CustomJwtConfiguration
- class aws_cdk.aws_bedrock_agentcore_alpha.CustomJwtConfiguration(*, discovery_url, allowed_audience=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)
Bases: object
(experimental) Custom JWT authorizer configuration.
- Parameters:
  - discovery_url (str) – (experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration. Required: Yes
  - allowed_audience (Optional[Sequence[str]]) – (experimental) Represents individual audience values that are validated in the incoming JWT token validation process. Default: No audience validation
  - allowed_clients (Optional[Sequence[str]]) – (experimental) Represents individual client IDs that are validated in the incoming JWT token validation process. Default: No client ID validation
  - allowed_scopes (Optional[Sequence[str]]) – (experimental) Represents individual scopes that are validated in the incoming JWT token validation process. Default: No scope validation
  - custom_claims (Optional[Sequence[GatewayCustomClaim]]) – (experimental) Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: No custom claim validation
- Stability:
experimental
- ExampleMetadata:
fixture=default infused
Example:
```python
from aws_cdk import aws_iam as iam
import aws_cdk.aws_bedrock_agentcore_alpha as agentcore

# Create a custom execution role
execution_role = iam.Role(self, "GatewayExecutionRole",
    assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
    managed_policies=[
        iam.ManagedPolicy.from_aws_managed_policy_name("AmazonBedrockAgentCoreGatewayExecutionRolePolicy")
    ]
)

# Create gateway with custom execution role
gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-gateway",
    description="Gateway with custom execution role",
    protocol_configuration=agentcore.McpProtocolConfiguration(
        instructions="Use this gateway to connect to external MCP tools",
        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
    ),
    # Tokens are accepted only if audience, client ID and scopes all match;
    # each of these defaults to "no validation" when omitted.
    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
        discovery_url="https://auth.example.com/.well-known/openid-configuration",
        allowed_audience=["my-app"],
        allowed_clients=["my-client-id"],
        allowed_scopes=["read", "write"]
    ),
    role=execution_role
)
```
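Because every validation list above defaults to "no validation", a configuration that sets only discovery_url accepts any token the issuer signs, regardless of which application it was issued to. The following pre-deployment check, added here as an example and not part of the CDK library, mirrors the constructor's keyword arguments and reports such gaps along with a discovery_url that does not match the documented pattern; the function name review_custom_jwt_config is an assumption.

```python
import re
from typing import List, Optional, Sequence

# Pattern documented for discovery_url in CustomJwtConfiguration.
DISCOVERY_URL_PATTERN = re.compile(r".+/\.well-known/openid-configuration")


def review_custom_jwt_config(
    discovery_url: str,
    allowed_audience: Optional[Sequence[str]] = None,
    allowed_clients: Optional[Sequence[str]] = None,
    allowed_scopes: Optional[Sequence[str]] = None,
) -> List[str]:
    """Return findings for values about to be passed to using_custom_jwt().

    The keyword arguments intentionally match CustomJwtConfiguration so the
    same dictionary can be checked first and then unpacked into the construct.
    An empty list means nothing was flagged.
    """
    findings: List[str] = []

    if not DISCOVERY_URL_PATTERN.fullmatch(discovery_url):
        findings.append(
            "discovery_url does not match .+/.well-known/openid-configuration"
        )

    # Default for both is "no validation": a token minted by the same issuer
    # for a different application would pass through the gateway.
    if not allowed_audience and not allowed_clients:
        findings.append(
            "neither allowed_audience nor allowed_clients set: tokens issued "
            "to other applications of this issuer are accepted"
        )

    # Default is "no scope validation": every authenticated caller gets the
    # same access regardless of the scopes granted to it.
    if not allowed_scopes:
        findings.append("allowed_scopes not set: scope of the token is ignored")

    return findings


if __name__ == "__main__":
    # Constructed input: only the discovery URL is given and it lacks the
    # well-known suffix, so all three findings are reported.
    for finding in review_custom_jwt_config("https://auth.example.com/oidc"):
        print("-", finding)
```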
Attributes
- allowed_audience
(experimental) Represents individual audience values that are validated in the incoming JWT token validation process.
- Default:
No audience validation
- Stability:
experimental
- allowed_clients
(experimental) Represents individual client IDs that are validated in the incoming JWT token validation process.
- Default:
No client ID validation
- Stability:
experimental
- allowed_scopes
(experimental) Represents individual scopes that are validated in the incoming JWT token validation process.
- Default:
No scope validation
- Stability:
experimental
- custom_claims
(experimental) Custom claims for additional JWT token validation.
Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations.
- Default:
No custom claim validation
- Stability:
experimental
- discovery_url
(experimental) This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
Pattern: .+/.well-known/openid-configuration. Required: Yes
- Stability:
experimental