# Add targets to an existing AgentCore gateway Add targets to a gateway After creating a gateway, you can add targets, which define the tools that your gateway will host. AgentCore Gateway supports multiple target type that are detailed in the following topics. Each target can have its own credential provider attached, enabling you to securely control access targets. By adding targets, your gateway becomes a single MCP URL that enables access to all of the relevant tools for an agent. When you add a target, you provide the following required fields: + The ID of the gateway to which to add the target. + A name for the gateway target. To understand how the target name affects tool names, see [Understand how AgentCore Gateway tools are named](gateway-tool-naming.md). + A target configuration. The configuration differs depending on the gateway protocol type and your gateway target type. For more information, see [TargetConfiguration](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_TargetConfiguration.html) and its daughter pages. + A credential provider configuration. The configuration depends on the [outbound authorization](gateway-outbound-auth.md). You can optionally provide the following fields: + A description of the gateway target. + A client token value to ensure that a request completes no more than once. If you don’t include this token, one is randomly generated for you. If you don’t include a value, one is randomly generated for you. For more information, see [Ensuring idempotency](https://docs.aws.amazon.com/ec2/latest/devguide/ec2-api-idempotency.html). Select a topic to learn how to add a target to an existing gateway using that method: **Topics** + [ # Add a target using the AWS Management Console ](gateway-add-target-console.md) + [ # Add a target using the CLI ](gateway-add-target-cli.md) + [ # Add a target using the API ](gateway-add-target-api.md) # Add a target using the AWS Management Console Add a target using the AWS Management Console In the AWS Management Console, you can add gateway targets when you create the gateway. After you’ve created a gateway, you can add targets by doing the following: **To add a target to an existing gateway** 1. Open the AgentCore console at [https://console.aws.amazon.com/bedrock-agentcore/home\$1](https://console.aws.amazon.com/bedrock-agentcore/home#). 1. Choose **Gateways**. 1. Select the gateway to which you want to add a target. 1. In the **Targets** section, choose **Add**. 1. (Optional) Change the auto-generated **Target name**. 1. (Optional) Provide an **Target description**. 1. Select the **Target type** and fill in the fields that appear. 1. (If applicable) Choose whether to define the target inline or by selecting an S3 location. 1. Select a supported outbound authorization configuration and choose the outbound authorization resource, if applicable. 1. (Optional, if applicable) Expand **Additional configurations** and configure them. 1. Choose **Add target**. # Add a target using the CLI Add a target using the CLI You can use the AgentCore CLI to add targets to an existing gateway with simplified commands. **Example** 1. Add an MCP server target: ``` agentcore add gateway-target \ --name MyMCPTarget \ --type mcp-server \ --endpoint https://your-mcp-server.example.com/mcp \ --gateway MyGateway agentcore deploy ``` Add a Lambda function target: ``` agentcore add gateway-target \ --name MyLambdaTarget \ --type lambda-function-arn \ --lambda-arn arn:aws:lambda:us-east-1:123456789012:function:MyFunction \ --tool-schema-file tools.json \ --gateway MyGateway agentcore deploy ``` Add an OpenAPI schema target: ``` agentcore add gateway-target \ --name MyOpenAPITarget \ --type open-api-schema \ --schema path/to/openapi-spec.json \ --outbound-auth none|api-key|oauth \ --gateway MyGateway agentcore deploy ``` 1. You can also use the AgentCore CLI interactive terminal UI. Run `agentcore` to open the TUI, then select **add** and choose **Gateway Target** : 1. In the **Add Resource** menu, select **Gateway Target** and press **Enter**. ![\[TUI Add Resource menu with Gateway Target option visible\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-add-resource.png) 1. Select the target type for your gateway. The wizard shows the available target types, including MCP Server endpoint, API Gateway REST API, OpenAPI Schema, Smithy