGED` if the secret is managed by the service, or
+    #   `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
+    # @!attribute [rw] api_key_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the API
+    #   key secret. This includes the secret ID and the JSON key used to
+    #   extract the API key secret value from the secret. Required when
+    #   `apiKeySecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
     # @!attribute [rw] wallet_secret
     #   The wallet secret provided by Coinbase Developer Platform.
     #   @return [String]
     #
+    # @!attribute [rw] wallet_secret_source
+    #   The source type of the wallet secret for the Coinbase Developer
+    #   Platform. Use `MANAGED` if the secret is managed by the service, or
+    #   `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
+    # @!attribute [rw] wallet_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the wallet
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the wallet secret value from the secret. Required when
+    #   `walletSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/CoinbaseCdpConfigurationInput AWS API Documentation
     #
     class CoinbaseCdpConfigurationInput < Struct.new(
       :api_key_id,
       :api_key_secret,
-      :wallet_secret)
+      :api_key_secret_source,
+      :api_key_secret_config,
+      :wallet_secret,
+      :wallet_secret_source,
+      :wallet_secret_config)
       SENSITIVE = [:api_key_secret, :wallet_secret]
       include Aws::Structure
     end
@@ -1205,16 +1250,42 @@ module Aws::BedrockAgentCoreControl
     #   Contains information about a secret in AWS Secrets Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] api_key_secret_json_key
+    #   The JSON key used to extract the API key secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Either `MANAGED` if the
+    #   secret is managed by the service, or `EXTERNAL` if managed by the
+    #   user in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] wallet_secret_arn
     #   Contains information about a secret in AWS Secrets Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] wallet_secret_json_key
+    #   The JSON key used to extract the wallet secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] wallet_secret_source
+    #   The source type of the wallet secret. Either `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if managed by the user in
+    #   AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/CoinbaseCdpConfigurationOutput AWS API Documentation
     #
     class CoinbaseCdpConfigurationOutput < Struct.new(
       :api_key_id,
       :api_key_secret_arn,
-      :wallet_secret_arn)
+      :api_key_secret_json_key,
+      :api_key_secret_source,
+      :wallet_secret_arn,
+      :wallet_secret_json_key,
+      :wallet_secret_source)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1711,6 +1782,19 @@ module Aws::BedrockAgentCoreControl
     #   stored securely.
     #   @return [String]
     #
+    # @!attribute [rw] api_key_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the API
+    #   key. This includes the secret ID and the JSON key used to extract
+    #   the API key value from the secret. Required when
+    #   `apiKeySecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Use `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] tags
     #   A map of tag keys and values to assign to the API key credential
     #   provider. Tags enable you to categorize your resources in different
@@ -1722,6 +1806,8 @@ module Aws::BedrockAgentCoreControl
     class CreateApiKeyCredentialProviderRequest < Struct.new(
       :name,
       :api_key,
+      :api_key_secret_config,
+      :api_key_secret_source,
       :tags)
       SENSITIVE = [:api_key]
       include Aws::Structure
@@ -1731,6 +1817,17 @@ module Aws::BedrockAgentCoreControl
     #   The Amazon Resource Name (ARN) of the secret containing the API key.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] api_key_secret_json_key
+    #   The JSON key used to extract the API key value from the AWS Secrets
+    #   Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Either `MANAGED` if the
+    #   secret is managed by the service, or `EXTERNAL` if managed by the
+    #   user in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the created API key credential provider.
     #   @return [String]
@@ -1744,6 +1841,8 @@ module Aws::BedrockAgentCoreControl
     #
     class CreateApiKeyCredentialProviderResponse < Struct.new(
       :api_key_secret_arn,
+      :api_key_secret_json_key,
+      :api_key_secret_source,
       :name,
       :credential_provider_arn)
       SENSITIVE = []
@@ -2088,15 +2187,24 @@ module Aws::BedrockAgentCoreControl
     end
 
     # @!attribute [rw] client_token
-    #   Optional idempotency token.
+    #   A unique, case-sensitive identifier to ensure that the API request
+    #   completes no more than one time. If you don't specify this field, a
+    #   value is randomly generated for you. If this token matches a
+    #   previous request, the service ignores the request, but doesn't
+    #   return an error. For more information, see [Ensuring
+    #   idempotency][1].
     #
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html
     #   @return [String]
     #
     # @!attribute [rw] dataset_name
-    #   Human-readable name for the dataset. Unique within the account
-    #   (case-insensitive). Immutable after creation.
