AWS CLI Command Reference

[ aws . bedrock-agentcore-control ]

update-gateway

Description

Updates an existing gateway.

See also: AWS API Documentation

Synopsis

  update-gateway
--gateway-identifier <value>
--name <value>
[--description <value>]
--role-arn <value>
--protocol-type <value>
[--protocol-configuration <value>]
--authorizer-type <value>
[--authorizer-configuration <value>]
[--kms-key-arn <value>]
[--interceptor-configurations <value>]
[--policy-engine-configuration <value>]
[--exception-level <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Options

--gateway-identifier (string) [required]

The identifier of the gateway to update.

Constraints:

  • pattern: ([0-9a-z][-]?){1,100}-[0-9a-z]{10}

--name (string) [required]

The name of the gateway. This name must be the same as the one when the gateway was created.

Constraints:

  • pattern: ([0-9a-zA-Z][-]?){1,100}

--description (string)

The updated description for the gateway.

Constraints:

  • min: 1
  • max: 200

--role-arn (string) [required]

The updated IAM role ARN that provides permissions for the gateway.

Constraints:

  • min: 1
  • max: 2048
  • pattern: arn:aws(-[^:]+)?:iam::([0-9]{12})?:role/.+

--protocol-type (string) [required]

The updated protocol type for the gateway.

Possible values:

  • MCP

--protocol-configuration (tagged union structure)

The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: mcp.

mcp -> (structure)

The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

supportedVersions -> (list)

The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

(string)

instructions -> (string)

The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

Constraints:

  • min: 1
  • max: 2048

searchType -> (string)

The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

Possible values:

  • SEMANTIC

Shorthand Syntax:

mcp={supportedVersions=[string,string],instructions=string,searchType=string}

JSON Syntax:

{
  "mcp": {
    "supportedVersions": ["string", ...],
    "instructions": "string",
    "searchType": "SEMANTIC"
  }
}

--authorizer-type (string) [required]

The updated authorizer type for the gateway.

Possible values:

  • CUSTOM_JWT
  • AWS_IAM
  • NONE

--authorizer-configuration (tagged union structure)

The updated authorizer configuration for the gateway.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: customJWTAuthorizer.

customJWTAuthorizer -> (structure)

The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

discoveryUrl -> (string) [required]

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Constraints:

  • pattern: .+/\.well-known/openid-configuration

allowedAudience -> (list)

Represents individual audience values that are validated in the incoming JWT token validation process.

Constraints:

  • min: 1

(string)

allowedClients -> (list)

Represents individual client IDs that are validated in the incoming JWT token validation process.

Constraints:

  • min: 1

(string)

allowedScopes -> (list)

An array of scopes that are allowed to access the token.

Constraints:

  • min: 1

(string)

Constraints:

  • min: 1
  • max: 255
  • pattern: [\x21\x23-\x5B\x5D-\x7E]+

customClaims -> (list)

An array of objects that define a custom claim validation name, value, and operation

Constraints:

  • min: 1

(structure)

Defines the name of a custom claim field and rules for finding matches to authenticate its value.

inboundTokenClaimName -> (string) [required]

The name of the custom claim field to check.

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-:]+

inboundTokenClaimValueType -> (string) [required]

The data type of the claim value to check for.

  • Use STRING if you want to find an exact match to a string you define.
  • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

Possible values:

  • STRING
  • STRING_ARRAY

authorizingClaimMatchValue -> (structure) [required]

Defines the value or values to match for and the relationship of the match.

claimMatchValue -> (tagged union structure) [required]

The value or values to match for.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: matchValueString, matchValueStringList.

matchValueString -> (string)

The string value to match for.

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-]+

matchValueStringList -> (list)

An array of strings to check for a match.

Constraints:

  • min: 1

(string)

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-]+

claimMatchOperator -> (string) [required]

Defines the relationship between the claim field value and the value or values you’re matching for.

