interface GatewayProps 🔹

Language	Type name
.NET	`Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.GatewayProps`
Go	`github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#GatewayProps`
Java	`software.amazon.awscdk.services.bedrock.agentcore.alpha.GatewayProps`
Python	`aws_cdk.aws_bedrock_agentcore_alpha.GatewayProps`
TypeScript (source)	`@aws-cdk/aws-bedrock-agentcore-alpha` » `GatewayProps`

Properties for defining a Gateway.

Example


// Create a Policy engine
const policyEngine = new agentcore.PolicyEngine(this, "MyPolicyEngine", {
  policyEngineName: "my_policy_engine",
  description: "Policy engine for access control",
});

const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-gateway",
  policyEngineConfiguration: {
    policyEngine: policyEngine,
    mode: agentcore.PolicyEngineMode.ENFORCE, // Default is LOG_ONLY
  },
});

// Add policy to policy engine
policyEngine.addPolicy("AllowAllActions", {
  definition: `
    permit(
      principal,
      action,
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow all actions on specific gateway (development)",
  validationMode: agentcore.PolicyValidationMode.IGNORE_ALL_FINDINGS, // This will ignore all cedar warnings
});

// you can add multiple policies to the policy engine
policyEngine.addPolicy("SpecificToolPolicy", {
  definition: `
    permit(
      principal is AgentCore::OAuthUser,
      action == AgentCore::Action::"WeatherTool__get_forecast",
      resource == AgentCore::Gateway::"${gateway.gatewayArn}"
    );
  `,
  description: "Allow specific weather tool access",
  validationMode: agentcore.PolicyValidationMode.FAIL_ON_ANY_FINDINGS, // This will fail policy creation for any cedar warning
});

Properties

Name	Type	Description
authorizerConfiguration?🔹	`IGatewayAuthorizerConfig`	The authorizer configuration for the gateway.
description?🔹	`string`	Optional description for the gateway Valid characters are a-z, A-Z, 0-9, _ (underscore), - (hyphen) and spaces The description can have up to 200 characters.
exceptionLevel?🔹	`GatewayExceptionLevel`	The verbosity of exception messages Use DEBUG mode to see granular exception messages from a Gateway.
gatewayName?🔹	`string`	The name of the gateway Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) The name must be unique within your account.
interceptorConfigurations?🔹	`IInterceptor[]`	Interceptor configurations for the gateway.
kmsKey?🔹	`IKey`	The AWS KMS key used to encrypt data associated with the gateway.
policyEngineConfiguration?🔹	`GatewayPolicyEngineConfig`	The policy engine configuration for this gateway.
protocolConfiguration?🔹	`IGatewayProtocolConfig`	The protocol configuration for the gateway.
role?🔹	`IRole`	The IAM role that provides permissions for the gateway to access AWS services.
tags?🔹	`{ [string]: string }`	Tags for the gateway A list of key:value pairs of tags to apply to this Gateway resource.

authorizerConfiguration?🔹

Type: IGatewayAuthorizerConfig (optional, default: A default authorizer will be created using Cognito)

The authorizer configuration for the gateway.

description?🔹

Type: string (optional, default: No description)

Optional description for the gateway Valid characters are a-z, A-Z, 0-9, _ (underscore), - (hyphen) and spaces The description can have up to 200 characters.

exceptionLevel?🔹

Type: GatewayExceptionLevel (optional, default: Exception messages are sanitized for presentation to end users)

The verbosity of exception messages Use DEBUG mode to see granular exception messages from a Gateway.

gatewayName?🔹

Type: string (optional, default: auto generate)

The name of the gateway Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) The name must be unique within your account.

interceptorConfigurations?🔹

Type: IInterceptor[] (optional, default: No interceptors)

Interceptor configurations for the gateway.

Interceptors allow you to run custom code during each gateway invocation:

REQUEST interceptors execute before the gateway calls the target
RESPONSE interceptors execute after the target responds

A gateway can have at most one REQUEST interceptor and one RESPONSE interceptor.

kmsKey?🔹

Type: IKey (optional, default: No encryption)

The AWS KMS key used to encrypt data associated with the gateway.

policyEngineConfiguration?🔹

Type: GatewayPolicyEngineConfig (optional, default: No policy engine (requests are not subject to Cedar policy authorization))

The policy engine configuration for this gateway.

When provided, the specified policy engine will be associated with this gateway. All agent requests through this gateway will be evaluated against the Cedar policies defined in the policy engine.

protocolConfiguration?🔹

Type: IGatewayProtocolConfig (optional, default: A default protocol configuration will be created using MCP with following params supportedVersions: [MCPProtocolVersion.MCP_2025_03_26], searchType: McpGatewaySearchType.SEMANTIC, instructions: "Default gateway to connect to external MCP tools",)

The protocol configuration for the gateway.

role?🔹

Type: IRole (optional, default: A new role will be created)

The IAM role that provides permissions for the gateway to access AWS services.

tags?🔹

Type: { [string]: string } (optional, default: No tags)

Tags for the gateway A list of key:value pairs of tags to apply to this Gateway resource.

AWS CDK

2.257.0