Package software.amazon.awscdk.services.bedrockagentcore

Interface ApiKeyCredentialProviderOptions

All Superinterfaces:

software.amazon.jsii.JsiiSerializable

All Known Implementing Classes:

ApiKeyCredentialProviderOptions.Jsii$Proxy

@Generated(value="jsii-pacmak/1.129.0 (build eaca441)",
           date="2026-05-19T08:18:44.219Z")
@Stability(Stable)
public interface ApiKeyCredentialProviderOptions
extends software.amazon.jsii.JsiiSerializable

API key credential provider ARNs for gateway outbound auth (Token Vault identity).

Pass this to

invalid reference

GatewayCredentialProvider.fromApiKeyIdentityArn

or to

invalid reference

ApiKeyCredentialProviderConfiguration

.

Example:

 Gateway gateway = Gateway.Builder.create(this, "MyGateway")
         .gatewayName("my-gateway")
         .build();
 // ARNs from the console/API, or from ApiKeyCredentialProvider + bindForGatewayApiKeyTarget
 String apiKeyProviderArn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/apikeycredentialprovider/my-apikey";
 String apiKeySecretArn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-apikey-secret-abc123";
 IBucket bucket = Bucket.fromBucketName(this, "ExistingBucket", "my-schema-bucket");
 S3ApiSchema s3mySchema = ApiSchema.fromS3File(bucket, "schemas/myschema.yaml");
 // Add an OpenAPI target using ARNs directly
 GatewayTarget target = gateway.addOpenApiTarget("MyTarget", AddOpenApiTargetOptions.builder()
         .gatewayTargetName("my-api-target")
         .description("Target for external API integration")
         .apiSchema(s3mySchema)
         .credentialProviderConfigurations(List.of(GatewayCredentialProvider.fromApiKeyIdentityArn(ApiKeyCredentialProviderOptions.builder()
                 .providerArn(apiKeyProviderArn)
                 .secretArn(apiKeySecretArn)
                 .credentialLocation(ApiKeyCredentialLocation.header(ApiKeyAdditionalConfiguration.builder()
                         .credentialParameterName("X-API-Key")
                         .build()))
                 .build())))
         .build());
 // This makes sure your s3 bucket is available before target
 target.node.addDependency(bucket);
 

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static final class	ApiKeyCredentialProviderOptions.Builder	A builder for ApiKeyCredentialProviderOptions
static final class	ApiKeyCredentialProviderOptions.Jsii$Proxy	An implementation for ApiKeyCredentialProviderOptions

Method Summary

Modifier and Type	Method	Description
static ApiKeyCredentialProviderOptions.Builder	builder()
default ApiKeyCredentialLocation	getCredentialLocation()	The location of the API key credential.
String	getProviderArn()	The API key credential provider ARN.
String	getSecretArn()	The ARN of the Secrets Manager secret containing the API key.

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Method Details

getProviderArn

@Stability(Stable)
@NotNull
String getProviderArn()

The API key credential provider ARN.

This is returned when creating the API key credential provider via Console or API. Format: arn:aws:bedrock-agentcore:region:account:token-vault/id/apikeycredentialprovider/name

getSecretArn

@Stability(Stable)
@NotNull
String getSecretArn()

The ARN of the Secrets Manager secret containing the API key.

This is returned when creating the API key credential provider via Console or API. Format: arn:aws:secretsmanager:region:account:secret:name

getCredentialLocation

@Stability(Stable)
@Nullable
default ApiKeyCredentialLocation getCredentialLocation()

The location of the API key credential.

This field specifies where in the request the API key should be placed.

Default: - HEADER

builder

@Stability(Stable)
static ApiKeyCredentialProviderOptions.Builder builder()

Returns:

a ApiKeyCredentialProviderOptions.Builder of ApiKeyCredentialProviderOptions