Possible values:

  • EQUALS
  • CONTAINS
  • CONTAINS_ANY

JSON Syntax:

{
  "customJWTAuthorizer": {
    "discoveryUrl": "string",
    "allowedAudience": ["string", ...],
    "allowedClients": ["string", ...],
    "allowedScopes": ["string", ...],
    "customClaims": [
      {
        "inboundTokenClaimName": "string",
        "inboundTokenClaimValueType": "STRING"|"STRING_ARRAY",
        "authorizingClaimMatchValue": {
          "claimMatchValue": {
            "matchValueString": "string",
            "matchValueStringList": ["string", ...]
          },
          "claimMatchOperator": "EQUALS"|"CONTAINS"|"CONTAINS_ANY"
        }
      }
      ...
    ]
  }
}

--kms-key-arn (string)

The updated ARN of the KMS key used to encrypt the gateway.

Constraints:

  • min: 1
  • max: 2048
  • pattern: arn:aws(|-cn|-us-gov):kms:[a-zA-Z0-9-]*:[0-9]{12}:key/[a-zA-Z0-9-]{36}

--interceptor-configurations (list)

The updated interceptor configurations for the gateway.

Constraints:

  • min: 1
  • max: 2

(structure)

The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

interceptor -> (tagged union structure) [required]

The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: lambda.

lambda -> (structure)

The details of the lambda function used for the interceptor.

arn -> (string) [required]

The arn of the lambda function to be invoked for the interceptor.

Constraints:

  • min: 1
  • max: 170
  • pattern: arn:(aws[a-zA-Z-]*)?:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-]+))?

interceptionPoints -> (list) [required]

The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

Constraints:

  • min: 1
  • max: 2

(string)

Possible values:

  • REQUEST
  • RESPONSE

inputConfiguration -> (structure)

The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

passRequestHeaders -> (boolean) [required]

Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

Shorthand Syntax:

interceptor={lambda={arn=string}},interceptionPoints=string,string,inputConfiguration={passRequestHeaders=boolean} ...

JSON Syntax:

[
  {
    "interceptor": {
      "lambda": {
        "arn": "string"
      }
    },
    "interceptionPoints": ["REQUEST"|"RESPONSE", ...],
    "inputConfiguration": {
      "passRequestHeaders": true|false
    }
  }
  ...
]

--policy-engine-configuration (structure)

The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

arn -> (string) [required]

The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

Constraints:

  • min: 1
  • max: 170
  • pattern: arn:aws:bedrock-agentcore:[a-z0-9-]+:[0-9]{12}:policy-engine\/[a-zA-Z][a-zA-Z0-9-_]{0,99}-[a-zA-Z0-9_]{10}

mode -> (string) [required]

The enforcement mode for the policy engine. Valid values include:

  • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
  • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

Possible values:

  • LOG_ONLY
  • ENFORCE

Shorthand Syntax:

arn=string,mode=string

JSON Syntax:

{
  "arn": "string",
  "mode": "LOG_ONLY"|"ENFORCE"
}

--exception-level (string)

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG , granular exception messages are returned to help a user debug the gateway.
  • If the value is omitted, a generic error message is returned to the end user.

Possible values:

  • DEBUG

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Global Options

--debug (boolean)

Turn on debug logging.

--endpoint-url (string)

Override command’s default URL with the given URL.

--no-verify-ssl (boolean)

By default, the AWS CLI uses SSL when communicating with AWS services. For each SSL connection, the AWS CLI will verify SSL certificates. This option overrides the default behavior of verifying SSL certificates.

--no-paginate (boolean)

Disable automatic pagination. If automatic pagination is disabled, the AWS CLI will only make one call, for the first page of results.

--output (string)

The formatting style for command output.

  • json
  • text
  • table
  • yaml
  • yaml-stream

--query (string)

A JMESPath query to use in filtering the response data.

--profile (string)

Use a specific profile from your credential file.

