GatewayAuthorizer

class aws_cdk.aws_bedrock_agentcore_alpha.GatewayAuthorizer

Bases: object

(experimental) Factory class for creating Gateway Authorizers.

Stability:

experimental

Example:

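import aws_cdk.aws_bedrock_agentcore_alpha as agentcore
from aws_cdk import aws_kms as kms

# Run inside a Stack or Construct, where self is the scope.
# Create a KMS key for encryption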
encryption_key = kms.Key(self, "GatewayEncryptionKey",
    enable_key_rotation=True,
    description="KMS key for gateway encryption"
)

# Create gateway with KMS encryption
gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-encrypted-gateway",
    description="Gateway with KMS encryption",
    protocol_configuration=agentcore.McpProtocolConfiguration(
        instructions="Use this gateway to connect to external MCP tools",
        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
    ),
    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
        discovery_url="https://auth.example.com/.well-known/openid-configuration",
        allowed_audience=["my-app"],
        allowed_clients=["my-client-id"]
    ),
    kms_key=encryption_key,
    exception_level=agentcore.GatewayExceptionLevel.DEBUG
)

Static Methods

classmethod using_aws_iam()

(experimental) AWS IAM authorizer instance.

Stability:

experimental

Return type:

IGatewayAuthorizerConfig

classmethod using_cognito(*, user_pool, allowed_audiences=None, allowed_clients=None)

(experimental) Create a JWT authorizer from Cognito User Pool.

Parameters:
  • user_pool (IUserPool) – (experimental) The Cognito User Pool to use for authentication.

  • allowed_audiences (Optional[Sequence[str]]) – (experimental) The allowed audiences for JWT validation. Default: no audience validation.

  • allowed_clients (Optional[Sequence[IUserPoolClient]]) – (experimental) The allowed User Pool clients. Default: all clients are allowed.

Return type:

IGatewayAuthorizerConfig

Returns:

CustomJwtAuthorizer configured for Cognito

Stability:

experimental

classmethod using_custom_jwt(*, discovery_url, allowed_audience=None, allowed_clients=None)

(experimental) Create a custom JWT authorizer.

Parameters:
  • discovery_url (str) – (experimental) The URL used to fetch the OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration. Required: Yes.

  • allowed_audience (Optional[Sequence[str]]) – (experimental) The individual audience values that are validated when an incoming JWT is checked. Default: no audience validation.

  • allowed_clients (Optional[Sequence[str]]) – (experimental) The individual client IDs that are validated when an incoming JWT is checked. Default: no client ID validation.

Return type:

IGatewayAuthorizerConfig

Returns:

IGatewayAuthorizerConfig configured for custom JWT

Stability:

experimental
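
A pre-deployment check for the using_custom_jwt() arguments, together with a small model of what the two allow-list defaults mean for an incoming token. This is an added example, not code from aws-cdk: the function names, the https check, and the use of the aud and client_id claims are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Pattern quoted in the discovery_url parameter description above.
DISCOVERY_URL_PATTERN = re.compile(r".+/.well-known/openid-configuration")


def lint_custom_jwt(discovery_url, allowed_audience=None, allowed_clients=None):
    """Return findings for one set of using_custom_jwt() arguments (hypothetical helper)."""
    findings = []
    if not DISCOVERY_URL_PATTERN.fullmatch(discovery_url):
        findings.append("discovery_url does not match the documented pattern")
    # Assumption: the page does not require https; this is an extra hardening check.
    if urlsplit(discovery_url).scheme != "https":
        findings.append("discovery_url is not https")
    if not allowed_audience:
        findings.append("allowed_audience unset: no audience validation")
    if not allowed_clients:
        findings.append("allowed_clients unset: no client ID validation")
    return findings


def token_accepted(claims, allowed_audience=None, allowed_clients=None):
    """Model of the two allow-list checks only (hypothetical helper).

    Signature, issuer and expiry are assumed to be verified already.
    Assumption: audiences are matched against "aud", clients against "client_id".
    """
    if allowed_audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(allowed_audience):
            return False
    if allowed_clients and claims.get("client_id") not in allowed_clients:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a token minted for a different application and client.
    foreign = {"aud": "other-app", "client_id": "other-client"}
    url = "https://auth.example.com/.well-known/openid-configuration"
    print(lint_custom_jwt(url))                                  # both defaults flagged
    print(token_accepted(foreign))                               # accepted under defaults
    print(token_accepted(foreign, ["my-app"], ["my-client-id"])) # rejected with allow-lists
```
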