Model, and Lambda function. ![\[TUI target type selection showing MCP Server endpoint\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-mcp.png) 1. Follow the remaining wizard prompts to provide the target name, endpoint or schema details, and outbound authorization configuration. The specific fields depend on the target type you selected. For more CLI examples, see the [Get started with AgentCore Gateway](gateway-quick-start.md). # Add a target using the API Add a target using the API To add a target using the API, make a [CreateGatewayTarget](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGatewayTarget.html) request with one of the [AgentCore control plane endpoints](https://docs.aws.amazon.com/general/latest/gr/bedrock_agentcore.html#bedrock_agentcore_cp) and define a target configuration that matches the target type. **Note** To add an integration provider template as a gateway target, you must use the AWS Management Console. For more information, see [Built-in templates from integration providers as targets](gateway-target-integrations.md). When you create a gateway target, you specify the following configurations depending on what you set up when you fulfilled the prerequisites: + **A credential provider configuration** – To specify the authorization type and credentials to access the target. + **A target configuration** – To specify the target, tools, and how the gateway communicates with the target. To learn more about each type of configuration, see the following topics: **Topics** + [ # Specify the authorization type and credentials to access the gateway target ](gateway-building-adding-targets-authorization.md) + [ # Define the gateway target configuration ](gateway-add-target-api-target-config.md) # Specify the authorization type and credentials to access the gateway target Specify authorization type and credentials In the [CreateGatewayTarget](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateGatewayTarget.html) request body, you specify the credential provider configuration in the `credentialProviderConfigurations` array. The configuration depends on the outbound authorization type that you set up. For reference information about the API structure for the credential provider configuration, see [CredentialProviderConfiguration](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CredentialProviderConfiguration.html) . For more information on outbound authorization, see [Set up outbound authorization for your gateway](gateway-outbound-auth.md). To learn more about a credential provider configuration, select a topic: **Topics** + [ ## AgentCore Gateway service role (IAM) authorization ](#gateway-building-adding-targets-authorization-service-role) + [ ## OAuth authorization ](#gateway-building-adding-targets-authorization-oauth) + [ ## API key authorization ](#gateway-building-adding-targets-authorization-api-key) ## AgentCore Gateway service role (IAM) authorization If you’re using IAM authorization through an AgentCore Gateway service role for your target, specify the `credentialProviderType` as `GATEWAY_IAM_ROLE` . The configuration depends on your target type. **For Lambda, API Gateway, and Smithy targets** The `iamCredentialProvider` configuration is not needed because the target service name is already known to the AgentCore Gateway service. Use only the `credentialProviderType` configuration, as shown in the following example: ``` { "credentialProviderType": "GATEWAY_IAM_ROLE" } ``` **For MCP server targets** For MCP server targets, you must also provide an `iamCredentialProvider` with the service name used for [AWS Signature Version 4 (Sig V4)](https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html) signing. The `service` field is required. The `region` field is optional and defaults to the gateway’s Region. ``` { "credentialProviderType": "GATEWAY_IAM_ROLE", "credentialProvider": { "iamCredentialProvider": { "service": "bedrock-agentcore", "region": "us-west-2" } } } ``` The following table describes the fields in the `iamCredentialProvider` object: | Field | Required | Description | | --- | --- | --- | | `service` | Yes | The AWS service name used for SigV4 signing. This value must match the service name that the target expects when verifying the SigV4 signature. The following are common values: `bedrock-agentcore` – For