+    #   Human-readable name for the dataset. Must be unique within the
+    #   account. Immutable after creation.
     #   @return [String]
     #
     # @!attribute [rw] description
@@ -2114,7 +2222,8 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] kms_key_arn
-    #   Optional AWS KMS key ARN for SSE-KMS on service S3 writes.
+    #   Optional KMS key ARN for server-side encryption on service Amazon S3
+    #   writes.
     #   @return [String]
     #
     # @!attribute [rw] tags
@@ -2144,8 +2253,8 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] status
-    #   Always CREATING immediately after this call. Poll GetDataset until
-    #   status == ACTIVE (draftStatus=MODIFIED) or CREATE\_FAILED.
+    #   Always CREATING immediately after this call. Poll `GetDataset` until
+    #   status transitions to ACTIVE or CREATE\_FAILED.
     #   @return [String]
     #
     # @!attribute [rw] created_at
@@ -2201,12 +2310,12 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] status
-    #   Always UPDATING immediately after this call. Poll GetDataset until
-    #   status == ACTIVE (draftStatus=UNMODIFIED) or UPDATE\_FAILED.
+    #   Always UPDATING immediately after this call. Poll `GetDataset` until
+    #   status transitions to ACTIVE or UPDATE\_FAILED.
     #   @return [String]
     #
     # @!attribute [rw] dataset_version
-    #   The version being created.
+    #   The version number being created.
     #   @return [String]
     #
     # @!attribute [rw] created_at
@@ -3058,6 +3167,17 @@ module Aws::BedrockAgentCoreControl
     #   Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] client_secret_json_key
+    #   The JSON key used to extract the client secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Either `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if managed by the user in
+    #   AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the OAuth2 credential provider.
     #   @return [String]
@@ -3084,6 +3204,8 @@ module Aws::BedrockAgentCoreControl
     #
     class CreateOauth2CredentialProviderResponse < Struct.new(
       :client_secret_arn,
+      :client_secret_json_key,
+      :client_secret_source,
       :name,
       :credential_provider_arn,
       :callback_url,
@@ -4427,16 +4549,18 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the custom OAuth2 provider.
     #   @return [String]
     #
-    # @!attribute [rw] private_endpoint
-    #   The default private endpoint for the custom OAuth2 provider,
-    #   enabling secure connectivity through a VPC Lattice resource
-    #   configuration.
-    #   @return [Types::PrivateEndpoint]
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
     #
-    # @!attribute [rw] private_endpoint_overrides
-    #   The private endpoint overrides for the custom OAuth2 provider
-    #   configuration.
-    #   @return [Array<Types::PrivateEndpointOverride>]
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
     #
     # @!attribute [rw] on_behalf_of_token_exchange_config
     #   The configuration for on-behalf-of token exchange. This enables
@@ -4449,16 +4573,29 @@ module Aws::BedrockAgentCoreControl
     #   token endpoint.
     #   @return [String]
     #
+    # @!attribute [rw] private_endpoint
+    #   The default private endpoint for the custom OAuth2 provider,
+    #   enabling secure connectivity through a VPC Lattice resource
+    #   configuration.
+    #   @return [Types::PrivateEndpoint]
+    #
+    # @!attribute [rw] private_endpoint_overrides
+    #   The private endpoint overrides for the custom OAuth2 provider
+    #   configuration.
+    #   @return [Array<Types::PrivateEndpointOverride>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/CustomOauth2ProviderConfigInput AWS API Documentation
     #
     class CustomOauth2ProviderConfigInput < Struct.new(
       :oauth_discovery,
       :client_id,
       :client_secret,
-      :private_endpoint,
-      :private_endpoint_overrides,
+      :client_secret_config,
+      :client_secret_source,
       :on_behalf_of_token_exchange_config,
-      :client_authentication_method)
+      :client_authentication_method,
+      :private_endpoint,
+      :private_endpoint_overrides)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -4583,8 +4720,7 @@ module Aws::BedrockAgentCoreControl
     #   @return [Types::InlineExamplesSource]
     #
     # @!attribute [rw] s3_source
-    #   S3 URI pointing to a JSONL file in the customer's bucket. The
-    #   service reads this file using the caller's FAS credentials.
+    #   Amazon S3 URI pointing to a JSONL file in the customer's bucket.
