class ApiKeyCredentialProvider (construct)
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.ApiKeyCredentialProvider |
 Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#ApiKeyCredentialProvider |
 Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.ApiKeyCredentialProvider |
 Python | aws_cdk.aws_bedrock_agentcore_alpha.ApiKeyCredentialProvider |
 TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha ยป ApiKeyCredentialProvider |
Implements
IConstruct, IDependable, IResource, IEnvironment, IApi, IGrantable, IApi
L2 construct for AWS::BedrockAgentCore::ApiKeyCredentialProvider.
Use this to register an API key identity in AgentCore Token Vault. To attach the identity to a gateway target, use {@link GatewayCredentialProvider.fromApiKeyIdentity } with this construct, or {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} with {@link GatewayCredentialProvider.fromApiKeyIdentityArn }.
Example
const gateway = new agentcore.Gateway(this, "MyGateway", {
gatewayName: "my-gateway",
});
// Create an API key credential provider in Token Vault
const apiKeyProvider = new agentcore.ApiKeyCredentialProvider(this, "MyApiKeyProvider", {
apiKeyCredentialProviderName: "my-apikey",
});
const bucket = s3.Bucket.fromBucketName(this, "ExistingBucket", "my-schema-bucket");
const s3mySchema = agentcore.ApiSchema.fromS3File(bucket, "schemas/myschema.yaml");
// Add an OpenAPI target using the L2 construct directly
const target = gateway.addOpenApiTarget("MyTarget", {
gatewayTargetName: "my-api-target",
description: "Target for external API integration",
apiSchema: s3mySchema,
credentialProviderConfigurations: [
agentcore.GatewayCredentialProvider.fromApiKeyIdentity(apiKeyProvider, {
credentialLocation: agentcore.ApiKeyCredentialLocation.header({
credentialParameterName: "X-API-Key",
}),
}),
],
});
// This makes sure your s3 bucket is available before target
target.node.addDependency(bucket);
Initializer
new ApiKeyCredentialProvider(scope: Construct, id: string, props?: ApiKeyCredentialProviderResourceProps)
Parameters
- scope
Construct - id
string - props
ApiKey Credential Provider Resource Props
Construct Props
| Name | Type | Description |
|---|---|---|
| api | Secret | The API key value. |
| api | string | Name of the credential provider. |
| tags? | { [string]: string } | Tags for this credential provider. |
apiKey?
Type:
Secret
(optional, default: no key in template (provider may still be created depending on service behavior))
The API key value.
NOTE: The API key will be included in the CloudFormation template as part of synthesis.
The service stores the key in Secrets Manager after creation, but the value is visible
in the template and deployment history. Use SecretValue.unsafePlainText() to explicitly
acknowledge plaintext, or pass a reference from another construct to avoid embedding the
literal value.
If omitted, you can supply the key through another mechanism supported by the service.
apiKeyCredentialProviderName?
Type:
string
(optional, default: a name generated by CDK)
Name of the credential provider.
tags?
Type:
{ [string]: string }
(optional, default: no tags)
Tags for this credential provider.
Properties
| Name | Type | Description |
|---|---|---|
| api | string | The name of this API key credential provider. |
| api | Api | A reference to a ApiKeyCredentialProvider resource. |
| credential | string | The ARN of this credential provider. |
| env | Resource | The environment this resource belongs to. |
| grant | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| stack | Stack | The stack in which this resource is defined. |
| api | string | The ARN of the Secrets Manager secret that stores the API key after the resource is created. |
| created | string | Timestamp when the credential provider was created. |
| last | string | Timestamp when the credential provider was last updated. |
| static PROPERTY_INJECTION_ID | string | Uniquely identifies this class. |
apiKeyCredentialProviderName
Type:
string
The name of this API key credential provider.
apiKeyCredentialProviderRef
Type:
Api
A reference to a ApiKeyCredentialProvider resource.
credentialProviderArn
Type:
string
The ARN of this credential provider.
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed in a Stack (those created by
creating new class instances like new Role(), new Bucket(), etc.), this
is always the same as the environment of the stack they belong to.
For referenced resources (those obtained from referencing methods like
Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be
different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
stack
Type:
Stack
The stack in which this resource is defined.
apiKeySecretArn?
Type:
string
(optional)
The ARN of the Secrets Manager secret that stores the API key after the resource is created.
May be undefined for resources imported without this attribute.
createdTime?
Type:
string
(optional)
Timestamp when the credential provider was created.
lastUpdatedTime?
Type:
string
(optional)
Timestamp when the credential provider was last updated.
static PROPERTY_INJECTION_ID
Type:
string
Uniquely identifies this class.
Methods
| Name | Description |
|---|---|
| apply | Apply the given removal policy to this resource. |
| bind | ARNs for {@link GatewayCredentialProvider.fromApiKeyIdentity } / {@link GatewayCredentialProvider.fromApiKeyIdentityArn }. |
| grant(grantee, ...actions) | [disable-awslint:no-grants]. |
| grant | [disable-awslint:no-grants]. |
| grant | [disable-awslint:no-grants]. |
| grant | [disable-awslint:no-grants]. |
| grant | [disable-awslint:no-grants]. |
| to | Returns a string representation of this construct. |
| with(...mixins) | Applies one or more mixins to this construct. |
| static from | Import an existing API key credential provider. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
bindForGatewayApiKeyTarget()
public bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding
Returns
ARNs for {@link GatewayCredentialProvider.fromApiKeyIdentity } / {@link GatewayCredentialProvider.fromApiKeyIdentityArn }.
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee
IGrantable - actions
string
Returns
[disable-awslint:no-grants].
grantAdmin(grantee)
public grantAdmin(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
[disable-awslint:no-grants].
grantFullAccess(grantee)
public grantFullAccess(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
[disable-awslint:no-grants].
grantRead(grantee)
public grantRead(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
[disable-awslint:no-grants].
grantUse(grantee)
public grantUse(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
[disable-awslint:no-grants].
toString()
public toString(): string
Returns
string
Returns a string representation of this construct.
with(...mixins)
public with(...mixins: IMixin[]): IConstruct
Parameters
- mixins
IMixin
Returns
Applies one or more mixins to this construct.
Mixins are applied in order. The list of constructs is captured at the
start of the call, so constructs added by a mixin will not be visited.
Use multiple with() calls if subsequent mixins should apply to added
constructs.
static fromApiKeyCredentialProviderAttributes(scope, id, attrs)
public static fromApiKeyCredentialProviderAttributes(scope: Construct, id: string, attrs: ApiKeyCredentialProviderAttributes): IApiKeyCredentialProvider
Parameters
- scope
Construct - id
string - attrs
ApiKey Credential Provider Attributes
Returns
Import an existing API key credential provider.