2.238.0

class RuntimeAuthorizerConfiguration ๐Ÿ”น

LanguageType name
.NETAmazon.CDK.AWS.Bedrock.Agentcore.Alpha.RuntimeAuthorizerConfiguration
Gogithub.com/aws/aws-cdk-go/awsbedrockagentcorealpha/v2#RuntimeAuthorizerConfiguration
Javasoftware.amazon.awscdk.services.bedrock.agentcore.alpha.RuntimeAuthorizerConfiguration
Pythonaws_cdk.aws_bedrock_agentcore_alpha.RuntimeAuthorizerConfiguration
TypeScript (source)@aws-cdk/aws-bedrock-agentcore-alpha ยป RuntimeAuthorizerConfiguration

Abstract base class for runtime authorizer configurations.

Provides static factory methods to create different authentication types.

Example

const repository = new ecr.Repository(this, "TestRepository", {
  repositoryName: "test-agent-runtime",
});
const agentRuntimeArtifact = agentcore.AgentRuntimeArtifact.fromEcrRepository(repository, "v1.0.0");

// String claim - validates that the claim exactly equals the specified value
// Uses EQUALS operator automatically
const departmentClaim = agentcore.RuntimeCustomClaim.withStringValue('department', 'engineering');

// String array claim with CONTAINS operator (default)
// Validates that the claim array contains a specific string value
// IMPORTANT: CONTAINS requires exactly one value in the array parameter
const rolesClaim = agentcore.RuntimeCustomClaim.withStringArrayValue('roles', ['admin']);

// String array claim with CONTAINS_ANY operator
// Validates that the claim array contains at least one of the specified values
// Use this when you want to check for multiple possible values
const permissionsClaim = agentcore.RuntimeCustomClaim.withStringArrayValue(
  'permissions',
  ['read', 'write'],
  agentcore.CustomClaimOperator.CONTAINS_ANY
);

// Use custom claims in authorizer configuration
const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
  runtimeName: "myAgent",
  agentRuntimeArtifact: agentRuntimeArtifact,
  authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingJWT(
    "https://example.com/.well-known/openid-configuration",
    ["client1", "client2"],
    ["audience1"],
    ["read", "write"],
    [departmentClaim, rolesClaim, permissionsClaim] // Custom claims
  ),
});

Initializer

new RuntimeAuthorizerConfiguration()

Methods

NameDescription
static usingCognito(userPool, userPoolClients, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”นUse AWS Cognito User Pool authentication.
static usingIAM()๐Ÿ”นUse IAM authentication (default).
static usingJWT(discoveryUrl, allowedClients?, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”นUse custom JWT authentication.
static usingOAuth(discoveryUrl, clientId, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”นUse OAuth 2.0 authentication. Supports various OAuth providers.

static usingCognito(userPool, userPoolClients, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”น

public static usingCognito(userPool: IUserPool, userPoolClients: IUserPoolClient[], allowedAudience?: string[], allowedScopes?: string[], customClaims?: RuntimeCustomClaim[]): RuntimeAuthorizerConfiguration

Parameters

  • userPool IUserPool โ€” The Cognito User Pool.
  • userPoolClients IUserPoolClient[] โ€” The Cognito User Pool App Clients.
  • allowedAudience string[] โ€” Optional array of allowed audiences.
  • allowedScopes string[] โ€” Optional array of allowed scopes.
  • customClaims RuntimeCustomClaim[] โ€” Optional array of custom claim validations.

Returns

Use AWS Cognito User Pool authentication.

Validates Cognito-issued JWT tokens.

static usingIAM()๐Ÿ”น

public static usingIAM(): RuntimeAuthorizerConfiguration

Returns

Use IAM authentication (default).

Requires AWS credentials to sign requests using SigV4.

static usingJWT(discoveryUrl, allowedClients?, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”น

public static usingJWT(discoveryUrl: string, allowedClients?: string[], allowedAudience?: string[], allowedScopes?: string[], customClaims?: RuntimeCustomClaim[]): RuntimeAuthorizerConfiguration

Parameters

  • discoveryUrl string โ€” The OIDC discovery URL (must end with /.well-known/openid-configuration).
  • allowedClients string[] โ€” Optional array of allowed client IDs.
  • allowedAudience string[] โ€” Optional array of allowed audiences.
  • allowedScopes string[] โ€” Optional array of allowed scopes.
  • customClaims RuntimeCustomClaim[] โ€” Optional array of custom claim validations.

Returns

Use custom JWT authentication.

Validates JWT tokens against the specified OIDC provider.

static usingOAuth(discoveryUrl, clientId, allowedAudience?, allowedScopes?, customClaims?)๐Ÿ”น

public static usingOAuth(discoveryUrl: string, clientId: string, allowedAudience?: string[], allowedScopes?: string[], customClaims?: RuntimeCustomClaim[]): RuntimeAuthorizerConfiguration

Parameters

  • discoveryUrl string โ€” The OIDC discovery URL (must end with /.well-known/openid-configuration).
  • clientId string โ€” OAuth client ID.
  • allowedAudience string[] โ€” Optional array of allowed audiences.
  • allowedScopes string[] โ€” Optional array of allowed scopes.
  • customClaims RuntimeCustomClaim[] โ€” Optional array of custom claim validations.

Returns

Use OAuth 2.0 authentication. Supports various OAuth providers.

โ† PreviousNext โ†’