This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::BedrockAgentCore::Gateway Amazon Bedrock AgentCore Gateway provides a unified connectivity layer between agents and the tools and resources they need to interact with. For more information about creating a gateway, see [Set up an Amazon Bedrock AgentCore gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-building.html). See the **Properties** section below for descriptions of both the required and optional properties. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::BedrockAgentCore::Gateway", "Properties" : { "[AuthorizerConfiguration](#cfn-bedrockagentcore-gateway-authorizerconfiguration)" : AuthorizerConfiguration, "[AuthorizerType](#cfn-bedrockagentcore-gateway-authorizertype)" : String, "[Description](#cfn-bedrockagentcore-gateway-description)" : String, "[ExceptionLevel](#cfn-bedrockagentcore-gateway-exceptionlevel)" : String, "[InterceptorConfigurations](#cfn-bedrockagentcore-gateway-interceptorconfigurations)" : [ GatewayInterceptorConfiguration, ... ], "[KmsKeyArn](#cfn-bedrockagentcore-gateway-kmskeyarn)" : String, "[Name](#cfn-bedrockagentcore-gateway-name)" : String, "[PolicyEngineConfiguration](#cfn-bedrockagentcore-gateway-policyengineconfiguration)" : GatewayPolicyEngineConfiguration, "[ProtocolConfiguration](#cfn-bedrockagentcore-gateway-protocolconfiguration)" : GatewayProtocolConfiguration, "[ProtocolType](#cfn-bedrockagentcore-gateway-protocoltype)" : String, "[RoleArn](#cfn-bedrockagentcore-gateway-rolearn)" : String, "[Tags](#cfn-bedrockagentcore-gateway-tags)" : {Key: Value, ...} } } ``` ### YAML ``` Type: AWS::BedrockAgentCore::Gateway Properties: [AuthorizerConfiguration](#cfn-bedrockagentcore-gateway-authorizerconfiguration): AuthorizerConfiguration [AuthorizerType](#cfn-bedrockagentcore-gateway-authorizertype): String [Description](#cfn-bedrockagentcore-gateway-description): String [ExceptionLevel](#cfn-bedrockagentcore-gateway-exceptionlevel): String [InterceptorConfigurations](#cfn-bedrockagentcore-gateway-interceptorconfigurations): - GatewayInterceptorConfiguration [KmsKeyArn](#cfn-bedrockagentcore-gateway-kmskeyarn): String [Name](#cfn-bedrockagentcore-gateway-name): String [PolicyEngineConfiguration](#cfn-bedrockagentcore-gateway-policyengineconfiguration): GatewayPolicyEngineConfiguration [ProtocolConfiguration](#cfn-bedrockagentcore-gateway-protocolconfiguration): GatewayProtocolConfiguration [ProtocolType](#cfn-bedrockagentcore-gateway-protocoltype): String [RoleArn](#cfn-bedrockagentcore-gateway-rolearn): String [Tags](#cfn-bedrockagentcore-gateway-tags): Key: Value ``` ## Properties `AuthorizerConfiguration` Represents inbound authorization configuration options used to authenticate incoming requests. *Required*: No *Type*: [AuthorizerConfiguration](aws-properties-bedrockagentcore-gateway-authorizerconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AuthorizerType` The type of authorizer used by the gateway. *Required*: Yes *Type*: String *Allowed values*: `CUSTOM_JWT | AWS_IAM | NONE` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Description` The description of the gateway. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `200` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ExceptionLevel` The exception level for the gateway. *Required*: No *Type*: String *Allowed values*: `DEBUG` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InterceptorConfigurations` A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations. *Required*: No *Type*: Array of [GatewayInterceptorConfiguration](aws-properties-bedrockagentcore-gateway-gatewayinterceptorconfiguration.md) *Minimum*: `1` *Maximum*: `2` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `KmsKeyArn` The KMS key ARN for the gateway. *Required*: No *Type*: String *Pattern*: `^arn:[a-z0-9-]{1,20}:kms:[a-zA-Z0-9-]*:[0-9]{12}:key/[a-zA-Z0-9-]{36}$` *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Name` The name of the gateway. *Required*: Yes *Type*: String *Pattern*: `^([0-9a-zA-Z][-]?){1,100}$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `PolicyEngineConfiguration` Property description not available. *Required*: No *Type*: [GatewayPolicyEngineConfiguration](aws-properties-bedrockagentcore-gateway-gatewaypolicyengineconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProtocolConfiguration` The protocol configuration for the gateway target. *Required*: No *Type*: [GatewayProtocolConfiguration](aws-properties-bedrockagentcore-gateway-gatewayprotocolconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ProtocolType` The protocol type used by the gateway. *Required*: Yes *Type*: String *Allowed values*: `MCP` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RoleArn` The ARN of the IAM role that provides permissions for the gateway to access AWS services. *Required*: Yes *Type*: String *Pattern*: `^arn:[a-z0-9-]{1,20}:iam::([0-9]{12})?:role/.