GatewayAuthorizer
- class aws_cdk.aws_bedrock_agentcore_alpha.GatewayAuthorizer
Bases:
object(experimental) Factory class for creating Gateway Authorizers.
- Stability:
experimental
- ExampleMetadata:
fixture=default infused
Example:
# Optional: Create custom claims (CustomClaimOperator and GatewayCustomClaim from agentcore) custom_claims = [ agentcore.GatewayCustomClaim.with_string_value("department", "engineering"), agentcore.GatewayCustomClaim.with_string_array_value("roles", ["admin"], agentcore.CustomClaimOperator.CONTAINS), agentcore.GatewayCustomClaim.with_string_array_value("permissions", ["read", "write"], agentcore.CustomClaimOperator.CONTAINS_ANY) ] gateway = agentcore.Gateway(self, "MyGateway", gateway_name="my-gateway", authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt( discovery_url="https://auth.example.com/.well-known/openid-configuration", allowed_audience=["my-app"], allowed_clients=["my-client-id"], allowed_scopes=["read", "write"], custom_claims=custom_claims ) )
- Stability:
experimental
Static Methods
- classmethod using_aws_iam()
(experimental) AWS IAM authorizer instance.
- Stability:
experimental
- Return type:
- classmethod using_cognito(*, user_pool, allowed_audiences=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)
(experimental) Create a JWT authorizer from Cognito User Pool.
- Parameters:
user_pool (
IUserPool) – (experimental) The Cognito User Pool to use for authentication.allowed_audiences (
Optional[Sequence[str]]) – (experimental) The allowed audiences for JWT validation. Default: - No audience validationallowed_clients (
Optional[Sequence[IUserPoolClient]]) – (experimental) The allowed User Pool clients. Default: - All clients are allowedallowed_scopes (
Optional[Sequence[str]]) – (experimental) The allowed scopes for JWT validation. Default: - No scope validationcustom_claims (
Optional[Sequence[GatewayCustomClaim]]) – (experimental) Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation
- Return type:
- Returns:
CustomJwtAuthorizer configured for Cognito
- Stability:
experimental
- classmethod using_custom_jwt(*, discovery_url, allowed_audience=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)
(experimental) Create a custom JWT authorizer.
- Parameters:
discovery_url (
str) – (experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration Required: Yesallowed_audience (
Optional[Sequence[str]]) – (experimental) Represents individual audience values that are validated in the incoming JWT token validation process. Default: - No audience validationallowed_clients (
Optional[Sequence[str]]) – (experimental) Represents individual client IDs that are validated in the incoming JWT token validation process. Default: - No client ID validationallowed_scopes (
Optional[Sequence[str]]) – (experimental) Represents individual scopes that are validated in the incoming JWT token validation process. Default: - No scope validationcustom_claims (
Optional[Sequence[GatewayCustomClaim]]) – (experimental) Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation
- Return type:
- Returns:
IGatewayAuthorizerConfig configured for custom JWT
- Stability:
experimental
- classmethod with_no_auth()
(experimental) No authorization — the gateway will not perform any inbound authorization.
The gateway endpoint will be publicly accessible without credentials. Use this for testing/development, or for production gateways where you have implemented compensating controls such as Gateway Interceptors.
- Return type:
- Returns:
IGatewayAuthorizerConfig configured for no authorization
- See:
- Stability:
experimental