GatewayAuthorizer

class aws_cdk.aws_bedrockagentcore.GatewayAuthorizer

Bases: object

Factory class for creating Gateway Authorizers.

Example:

from aws_cdk import aws_bedrockagentcore as agentcore

# Optional: Create custom claims (CustomClaimOperator and GatewayCustomClaim from agentcore).
# with_string_value defaults to an equality match; the array variants take an explicit operator.
custom_claims = [
    agentcore.GatewayCustomClaim.with_string_value("department", "engineering"),
    agentcore.GatewayCustomClaim.with_string_array_value("roles", ["admin"], agentcore.CustomClaimOperator.CONTAINS),
    agentcore.GatewayCustomClaim.with_string_array_value("permissions", ["read", "write"], agentcore.CustomClaimOperator.CONTAINS_ANY)
]

# `self` is the enclosing Stack (or other Construct) in which the gateway is defined.
gateway = agentcore.Gateway(self, "MyGateway",
    gateway_name="my-gateway",
    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
        discovery_url="https://auth.example.com/.well-known/openid-configuration",
        allowed_audience=["my-app"],
        allowed_clients=["my-client-id"],
        allowed_scopes=["read", "write"],
        custom_claims=custom_claims
    )
)

Static Methods

classmethod using_aws_iam()

AWS IAM authorizer instance.

Return type:

IGatewayAuthorizerConfig

classmethod using_cognito(*, user_pool, allowed_audiences=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)

Create a JWT authorizer from Cognito User Pool.

Parameters:
  • user_pool (IUserPool) – The Cognito User Pool to use for authentication.

  • allowed_audiences (Optional[Sequence[str]]) – The allowed audiences for JWT validation. Default: - No audience validation

  • allowed_clients (Optional[Sequence[IUserPoolClient]]) – The allowed User Pool clients. Default: - All clients are allowed

  • allowed_scopes (Optional[Sequence[str]]) – The allowed scopes for JWT validation. Default: - No scope validation

  • custom_claims (Optional[Sequence[GatewayCustomClaim]]) – Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation

Return type:

IGatewayAuthorizerConfig

Returns:

CustomJwtAuthorizer configured for Cognito

classmethod using_custom_jwt(*, discovery_url, allowed_audience=None, allowed_clients=None, allowed_scopes=None, custom_claims=None)

Create a custom JWT authorizer.

Parameters:
  • discovery_url (str) – This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. Pattern: .+/.well-known/openid-configuration Required: Yes

  • allowed_audience (Optional[Sequence[str]]) – Represents individual audience values that are validated in the incoming JWT token validation process. Default: - No audience validation

  • allowed_clients (Optional[Sequence[str]]) – Represents individual client IDs that are validated in the incoming JWT token validation process. Default: - No client ID validation

  • allowed_scopes (Optional[Sequence[str]]) – Represents individual scopes that are validated in the incoming JWT token validation process. Default: - No scope validation

  • custom_claims (Optional[Sequence[GatewayCustomClaim]]) – Custom claims for additional JWT token validation. Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations. Default: - No custom claim validation

Return type:

IGatewayAuthorizerConfig

Returns:

IGatewayAuthorizerConfig configured for custom JWT
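The parameters of using_cognito and using_custom_jwt above only describe which claims the gateway checks; they do not show what a token that passes or fails those checks looks like. The following pure-Python model, an added example that is not part of this page or of the aws_cdk library, reproduces the claim checks configured by allowed_audience/allowed_audiences, allowed_clients, allowed_scopes and custom_claims against a constructed set of decoded token claims. It assumes the token's signature and expiry have already been verified against the issuer's JWKS (the discovery_url exists to locate that JWKS); the operator semantics (EQUALS exact match, CONTAINS all expected values present, CONTAINS_ANY at least one present), the "any allowed scope suffices" rule, and the use of the `client_id`/`azp` claims for client matching are assumptions of this model, not documented gateway behaviour.

```python
"""Model of the JWT claim checks configured by GatewayAuthorizer (added example,
not the gateway's implementation).  Signature and expiry verification against
the JWKS behind discovery_url are assumed to have happened already."""
from dataclasses import dataclass
from enum import Enum
from typing import Any, Sequence, Union


class ClaimOperator(Enum):
    # Assumed semantics: EQUALS = exact string match; CONTAINS = every expected
    # value appears in the token's list claim; CONTAINS_ANY = at least one does.
    EQUALS = "EQUALS"
    CONTAINS = "CONTAINS"
    CONTAINS_ANY = "CONTAINS_ANY"


@dataclass(frozen=True)
class CustomClaim:
    name: str
    expected: Union[str, Sequence[str]]
    operator: ClaimOperator = ClaimOperator.EQUALS


@dataclass(frozen=True)
class JwtPolicy:
    # Empty sequences mean "not validated", mirroring the documented defaults.
    allowed_audience: Sequence[str] = ()
    allowed_clients: Sequence[str] = ()
    allowed_scopes: Sequence[str] = ()
    custom_claims: Sequence[CustomClaim] = ()


def _as_list(value: Any) -> list:
    """Normalise a claim that may be a string, a list, or missing into a list."""
    if value is None:
        return []
    if isinstance(value, str):
        return [value]
    return [str(v) for v in value]


def _custom_claim_ok(actual: Any, cc: CustomClaim) -> bool:
    """Evaluate one custom claim under its operator; a missing claim never passes."""
    if actual is None:
        return False
    if cc.operator is ClaimOperator.EQUALS:
        return isinstance(actual, str) and actual == cc.expected
    present = set(_as_list(actual))
    expected = set(_as_list(cc.expected))
    if cc.operator is ClaimOperator.CONTAINS:
        return expected <= present
    return bool(expected & present)  # CONTAINS_ANY


def check_claims(claims: dict, policy: JwtPolicy) -> list:
    """Return the names of failed checks; an empty list means the token is accepted."""
    failures = []
    # `aud` may be a single string or a list (RFC 7519); one match is enough.
    if policy.allowed_audience and not set(_as_list(claims.get("aud"))) & set(policy.allowed_audience):
        failures.append("aud")
    # Cognito access tokens carry the app client id in `client_id`; other
    # issuers commonly use `azp`.  Accepting either is an assumption of this model.
    client = claims.get("client_id") or claims.get("azp")
    if policy.allowed_clients and client not in policy.allowed_clients:
        failures.append("client")
    # `scope` is a space-separated string in OAuth access tokens.
    token_scopes = set(str(claims.get("scope", "")).split())
    if policy.allowed_scopes and not token_scopes & set(policy.allowed_scopes):
        failures.append("scope")
    for cc in policy.custom_claims:
        if not _custom_claim_ok(claims.get(cc.name), cc):
            failures.append(f"custom:{cc.name}")
    return failures


# Policy equivalent to the using_custom_jwt call in the page's example.
SAMPLE_POLICY = JwtPolicy(
    allowed_audience=["my-app"],
    allowed_clients=["my-client-id"],
    allowed_scopes=["read", "write"],
    custom_claims=[
        CustomClaim("department", "engineering"),
        CustomClaim("roles", ["admin"], ClaimOperator.CONTAINS),
        CustomClaim("permissions", ["read", "write"], ClaimOperator.CONTAINS_ANY),
    ],
)

# Constructed decoded claims (not a real token) that satisfy SAMPLE_POLICY.
GOOD_CLAIMS = {
    "aud": "my-app", "client_id": "my-client-id", "scope": "read openid",
    "department": "engineering", "roles": ["admin", "dev"], "permissions": ["read"],
}

if __name__ == "__main__":
    print(check_claims(GOOD_CLAIMS, SAMPLE_POLICY))                       # []
    print(check_claims(dict(GOOD_CLAIMS, roles=["dev"], aud="other-app"),
                       SAMPLE_POLICY))                                      # ['aud', 'custom:roles']
```

The useful property to notice is that every list in JwtPolicy is opt-in: leaving allowed_audience or allowed_clients empty disables that check entirely, so a gateway configured with only a discovery_url accepts any validly signed token from that issuer. Setting at least allowed_audience (or allowed_clients) is what ties a token to this gateway rather than to any other relying party of the same issuer.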

classmethod with_no_auth()

No authorization — the gateway will not perform any inbound authorization.

The gateway endpoint will be publicly accessible without credentials. Use this for testing/development, or for production gateways where you have implemented compensating controls such as Gateway Interceptors.

Return type:

IGatewayAuthorizerConfig

Returns:

IGatewayAuthorizerConfig configured for no authorization

See:

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-inbound-auth.html#gateway-inbound-auth-none