--region (string)

The region to use. Overrides config/env settings.

--version (string)

Display the version of this tool.

--color (string)

Turn on/off color output.

  • on
  • off
  • auto

--no-sign-request (boolean)

Do not sign requests. Credentials will not be loaded if this argument is provided.

--ca-bundle (string)

The CA certificate bundle to use when verifying SSL certificates. Overrides config/env settings.

--cli-read-timeout (int)

The maximum socket read time in seconds. If the value is set to 0, the socket read will be blocking and not timeout. The default value is 60 seconds.

--cli-connect-timeout (int)

The maximum socket connect time in seconds. If the value is set to 0, the socket connect will be blocking and not timeout. The default value is 60 seconds.

--cli-binary-format (string)

The formatting style to be used for binary blobs. The default format is base64. The base64 format expects binary blobs to be provided as a base64 encoded string. The raw-in-base64-out format preserves compatibility with AWS CLI V1 behavior and binary values must be passed literally. When providing contents from a file that map to a binary blob fileb:// will always be treated as binary and use the file contents directly regardless of the cli-binary-format setting. When using file:// the file contents will need to properly formatted for the configured cli-binary-format.

  • base64
  • raw-in-base64-out

--no-cli-pager (boolean)

Disable cli pager for output.

--cli-auto-prompt (boolean)

Automatically prompt for CLI input parameters.

--no-cli-auto-prompt (boolean)

Disable automatically prompt for CLI input parameters.

Output

gatewayArn -> (string)

The Amazon Resource Name (ARN) of the updated gateway.

Constraints:

  • pattern: arn:aws(|-cn|-us-gov):bedrock-agentcore:[a-z0-9-]{1,20}:[0-9]{12}:gateway/[0-9a-zA-Z]{10}

gatewayId -> (string)

The unique identifier of the updated gateway.

Constraints:

  • pattern: ([0-9a-z][-]?){1,100}-[0-9a-z]{10}

gatewayUrl -> (string)

An endpoint for invoking the updated gateway.

Constraints:

  • min: 1
  • max: 1024

createdAt -> (timestamp)

The timestamp when the gateway was created.

updatedAt -> (timestamp)

The timestamp when the gateway was last updated.

status -> (string)

The current status of the updated gateway.

Possible values:

  • CREATING
  • UPDATING
  • UPDATE_UNSUCCESSFUL
  • DELETING
  • READY
  • FAILED

statusReasons -> (list)

The reasons for the current status of the updated gateway.

Constraints:

  • min: 0
  • max: 100

(string)

Constraints:

  • min: 0
  • max: 2048

name -> (string)

The name of the gateway.

Constraints:

  • pattern: ([0-9a-zA-Z][-]?){1,100}

description -> (string)

The updated description of the gateway.

Constraints:

  • min: 1
  • max: 200

roleArn -> (string)

The updated IAM role ARN that provides permissions for the gateway.

Constraints:

  • min: 1
  • max: 2048
  • pattern: arn:aws(-[^:]+)?:iam::([0-9]{12})?:role/.+

protocolType -> (string)

The updated protocol type for the gateway.

Possible values:

  • MCP

protocolConfiguration -> (tagged union structure)

The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: mcp.

mcp -> (structure)

The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

supportedVersions -> (list)

The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

(string)

instructions -> (string)

The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

Constraints:

  • min: 1
  • max: 2048

searchType -> (string)

The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

Possible values:

  • SEMANTIC

authorizerType -> (string)

The updated authorizer type for the gateway.

Possible values:

  • CUSTOM_JWT
  • AWS_IAM
  • NONE

authorizerConfiguration -> (tagged union structure)

The updated authorizer configuration for the gateway.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: customJWTAuthorizer.

customJWTAuthorizer -> (structure)

The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

discoveryUrl -> (string) [required]

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Constraints:

  • pattern: .+/\.well-known/openid-configuration

allowedAudience -> (list)

Represents individual audience values that are validated in the incoming JWT token validation process.