     #   @return [Types::S3Source]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/DataSourceType AWS API Documentation
@@ -4625,7 +4761,7 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] draft_status
-    #   Publish synchronization state. Only authoritative when status ==
+    #   Publish synchronization state. Only authoritative when status is
     #   ACTIVE.
     #   @return [String]
     #
@@ -4665,23 +4801,7 @@ module Aws::BedrockAgentCoreControl
     # Summary information about a published dataset version.
     #
     # @!attribute [rw] dataset_version
-    #   Dataset version identifier. Accepts "DRAFT" or a non-negative
-    #   integer string.
-    #
-    #   "DRAFT" refers to the single mutable working copy of the dataset.
-    #
-    #   * Always present after CreateDataset ingestion completes.
-    #   * Content changes in-place when examples are added, updated, or
-    #     deleted.
-    #   * NOT tracked as a DDB DatasetVersionItem — state lives in S3
-    #     (draft/manifest.json, draft/dataset.jsonl) and the
-    #     DatasetItem.exampleCount field.
-    #   * Default for read operations when ?datasetVersion is absent.
-    #
-    #   An integer string (e.g. "1", "2", "3") refers to a published,
-    #   immutable snapshot created by CreateDatasetVersion. Once created, a
-    #   published version's content never changes. Stored as a DDB
-    #   DatasetVersionItem (SK=VERSION#\{zero-padded-N}).
+    #   The version number of this published snapshot.
     #   @return [String]
     #
     # @!attribute [rw] example_count
@@ -5060,9 +5180,8 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] dataset_version
-    #   Optional version to delete. Use "DRAFT" or omit to delete the draft.
-    #   Returns ResourceNotFoundException if the specified version does not
-    #   exist.
+    #   Optional version to delete. If absent, deletes the entire dataset.
+    #   If provided, deletes only that specific version.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/DeleteDatasetRequest AWS API Documentation
@@ -5087,7 +5206,7 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] dataset_version
-    #   The version deleted.
+    #   The version that was deleted.
     #   @return [String]
     #
     # @!attribute [rw] updated_at
@@ -7004,6 +7123,17 @@ module Aws::BedrockAgentCoreControl
     #   Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] api_key_secret_json_key
+    #   The JSON key used to extract the API key value from the AWS Secrets
+    #   Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Either `MANAGED` if the
+    #   secret is managed by the service, or `EXTERNAL` if managed by the
+    #   user in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the API key credential provider.
     #   @return [String]
@@ -7024,6 +7154,8 @@ module Aws::BedrockAgentCoreControl
     #
     class GetApiKeyCredentialProviderResponse < Struct.new(
       :api_key_secret_arn,
+      :api_key_secret_json_key,
+      :api_key_secret_source,
       :name,
       :credential_provider_arn,
       :created_time,
@@ -7420,8 +7552,8 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] dataset_version
-    #   Version to retrieve: "DRAFT" or a version number. Defaults to DRAFT
-    #   if absent.
+    #   Version to retrieve: "DRAFT" or a version number. Defaults to
+    #   DRAFT if absent.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/GetDatasetRequest AWS API Documentation
@@ -7459,15 +7591,14 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] draft_status
-    #   Publish synchronization state. Only authoritative when status ==
-    #   ACTIVE. MODIFIED — DRAFT has unpublished changes (or no published
-    #   versions yet). UNMODIFIED — DRAFT matches the latest published
-    #   version exactly.
+    #   Publish synchronization state. Only authoritative when status is
+    #   ACTIVE. MODIFIED indicates DRAFT has unpublished changes. UNMODIFIED
+    #   indicates DRAFT matches the latest published version.
     #   @return [String]
     #
     # @!attribute [rw] failure_reason
     #   Populated when status is CREATE\_FAILED, UPDATE\_FAILED, or
-    #   DELETE\_FAILED.
+    #   DELETE\_FAILED. Describes the reason for the failure.
     #   @return [String]
     #
     # @!attribute [rw] schema_type
@@ -7475,23 +7606,22 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] kms_key_arn
-    #   AWS KMS key ARN used for SSE-KMS on service S3 writes, if
-    #   configured.
+    #   KMS key ARN used for server-side encryption on service Amazon S3
+    #   writes, if configured.
     #   @return [String]
     #
     # @!attribute [rw] example_count
-    #   Example count for DRAFT.
+    #   The number of examples in the DRAFT.
