Package software.amazon.awscdk.services.bedrockagentcore

Class GatewayCredentialProvider

java.lang.Object
software.amazon.jsii.JsiiObject
software.amazon.awscdk.services.bedrockagentcore.GatewayCredentialProvider
All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable
@Generated(value="jsii-pacmak/1.129.0 (build eaca441)", date="2026-05-19T08:18:44.409Z") @Stability(Stable) public abstract class GatewayCredentialProvider extends software.amazon.jsii.JsiiObject
Factory class for creating different Gateway Credential Providers.

Example: 

 Gateway gateway = Gateway.Builder.create(this, "MyGateway")
         .gatewayName("my-gateway")
         .build();
 // OAuth2 (recommended): use OAuth2CredentialProvider + bindForGatewayOAuthTarget, or ARNs from console/API
 String oauthProviderArn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth";
 String oauthSecretArn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123";
 // Add an MCP server target directly to the gateway
 GatewayTarget mcpTarget = gateway.addMcpServerTarget("MyMcpServer", AddMcpServerTargetOptions.builder()
         .gatewayTargetName("my-mcp-server")
         .description("External MCP server integration")
         .endpoint("https://my-mcp-server.example.com")
         .credentialProviderConfigurations(List.of(GatewayCredentialProvider.fromOauthIdentityArn(OAuthConfiguration.builder()
                 .providerArn(oauthProviderArn)
                 .secretArn(oauthSecretArn)
                 .scopes(List.of("mcp-runtime-server/invoke"))
                 .build())))
         .build());
 // Grant sync permission to a Lambda function that will trigger synchronization
 Function syncFunction = Function.Builder.create(this, "SyncFunction")
         .runtime(Runtime.PYTHON_3_12)
         .handler("index.handler")
         .code(Code.fromInline("\nimport boto3\n\ndef handler(event, context):\n    client = boto3.client('bedrock-agentcore')\n    response = client.synchronize_gateway_targets(\n        gatewayIdentifier=event['gatewayId'],\n        targetIds=[event['targetId']]\n    )\n    return response\n  "))
         .build();
 mcpTarget.grantSync(syncFunction);

  • Constructor Details

    • GatewayCredentialProvider

      protected GatewayCredentialProvider(software.amazon.jsii.JsiiObjectRef objRef)

    • GatewayCredentialProvider

      protected GatewayCredentialProvider(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • GatewayCredentialProvider

      @Stability(Stable) protected GatewayCredentialProvider()

  • Method Details

    • fromApiKeyIdentity

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromApiKeyIdentity(@NotNull IApiKeyCredentialProvider provider, @Nullable FromApiKeyIdentityOptions options)
      Create an API key outbound auth configuration from a Token Vault IApiKeyCredentialProvider construct.

      Prefer this over

      invalid reference 
      GatewayCredentialProvider.fromApiKeyIdentityArn
      when the provider is defined in CDK.

      Parameters:
      provider - This parameter is required.
      options -

    • fromApiKeyIdentity

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromApiKeyIdentity(@NotNull IApiKeyCredentialProvider provider)
      Create an API key outbound auth configuration from a Token Vault IApiKeyCredentialProvider construct.

      Prefer this over

      invalid reference 
      GatewayCredentialProvider.fromApiKeyIdentityArn
      when the provider is defined in CDK.

      Parameters:
      provider - This parameter is required.

    • fromApiKeyIdentityArn

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromApiKeyIdentityArn(@NotNull ApiKeyCredentialProviderOptions props)
      Create an API key credential provider from Identity ARN Use this method when you have the Identity ARN as a string.

      Parameters:
      props -
      • The configuration properties for the API key credential provider.
      This parameter is required.
      Returns:
      ICredentialProviderConfig configured for API key authentication

    • fromIamRole

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromIamRole()
      Create an IAM role credential provider.

      Returns:
      IIamRoleCredentialProvider configured for IAM role authentication

    • fromOauthIdentity

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromOauthIdentity(@NotNull IOAuth2CredentialProvider provider, @NotNull FromOauthIdentityOptions options)
      Create an OAuth outbound auth configuration from a Token Vault IOAuth2CredentialProvider construct.

      Prefer this over

      invalid reference 
      GatewayCredentialProvider.fromOauthIdentityArn
      when the provider is defined in CDK.

      Parameters:
      provider - This parameter is required.
      options - This parameter is required.

    • fromOauthIdentityArn

      @Stability(Stable) @NotNull public static ICredentialProviderConfig fromOauthIdentityArn(@NotNull OAuthConfiguration props)
      Create an OAuth credential provider from Identity ARN Use this method when you have the Identity ARN as a string.

      Parameters:
      props -
      • The configuration properties for the OAuth credential provider.
      This parameter is required.
      Returns:
      ICredentialProviderConfig configured for OAuth authentication