interface OAuthConfiguration
| Language | Type name |
|---|---|
| .NET | Amazon.CDK.AWS.Bedrock.Agentcore.Alpha.OAuthConfiguration |
| Go | github.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#OAuthConfiguration |
| Java | software.amazon.awscdk.services.bedrock.agentcore.alpha.OAuthConfiguration |
| Python | aws_cdk.aws_bedrock_agentcore_alpha.OAuthConfiguration |
| TypeScript (source) | @aws-cdk/aws-bedrock-agentcore-alpha » OAuthConfiguration |
OAuth configuration.
Example
```ts
import * as agentcore from "@aws-cdk/aws-bedrock-agentcore-alpha";
import * as lambda from "aws-cdk-lib/aws-lambda";

// Runs inside a Stack or Construct, where `this` is the construct scope.
const gateway = new agentcore.Gateway(this, "MyGateway", {
  gatewayName: "my-gateway",
});

// OAuth2 authentication (recommended)
// Note: Create the OAuth provider using AWS console or Identity L2 construct when available
const oauthProviderArn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth";
const oauthSecretArn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123";

// Add an MCP server target directly to the gateway
const mcpTarget = gateway.addMcpServerTarget("MyMcpServer", {
  gatewayTargetName: "my-mcp-server",
  description: "External MCP server integration",
  endpoint: "https://my-mcp-server.example.com",
  credentialProviderConfigurations: [
    agentcore.GatewayCredentialProvider.fromOauthIdentityArn({
      providerArn: oauthProviderArn,
      secretArn: oauthSecretArn,
      scopes: ["mcp-runtime-server/invoke"],
    }),
  ],
});

// Grant sync permission to a Lambda function that will trigger synchronization
const syncFunction = new lambda.Function(this, "SyncFunction", {
  runtime: lambda.Runtime.PYTHON_3_12,
  handler: "index.handler",
  // The inline Python must start at column 0 and keep its own indentation.
  code: lambda.Code.fromInline(`
import boto3

def handler(event, context):
    client = boto3.client('bedrock-agentcore')
    response = client.synchronize_gateway_targets(
        gatewayIdentifier=event['gatewayId'],
        targetIds=[event['targetId']]
    )
    return response
`),
});

mcpTarget.grantSync(syncFunction);
```
Properties
| Name | Type | Description |
|---|---|---|
| providerArn | string | The OAuth credential provider ARN. |
| scopes | string[] | The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider. |
| secretArn | string | The ARN of the Secrets Manager secret containing OAuth credentials (client ID and secret). |
| customParameters? | { [string]: string } | Custom parameters for the OAuth flow. |
providerArn
Type: string
The OAuth credential provider ARN.
This is returned when creating the OAuth credential provider via Console or API.
Format: arn:aws:bedrock-agentcore:region:account:token-vault/id/oauth2credentialprovider/name
Required: Yes
scopes
Type: string[]
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
Array Members: Minimum number of 0 items. Maximum number of 100 items.
Length Constraints: Minimum length of 1. Maximum length of 64.
Required: Yes
secretArn
Type: string
The ARN of the Secrets Manager secret containing OAuth credentials (client ID and secret).
This is returned when creating the OAuth credential provider via Console or API.
Format: arn:aws:secretsmanager:region:account:secret:name
Required: Yes
customParameters?
Type: { [string]: string } (optional, default: No custom parameters)
Custom parameters for the OAuth flow.
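
The ARN formats and scope limits listed above for providerArn, secretArn and scopes can be checked before the values reach the construct, which catches swapped ARNs and malformed scopes early. This is an added example, not code from the CDK library or from this page; `validateOAuthConfiguration`, `OAuthConfigurationLike`, `GOOD_CONFIG` and `BAD_CONFIG` are hypothetical names, and it assumes literal string values (not unresolved CDK tokens) in the `aws` partition with 12-digit account IDs.

```typescript
// Hypothetical mirror of the OAuthConfiguration properties documented above.
interface OAuthConfigurationLike {
  providerArn: string;
  secretArn: string;
  scopes: string[];
  customParameters?: { [key: string]: string };
}

// arn:aws:bedrock-agentcore:region:account:token-vault/id/oauth2credentialprovider/name
const PROVIDER_ARN_RE =
  /^arn:aws:bedrock-agentcore:[a-z0-9-]+:\d{12}:token-vault\/[^\/]+\/oauth2credentialprovider\/[^\/]+$/;
// arn:aws:secretsmanager:region:account:secret:name
const SECRET_ARN_RE = /^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:.+$/;

// Returns one message per violated constraint; an empty array means the
// values satisfy the documented formats and limits.
function validateOAuthConfiguration(cfg: OAuthConfigurationLike): string[] {
  const errors: string[] = [];
  if (!PROVIDER_ARN_RE.test(cfg.providerArn)) {
    errors.push("providerArn: not a token-vault oauth2credentialprovider ARN");
  }
  if (!SECRET_ARN_RE.test(cfg.secretArn)) {
    errors.push("secretArn: not a Secrets Manager secret ARN");
  }
  if (cfg.scopes.length > 100) {
    errors.push("scopes: " + cfg.scopes.length + " items exceeds the maximum of 100");
  }
  cfg.scopes.forEach((scope: string, i: number) => {
    if (scope.length < 1 || scope.length > 64) {
      errors.push("scopes[" + i + "]: length " + scope.length + " is outside 1..64");
    }
  });
  return errors;
}

// Sample values taken from the example on this page.
const GOOD_CONFIG: OAuthConfigurationLike = {
  providerArn: "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth",
  secretArn: "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123",
  scopes: ["mcp-runtime-server/invoke"],
};

// Constructed failure case: the two ARNs are swapped and one scope is empty.
const BAD_CONFIG: OAuthConfigurationLike = {
  providerArn: GOOD_CONFIG.secretArn,
  secretArn: GOOD_CONFIG.providerArn,
  scopes: ["mcp-runtime-server/invoke", ""],
};
```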
