interface IWorkloadIdentity
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.IWorkloadIdentity |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#IWorkloadIdentity |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.IWorkloadIdentity |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.IWorkloadIdentity |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » IWorkloadIdentity |
Implements
IDependable, IConstruct, IEnvironment, IResource, IGrantable, IWorkload
Implemented by
Workload
Obtainable from
Workload.fromWorkloadIdentityAttributes()
A workload identity for Amazon Bedrock AgentCore.
Represents the stable identity of an agent within an account's agent identity directory. It ties together IAM roles, OAuth2 flows, API keys, and workload access tokens for consistent authentication across environments.
Properties
| Name | Type | Description |
|---|---|---|
| env | Resource | The environment this resource belongs to. |
| grantPrincipal | IPrincipal | The principal to grant permissions to. |
| node | Node | The tree node. |
| stack | Stack | The stack in which this resource is defined. |
| workloadIdentityArn | string | The ARN of this workload identity. |
| workloadIdentityName | string | The name of this workload identity. |
| workloadIdentityRef | Workload | A reference to a WorkloadIdentity resource. |
| createdTime? | string | Timestamp when the workload identity was created. |
| lastUpdatedTime? | string | Timestamp when the workload identity was last updated. |
env
Type:
Resource
The environment this resource belongs to.
For resources that are created and managed in a Stack (those created by
creating new class instances like new Role(), new Bucket(), etc.), this
is always the same as the environment of the stack they belong to.
For referenced resources (those obtained from referencing methods like
Role.fromRoleArn(), Bucket.fromBucketName(), etc.), they might be
different than the stack they were imported into.
grantPrincipal
Type:
IPrincipal
The principal to grant permissions to.
node
Type:
Node
The tree node.
stack
Type:
Stack
The stack in which this resource is defined.
workloadIdentityArn
Type:
string
The ARN of this workload identity.
workloadIdentityName
Type:
string
The name of this workload identity.
workloadIdentityRef
Type:
Workload
A reference to a WorkloadIdentity resource.
createdTime?
Type:
string
(optional)
Timestamp when the workload identity was created.
lastUpdatedTime?
Type:
string
(optional)
Timestamp when the workload identity was last updated.
Methods
| Name | Description |
|---|---|
| applyRemovalPolicy(policy) | Apply the given removal policy to this resource. |
| grant(grantee, ...actions) | Grants IAM actions on this workload identity, scoped to its ARN and the parent resources required by the Bedrock AgentCore authorization model. |
| grantAdmin(grantee) | Grant control plane permissions to manage this workload identity. |
| grantFullAccess(grantee) | Grant read, list, admin, and use permissions. |
| grantRead(grantee) | Grant GetWorkloadIdentity and ListWorkloadIdentities, scoped to this identity and parent resources required by the Bedrock AgentCore authorization model. |
| grantUse(grantee) | Grant data plane permissions to mint workload access tokens (GetWorkloadAccessToken, GetWorkloadAccessTokenForJWT, GetWorkloadAccessTokenForUserId). |
| with(...mixins) | Applies one or more mixins to this construct. |
applyRemovalPolicy(policy)
public applyRemovalPolicy(policy: RemovalPolicy): void
Parameters
- policy
RemovalPolicy
Apply the given removal policy to this resource.
The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.
The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS
account for data recovery and cleanup later (RemovalPolicy.RETAIN).
grant(grantee, ...actions)
public grant(grantee: IGrantable, ...actions: string[]): Grant
Parameters
- grantee
IGrantable
- actions
string
Returns
Grants IAM actions on this workload identity, scoped to its ARN and the parent resources required by the Bedrock AgentCore authorization model.
grantAdmin(grantee)
public grantAdmin(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant control plane permissions to manage this workload identity.
grantFullAccess(grantee)
public grantFullAccess(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant read, list, admin, and use permissions.
grantRead(grantee)
public grantRead(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant GetWorkloadIdentity and ListWorkloadIdentities, scoped to this identity and parent resources required by the Bedrock AgentCore authorization model.
grantUse(grantee)
public grantUse(grantee: IGrantable): Grant
Parameters
- grantee
IGrantable
Returns
Grant data plane permissions to mint workload access tokens (GetWorkloadAccessToken, GetWorkloadAccessTokenForJWT, GetWorkloadAccessTokenForUserId).
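The read and use grants above differ in whether the grantee can mint workload access tokens, so a synthesized policy is worth checking for token-minting actions that reach a wildcard resource. The following is an added example, not part of the CDK library or its documentation; the bedrock-agentcore: action prefix, the ARN and the sample statements are assumptions constructed for illustration.

```typescript
// Added example, not CDK library code. The "bedrock-agentcore:" action prefix,
// the ARN and the sample policy below are assumptions constructed for illustration.
type Statement = { Effect: string; Action: string | string[]; Resource: string | string[] };
type Finding = { index: number; actions: string[]; resources: string[] };

const PREFIX = "bedrock-agentcore:";
// Data plane actions listed in the grantUse description.
const MINT_ACTIONS = ["GetWorkloadAccessToken", "GetWorkloadAccessTokenForJWT",
  "GetWorkloadAccessTokenForUserId"].map((a) => PREFIX + a);

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM action patterns are case-insensitive and may use * and ? wildcards.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + body + "$", "i").test(action);
}

// Token-minting actions that an Allow statement covers, wildcards expanded.
function mintActionsAllowed(stmt: Statement): string[] {
  if (stmt.Effect !== "Allow") return [];
  const patterns = asList(stmt.Action);
  return MINT_ACTIONS.filter((a) => patterns.some((p) => actionMatches(p, a)));
}

// Report statements that allow minting workload access tokens on a wildcard resource.
function auditTokenMinting(statements: Statement[]): Finding[] {
  const findings: Finding[] = [];
  statements.forEach((stmt, index) => {
    const actions = mintActionsAllowed(stmt);
    const resources = asList(stmt.Resource).filter((r) => r.indexOf("*") !== -1);
    if (actions.length > 0 && resources.length > 0) findings.push({ index, actions, resources });
  });
  return findings;
}

const ID_ARN = "arn:aws:bedrock-agentcore:us-east-1:111122223333:" +
  "workload-identity-directory/default/workload-identity/example-agent"; // constructed
const SAMPLE_POLICY: Statement[] = [
  // Shape of a read grant: describe and list only, scoped to one identity.
  { Effect: "Allow", Resource: ID_ARN,
    Action: [PREFIX + "GetWorkloadIdentity", PREFIX + "ListWorkloadIdentities"] },
  // Shape of a use grant: token minting scoped to one identity.
  { Effect: "Allow", Resource: [ID_ARN], Action: MINT_ACTIONS },
  // Hand-written statement: "Get*" silently includes all three minting actions.
  { Effect: "Allow", Resource: "*", Action: "bedrock-agentcore:Get*" },
  { Effect: "Deny", Resource: "*", Action: PREFIX + "GetWorkloadAccessToken" },
];
```

Calling auditTokenMinting(SAMPLE_POLICY) reports only the hand-written wildcard statement; the scoped read and use statements and the Deny produce no finding.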
with(...mixins)
public with(...mixins: IMixin[]): IConstruct
Parameters
- mixins
IMixin - The mixins to apply.
Returns
Applies one or more mixins to this construct.
Mixins are applied in order. The list of constructs is captured at the start of the call, so constructs added by a mixin will not be visited.
