class WorkloadIdentity (construct)
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.WorkloadIdentity |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#WorkloadIdentity |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.WorkloadIdentity |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.WorkloadIdentity |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » WorkloadIdentity |
Implements
IConstruct, IDependable, IResource, IEnvironment, IWorkload, IGrantable, IWorkload
L2 construct for AWS::BedrockAgentCore::WorkloadIdentity.
A workload identity is the stable identity of an agent in an AWS account. It ties together IAM roles, OAuth2 flows, API keys, and workload access tokens for consistent authentication across environments.
Example
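import * as agentcore from "@aws-cdk/aws-bedrock-agentcore-alpha";

// `this` is the enclosing Stack or construct that owns the workload identity.
new agentcore.WorkloadIdentity(this, "MyWorkloadIdentity", {
  workloadIdentityName: "customer-support-agent-prod",
  allowedResourceOauth2ReturnUrls: ["https://app.example.com/oauth/callback"],
  tags: { team: "agents", env: "prod" },
});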
Initializer
new WorkloadIdentity(scope: Construct, id: string, props?: WorkloadIdentityProps)
Parameters
- scope
Construct
- id
string
- props
WorkloadIdentityProps
Construct Props
| Name | Type | Description |
|---|---|---|
| allowedResourceOauth2ReturnUrls? | string[] | Allowed OAuth2 return URLs for resources associated with this workload identity. |
| tags? | { [string]: string } | Tags for this workload identity. |
| workloadIdentityName? | string | Name of the workload identity. |
allowedResourceOauth2ReturnUrls?
Type:
string[]
(optional, default: no return URLs)
Allowed OAuth2 return URLs for resources associated with this workload identity.
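An added example, not part of the CDK library or this reference: a pre-deploy lint for the list passed to allowedResourceOauth2ReturnUrls. The rules (exact https URLs, no wildcards, no embedded credentials, no fragments, http only for loopback) are assumptions taken from common OAuth 2.0 redirect-URI practice, not validation the construct is documented to perform; `lintReturnUrls` and `Finding` are hypothetical names.

```typescript
// Added example: lint the list intended for allowedResourceOauth2ReturnUrls.
// The rules are assumptions (common OAuth 2.0 redirect-URI hygiene), not
// checks performed by the construct or the service.
type Finding = { url: string; problem: string };

function tryParse(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

function lintReturnUrls(urls: string[]): Finding[] {
  const findings: Finding[] = [];
  const seen = new Set<string>();
  for (const raw of urls) {
    const add = (problem: string): void => { findings.push({ url: raw, problem }); };
    // An allow-list entry should name one callback, not a pattern.
    if (raw.includes("*")) { add("wildcard in entry"); continue; }
    const u = tryParse(raw);
    if (u === null) { add("not an absolute URL"); continue; }
    // Assumption: plain http is tolerated only for loopback development callbacks.
    const loopback = u.hostname === "localhost" || u.hostname === "127.0.0.1";
    if (u.protocol !== "https:" && !(u.protocol === "http:" && loopback)) {
      add("scheme is not https");
    }
    if (u.username !== "" || u.password !== "") add("embedded credentials");
    if (u.hash !== "") add("fragment present");
    // Compare normalized forms so trivially different spellings are caught.
    if (seen.has(u.href)) add("duplicate entry");
    seen.add(u.href);
  }
  return findings;
}

// Constructed sample input: one clean entry and four problematic ones.
const sample: string[] = [
  "https://app.example.com/oauth/callback",
  "http://app.example.com/oauth/callback",
  "https://*.example.com/cb",
  "https://user:pw@app.example.com/cb#frag",
  "/oauth/callback",
];
const report: Finding[] = lintReturnUrls(sample);
for (const f of report) console.log(`${f.url}: ${f.problem}`);
```

Running the same function over the array before it is handed to the construct lets a build fail on a non-empty result.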
tags?
Type:
{ [string]: string }
(optional, default: no tags)
Tags for this workload identity.
workloadIdentityName?
Type:
string
(optional, default: a name generated by CDK)
Name of the workload identity.
Properties
| Name | Type | Description |
|---|---|---|
| env | Resource | The environment this resource belongs to. |
| grantPrincipal | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| stack | Stack | The stack in which this resource is defined. |
| workloadIdentityArn | string | The ARN of this workload identity. |
| workloadIdentityName | string | The name of this workload identity. |
| workloadIdentityRef | Workload | A reference to a WorkloadIdentity resource. |
| createdTime? | string | Timestamp when the workload identity was created. |
| lastUpdatedTime? | string | Timestamp when the workload identity was last updated. |
| static PROPERTY_INJECTION_ID | string | Uniquely identifies this class. |
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed in a Stack (those created by
creating new class instances like new Role(), new Bucket(), etc.), this
is always the same as the environment of the stack they belong to.
For referenced resources (those obtained from referencing methods like
Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be
different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
stack
Type:
Stack
The stack in which this resource is defined.
workloadIdentityArn
Type:
string
The ARN of this workload identity.
workloadIdentityName
Type:
string
The name of this workload identity.
workloadIdentityRef
Type:
Workload
A reference to a WorkloadIdentity resource.
createdTime?
Type:
string
(optional)
Timestamp when the workload identity was created.
lastUpdatedTime?
Type:
string
(optional)
Timestamp when the workload identity was last updated.
static PROPERTY_INJECTION_ID
Type:
string
Uniquely identifies this class.
Methods
| Name | Description |
|---|---|
| applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
| grant(grantee, ...actions) | [disable-awslint:no-grants]. |
| grantAdmin(grantee) | [disable-awslint:no-grants]. |
| grantFullAccess(grantee) | [disable-awslint:no-grants]. |
| grantRead(grantee) | [disable-awslint:no-grants]. |
| grantUse(grantee) | [disable-awslint:no-grants]. |
| toString() | Returns a string representation of this construct. |
| with(...mixins) | Applies one or more mixins to this construct. |
| static fromWorkloadIdentityAttributes(scope, id, attrs) | Import an existing workload identity. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee
IGrantable
- actions
string
Returns
Grant
[disable-awslint:no-grants].
grantAdmin(grantee)
public grantAdmin(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant
[disable-awslint:no-grants].
grantFullAccess(grantee)
public grantFullAccess(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant
[disable-awslint:no-grants].
grantRead(grantee)
public grantRead(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant
[disable-awslint:no-grants].
grantUse(grantee)
public grantUse(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant
[disable-awslint:no-grants].
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
with(...mixins)
public with(...mixins: IMixin[]): IConstruct
Parameters
- mixins
IMixin
Returns
IConstruct
Applies one or more mixins to this construct.
Mixins are applied in order. The list of constructs is captured at the
start of the call, so constructs added by a mixin will not be visited.
Use multiple with() calls if subsequent mixins should apply to added
constructs.
static fromWorkloadIdentityAttributes(scope, id, attrs)
public static fromWorkloadIdentityAttributes(scope: Construct, id: string, attrs: WorkloadIdentityAttributes): IWorkloadIdentity
Parameters
- scope
Construct
- id
string
- attrs
WorkloadIdentityAttributes
Returns
IWorkloadIdentity
Import an existing workload identity.