MCP servers hosted on Amazon Bedrock AgentCore, such as the runtime (see [Deploy MCP servers in AgentCore Runtime](runtime-mcp.md) ) or another gateway. `execute-api` – For MCP servers behind Amazon API Gateway. `lambda` – For MCP servers behind Lambda Function URLs. | | `region` | No | The AWS Region for SigV4 signing. If omitted, defaults to the gateway’s Region. | ## OAuth authorization If you’re using OAuth authorization, you specify the `credentialProviderType` as `OAUTH` . In the object that the `credentialProvider` field maps to, map an `oauthCredentialProvider` field name to an [OAuthCredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_OAuthCredentialProvider.html) object and provide the values based on your outbound authorization setup. The structure of the [OAuthCredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_OAuthCredentialProvider.html) differs depending on the type of authentication pattern that you set up. To learn more about different authentication patterns, see [Supported authentication patterns](common-use-cases.md). + If you set up machine-to-machine authentication, also known as a client credentials grant or 2-legged OAuth (2LO), follow the structure in the **Client credentials** tab. + If you set up user-delegated access, also known as an authorization code grant or 3-legged OAuth (3LO), follow the structure in the **Authorization code** tab. Select one of the following methods: **Example** 1. Specify the `grantType` as `CLIENT_CREDENTIALS` , as in the following example: ``` { "credentialProviderType": "OAUTH", "credentialProvider": { "oauthCredentialProvider": { "providerArn": "string", "grantType": "CLIENT_CREDENTIALS", "scopes": [ "string", ... ], "customParameters": { "string": "string" } } } } ``` 1. Specify the `grantType` as `AUTHORIZATION_CODE` and include, in the `defaultReturnUrl` field, the URL to which to redirect the end user’s browser after obtaining the authorization code, as in the following example: ``` { "credentialProviderType": "OAUTH", "credentialProvider": { "oauthCredentialProvider": { "providerArn": "string", "grantType": "AUTHORIZATION_CODE", "defaultReturnUrl": "string", "scopes": [ "string", ... ], "customParameters": { "string": "string" } } } } ``` To learn more about 3LO authentication, see [OAuth 2.0 authorization URL session binding](oauth2-authorization-url-session-binding.md). ## API key authorization If you set up API key authorization, you specify the `credentialProviderType` as `API_KEY` . In the object that the `credentialProvider` field maps to, map an `apiKeyCredentialProvider` field name to an [ApiKeyCredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_ApiKeyCredentialProvider.html) object and provide the values based on your outbound authorization setup. The following JSON shows the structure: ``` { "credentialProviderType": "API_KEY", "credentialProvider": { "apiKeyCredentialProvider": { "providerArn": "string", "credentialLocation": "HEADER" | "QUERY_PARAMETER", "credentialParameterName": "string", "credentialPrefix": "string" } } } ``` # Define the gateway target configuration Define the target configuration The target configuration depends on the target type that you’re adding to the gateway. For more information about supported gateway target types, see [Supported targets for Amazon Bedrock AgentCore gateways](gateway-supported-targets.md). Select a topic to see examples of adding a target type: **Topics** + [ ## Add a Lambda target ](#gateway-add-target-api-lambda) + [ ## Add an API Gateway stage target ](#gateway-add-target-api-gateway) + [ ## Add an OpenAPI target ](#gateway-add-target-api-openapi) + [ ## Add a Smithy target ](#gateway-add-target-api-smithy) + [ ## Add an MCP server target ](#gateway-add-target-api-MCPserver) ## Add a Lambda target You can add a Lambda target to your gateway using the AgentCore CLI by specifying the `--type` as `lambda-function-arn` and providing the Lambda ARN and a tool schema file. **Target configuration** The target configuration (or payload) for a Lambda function contains the following fields: + **lambdaArn** – The ARN of the Lambda function to use as your target. + **toolSchema** – The tool schema for the gateway target. For more information about Lambda targets, see [AWS Lambda function targets](gateway-add-target-lambda.md). Select one of the