     #   @return [Integer]
     #
     # @!attribute [rw] download_url
-    #   Presigned S3 URL to download the consolidated dataset.jsonl file for
-    #   the resolved version (DRAFT or published). TTL: 5 minutes. Omitted
-    #   if the file does not yet exist (e.g. during CREATING) or on presign
-    #   failure.
+    #   Presigned Amazon S3 URL to download the consolidated dataset file
+    #   for the resolved version. Expires after 5 minutes. Omitted if the
+    #   file does not yet exist.
     #   @return [String]
     #
     # @!attribute [rw] download_url_expires_at
-    #   Expiry timestamp for downloadUrl.
+    #   Expiry timestamp for the download URL.
     #   @return [Time]
     #
     # @!attribute [rw] created_at
@@ -8002,6 +8132,17 @@ module Aws::BedrockAgentCoreControl
     #   Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] client_secret_json_key
+    #   The JSON key used to extract the client secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Either `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if managed by the user in
+    #   AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the OAuth2 credential provider.
     #   @return [String]
@@ -8045,6 +8186,8 @@ module Aws::BedrockAgentCoreControl
     #
     class GetOauth2CredentialProviderResponse < Struct.new(
       :client_secret_arn,
+      :client_secret_json_key,
+      :client_secret_source,
       :name,
       :credential_provider_arn,
       :credential_provider_vendor,
@@ -9132,11 +9275,26 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the GitHub OAuth2 provider.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/GithubOauth2ProviderConfigInput AWS API Documentation
     #
     class GithubOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -9170,11 +9328,26 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the Google OAuth2 provider.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/GoogleOauth2ProviderConfigInput AWS API Documentation
     #
     class GoogleOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -10280,6 +10453,19 @@ module Aws::BedrockAgentCoreControl
     #   authenticate your application.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] issuer
     #   Token issuer of your isolated OAuth2 application tenant. This URL
     #   identifies the authorization server that issues tokens for this
@@ -10302,6 +10488,8 @@ module Aws::BedrockAgentCoreControl
     class IncludedOauth2ProviderConfigInput < Struct.new(
       :client_id,
       :client_secret,
+      :client_secret_config,
+      :client_secret_source,
       :issuer,
       :authorization_endpoint,
       :token_endpoint)
@@ -10604,11 +10792,26 @@ module Aws::BedrockAgentCoreControl
     #   authenticate your application.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/LinkedinOauth2ProviderConfigInput AWS API Documentation
     #
     class LinkedinOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -11005,17 +11208,13 @@ module Aws::BedrockAgentCoreControl
     #   @return [String]
     #
     # @!attribute [rw] dataset_version
-    #   Version to paginate: "DRAFT" or a version number. Defaults to DRAFT
-    #   if absent. Only used on the first request (when nextToken is
-    #   absent). For subsequent pages, the version is extracted from the
-    #   nextToken and this parameter is ignored.
+    #   Version to paginate: "DRAFT" or a version number. Defaults to
+    #   DRAFT if absent. Only used on the first request; for subsequent
+    #   pages, the version is extracted from the pagination token.
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   Maximum number of examples to return per page. Default: 1000. Min:
-    #   1, max: 1000. Response size is validated against 5 MB limit after
-    #   reading. For bulk access to all examples, use the `downloadUrl`
-    #   field from GetDataset.
+    #   Maximum number of examples to return per page.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
@@ -12864,9 +13063,14 @@ module Aws::BedrockAgentCoreControl
     #   The MetadataValueType.
     #   @return [String]
     #
+    # @!attribute [rw] extraction_type
+    #   Specifies whether the metadata value is extracted by the LLM or
+    #   passed through deterministically from the event.
+    #   @return [String]
+    #
     # @!attribute [rw] extraction_config
     #   Configuration for extracting this metadata value from conversational
-    #   content.
+    #   content. Applicable only if extractionType is LLM inferred.
     #   @return [Types::ExtractionConfig]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/MetadataSchemaEntry AWS API Documentation
@@ -12874,6 +13078,7 @@ module Aws::BedrockAgentCoreControl
     class MetadataSchemaEntry < Struct.new(
       :key,
       :type,
+      :extraction_type,
       :extraction_config)
       SENSITIVE = []
       include Aws::Structure
@@ -12889,6 +13094,19 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the Microsoft OAuth2 provider.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] tenant_id
     #   The Microsoft Entra ID (formerly Azure AD) tenant ID for your
     #   organization. This identifies the specific tenant within
@@ -12900,6 +13118,8 @@ module Aws::BedrockAgentCoreControl
     class MicrosoftOauth2ProviderConfigInput < Struct.new(
       :client_id,
       :client_secret,
+      :client_secret_config,
+      :client_secret_source,
       :tenant_id)
       SENSITIVE = [:client_secret]
       include Aws::Structure
@@ -15026,11 +15246,11 @@ module Aws::BedrockAgentCoreControl
       include Aws::Structure
     end
 
-    # S3 location of a JSONL file containing dataset examples.