+$` *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Tags` The tags for the gateway. *Required*: No *Type*: Object of String *Pattern*: `^[a-zA-Z0-9\s._:/=+@-]*$` *Minimum*: `0` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the gateway identifier. For example: `my-gateway-a1b2c3d4e5` For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `CreatedAt` The date and time at which the target was created. `GatewayArn` The Amazon Resource Name (ARN) of the gateway target. `GatewayIdentifier` The unique identifier of the gateway. `GatewayUrl` The URL endpoint for the gateway. `Status` The status for the gateway. `StatusReasons` The status reasons for the target status. `UpdatedAt` The date and time at which the target was updated. # AWS::BedrockAgentCore::Gateway AuthorizerConfiguration Represents inbound authorization configuration options used to authenticate incoming requests. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[CustomJWTAuthorizer](#cfn-bedrockagentcore-gateway-authorizerconfiguration-customjwtauthorizer)" : CustomJWTAuthorizerConfiguration } ``` ### YAML ``` [CustomJWTAuthorizer](#cfn-bedrockagentcore-gateway-authorizerconfiguration-customjwtauthorizer): CustomJWTAuthorizerConfiguration ``` ## Properties `CustomJWTAuthorizer` The inbound JWT-based authorization, specifying how incoming requests should be authenticated. *Required*: Yes *Type*: [CustomJWTAuthorizerConfiguration](aws-properties-bedrockagentcore-gateway-customjwtauthorizerconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway AuthorizingClaimMatchValueType Defines the value or values to match for and the relationship of the match. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClaimMatchOperator](#cfn-bedrockagentcore-gateway-authorizingclaimmatchvaluetype-claimmatchoperator)" : String, "[ClaimMatchValue](#cfn-bedrockagentcore-gateway-authorizingclaimmatchvaluetype-claimmatchvalue)" : ClaimMatchValueType } ``` ### YAML ``` [ClaimMatchOperator](#cfn-bedrockagentcore-gateway-authorizingclaimmatchvaluetype-claimmatchoperator): String [ClaimMatchValue](#cfn-bedrockagentcore-gateway-authorizingclaimmatchvaluetype-claimmatchvalue): ClaimMatchValueType ``` ## Properties `ClaimMatchOperator` Defines the relationship between the claim field value and the value or values you're matching for. *Required*: Yes *Type*: String *Allowed values*: `EQUALS | CONTAINS | CONTAINS_ANY` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClaimMatchValue` The value or values to match for. *Required*: Yes *Type*: [ClaimMatchValueType](aws-properties-bedrockagentcore-gateway-claimmatchvaluetype.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway ClaimMatchValueType The value or values to match for. + Include a `matchValueString` with the `EQUALS` operator to specify a string that matches the claim field value. + Include a `matchValueArray` to specify an array of string values. You can use the following operators: + Use `CONTAINS` to yield a match if the claim field value is in the array. + Use `CONTAINS_ANY` to yield a match if the claim field value contains any of the strings in the array. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[MatchValueString](#cfn-bedrockagentcore-gateway-claimmatchvaluetype-matchvaluestring)" : String, "[MatchValueStringList](#cfn-bedrockagentcore-gateway-claimmatchvaluetype-matchvaluestringlist)" : [ String, ... ] } ``` ### YAML ``` [MatchValueString](#cfn-bedrockagentcore-gateway-claimmatchvaluetype-matchvaluestring): String [MatchValueStringList](#cfn-bedrockagentcore-gateway-claimmatchvaluetype-matchvaluestringlist): - String ``` ## Properties `MatchValueString` The string value to match for. *Required*: No *Type*: String *Pattern*: `[A-Za-z0-9_.-]+` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `MatchValueStringList` An array of strings to check for a match. *Required*: No *Type*: Array of String *Minimum*: `1` *Maximum*: `255` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway CustomClaimValidationType Defines the name of a custom claim field and rules for finding matches to authenticate its value. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AuthorizingClaimMatchValue](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-authorizingclaimmatchvalue)" : AuthorizingClaimMatchValueType, "[InboundTokenClaimName](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-inboundtokenclaimname)" : String, "[InboundTokenClaimValueType](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-inboundtokenclaimvaluetype)" : String } ``` ### YAML ``` [AuthorizingClaimMatchValue](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-authorizingclaimmatchvalue): AuthorizingClaimMatchValueType [InboundTokenClaimName](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-inboundtokenclaimname): String [InboundTokenClaimValueType](#cfn-bedrockagentcore-gateway-customclaimvalidationtype-inboundtokenclaimvaluetype): String ``` ## Properties `AuthorizingClaimMatchValue` Defines the value or values to match for and the relationship of the match. *Required*: Yes *Type*: [AuthorizingClaimMatchValueType](aws-properties-bedrockagentcore-gateway-authorizingclaimmatchvaluetype.