Class RuntimeAuthorizerConfiguration

java.lang.Object
software.amazon.jsii.JsiiObject
software.amazon.awscdk.services.bedrockagentcore.RuntimeAuthorizerConfiguration
All Implemented Interfaces:
software.amazon.jsii.JsiiSerializable

@Generated(value="jsii-pacmak/1.129.0 (build eaca441)", date="2026-05-19T08:18:44.495Z") @Stability(Stable) public abstract class RuntimeAuthorizerConfiguration extends software.amazon.jsii.JsiiObject
Abstract base class for runtime authorizer configurations.

Provides static factory methods to create different authentication types.

Example:

 import java.util.List;
 import software.amazon.awscdk.services.bedrockagentcore.*;
 import software.amazon.awscdk.services.ecr.Repository;

 // The statements below belong inside a Stack or Construct, where `this` is the scope.
 Repository repository = Repository.Builder.create(this, "TestRepository")
         .repositoryName("test-agent-runtime")
         .build();
 AgentRuntimeArtifact agentRuntimeArtifact = AgentRuntimeArtifact.fromEcrRepository(repository, "v1.0.0");

 // String claim - validates that the claim exactly equals the specified value
 // Uses EQUALS operator automatically
 RuntimeCustomClaim departmentClaim = RuntimeCustomClaim.withStringValue("department", "engineering");

 // String array claim with CONTAINS operator (default)
 // Validates that the claim array contains a specific string value
 // IMPORTANT: CONTAINS requires exactly one value in the array parameter
 RuntimeCustomClaim rolesClaim = RuntimeCustomClaim.withStringArrayValue("roles", List.of("admin"));

 // String array claim with CONTAINS_ANY operator
 // Validates that the claim array contains at least one of the specified values
 // Use this when you want to check for multiple possible values
 RuntimeCustomClaim permissionsClaim = RuntimeCustomClaim.withStringArrayValue("permissions", List.of("read", "write"), CustomClaimOperator.CONTAINS_ANY);

 // Use custom claims in authorizer configuration
 Runtime runtime = Runtime.Builder.create(this, "MyAgentRuntime")
         .runtimeName("myAgent")
         .agentRuntimeArtifact(agentRuntimeArtifact)
         .authorizerConfiguration(RuntimeAuthorizerConfiguration.usingJWT(
                 "https://example.com/.well-known/openid-configuration", // discoveryUrl
                 List.of("client1", "client2"),                          // allowedClients
                 List.of("audience1"),                                   // allowedAudience
                 List.of("read", "write"),                               // allowedScopes
                 List.of(departmentClaim, rolesClaim, permissionsClaim))) // customClaims
         .build();
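
The three claim operators from the example comments above, modelled as a small local evaluator over already-decoded token claims. This is an added example, not AWS CDK or service code: `ClaimRuleModel`, `ClaimRule` and `Op` are hypothetical names, the payloads are constructed, and it assumes that every rule must pass and that a missing or wrongly typed claim fails its rule.

```java
import java.util.List;
import java.util.Map;

// Added illustration; ClaimRule and Op are hypothetical names, not CDK types.
public class ClaimRuleModel {
    enum Op { EQUALS, CONTAINS, CONTAINS_ANY }

    record ClaimRule(String name, Op op, List<String> values) {
        ClaimRule {
            // Per the page: CONTAINS requires exactly one value in the array parameter.
            if (op == Op.CONTAINS_ANY ? values.isEmpty() : values.size() != 1)
                throw new IllegalArgumentException("invalid value count for " + op);
        }

        boolean matches(Map<String, Object> claims) {
            Object actual = claims.get(name);   // missing claim -> null -> rule fails
            if (op == Op.EQUALS)
                return actual instanceof String s && s.equals(values.get(0));
            // Assumption: a scalar claim is not coerced into a one-element array.
            if (!(actual instanceof List<?> list)) return false;
            return values.stream().anyMatch(list::contains);
        }
    }

    // Assumption: every configured rule must pass (logical AND).
    static boolean authorize(List<ClaimRule> rules, Map<String, Object> claims) {
        return rules.stream().allMatch(r -> r.matches(claims));
    }

    public static void main(String[] args) {
        List<ClaimRule> rules = List.of(
            new ClaimRule("department", Op.EQUALS, List.of("engineering")),
            new ClaimRule("roles", Op.CONTAINS, List.of("admin")),
            new ClaimRule("permissions", Op.CONTAINS_ANY, List.of("read", "write")));

        // Constructed payloads; signature, issuer and expiry checks are out of scope here.
        Map<String, Object> ok = Map.of("department", "engineering",
            "roles", List.of("user", "admin"), "permissions", List.of("write"));
        Map<String, Object> wrongDept = Map.of("department", "engineering-contractors",
            "roles", List.of("admin"), "permissions", List.of("read"));
        Map<String, Object> scalarRole = Map.of("department", "engineering",
            "roles", "admin", "permissions", List.of("read"));
        Map<String, Object> noPerms = Map.of("department", "engineering", "roles", List.of("admin"));

        for (Map<String, Object> token : List.of(ok, wrongDept, scalarRole, noPerms))
            System.out.println(authorize(rules, token) + " <- " + token);
    }
}
```

Only the first payload satisfies all three rules; the others fail on an inexact `department` value, a scalar `roles` claim, and a missing `permissions` claim respectively.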
 
  • Constructor Details

    • RuntimeAuthorizerConfiguration

      protected RuntimeAuthorizerConfiguration(software.amazon.jsii.JsiiObjectRef objRef)
    • RuntimeAuthorizerConfiguration

      protected RuntimeAuthorizerConfiguration(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
    • RuntimeAuthorizerConfiguration

      @Stability(Stable) protected RuntimeAuthorizerConfiguration()
  • Method Details

    • usingCognito

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingCognito(@NotNull IUserPool userPool, @NotNull List<? extends IUserPoolClient> userPoolClients, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes, @Nullable List<? extends RuntimeCustomClaim> customClaims)
      Use AWS Cognito User Pool authentication.

      Validates Cognito-issued JWT tokens.

      Parameters:
      userPool - The Cognito User Pool. This parameter is required.
      userPoolClients - The Cognito User Pool App Clients. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      customClaims - Optional array of custom claim validations.
      Returns:
      RuntimeAuthorizerConfiguration for Cognito authentication
    • usingCognito

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingCognito(@NotNull IUserPool userPool, @NotNull List<? extends IUserPoolClient> userPoolClients, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes)
      Use AWS Cognito User Pool authentication.

      Validates Cognito-issued JWT tokens.

      Parameters:
      userPool - The Cognito User Pool. This parameter is required.
      userPoolClients - The Cognito User Pool App Clients. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      Returns:
      RuntimeAuthorizerConfiguration for Cognito authentication
    • usingCognito

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingCognito(@NotNull IUserPool userPool, @NotNull List<? extends IUserPoolClient> userPoolClients, @Nullable List<String> allowedAudience)
      Use AWS Cognito User Pool authentication.

      Validates Cognito-issued JWT tokens.

      Parameters:
      userPool - The Cognito User Pool. This parameter is required.
      userPoolClients - The Cognito User Pool App Clients. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      Returns:
      RuntimeAuthorizerConfiguration for Cognito authentication
    • usingCognito

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingCognito(@NotNull IUserPool userPool, @NotNull List<? extends IUserPoolClient> userPoolClients)
      Use AWS Cognito User Pool authentication.

      Validates Cognito-issued JWT tokens.

      Parameters:
      userPool - The Cognito User Pool. This parameter is required.
      userPoolClients - The Cognito User Pool App Clients. This parameter is required.
      Returns:
      RuntimeAuthorizerConfiguration for Cognito authentication
    • usingIAM

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingIAM()
      Use IAM authentication (default).

      Requires AWS credentials to sign requests using SigV4.

      Returns:
      RuntimeAuthorizerConfiguration for IAM authentication
    • usingJWT

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingJWT(@NotNull String discoveryUrl, @Nullable List<String> allowedClients, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes, @Nullable List<? extends RuntimeCustomClaim> customClaims)
      Use custom JWT authentication.

      Validates JWT tokens against the specified OIDC provider.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      allowedClients - Optional array of allowed client IDs.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      customClaims - Optional array of custom claim validations.
      Returns:
      RuntimeAuthorizerConfiguration for JWT authentication
    • usingJWT

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingJWT(@NotNull String discoveryUrl, @Nullable List<String> allowedClients, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes)
      Use custom JWT authentication.

      Validates JWT tokens against the specified OIDC provider.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      allowedClients - Optional array of allowed client IDs.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      Returns:
      RuntimeAuthorizerConfiguration for JWT authentication
    • usingJWT

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingJWT(@NotNull String discoveryUrl, @Nullable List<String> allowedClients, @Nullable List<String> allowedAudience)
      Use custom JWT authentication.

      Validates JWT tokens against the specified OIDC provider.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      allowedClients - Optional array of allowed client IDs.
      allowedAudience - Optional array of allowed audiences.
      Returns:
      RuntimeAuthorizerConfiguration for JWT authentication
    • usingJWT

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingJWT(@NotNull String discoveryUrl, @Nullable List<String> allowedClients)
      Use custom JWT authentication.

      Validates JWT tokens against the specified OIDC provider.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      allowedClients - Optional array of allowed client IDs.
      Returns:
      RuntimeAuthorizerConfiguration for JWT authentication
    • usingJWT

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingJWT(@NotNull String discoveryUrl)
      Use custom JWT authentication.

      Validates JWT tokens against the specified OIDC provider.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      Returns:
      RuntimeAuthorizerConfiguration for JWT authentication
    • usingOAuth

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingOAuth(@NotNull String discoveryUrl, @NotNull String clientId, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes, @Nullable List<? extends RuntimeCustomClaim> customClaims)
      Use OAuth 2.0 authentication. Supports various OAuth providers.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      clientId - OAuth client ID. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      customClaims - Optional array of custom claim validations.
      Returns:
      RuntimeAuthorizerConfiguration for OAuth authentication
    • usingOAuth

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingOAuth(@NotNull String discoveryUrl, @NotNull String clientId, @Nullable List<String> allowedAudience, @Nullable List<String> allowedScopes)
      Use OAuth 2.0 authentication. Supports various OAuth providers.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      clientId - OAuth client ID. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      allowedScopes - Optional array of allowed scopes.
      Returns:
      RuntimeAuthorizerConfiguration for OAuth authentication
    • usingOAuth

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingOAuth(@NotNull String discoveryUrl, @NotNull String clientId, @Nullable List<String> allowedAudience)
      Use OAuth 2.0 authentication. Supports various OAuth providers.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      clientId - OAuth client ID. This parameter is required.
      allowedAudience - Optional array of allowed audiences.
      Returns:
      RuntimeAuthorizerConfiguration for OAuth authentication
    • usingOAuth

      @Stability(Stable) @NotNull public static RuntimeAuthorizerConfiguration usingOAuth(@NotNull String discoveryUrl, @NotNull String clientId)
      Use OAuth 2.0 authentication. Supports various OAuth providers.

      Parameters:
      discoveryUrl - The OIDC discovery URL (must end with /.well-known/openid-configuration). This parameter is required.
      clientId - OAuth client ID. This parameter is required.
      Returns:
      RuntimeAuthorizerConfiguration for OAuth authentication