following methods: **Example** 1. To add a Lambda function as a target, run `agentcore add gateway-target` with the `--type lambda-function-arn` option. Provide the Lambda ARN and a JSON file containing the tool schema: ``` agentcore add gateway-target \ --name MyLambdaTarget \ --type lambda-function-arn \ --lambda-arn arn:aws:lambda:us-east-1:123456789012:function:MyFunction \ --tool-schema-file tools.json \ --gateway MyGateway agentcore deploy ``` 1. With the AgentCore CLI, you can easily create a Lambda target with default configurations. ``` # Import dependencies from bedrock_agentcore_starter_toolkit.operations.gateway.client import GatewayClient # Initialize the client client = GatewayClient(region_name="us-east-1") # Create a lambda target. lambda_target = client.create_mcp_gateway_target( gateway=gateway, name=None, # If you don't set one, one will be generated. target_type="lambda", target_payload=None, # Define your own lambda if you pre-created one. Otherwise leave this as None and one will be created for you. credentials=None, # If you leave this as None, one will be created for you ) ``` The following is an example argument you can provide for the `target_payload` . If you omit the `target_payload` argument, this payload is used: ``` { "lambdaArn": "", "toolSchema": { "inlinePayload": [ { "name": "get_weather", "description": "Get weather for a location", "inputSchema": { "type": "object", "properties": { "location": { "type": "string", "description": "the location e.g. seattle, wa" } }, "required": [ "location" ] } }, { "name": "get_time", "description": "Get time for a timezone", "inputSchema": { "type": "object", "properties": { "timezone": { "type": "string" } }, "required": [ "timezone" ] } } ] } } ``` 1. The following Python code shows how to add a Lambda target using the AWS Python SDK (Boto3): ``` import boto3 # Create the agentcore client agentcore_client = boto3.client('bedrock-agentcore-control') # Create a Lambda target target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="LambdaTarget", targetConfiguration={ "mcp": { "lambda": { "lambdaArn": "arn:aws:lambda:us-west-2:123456789012:function:YourLambdaFunction", "toolSchema": { "inlinePayload": [ { "name": "get_weather", "description": "Get weather for a location", "inputSchema": { "type": "object", "properties": {"location": {"type": "string"}}, "required": ["location"], }, }, { "name": "get_time", "description": "Get time for a timezone", "inputSchema": { "type": "object", "properties": {"timezone": {"type": "string"}}, "required": ["timezone"], }, }, ] } } } }, credentialProviderConfigurations=[ { "credentialProviderType": "GATEWAY_IAM_ROLE" } ] ) ``` 1. In the AgentCore CLI interactive terminal UI, run `agentcore` , select **add** , choose **Gateway Target** , and then select **Lambda function** : ![\[TUI target type selection with Lambda function highlighted\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-lambda.png) The wizard then prompts you for the target name, Lambda function ARN, tool schema file, and outbound authorization configuration. ## Add an API Gateway stage target To add a stage of an API Gateway REST API as a target, specify the ARN of the API and stage and define settings to filter tools in the API gateway or to override names and descriptions of tools in the gateway: The following examples show how to add an API Gateway target. The following configurations are also applied: + The tools filtered for are the GET and POST methods for the `/products` path. + GET /products is renamed as `get_items`. Select one of the following methods: **Example** 1. To add an API Gateway REST API stage as a target, run `agentcore add gateway-target` with the `--type api-gateway` option: ``` agentcore add gateway-target \ --name MyAPIGatewayTarget \ --type api-gateway \ --rest-api-id your-rest-api-id \ --stage your-stage \ --gateway MyGateway agentcore deploy ``` 1. The following command uses the AWS CLI: ``` aws bedrock-agentcore-control create-gateway-target \ --gateway-identifier "your-gateway-id" \ --name "SearchAPITarget" \ --target-configuration '{ "mcp": { "apiGateway": { "restApiId": rest-api-id, "stage": stage, "apiGatewayToolConfiguration": { "toolFilters": [ { "filterPath": "/products", "methods": [ "GET", "POST" ] } ], "toolOverrides": [ { "path": "/products", "method": "GET", "name": "get_items", "description": "Gets information for items in the list of products." } ] } } } }' --credential-provider-configurations '[ { "credentialProviderType": "GATEWAY_IAM_ROLE" } ]' ``` 1. The following code shows uses the AWS Python SDK (Boto3): ``` import boto3 # Create the client agentcore_client = boto3.client('bedrock-agentcore-control') # Create an API gateway REST API target with gateway service role authentication target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="SearchAPITarget", targetConfiguration={ "mcp": { "apiGateway": { "restApiId": rest-api-id, "stage": stage, "apiGatewayToolConfiguration": { "toolFilters": [ { "filterPath": "/products", "methods": [ "GET", "POST" ] } ], "toolOverrides": [ { "path": "/products", "method": "GET", "name": "get_item", "description": "Gets information for a specific item in the product list." } ] } } } }, credentialProviderConfigurations=[ { "credentialProviderType": "GATEWAY_IAM_ROLE" } ] ) ``` 1. In the AgentCore CLI interactive terminal UI, run `agentcore` , select **add** , choose **Gateway Target** , and then select **API Gateway REST API** : ![\[TUI target type selection showing API Gateway REST API option\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-apigw.png) The wizard then prompts you for the target name, REST API ID, stage, and outbound authorization configuration. ## Add an OpenAPI target Select one of the following methods: **Example** 1. To add an OpenAPI schema target, run `agentcore add gateway-target` with the `--type open-api-schema` option and provide the path to your OpenAPI specification file: ``` agentcore add gateway-target \ --name MyOpenAPITarget \ --type open-api-schema \ --schema path/to/openapi-spec.json \ --outbound-auth none|api-key|oauth \ --gateway MyGateway agentcore deploy ``` 1. The following Python code shows how to add an OpenAPI target using the AWS Python SDK (Boto3). The schema has been uploaded to an S3 location whose URI is referenced in the `target_payload` . Outbound authorization for the target is through an API key. ``` import boto3 # Create the client agentcore_client = boto3.client('bedrock-agentcore-control') # Create an OpenAPI target with API Key authentication target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="SearchAPITarget", targetConfiguration={ "mcp": { "openApiSchema": { "s3": { "uri": "s3://your-bucket/path/to/open-api-spec.json", "bucketOwnerAccountId": "123456789012" } } } }, credentialProviderConfigurations=[ { "credentialProviderType": "API_KEY", "credentialProvider": { "apiKeyCredentialProvider": { "providerArn": "arn:aws:agent-credential-provider:us-east-1:123456789012:token-vault/default/apikeycredentialprovider/abcdefghijk", "credentialLocation": "HEADER", "credentialParameterName": "X-API-Key" } } } ] ) ``` 1. In the AgentCore CLI interactive terminal UI, run `agentcore` , select **add** , choose **Gateway Target** , and then select **OpenAPI Schema** : ![\[TUI target type selection showing OpenAPI Schema option\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-openapi.png) The wizard then prompts you for the target name, path to the OpenAPI specification file, and outbound authorization configuration. ## Add a Smithy target Select one of the following methods: **Example** 1. To add a Smithy model target, run `agentcore add gateway-target` with the `--type smithy-model` option and provide the path to your Smithy model file: ``` agentcore add gateway-target \ --name MySmithyTarget \ --type smithy-model \ --schema path/to/smithy-model.json \ --gateway MyGateway agentcore deploy ``` 1. The following Python code shows how to add a Smithy model target using the AWS Python SDK (Boto3): ``` import boto3 # Create the agentcore client agentcore_client = boto3.client('bedrock-agentcore-control') # Create a Smithy model target target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="DynamoDBTarget", targetConfiguration={ "mcp": { "smithyModel": { "s3": { "uri": "s3://your-bucket/path/to/smithy-model.json", "bucketOwnerAccountId": "123456789012" } } } }, credentialProviderConfigurations=[ { "credentialProviderType": "GATEWAY_IAM_ROLE" } ] ) ``` 1. In the AgentCore CLI interactive terminal UI, run `agentcore` , select **add** , choose **Gateway Target** , and then select **Smithy Model** : ![\[TUI target type selection