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InboundTokenClaimName` The name of the custom claim field to check. *Required*: Yes *Type*: String *Pattern*: `[A-Za-z0-9_.-:]+` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InboundTokenClaimValueType` The data type of the claim value to check for. + Use `STRING` if you want to find an exact match to a string you define. + Use `STRING_ARRAY` if you want to fnd a match to at least one value in an array you define. *Required*: Yes *Type*: String *Allowed values*: `STRING | STRING_ARRAY` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway CustomJWTAuthorizerConfiguration Configuration for inbound JWT-based authorization, specifying how incoming requests should be authenticated. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[AllowedAudience](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedaudience)" : [ String, ... ], "[AllowedClients](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedclients)" : [ String, ... ], "[AllowedScopes](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedscopes)" : [ String, ... ], "[CustomClaims](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-customclaims)" : [ CustomClaimValidationType, ... ], "[DiscoveryUrl](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-discoveryurl)" : String } ``` ### YAML ``` [AllowedAudience](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedaudience): - String [AllowedClients](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedclients): - String [AllowedScopes](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-allowedscopes): - String [CustomClaims](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-customclaims): - CustomClaimValidationType [DiscoveryUrl](#cfn-bedrockagentcore-gateway-customjwtauthorizerconfiguration-discoveryurl): String ``` ## Properties `AllowedAudience` Represents individual audience values that are validated in the incoming JWT token validation process. *Required*: No *Type*: Array of String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AllowedClients` Represents individual client IDs that are validated in the incoming JWT token validation process. *Required*: No *Type*: Array of String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `AllowedScopes` An array of scopes that are allowed to access the token. *Required*: No *Type*: Array of String *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `CustomClaims` An array of objects that define a custom claim validation name, value, and operation *Required*: No *Type*: Array of [CustomClaimValidationType](aws-properties-bedrockagentcore-gateway-customclaimvalidationtype.md) *Minimum*: `1` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `DiscoveryUrl` This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens. *Required*: Yes *Type*: String *Pattern*: `^.+/\.well-known/openid-configuration$` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway GatewayInterceptorConfiguration The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[InputConfiguration](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-inputconfiguration)" : InterceptorInputConfiguration, "[InterceptionPoints](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-interceptionpoints)" : [ String, ... ], "[Interceptor](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-interceptor)" : InterceptorConfiguration } ``` ### YAML ``` [InputConfiguration](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-inputconfiguration): InterceptorInputConfiguration [InterceptionPoints](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-interceptionpoints): - String [Interceptor](#cfn-bedrockagentcore-gateway-gatewayinterceptorconfiguration-interceptor): InterceptorConfiguration ``` ## Properties `InputConfiguration` The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed *Required*: No *Type*: [InterceptorInputConfiguration](aws-properties-bedrockagentcore-gateway-interceptorinputconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `InterceptionPoints` The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor *Required*: Yes *Type*: Array of String *Minimum*: `1` *Maximum*: `2` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Interceptor` The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked. *Required*: Yes *Type*: [InterceptorConfiguration](aws-properties-bedrockagentcore-gateway-interceptorconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway GatewayPolicyEngineConfiguration The configuration for a policy engine associated with a gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Arn](#cfn-bedrockagentcore-gateway-gatewaypolicyengineconfiguration-arn)" : String, "[Mode](#cfn-bedrockagentcore-gateway-gatewaypolicyengineconfiguration-mode)" : String } ``` ### YAML ``` [Arn](#cfn-bedrockagentcore-gateway-gatewaypolicyengineconfiguration-arn): String [Mode](#cfn-bedrockagentcore-gateway-gatewaypolicyengineconfiguration-mode): String ``` ## Properties `Arn` The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway. *Required*: Yes *Type*: String *Pattern*: `^arn:[a-z0-9-]{1,20}:bedrock-agentcore:[a-z0-9-]+:[0-9]{12}:policy-engine/[a-zA-Z][a-zA-Z0-9-_]{0,99}-[a-zA-Z0-9_]{10}$` *Minimum*: `1` *Maximum*: `170` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Mode` The enforcement mode for the policy engine. Valid values include: + `LOG_ONLY` - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement. + `ENFORCE` - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in `LOG_ONLY` mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic. *Required*: Yes *Type*: String *Allowed values*: `LOG_ONLY | ENFORCE` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway GatewayProtocolConfiguration The configuration for a gateway protocol. This structure defines how the gateway communicates with external services. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Mcp](#cfn-bedrockagentcore-gateway-gatewayprotocolconfiguration-mcp)" : MCPGatewayConfiguration } ``` ### YAML ``` [Mcp](#cfn-bedrockagentcore-gateway-gatewayprotocolconfiguration-mcp): MCPGatewayConfiguration ``` ## Properties `Mcp` The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools. *Required*: Yes *Type*: [MCPGatewayConfiguration](aws-properties-bedrockagentcore-gateway-mcpgatewayconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway InterceptorConfiguration The interceptor configuration. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Lambda](#cfn-bedrockagentcore-gateway-interceptorconfiguration-lambda)" : LambdaInterceptorConfiguration } ``` ### YAML ``` [Lambda](#cfn-bedrockagentcore-gateway-interceptorconfiguration-lambda): LambdaInterceptorConfiguration ``` ## Properties `Lambda` The details of the lambda function used for the interceptor. *Required*: Yes *Type*: [LambdaInterceptorConfiguration](aws-properties-bedrockagentcore-gateway-lambdainterceptorconfiguration.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway InterceptorInputConfiguration The input configuration of the interceptor. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[PassRequestHeaders](#cfn-bedrockagentcore-gateway-interceptorinputconfiguration-passrequestheaders)" : Boolean } ``` ### YAML ``` [PassRequestHeaders](#cfn-bedrockagentcore-gateway-interceptorinputconfiguration-passrequestheaders): Boolean ``` ## Properties `PassRequestHeaders` Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway LambdaInterceptorConfiguration The lambda configuration for the interceptor ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Arn](#cfn-bedrockagentcore-gateway-lambdainterceptorconfiguration-arn)" : String } ``` ### YAML ``` [Arn](#cfn-bedrockagentcore-gateway-lambdainterceptorconfiguration-arn): String ``` ## Properties `Arn` The arn of the lambda function to be invoked for the interceptor. *Required*: Yes *Type*: String *Pattern*: `^arn:[a-z0-9-]{1,20}:lambda:([a-z]{2}(-gov)?-[a-z]+-\d{1}):(\d{12}):function:([a-zA-Z0-9-_.]+)(:(\$LATEST|[a-zA-Z0-9-_]+))?$` *Minimum*: `1` *Maximum*: `170` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway MCPGatewayConfiguration The configuration for a Model Context Protocol (MCP) gateway. This structure defines how the gateway implements the MCP protocol. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[Instructions](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-instructions)" : String, "[SearchType](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-searchtype)" : String, "[SupportedVersions](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-supportedversions)" : [ String, ... ] } ``` ### YAML ``` [Instructions](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-instructions): String [SearchType](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-searchtype): String [SupportedVersions](#cfn-bedrockagentcore-gateway-mcpgatewayconfiguration-supportedversions): - String ``` ## Properties `Instructions` The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SearchType` The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations. *Required*: No *Type*: String *Allowed values*: `SEMANTIC` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `SupportedVersions` The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use. *Required*: No *Type*: Array of String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) # AWS::BedrockAgentCore::Gateway WorkloadIdentityDetails The workload identity details for the gateway. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[WorkloadIdentityArn](#cfn-bedrockagentcore-gateway-workloadidentitydetails-workloadidentityarn)" : String } ``` ### YAML ``` [WorkloadIdentityArn](#cfn-bedrockagentcore-gateway-workloadidentitydetails-workloadidentityarn): String ``` ## Properties `WorkloadIdentityArn` The Amazon Resource Name (ARN) of the workload identity. *Required*: Yes *Type*: String *Minimum*: `1` *Maximum*: `1024` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)