GatewayCredentialProvider

class aws_cdk.aws_bedrock_agentcore_alpha.GatewayCredentialProvider

Bases: object

(experimental) Factory class for creating different Gateway Credential Providers.

Stability:: experimental
ExampleMetadata:: fixture=default infused

Example:

gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-gateway"
)

# OAuth2 authentication (recommended)
# Note: Create the OAuth provider using AWS console or Identity L2 construct when available
oauth_provider_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth"
oauth_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123"

# Add an MCP server target directly to the gateway
mcp_target = gateway.add_mcp_server_target("MyMcpServer",
    gateway_target_name="my-mcp-server",
    description="External MCP server integration",
    endpoint="https://my-mcp-server.example.com",
    credential_provider_configurations=[
        agentcore.GatewayCredentialProvider.from_oauth_identity_arn(
            provider_arn=oauth_provider_arn,
            secret_arn=oauth_secret_arn,
            scopes=["mcp-runtime-server/invoke"]
        )
    ]
)

# Grant sync permission to a Lambda function that will trigger synchronization
sync_function = lambda_.Function(self, "SyncFunction",
    runtime=lambda_.Runtime.PYTHON_3_12,
    handler="index.handler",
    code=lambda_.Code.from_inline("""
        import boto3

        def handler(event, context):
            client = boto3.client('bedrock-agentcore')
            response = client.synchronize_gateway_targets(
                gatewayIdentifier=event['gatewayId'],
                targetIds=[event['targetId']]
            )
            return response
          """)
)

mcp_target.grant_sync(sync_function)

Stability:: experimental

Static Methods

classmethod from_api_key_identity_arn(*, provider_arn, secret_arn, credential_location=None)

(experimental) Create an API key credential provider from Identity ARN Use this method when you have the Identity ARN as a string.

Parameters:

provider_arn (str) – (experimental) The API key credential provider ARN. This is returned when creating the API key credential provider via Console or API. Format: arn:aws:bedrock-agentcore:region:account:token-vault/id/apikeycredentialprovider/name
secret_arn (str) – (experimental) The ARN of the Secrets Manager secret containing the API key. This is returned when creating the API key credential provider via Console or API. Format: arn:aws:secretsmanager:region:account:secret:name
credential_location (Optional[ApiKeyCredentialLocation]) – (experimental) The location of the API key credential. This field specifies where in the request the API key should be placed. Default: - HEADER

Return type:

ICredentialProviderConfig

Returns:

ICredentialProviderConfig configured for API key authentication

Stability:

experimental

classmethod from_iam_role()

(experimental) Create an IAM role credential provider.

Return type:: ICredentialProviderConfig
Returns:: IIamRoleCredentialProvider configured for IAM role authentication
Stability:: experimental

classmethod from_oauth_identity_arn(*, provider_arn, scopes, secret_arn, custom_parameters=None)

(experimental) Create an OAuth credential provider from Identity ARN Use this method when you have the Identity ARN as a string.