+    # Amazon S3 location of a JSONL file containing dataset examples.
     #
     # @!attribute [rw] s3_uri
-    #   S3 URI of the JSONL file (e.g.
-    #   s3://my-bucket/path/to/examples.jsonl).
+    #   Amazon S3 URI of the JSONL file (for example,
+    #   `s3://my-bucket/path/to/examples.jsonl`).
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/S3Source AWS API Documentation
@@ -15051,11 +15271,26 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the Salesforce OAuth2 provider.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/SalesforceOauth2ProviderConfigInput AWS API Documentation
     #
     class SalesforceOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -15149,6 +15384,27 @@ module Aws::BedrockAgentCoreControl
       include Aws::Structure
     end
 
+    # Contains a reference to a secret stored in AWS Secrets Manager.
+    #
+    # @!attribute [rw] secret_id
+    #   The ID of the AWS Secrets Manager secret that stores the secret
+    #   value.
+    #   @return [String]
+    #
+    # @!attribute [rw] json_key
+    #   The JSON key used to extract the secret value from the AWS Secrets
+    #   Manager secret.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/SecretReference AWS API Documentation
+    #
+    class SecretReference < Struct.new(
+      :secret_id,
+      :json_key)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The Amazon Web Services Secrets Manager location configuration.
     #
     # @!attribute [rw] secret_arn
@@ -15557,11 +15813,26 @@ module Aws::BedrockAgentCoreControl
     #   The client secret for the Slack OAuth2 provider.
     #   @return [String]
     #
+    # @!attribute [rw] client_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the client
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the client secret value from the secret. Required when
+    #   `clientSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/SlackOauth2ProviderConfigInput AWS API Documentation
     #
     class SlackOauth2ProviderConfigInput < Struct.new(
       :client_id,
-      :client_secret)
+      :client_secret,
+      :client_secret_config,
+      :client_secret_source)
       SENSITIVE = [:client_secret]
       include Aws::Structure
     end
@@ -15856,10 +16127,37 @@ module Aws::BedrockAgentCoreControl
     #   The app secret provided by Privy.
     #   @return [String]
     #
+    # @!attribute [rw] app_secret_source
+    #   The source type of the app secret. Use `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
+    # @!attribute [rw] app_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the app
+    #   secret. This includes the secret ID and the JSON key used to extract
+    #   the app secret value from the secret. Required when
+    #   `appSecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
     # @!attribute [rw] authorization_private_key
     #   The authorization private key for the Stripe Privy integration.
     #   @return [String]
     #
+    # @!attribute [rw] authorization_private_key_source
+    #   The source type of the authorization private key. Use `MANAGED` if
+    #   the secret is managed by the service, or `EXTERNAL` if you manage
+    #   the secret yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
+    # @!attribute [rw] authorization_private_key_config
+    #   A reference to the AWS Secrets Manager secret that stores the
+    #   authorization private key. This includes the secret ID and the JSON
+    #   key used to extract the authorization private key value from the
+    #   secret. Required when `authorizationPrivateKeySource` is set to
+    #   `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
     # @!attribute [rw] authorization_id
     #   The authorization ID for the Stripe Privy integration.
     #   @return [String]
@@ -15869,7 +16167,11 @@ module Aws::BedrockAgentCoreControl
     class StripePrivyConfigurationInput < Struct.new(
       :app_id,
       :app_secret,
+      :app_secret_source,
+      :app_secret_config,
       :authorization_private_key,
+      :authorization_private_key_source,
+      :authorization_private_key_config,
       :authorization_id)
       SENSITIVE = [:app_secret, :authorization_private_key]
       include Aws::Structure
@@ -15885,10 +16187,32 @@ module Aws::BedrockAgentCoreControl
     #   Contains information about a secret in AWS Secrets Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] app_secret_json_key
+    #   The JSON key used to extract the app secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] app_secret_source
+    #   The source type of the app secret. Either `MANAGED` if the secret is
+    #   managed by the service, or `EXTERNAL` if managed by the user in AWS
+    #   Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] authorization_private_key_arn
     #   Contains information about a secret in AWS Secrets Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] authorization_private_key_json_key
+    #   The JSON key used to extract the authorization private key value
+    #   from the AWS Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] authorization_private_key_source
+    #   The source type of the authorization private key. Either `MANAGED`
+    #   if the secret is managed by the service, or `EXTERNAL` if managed by
+    #   the user in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] authorization_id