Constraints:

  • min: 1

(string)

allowedClients -> (list)

Represents individual client IDs that are validated in the incoming JWT token validation process.

Constraints:

  • min: 1

(string)

allowedScopes -> (list)

An array of scopes that are allowed to access the token.

Constraints:

  • min: 1

(string)

Constraints:

  • min: 1
  • max: 255
  • pattern: [\x21\x23-\x5B\x5D-\x7E]+

customClaims -> (list)

An array of objects that define a custom claim validation name, value, and operation

Constraints:

  • min: 1

(structure)

Defines the name of a custom claim field and rules for finding matches to authenticate its value.

inboundTokenClaimName -> (string) [required]

The name of the custom claim field to check.

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-:]+

inboundTokenClaimValueType -> (string) [required]

The data type of the claim value to check for.

  • Use STRING if you want to find an exact match to a string you define.
  • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

Possible values:

  • STRING
  • STRING_ARRAY

authorizingClaimMatchValue -> (structure) [required]

Defines the value or values to match for and the relationship of the match.

claimMatchValue -> (tagged union structure) [required]

The value or values to match for.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: matchValueString, matchValueStringList.

matchValueString -> (string)

The string value to match for.

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-]+

matchValueStringList -> (list)

An array of strings to check for a match.

Constraints:

  • min: 1

(string)

Constraints:

  • min: 1
  • max: 255
  • pattern: [A-Za-z0-9_.-]+

claimMatchOperator -> (string) [required]

Defines the relationship between the claim field value and the value or values you’re matching for.

Possible values:

  • EQUALS
  • CONTAINS
  • CONTAINS_ANY

kmsKeyArn -> (string)

The updated ARN of the KMS key used to encrypt the gateway.

Constraints:

  • min: 1
  • max: 2048
  • pattern: arn:aws(|-cn|-us-gov):kms:[a-zA-Z0-9-]*:[0-9]{12}:key/[a-zA-Z0-9-]{36}

interceptorConfigurations -> (list)

The updated interceptor configurations for the gateway.

Constraints:

  • min: 1
  • max: 2

(structure)

The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

interceptor -> (tagged union structure) [required]

The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

Note

This is a Tagged Union structure. Only one of the following top level keys can be set: lambda.

lambda -> (structure)

The details of the lambda function used for the interceptor.

arn -> (string) [required]

The arn of the lambda function to be invoked for the interceptor.

Constraints:

  • min: 1
  • max: 170
  • pattern: arn:(aws[a-zA-Z-]*)?:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-]+))?

interceptionPoints -> (list) [required]

The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

Constraints:

  • min: 1
  • max: 2

(string)

Possible values:

  • REQUEST
  • RESPONSE

inputConfiguration -> (structure)

The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

passRequestHeaders -> (boolean) [required]

Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

policyEngineConfiguration -> (structure)

The updated policy engine configuration for the gateway.

arn -> (string) [required]

The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

Constraints:

  • min: 1
  • max: 170
  • pattern: arn:aws:bedrock-agentcore:[a-z0-9-]+:[0-9]{12}:policy-engine\/[a-zA-Z][a-zA-Z0-9-_]{0,99}-[a-zA-Z0-9_]{10}

mode -> (string) [required]

The enforcement mode for the policy engine. Valid values include:

  • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
  • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

Possible values:

  • LOG_ONLY
  • ENFORCE

workloadIdentityDetails -> (structure)

The workload identity details for the updated gateway.

workloadIdentityArn -> (string) [required]

The ARN associated with the workload identity.

Constraints:

  • min: 1
  • max: 1024

exceptionLevel -> (string)

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG , granular exception messages are returned to help a user debug the gateway.
  • If the value is omitted, a generic error message is returned to the end user.

Possible values:

  • DEBUG
© Copyright 2025, Amazon Web Services. Created using Sphinx.