GatewayCredentialProvider
- class aws_cdk.aws_bedrock_agentcore_alpha.GatewayCredentialProvider
Bases: object
(experimental) Factory class for creating different Gateway Credential Providers.
- Stability:
experimental
- ExampleMetadata:
fixture=default infused
Example:
    # Imports normally supplied by the example fixture
    import aws_cdk.aws_bedrock_agentcore_alpha as agentcore
    from aws_cdk import aws_lambda as lambda_

    gateway = agentcore.Gateway(self, "MyGateway",
        gateway_name="my-gateway"
    )

    # OAuth2 (recommended): use OAuth2CredentialProvider + bindForGatewayOAuthTarget, or ARNs from console/API
    oauth_provider_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth"
    oauth_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123"

    # Add an MCP server target directly to the gateway
    mcp_target = gateway.add_mcp_server_target("MyMcpServer",
        gateway_target_name="my-mcp-server",
        description="External MCP server integration",
        endpoint="https://my-mcp-server.example.com",
        credential_provider_configurations=[
            agentcore.GatewayCredentialProvider.from_oauth_identity_arn(
                provider_arn=oauth_provider_arn,
                secret_arn=oauth_secret_arn,
                scopes=["mcp-runtime-server/invoke"]
            )
        ]
    )

    # Grant sync permission to a Lambda function that will trigger synchronization
    sync_function = lambda_.Function(self, "SyncFunction",
        runtime=lambda_.Runtime.PYTHON_3_12,
        handler="index.handler",
        code=lambda_.Code.from_inline("""
    import boto3

    def handler(event, context):
        client = boto3.client('bedrock-agentcore')
        response = client.synchronize_gateway_targets(
            gatewayIdentifier=event['gatewayId'],
            targetIds=[event['targetId']]
        )
        return response
    """)
    )

    mcp_target.grant_sync(sync_function)
Static Methods
- classmethod from_api_key_identity(provider, *, credential_location=None)
(experimental) Create an API key outbound auth configuration from a Token Vault IApiKeyCredentialProvider construct.
Prefer this over GatewayCredentialProvider.from_api_key_identity_arn when the provider is defined in CDK.
- Parameters:
provider (IApiKeyCredentialProvider)
credential_location (Optional[ApiKeyCredentialLocation]) – (experimental) Where to place the API key on outbound requests. Default: header Authorization with "Bearer " prefix
- Stability:
experimental
- Return type:
- classmethod from_api_key_identity_arn(*, provider_arn, secret_arn, credential_location=None)
(experimental) Create an API key credential provider from Identity ARN. Use this method when you have the Identity ARN as a string.
- Parameters:
provider_arn (str) – (experimental) The API key credential provider ARN. This is returned when creating the API key credential provider via Console or API. Format: arn:aws:bedrock-agentcore:region:account:token-vault/id/apikeycredentialprovider/name
secret_arn (str) – (experimental) The ARN of the Secrets Manager secret containing the API key. This is returned when creating the API key credential provider via Console or API. Format: arn:aws:secretsmanager:region:account:secret:name
credential_location (Optional[ApiKeyCredentialLocation]) – (experimental) The location of the API key credential. This field specifies where in the request the API key should be placed. Default: - HEADER
- Return type:
- Returns:
ICredentialProviderConfig configured for API key authentication
- Stability:
experimental
- classmethod from_iam_role()
(experimental) Create an IAM role credential provider.
- Return type:
- Returns:
IIamRoleCredentialProvider configured for IAM role authentication
- Stability:
experimental
- classmethod from_oauth_identity(provider, *, scopes, custom_parameters=None)
(experimental) Create an OAuth outbound auth configuration from a Token Vault IOAuth2CredentialProvider construct.
Prefer this over GatewayCredentialProvider.from_oauth_identity_arn when the provider is defined in CDK.
- Parameters:
provider (IOAuth2CredentialProvider)
scopes (Sequence[str]) – (experimental) OAuth scopes the gateway should request for this target.
custom_parameters (Optional[Mapping[str,str]]) – (experimental) Additional OAuth parameters for the provider. Default: - none
- Stability:
experimental
- Return type:
- classmethod from_oauth_identity_arn(*, provider_arn, scopes, secret_arn, custom_parameters=None)
(experimental) Create an OAuth credential provider from Identity ARN. Use this method when you have the Identity ARN as a string.
- Parameters:
provider_arn (str) – (experimental) The OAuth credential provider ARN. This is returned when creating the OAuth credential provider via Console or API. Format: arn:aws:bedrock-agentcore:region:account:token-vault/id/oauth2credentialprovider/name Required: Yes
scopes (Sequence[str]) – (experimental) The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider. Array Members: Minimum number of 0 items. Maximum number of 100 items. Length Constraints: Minimum length of 1. Maximum length of 64. Required: Yes
secret_arn (str) – (experimental) The ARN of the Secrets Manager secret containing OAuth credentials (client ID and secret). This is returned when creating the OAuth credential provider via Console or API. Format: arn:aws:secretsmanager:region:account:secret:name Required: Yes
custom_parameters (Optional[Mapping[str,str]]) – (experimental) Custom parameters for the OAuth flow. Default: - No custom parameters
- Return type:
- Returns:
ICredentialProviderConfig configured for OAuth authentication
- Stability:
experimental
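Added example (not part of the CDK library or its documentation): a pre-synth check for the string inputs to from_oauth_identity_arn, using the ARN formats and scope limits documented above. The function name validate_oauth_target_inputs and the same-region/same-account rule are assumptions made here for illustration; the sample ARNs are the ones from the class example.

```python
import re

# ARN formats as documented for provider_arn and secret_arn on this page.
PROVIDER_ARN_RE = re.compile(
    r"^arn:aws:bedrock-agentcore:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"token-vault/(?P<vault>[^/]+)/oauth2credentialprovider/(?P<name>[^/]+)$"
)
SECRET_ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"secret:(?P<name>.+)$"
)

# Sample values taken from the class example on this page.
SAMPLE_PROVIDER_ARN = ("arn:aws:bedrock-agentcore:us-east-1:123456789012:"
                       "token-vault/abc123/oauth2credentialprovider/my-oauth")
SAMPLE_SECRET_ARN = ("arn:aws:secretsmanager:us-east-1:123456789012:"
                     "secret:my-oauth-secret-abc123")


def validate_oauth_target_inputs(provider_arn, secret_arn, scopes):
    """Hypothetical helper: return a list of problems (empty list = OK)."""
    problems = []
    provider = PROVIDER_ARN_RE.match(provider_arn)
    secret = SECRET_ARN_RE.match(secret_arn)
    if not provider:
        problems.append("provider_arn is not an oauth2credentialprovider ARN")
    if not secret:
        problems.append("secret_arn is not a Secrets Manager secret ARN")
    # Local policy (an assumption, not a documented requirement): the
    # provider and its secret should live in the same region and account.
    if provider and secret:
        for field in ("region", "account"):
            if provider[field] != secret[field]:
                problems.append(
                    f"{field} differs between provider_arn and secret_arn")
    # Documented constraints: 0-100 scopes, each 1-64 characters long.
    if len(scopes) > 100:
        problems.append("more than 100 scopes")
    for scope in scopes:
        if not isinstance(scope, str) or not 1 <= len(scope) <= 64:
            problems.append(f"scope {scope!r} must be a string of 1-64 characters")
    return problems


if __name__ == "__main__":
    print(validate_oauth_target_inputs(
        SAMPLE_PROVIDER_ARN, SAMPLE_SECRET_ARN, ["mcp-runtime-server/invoke"]))
```

Running the check before passing the values to from_oauth_identity_arn catches an API key provider ARN pasted into an OAuth target, or a secret from another region, at synth time rather than at deployment.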