Package software.amazon.awscdk.services.bedrockagentcore

Class ApiKeyCredentialProvider

java.lang.Object

software.amazon.jsii.JsiiObject

software.constructs.Construct

software.amazon.awscdk.Resource

software.amazon.awscdk.services.bedrockagentcore.ApiKeyCredentialProvider

All Implemented Interfaces:

IApiKeyCredentialProviderRef, IEnvironmentAware, IResource, IApiKeyCredentialProvider, IGrantable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable

@Generated(value="jsii-pacmak/1.129.0 (build eaca441)",
           date="2026-05-19T08:18:44.218Z")
@Stability(Stable)
public class ApiKeyCredentialProvider
extends Resource
implements IApiKeyCredentialProvider

L2 construct for AWS::BedrockAgentCore::ApiKeyCredentialProvider.

Use this to register an API key identity in AgentCore Token Vault. To attach the identity to a gateway target, use

invalid reference

GatewayCredentialProvider.fromApiKeyIdentity

with this construct, or

invalid reference

ApiKeyCredentialProvider.bindForGatewayApiKeyTarget

with

invalid reference

GatewayCredentialProvider.fromApiKeyIdentityArn

.

Example:

 Gateway gateway = Gateway.Builder.create(this, "MyGateway")
         .gatewayName("my-gateway")
         .build();
 // Create an API key credential provider in Token Vault
 ApiKeyCredentialProvider apiKeyProvider = ApiKeyCredentialProvider.Builder.create(this, "MyApiKeyProvider")
         .apiKeyCredentialProviderName("my-apikey")
         .build();
 IBucket bucket = Bucket.fromBucketName(this, "ExistingBucket", "my-schema-bucket");
 S3ApiSchema s3mySchema = ApiSchema.fromS3File(bucket, "schemas/myschema.yaml");
 // Add an OpenAPI target using the L2 construct directly
 GatewayTarget target = gateway.addOpenApiTarget("MyTarget", AddOpenApiTargetOptions.builder()
         .gatewayTargetName("my-api-target")
         .description("Target for external API integration")
         .apiSchema(s3mySchema)
         .credentialProviderConfigurations(List.of(GatewayCredentialProvider.fromApiKeyIdentity(apiKeyProvider, FromApiKeyIdentityOptions.builder()
                 .credentialLocation(ApiKeyCredentialLocation.header(ApiKeyAdditionalConfiguration.builder()
                         .credentialParameterName("X-API-Key")
                         .build()))
                 .build())))
         .build());
 // This makes sure your s3 bucket is available before target
 target.node.addDependency(bucket);
 

See Also:

• https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-bedrockagentcore-apikeycredentialprovider.html

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static final class	ApiKeyCredentialProvider.Builder	A fluent builder for ApiKeyCredentialProvider.

Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject

software.amazon.jsii.JsiiObject.InitializationMode

Nested classes/interfaces inherited from interface software.amazon.awscdk.services.bedrockagentcore.IApiKeyCredentialProvider

IApiKeyCredentialProvider.Jsii$Default, IApiKeyCredentialProvider.Jsii$Proxy

Nested classes/interfaces inherited from interface software.constructs.IConstruct

software.constructs.IConstruct.Jsii$Default

Nested classes/interfaces inherited from interface software.amazon.awscdk.IResource

IResource.Jsii$Default

Field Summary

Fields

Modifier and Type	Field	Description
static final String	PROPERTY_INJECTION_ID	Uniquely identifies this class.

Constructor Summary

Constructors

Modifier	Constructor	Description
protected	ApiKeyCredentialProvider(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
protected	ApiKeyCredentialProvider(software.amazon.jsii.JsiiObjectRef objRef)
	ApiKeyCredentialProvider(software.constructs.Construct scope, String id)
	ApiKeyCredentialProvider(software.constructs.Construct scope, String id, ApiKeyCredentialProviderProps props)

Method Summary

Modifier and Type	Method	Description
GatewayApiKeyIdentityBinding	bindForGatewayApiKeyTarget()	ARNs for invalid reference GatewayCredentialProvider.fromApiKeyIdentity / invalid reference GatewayCredentialProvider.fromApiKeyIdentityArn .
static IApiKeyCredentialProvider	fromApiKeyCredentialProviderAttributes(software.constructs.Construct scope, String id, ApiKeyCredentialProviderAttributes attrs)	Import an existing API key credential provider.
String	getApiKeyCredentialProviderName()	The name of this API key credential provider.
ApiKeyCredentialProviderReference	getApiKeyCredentialProviderRef()	A reference to a ApiKeyCredentialProvider resource.
String	getApiKeySecretArn()	The ARN of the Secrets Manager secret that stores the API key after the resource is created.
String	getCreatedTime()	Timestamp when the credential provider was created.
String	getCredentialProviderArn()	The ARN of this credential provider.
IPrincipal	getGrantPrincipal()	The principal to grant permissions to.
String	getLastUpdatedTime()	Timestamp when the credential provider was last updated.
Grant	grant(IGrantable grantee, String... actions)	[disable-awslint:no-grants].
Grant	grantAdmin(IGrantable grantee)	[disable-awslint:no-grants].
Grant	grantFullAccess(IGrantable grantee)	[disable-awslint:no-grants].
Grant	grantRead(IGrantable grantee)	[disable-awslint:no-grants].
Grant	grantUse(IGrantable grantee)	[disable-awslint:no-grants].

