GatewayAuthorizer

class aws_cdk.aws_bedrock_agentcore_alpha.GatewayAuthorizer

Bases: object

(experimental) Factory class for creating Gateway Authorizers.

Stability:

experimental

Stability:

experimental

Static Methods

classmethod using_aws_iam()

(experimental) AWS IAM authorizer instance.

Stability:

experimental

Return type:

IGatewayAuthorizerConfig

classmethod using_cognito(*, user_pool, allowed_audiences=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)

(experimental) Create a JWT authorizer from Cognito User Pool.

Parameters:

  • user_pool (IUserPool) – (experimental) The Cognito User Pool to use for authentication.

  • allowed_audiences (Optional[Sequence[str]]) – (experimental) The allowed audiences for JWT validation. Default: - No audience validation

  • allowed_clients (Optional[Sequence[IUserPoolClient]]) – (experimental) The allowed User Pool clients. Default: - All clients are allowed

  • allowed_scopes (Optional[Sequence[str]]) – (experimental) The allowed scopes for JWT validation. Default: - No scope validation

  • custom_claims (Optional[Sequence[GatewayCustomClaim]]) – (experimental) Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation

Return type:

IGatewayAuthorizerConfig

Returns:

CustomJwtAuthorizer configured for Cognito

Stability:

experimental

classmethod using_custom_jwt(*, discovery_url, allowed_audience=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)

(experimental) Create a custom JWT authorizer.

Parameters:

  • discovery_url (str) – (experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration Required: Yes

  • allowed_audience (Optional[Sequence[str]]) – (experimental) Represents individual audience values that are validated in the incoming JWT token validation process. Default: - No audience validation

  • allowed_clients (Optional[Sequence[str]]) – (experimental) Represents individual client IDs that are validated in the incoming JWT token validation process. Default: - No client ID validation

  • allowed_scopes (Optional[Sequence[str]]) – (experimental) Represents individual scopes that are validated in the incoming JWT token validation process. Default: - No scope validation

  • custom_claims (Optional[Sequence[GatewayCustomClaim]]) – (experimental) Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation

Return type:

IGatewayAuthorizerConfig

Returns:

IGatewayAuthorizerConfig configured for custom JWT

Stability:

experimental

classmethod with_no_auth()

(experimental) No authorization — the gateway will not perform any inbound authorization.

The gateway endpoint will be publicly accessible without credentials. Use this for testing/development, or for production gateways where you have implemented compensating controls such as Gateway Interceptors.

Return type:

IGatewayAuthorizerConfig

Returns:

IGatewayAuthorizerConfig configured for no authorization

See:

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-inbound-auth.html#gateway-inbound-auth-none

Stability:

experimental