RuntimeAuthorizerConfiguration

class aws_cdk.aws_bedrock_agentcore_alpha.RuntimeAuthorizerConfiguration

Bases: object

(experimental) Abstract base class for runtime authorizer configurations.

Provides static factory methods to create different authentication types.

Stability:

experimental

ExampleMetadata:

infused

Example:

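from aws_cdk import aws_ecr as ecr
import aws_cdk.aws_bedrock_agentcore_alpha as agentcore

# Inside a Stack or Construct, where `self` is the scope.
# ECR repository that holds the agent runtime container image.
repository = ecr.Repository(self, "TestRepository",
    repository_name="test-agent-runtime"
)
agent_runtime_artifact = agentcore.AgentRuntimeArtifact.from_ecr_repository(repository, "v1.0.0")

# Runtime that accepts only JWTs issued by the given Cognito User Pool
# (arguments: user_pool_id, client_id, region).
runtime = agentcore.Runtime(self, "MyAgentRuntime",
    runtime_name="myAgent",
    agent_runtime_artifact=agent_runtime_artifact,
    authorizer_configuration=agentcore.RuntimeAuthorizerConfiguration.using_cognito("us-west-2_ABC123", "client123", "us-west-2")
)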

Static Methods

classmethod using_cognito(user_pool_id, client_id, region=None, allowed_audience=None)

(experimental) Use AWS Cognito User Pool authentication.

Validates Cognito-issued JWT tokens.

Parameters:
  • user_pool_id (str) – The Cognito User Pool ID (e.g., ‘us-west-2_ABC123’).

  • client_id (str) – The Cognito App Client ID.

  • region (Optional[str]) – Optional AWS region where the User Pool is located (defaults to stack region).

  • allowed_audience (Optional[Sequence[str]]) – Optional array of allowed audiences.

Return type:

RuntimeAuthorizerConfiguration

Returns:

RuntimeAuthorizerConfiguration for Cognito authentication

Stability:

experimental

classmethod using_iam()

(experimental) Use IAM authentication (default).

Requires AWS credentials to sign requests using SigV4.

Return type:

RuntimeAuthorizerConfiguration

Returns:

RuntimeAuthorizerConfiguration for IAM authentication

Stability:

experimental

classmethod using_jwt(discovery_url, allowed_clients=None, allowed_audience=None)

(experimental) Use custom JWT authentication.

Validates JWT tokens against the specified OIDC provider.

Parameters:
  • discovery_url (str) – The OIDC discovery URL (must end with /.well-known/openid-configuration).

  • allowed_clients (Optional[Sequence[str]]) – Optional array of allowed client IDs.

  • allowed_audience (Optional[Sequence[str]]) – Optional array of allowed audiences.

Return type:

RuntimeAuthorizerConfiguration

Returns:

RuntimeAuthorizerConfiguration for JWT authentication

Stability:

experimental

classmethod using_o_auth(discovery_url, client_id, allowed_audience=None)

(experimental) Use OAuth 2.0 authentication. Supports various OAuth providers.

Parameters:
  • discovery_url (str) – The OIDC discovery URL (must end with /.well-known/openid-configuration).

  • client_id (str) – OAuth client ID.

  • allowed_audience (Optional[Sequence[str]]) – Optional array of allowed audiences.

Return type:

RuntimeAuthorizerConfiguration

Returns:

RuntimeAuthorizerConfiguration for OAuth authentication

Stability:

experimental
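
The following pre-deployment check is an added example, not code from aws-cdk: it reviews the arguments described above for using_jwt / using_o_auth (discovery URL suffix, optional client and audience lists) and for using_cognito (pool ID and region). The function names are hypothetical, idp.example.com is a constructed host, and the Cognito URL is the standard Cognito user pool discovery endpoint; this page does not state how using_cognito derives its URL.

```python
import re
from urllib.parse import urlsplit

OIDC_SUFFIX = "/.well-known/openid-configuration"
# Cognito user pool IDs have the form "<region>_<suffix>", e.g. "us-west-2_ABC123".
POOL_ID_RE = re.compile(r"^([a-z]{2}(?:-[a-z]+)+-\d)_[0-9A-Za-z]+$")


def check_discovery_url(discovery_url):
    """Return a list of problems with an OIDC discovery URL (empty if none)."""
    problems = []
    parts = urlsplit(discovery_url)
    if parts.scheme != "https":
        problems.append("discovery URL is not https")
    if not parts.hostname:
        problems.append("discovery URL has no host")
    if not discovery_url.endswith(OIDC_SUFFIX):
        problems.append("discovery URL must end with " + OIDC_SUFFIX)
    return problems


def cognito_discovery_url(user_pool_id, region=None, stack_region=None):
    """Build the Cognito discovery URL for a pool, rejecting a region mismatch."""
    match = POOL_ID_RE.match(user_pool_id)
    if not match:
        raise ValueError("malformed user pool ID: %r" % user_pool_id)
    pool_region = match.group(1)
    # Per the parameter docs, region falls back to the stack region when omitted.
    effective = region or stack_region
    if effective is not None and effective != pool_region:
        raise ValueError("region %r does not match pool region %r"
                         % (effective, pool_region))
    return "https://cognito-idp.%s.amazonaws.com/%s%s" % (
        pool_region, user_pool_id, OIDC_SUFFIX)


def review_jwt_authorizer(discovery_url, allowed_clients=None, allowed_audience=None):
    """Review the arguments one would pass to using_jwt before synthesizing."""
    findings = check_discovery_url(discovery_url)
    # Both lists are optional in the API; flag the case where neither is set
    # so the omission is a reviewed decision rather than an oversight.
    if not allowed_clients and not allowed_audience:
        findings.append("no allowed_clients or allowed_audience restriction")
    return findings
```

Run it in CI or a unit test against the same values passed to the factory methods, so a misconfigured authorizer is caught before the stack is deployed.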