Methods inherited from class software.amazon.awscdk.Resource

applyRemovalPolicy, generatePhysicalName, getEnv, getPhysicalName, getResourceArnAttribute, getResourceNameAttribute, getStack, isOwnedResource, isResource, with

Methods inherited from class software.constructs.Construct

getNode, isConstruct, toString

Methods inherited from class software.amazon.jsii.JsiiObject

jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface software.constructs.IConstruct

getNode, with

Methods inherited from interface software.amazon.awscdk.interfaces.IEnvironmentAware

getEnv

Methods inherited from interface software.amazon.awscdk.IResource

applyRemovalPolicy, getStack

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Field Details

PROPERTY_INJECTION_ID

@Stability(Stable)
public static final String PROPERTY_INJECTION_ID

Uniquely identifies this class.

Constructor Details

ApiKeyCredentialProvider

protected ApiKeyCredentialProvider(software.amazon.jsii.JsiiObjectRef objRef)

ApiKeyCredentialProvider

protected ApiKeyCredentialProvider(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

ApiKeyCredentialProvider

@Stability(Stable)
public ApiKeyCredentialProvider(@NotNull
 software.constructs.Construct scope,
 @NotNull
 String id,
 @Nullable
 ApiKeyCredentialProviderProps props)

Parameters:

scope - This parameter is required.

id - This parameter is required.

props -

ApiKeyCredentialProvider

@Stability(Stable)
public ApiKeyCredentialProvider(@NotNull
 software.constructs.Construct scope,
 @NotNull
 String id)

Parameters:

scope - This parameter is required.

id - This parameter is required.

Method Details

fromApiKeyCredentialProviderAttributes

@Stability(Stable)
@NotNull
public static IApiKeyCredentialProvider fromApiKeyCredentialProviderAttributes(@NotNull
 software.constructs.Construct scope,
 @NotNull
 String id,
 @NotNull
 ApiKeyCredentialProviderAttributes attrs)

Import an existing API key credential provider.

Parameters:

scope - This parameter is required.

id - This parameter is required.

attrs - This parameter is required.

bindForGatewayApiKeyTarget

@Stability(Stable)
@NotNull
public GatewayApiKeyIdentityBinding bindForGatewayApiKeyTarget()

ARNs for

invalid reference

GatewayCredentialProvider.fromApiKeyIdentity

/

invalid reference

GatewayCredentialProvider.fromApiKeyIdentityArn

.

Specified by:

bindForGatewayApiKeyTarget in interface IApiKeyCredentialProvider

grant

@Stability(Stable)
@NotNull
public Grant grant(@NotNull
 IGrantable grantee,
 @NotNull
 String... actions)

[disable-awslint:no-grants].

Specified by:

grant in interface IApiKeyCredentialProvider

Parameters:

grantee - This parameter is required.

actions - This parameter is required.

grantAdmin

@Stability(Stable)
@NotNull
public Grant grantAdmin(@NotNull
 IGrantable grantee)

[disable-awslint:no-grants].

Specified by:

grantAdmin in interface IApiKeyCredentialProvider

Parameters:

grantee - This parameter is required.

grantFullAccess

@Stability(Stable)
@NotNull
public Grant grantFullAccess(@NotNull
 IGrantable grantee)

[disable-awslint:no-grants].

Specified by:

grantFullAccess in interface IApiKeyCredentialProvider

Parameters:

grantee - This parameter is required.

grantRead

@Stability(Stable)
@NotNull
public Grant grantRead(@NotNull
 IGrantable grantee)

[disable-awslint:no-grants].

Specified by:

grantRead in interface IApiKeyCredentialProvider

Parameters:

grantee - This parameter is required.

grantUse

@Stability(Stable)
@NotNull
public Grant grantUse(@NotNull
 IGrantable grantee)

[disable-awslint:no-grants].

Specified by:

grantUse in interface IApiKeyCredentialProvider

Parameters:

grantee - This parameter is required.

getApiKeyCredentialProviderName

@Stability(Stable)
@NotNull
public String getApiKeyCredentialProviderName()

The name of this API key credential provider.

getApiKeyCredentialProviderRef

@Stability(Stable)
@NotNull
public ApiKeyCredentialProviderReference getApiKeyCredentialProviderRef()

A reference to a ApiKeyCredentialProvider resource.

Specified by:

getApiKeyCredentialProviderRef in interface IApiKeyCredentialProviderRef

getCredentialProviderArn

@Stability(Stable)
@NotNull
public String getCredentialProviderArn()

The ARN of this credential provider.

Specified by:

getCredentialProviderArn in interface IApiKeyCredentialProvider

getGrantPrincipal

@Stability(Stable)
@NotNull
public IPrincipal getGrantPrincipal()

The principal to grant permissions to.

Specified by:

getGrantPrincipal in interface IGrantable

getApiKeySecretArn

@Stability(Stable)
@Nullable
public String getApiKeySecretArn()

The ARN of the Secrets Manager secret that stores the API key after the resource is created.

May be undefined for resources imported without this attribute.

Specified by:

getApiKeySecretArn in interface IApiKeyCredentialProvider

getCreatedTime

@Stability(Stable)
@Nullable
public String getCreatedTime()

Timestamp when the credential provider was created.

Specified by:

getCreatedTime in interface IApiKeyCredentialProvider

getLastUpdatedTime

@Stability(Stable)
@Nullable
public String getLastUpdatedTime()

Timestamp when the credential provider was last updated.

Specified by:

getLastUpdatedTime in interface IApiKeyCredentialProvider