showing Smithy Model option\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-smithy.png) The wizard then prompts you for the target name, path to the Smithy model file, and outbound authorization configuration. ## Add an MCP server target You can add an MCP server target using the AgentCore CLI or AWS Python SDK (Boto3). The following examples show how to create an MCP server target with different outbound authorization types. **MCP server with IAM (SigV4) authorization** The following example creates an MCP server target with IAM authorization. The gateway signs requests to the MCP server using SigV4 with the gateway service role’s credentials. You must specify the `service` name for signing. The `region` is optional and defaults to the gateway’s Region. The value of `service` depends on where your MCP server is hosted. The following are common values: + `bedrock-agentcore` – For MCP servers hosted on Amazon Bedrock AgentCore, such as the runtime (see [Deploy MCP servers in AgentCore Runtime](runtime-mcp.md) ) or another gateway. + `execute-api` – For MCP servers behind Amazon API Gateway. + `lambda` – For MCP servers behind Lambda Function URLs. Select one of the following methods: **Example** 1. ``` aws bedrock-agentcore-control create-gateway-target \ --gateway-identifier "your-gateway-id" \ --name "MyMCPTarget" \ --target-configuration '{ "mcp": { "mcpServer": { "endpoint": "https://my-server.bedrock-agentcore.us-west-2.api.aws" } } }' \ --credential-provider-configurations '[{ "credentialProviderType": "GATEWAY_IAM_ROLE", "credentialProvider": { "iamCredentialProvider": { "service": "bedrock-agentcore", "region": "us-west-2" } } }]' ``` 1. In the AgentCore CLI interactive terminal UI, run `agentcore` , select **add** , choose **Gateway Target** , and then select **MCP Server endpoint** : ![\[TUI target type selection with MCP Server endpoint highlighted\]](http://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/images/tui/gateway-target-type-mcp.png) The wizard then prompts you for the target name, MCP server endpoint URL, and outbound authorization configuration. 1. ``` import boto3 agentcore_client = boto3.client('bedrock-agentcore-control') target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="MyMCPTarget", targetConfiguration={ "mcp": { "mcpServer": { "endpoint": "https://my-server.bedrock-agentcore.us-west-2.api.aws" } } }, credentialProviderConfigurations=[ { "credentialProviderType": "GATEWAY_IAM_ROLE", "credentialProvider": { "iamCredentialProvider": { "service": "bedrock-agentcore", "region": "us-west-2" } } } ] ) ``` **MCP server with OAuth authorization** The following example creates an MCP server target with OAuth (client credentials) authorization. Select one of the following methods: **Example** 1. ``` aws bedrock-agentcore-control create-gateway-target \ --gateway-identifier "your-gateway-id" \ --name "MyMCPTarget" \ --target-configuration '{ "mcp": { "mcpServer": { "endpoint": "https://my-mcp-server.example.com" } } }' \ --credential-provider-configurations '[{ "credentialProviderType": "OAUTH", "credentialProvider": { "oauthCredentialProvider": { "providerArn": "arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/oauth2credentialprovider/my-oauth-provider", "scopes": [] } } }]' ``` 1. To add an MCP server target with OAuth authorization, run `agentcore add gateway-target` with the `--type mcp-server` option and specify the OAuth credentials: ``` agentcore add gateway-target \ --type mcp-server \ --name MyMCPTarget \ --endpoint https://my-mcp-server.example.com \ --gateway MyGateway \ --outbound-auth oauth \ --oauth-client-id my-client \ --oauth-client-secret my-secret \ --oauth-discovery-url https://auth.example.com/.well-known/openid-configuration agentcore deploy ``` 1. ``` import boto3 agentcore_client = boto3.client('bedrock-agentcore-control') target = agentcore_client.create_gateway_target( gatewayIdentifier="your-gateway-id", name="MyMCPTarget", targetConfiguration={ "mcp": { "mcpServer": { "endpoint": "https://my-mcp-server.example.com" } } }, credentialProviderConfigurations=[ { "credentialProviderType": "OAUTH", "credentialProvider": { "oauthCredentialProvider": { "providerArn": "arn:aws:bedrock-agentcore:us-west-2:123456789012:token-vault/default/oauth2credentialprovider/my-oauth-provider", "scopes": [] } } } ] ) ```