     #   The authorization ID for the Stripe Privy integration.
     #   @return [String]
@@ -15898,7 +16222,11 @@ module Aws::BedrockAgentCoreControl
     class StripePrivyConfigurationOutput < Struct.new(
       :app_id,
       :app_secret_arn,
+      :app_secret_json_key,
+      :app_secret_source,
       :authorization_private_key_arn,
+      :authorization_private_key_json_key,
+      :authorization_private_key_source,
       :authorization_id)
       SENSITIVE = []
       include Aws::Structure
@@ -16787,11 +17115,26 @@ module Aws::BedrockAgentCoreControl
     #   existing API key and is encrypted and stored securely.
     #   @return [String]
     #
+    # @!attribute [rw] api_key_secret_config
+    #   A reference to the AWS Secrets Manager secret that stores the API
+    #   key. This includes the secret ID and the JSON key used to extract
+    #   the API key value from the secret. Required when
+    #   `apiKeySecretSource` is set to `EXTERNAL`.
+    #   @return [Types::SecretReference]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Use `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if you manage the secret
+    #   yourself in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/UpdateApiKeyCredentialProviderRequest AWS API Documentation
     #
     class UpdateApiKeyCredentialProviderRequest < Struct.new(
       :name,
-      :api_key)
+      :api_key,
+      :api_key_secret_config,
+      :api_key_secret_source)
       SENSITIVE = [:api_key]
       include Aws::Structure
     end
@@ -16801,6 +17144,17 @@ module Aws::BedrockAgentCoreControl
     #   Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] api_key_secret_json_key
+    #   The JSON key used to extract the API key value from the AWS Secrets
+    #   Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] api_key_secret_source
+    #   The source type of the API key secret. Either `MANAGED` if the
+    #   secret is managed by the service, or `EXTERNAL` if managed by the
+    #   user in AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the API key credential provider.
     #   @return [String]
@@ -16821,6 +17175,8 @@ module Aws::BedrockAgentCoreControl
     #
     class UpdateApiKeyCredentialProviderResponse < Struct.new(
       :api_key_secret_arn,
+      :api_key_secret_json_key,
+      :api_key_secret_source,
       :name,
       :credential_provider_arn,
       :created_time,
@@ -16949,11 +17305,8 @@ module Aws::BedrockAgentCoreControl
     #
     # @!attribute [rw] examples
     #   Examples to update. Each element is a JSON object containing a
-    #   required `exampleId` string field identifying the existing example,
-    #   plus the replacement fields. The `exampleId` is extracted and
-    #   removed before persistence; the remaining document is validated
-    #   against the dataset's schemaType. Max 1000 examples per call. Total
-    #   request body must not exceed 5 MB.
+    #   required `exampleId` field identifying the existing example, plus
+    #   the replacement fields. Maximum 1000 examples per call.
     #   @return [Array<Hash,Array,String,Numeric,Boolean>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/bedrock-agentcore-control-2023-06-05/UpdateDatasetExamplesRequest AWS API Documentation
@@ -17803,6 +18156,17 @@ module Aws::BedrockAgentCoreControl
     #   Manager.
     #   @return [Types::Secret]
     #
+    # @!attribute [rw] client_secret_json_key
+    #   The JSON key used to extract the client secret value from the AWS
+    #   Secrets Manager secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_secret_source
+    #   The source type of the client secret. Either `MANAGED` if the secret
+    #   is managed by the service, or `EXTERNAL` if managed by the user in
+    #   AWS Secrets Manager.
+    #   @return [String]
+    #
     # @!attribute [rw] name
     #   The name of the OAuth2 credential provider.
     #   @return [String]
@@ -17841,6 +18205,8 @@ module Aws::BedrockAgentCoreControl
     #
     class UpdateOauth2CredentialProviderResponse < Struct.new(
       :client_secret_arn,
+      :client_secret_json_key,
+      :client_secret_source,
       :name,
       :credential_provider_vendor,
       :credential_provider_arn,