interface IPolicyEngine
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.IPolicyEngine |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#IPolicyEngine |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.IPolicyEngine |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.IPolicyEngine |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » IPolicyEngine |
Implements
IDependable, IConstruct, IEnvironment, IResource, IPolicy, IGrantable
Implemented by
PolicyEngine
Obtainable from
PolicyEngine.fromPolicyEngineAttributes()
Contains all properties and methods for both created and imported policy engines.
Properties
| Name | Type | Description |
|---|---|---|
| env | ResourceEnvironment | The environment this resource belongs to. |
| grantPrincipal | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| policyEngineArn | string | The ARN of the policy engine resource. |
| policyEngineId | string | The ID of the policy engine. |
| policyEngineName | string | The name of the policy engine. |
| policyEngineRef | PolicyEngineReference | A reference to a PolicyEngine resource. |
| stack | Stack | The stack in which this resource is defined. |
| description? | string | The description of the policy engine. |
| kmsKey? | IKey | The KMS key used for encryption. |
env
Type:
ResourceEnvironment
The environment this resource belongs to.
For resources that are created and managed in a Stack (those created by
creating new class instances like new Role(), new Bucket(), etc.), this
is always the same as the environment of the stack they belong to.
For referenced resources (those obtained from referencing methods like
Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be
different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
policyEngineArn
Type:
string
The ARN of the policy engine resource.
policyEngineId
Type:
string
The ID of the policy engine.
policyEngineName
Type:
string
The name of the policy engine.
policyEngineRef
Type:
PolicyEngineReference
A reference to a PolicyEngine resource.
stack
Type:
Stack
The stack in which this resource is defined.
description?
Type:
string
(optional)
The description of the policy engine.
kmsKey?
Type:
IKey
(optional)
The KMS key used for encryption.
Methods
| Name | Description |
|---|---|
| applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
| grant(grantee, ...actions) | Grants IAM actions to the IAM Principal. |
| grantEvaluate(grantee) | Grants permissions to evaluate policies at runtime. |
| grantEvaluateForGateway(grantee, gateway) | Grants the full set of permissions required for a gateway execution role to use this policy engine, correctly scoped to both the policy engine and gateway ARNs. |
| grantRead(grantee) | Grants read permissions on the PolicyEngine. |
| metric(metricName, dimensions, props?) | Return the given named metric for this policy engine. |
| metricAuthorizationLatency(props?) | Return a metric measuring the authorization latency for this policy engine. |
| metricDeniedRequests(props?) | Return a metric containing the number of denied authorization requests for this policy engine. |
| metricErrors(props?) | Return a metric containing the number of errors during authorization for this policy engine. |
| with(...mixins) | Applies one or more mixins to this construct. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee: IGrantable - The IAM principal to grant permissions to.
- actions: string[] - The actions to grant.
Returns
Grant
Grants IAM actions to the IAM Principal.
grantEvaluate(grantee)
public grantEvaluate(grantee: IGrantable): Grant
Parameters
- grantee: IGrantable - The IAM principal to grant evaluation permissions to.
Returns
Grant
Grants permissions to evaluate policies at runtime.
This is the primary permission needed by Gateway execution roles to evaluate authorization decisions during agent requests. Grant this to roles that need to call AuthorizeAction or PartiallyAuthorizeActions.
grantEvaluateForGateway(grantee, gateway)
public grantEvaluateForGateway(grantee: IGrantable, gateway: IGateway): Grant
Parameters
- grantee: IGrantable - The IAM principal (gateway execution role) to grant permissions to.
- gateway: IGateway - The gateway that will use this policy engine.
Returns
Grant
Grants the full set of permissions required for a gateway execution role to use this policy engine, correctly scoped to both the policy engine and gateway ARNs.
Per the AWS docs, AuthorizeAction and PartiallyAuthorizeActions require
both the policy engine ARN and the gateway ARN as resources, while
GetPolicyEngine only needs the policy engine ARN.
This follows the same pattern as Lambda's grantInvokeVersion(grantee, version).
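The resource scoping described above, modelled as plain Python with a least-privilege check (an added example, not the construct's own code; it assumes the IAM service prefix `bedrock-agentcore` and uses constructed ARNs):

```python
# Added example (not the construct's own code): a plain-Python model of the IAM
# statements that grantEvaluateForGateway is documented to emit, plus a check
# that flags statements which are broader or narrower than that scoping.
# Assumptions: the IAM service prefix "bedrock-agentcore"; all ARNs are constructed.

EVAL_ACTIONS = (
    "bedrock-agentcore:AuthorizeAction",
    "bedrock-agentcore:PartiallyAuthorizeActions",
)
READ_ACTION = "bedrock-agentcore:GetPolicyEngine"


def evaluate_for_gateway_statements(policy_engine_arn: str, gateway_arn: str) -> list:
    """Evaluation actions are scoped to both ARNs; GetPolicyEngine only to the engine."""
    return [
        {"Effect": "Allow", "Action": list(EVAL_ACTIONS),
         "Resource": [policy_engine_arn, gateway_arn]},
        {"Effect": "Allow", "Action": [READ_ACTION],
         "Resource": [policy_engine_arn]},
    ]


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def scoping_problems(statements: list, policy_engine_arn: str, gateway_arn: str) -> list:
    """Findings for Allow statements that deviate from the documented grant:
    wildcard actions or resources, or evaluation actions missing one of the two ARNs."""
    findings = []
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            findings.append(f"statement {i}: wildcard action or resource")
            continue
        if any(a in EVAL_ACTIONS for a in actions) and (
            policy_engine_arn not in resources or gateway_arn not in resources
        ):
            findings.append(f"statement {i}: evaluation actions need both the policy engine and gateway ARNs")
    return findings


if __name__ == "__main__":
    # Constructed sample ARNs, not real resources.
    pe = "arn:aws:bedrock-agentcore:us-east-1:123456789012:policy-engine/pe-example"
    gw = "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/gw-example"
    print(scoping_problems(evaluate_for_gateway_statements(pe, gw), pe, gw))  # []
    too_narrow = [{"Effect": "Allow", "Action": list(EVAL_ACTIONS), "Resource": [pe]}]
    print(scoping_problems(too_narrow, pe, gw))
```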
grantRead(grantee)
public grantRead(grantee: IGrantable): Grant
Parameters
- grantee: IGrantable - The IAM principal to grant read permissions to.
Returns
Grant
Grants read permissions on the PolicyEngine.
This grants runtime read access to policy engine configuration. Use this for monitoring, observability, or read-only administrative roles.
metric(metricName, dimensions, props?)
public metric(metricName: string, dimensions: { [string]: string }, props?: MetricOptions): Metric
Parameters
- metricName: string - The name of the metric.
- dimensions: { [string]: string } - Additional dimensions for the metric.
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return the given named metric for this policy engine.
metricAuthorizationLatency(props?)
public metricAuthorizationLatency(props?: MetricOptions): Metric
Parameters
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return a metric measuring the authorization latency for this policy engine.
This metric represents the time taken to evaluate authorization policies.
metricDeniedRequests(props?)
public metricDeniedRequests(props?: MetricOptions): Metric
Parameters
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return a metric containing the number of denied authorization requests for this policy engine.
This metric tracks authorization requests that were explicitly denied by policies.
metricErrors(props?)
public metricErrors(props?: MetricOptions): Metric
Parameters
- props: MetricOptions - Optional metric configuration.
Returns
Metric
Return a metric containing the number of errors during authorization for this policy engine.
This metric tracks errors encountered during policy evaluation.
with(...mixins)
public with(...mixins: IMixin[]): IConstruct
Parameters
- mixins: IMixin[] - The mixins to apply.
Returns
IConstruct
Applies one or more mixins to this construct.
Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited.