BedrockAgentCoreControlClient
Welcome to the Amazon Bedrock AgentCore Control plane API reference. Control plane actions configure, create, modify, and monitor Amazon Web Services resources.
Types
Functions
Creates an Amazon Bedrock AgentCore Runtime.
Creates an AgentCore Runtime endpoint.
Creates a new API key credential provider.
Creates a custom browser.
Creates a custom code interpreter.
Creates a custom evaluator for agent quality assessment. Custom evaluators use LLM-as-a-Judge configurations with user-defined prompts, rating scales, and model settings to evaluate agent performance at tool call, trace, or session levels.
Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.
Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.
Creates a new Amazon Bedrock AgentCore Memory resource.
Creates a new OAuth2 credential provider.
Creates an online evaluation configuration for continuous monitoring of agent performance. Online evaluation automatically samples live traffic from CloudWatch logs at specified rates and applies evaluators to assess agent quality in production.
Creates a policy within the AgentCore Policy system. Policies provide real-time, deterministic control over agentic interactions with AgentCore Gateway. Using the Cedar policy language, you can define fine-grained policies that specify which interactions with Gateway tools are permitted based on input parameters and OAuth claims, ensuring agents operate within defined boundaries and business rules. The policy is validated during creation against the Cedar schema generated from the Gateway's tools' input schemas, which defines the available tools, their parameters, and expected data types. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Creates a new policy engine within the AgentCore Policy system. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with Gateways (each Gateway can be associated with at most one policy engine, but multiple Gateways can be associated with the same engine), the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Creates a new workload identity.
Deletes an Amazon Bedrock AgentCore Runtime.
Deletes an AAgentCore Runtime endpoint.
Deletes an API key credential provider.
Deletes a custom browser.
Deletes a custom code interpreter.
Deletes a custom evaluator. Builtin evaluators cannot be deleted. The evaluator must not be referenced by any active online evaluation configurations.
Deletes a gateway.
Deletes a gateway target.
Deletes an Amazon Bedrock AgentCore Memory resource.
Deletes an OAuth2 credential provider.
Deletes an online evaluation configuration and stops any ongoing evaluation processes associated with it.
Deletes an existing policy from the AgentCore Policy system. Once deleted, the policy can no longer be used for agent behavior control and all references to it become invalid. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Deletes an existing policy engine from the AgentCore Policy system. The policy engine must not have any associated policies before deletion. Once deleted, the policy engine and all its configurations become unavailable for policy management and evaluation. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Deletes the resource-based policy for a specified resource.
Deletes a workload identity.
Gets an Amazon Bedrock AgentCore Runtime.
Gets information about an Amazon Secure AgentEndpoint.
Retrieves information about an API key credential provider.
Gets information about a custom browser.
Gets information about a custom code interpreter.
Retrieves detailed information about an evaluator, including its configuration, status, and metadata. Works with both built-in and custom evaluators.
Retrieves information about a specific Gateway.
Retrieves information about a specific gateway target.
Retrieve an existing Amazon Bedrock AgentCore Memory resource.
Retrieves information about an OAuth2 credential provider.
Retrieves detailed information about an online evaluation configuration, including its rules, data sources, evaluators, and execution status.
Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.
Retrieves detailed information about a specific policy engine within the AgentCore Policy system. This operation returns the complete policy engine configuration, metadata, and current status, allowing administrators to review and manage policy engine settings.
Retrieves information about a policy generation request within the AgentCore Policy system. Policy generation converts natural language descriptions into Cedar policy statements using AI-powered translation, enabling non-technical users to create policies.
Retrieves the resource-based policy for a specified resource.
Retrieves information about a token vault.
Retrieves information about a workload identity.
Lists all endpoints for a specific Amazon Secure Agent.
Lists all Amazon Secure Agents in your account.
Lists all versions of a specific Amazon Secure Agent.
Lists all API key credential providers in your account.
Lists all custom browsers in your account.
Lists all custom code interpreters in your account.
Lists all available evaluators, including both builtin evaluators provided by the service and custom evaluators created by the user.
Lists all gateways in the account.
Lists all targets for a specific gateway.
Lists the available Amazon Bedrock AgentCore Memory resources in the current Amazon Web Services Region.
Lists all OAuth2 credential providers in your account.
Lists all online evaluation configurations in the account, providing summary information about each configuration's status and settings.
Retrieves a list of policies within the AgentCore Policy engine. This operation supports pagination and filtering to help administrators manage and discover policies across policy engines. Results can be filtered by policy engine or resource associations.
Retrieves a list of policy engines within the AgentCore Policy system. This operation supports pagination to help administrators discover and manage policy engines across their account. Each policy engine serves as a container for related policies.
Retrieves a list of generated policy assets from a policy generation request within the AgentCore Policy system. This operation returns the actual Cedar policies and related artifacts produced by the AI-powered policy generation process, allowing users to review and select from multiple generated policy options.
Retrieves a list of policy generation requests within the AgentCore Policy system. This operation supports pagination and filtering to help track and manage AI-powered policy generation operations.
Lists the tags associated with the specified resource.
Lists all workload identities in your account.
Creates or updates a resource-based policy for a resource with the specified resourceArn.
Sets the customer master key (CMK) for a token vault.
Initiates the AI-powered generation of Cedar policies from natural language descriptions within the AgentCore Policy system. This feature enables both technical and non-technical users to create policies by describing their authorization requirements in plain English, which is then automatically translated into formal Cedar policy statements. The generation process analyzes the natural language input along with the Gateway's tool context to produce validated policy options. Generated policy assets are automatically deleted after 7 days, so you should review and create policies from the generated assets within this timeframe. Once created, policies are permanent and not subject to this expiration. Generated policies should be reviewed and tested in log-only mode before deploying to production. Use this when you want to describe policy intent naturally rather than learning Cedar syntax, though generated policies may require refinement for complex scenarios.
The gateway targets.
Associates the specified tags to a resource with the specified resourceArn. If existing tags on a resource are not specified in the request parameters, they are not changed. When a resource is deleted, the tags associated with that resource are also deleted.
Removes the specified tags from the specified resource.
Updates an existing Amazon Secure Agent.
Updates an existing Amazon Bedrock AgentCore Runtime endpoint.
Updates an existing API key credential provider.
Updates a custom evaluator's configuration, description, or evaluation level. Built-in evaluators cannot be updated. The evaluator must not be locked for modification.
Updates an existing gateway.
Updates an existing gateway target.
Update an Amazon Bedrock AgentCore Memory resource memory.
Updates an existing OAuth2 credential provider.
Updates an online evaluation configuration's settings, including rules, data sources, evaluators, and execution status. Changes take effect immediately for ongoing evaluations.
Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Updates an existing policy engine within the AgentCore Policy system. This operation allows modification of the policy engine description while maintaining its identity. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Updates an existing workload identity.
Inherited functions
Creates an Amazon Bedrock AgentCore Runtime.
Creates an AgentCore Runtime endpoint.
Creates a new API key credential provider.
Creates a custom browser.
Creates a custom code interpreter.
Creates a custom evaluator for agent quality assessment. Custom evaluators use LLM-as-a-Judge configurations with user-defined prompts, rating scales, and model settings to evaluate agent performance at tool call, trace, or session levels.
Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.
Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.
Creates a new Amazon Bedrock AgentCore Memory resource.
Creates a new OAuth2 credential provider.
Creates an online evaluation configuration for continuous monitoring of agent performance. Online evaluation automatically samples live traffic from CloudWatch logs at specified rates and applies evaluators to assess agent quality in production.
Creates a policy within the AgentCore Policy system. Policies provide real-time, deterministic control over agentic interactions with AgentCore Gateway. Using the Cedar policy language, you can define fine-grained policies that specify which interactions with Gateway tools are permitted based on input parameters and OAuth claims, ensuring agents operate within defined boundaries and business rules. The policy is validated during creation against the Cedar schema generated from the Gateway's tools' input schemas, which defines the available tools, their parameters, and expected data types. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Creates a new policy engine within the AgentCore Policy system. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with Gateways (each Gateway can be associated with at most one policy engine, but multiple Gateways can be associated with the same engine), the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Creates a new workload identity.
Deletes an Amazon Bedrock AgentCore Runtime.
Deletes an AAgentCore Runtime endpoint.
Deletes an API key credential provider.
Deletes a custom browser.
Deletes a custom code interpreter.
Deletes a custom evaluator. Builtin evaluators cannot be deleted. The evaluator must not be referenced by any active online evaluation configurations.
Deletes a gateway.
Deletes a gateway target.
Deletes an Amazon Bedrock AgentCore Memory resource.
Deletes an OAuth2 credential provider.
Deletes an online evaluation configuration and stops any ongoing evaluation processes associated with it.
Deletes an existing policy from the AgentCore Policy system. Once deleted, the policy can no longer be used for agent behavior control and all references to it become invalid. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Deletes an existing policy engine from the AgentCore Policy system. The policy engine must not have any associated policies before deletion. Once deleted, the policy engine and all its configurations become unavailable for policy management and evaluation. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Deletes the resource-based policy for a specified resource.
Deletes a workload identity.
Gets an Amazon Bedrock AgentCore Runtime.
Gets information about an Amazon Secure AgentEndpoint.
Retrieves information about an API key credential provider.
Gets information about a custom browser.
Gets information about a custom code interpreter.
Retrieves detailed information about an evaluator, including its configuration, status, and metadata. Works with both built-in and custom evaluators.
Retrieves information about a specific Gateway.
Retrieves information about a specific gateway target.
Retrieve an existing Amazon Bedrock AgentCore Memory resource.
Retrieves information about an OAuth2 credential provider.
Retrieves detailed information about an online evaluation configuration, including its rules, data sources, evaluators, and execution status.
Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.
Retrieves detailed information about a specific policy engine within the AgentCore Policy system. This operation returns the complete policy engine configuration, metadata, and current status, allowing administrators to review and manage policy engine settings.
Retrieves information about a policy generation request within the AgentCore Policy system. Policy generation converts natural language descriptions into Cedar policy statements using AI-powered translation, enabling non-technical users to create policies.
Retrieves the resource-based policy for a specified resource.
Retrieves information about a token vault.
Retrieves information about a workload identity.
Lists all endpoints for a specific Amazon Secure Agent.
Paginate over ListAgentRuntimeEndpointsResponse results.
Lists all Amazon Secure Agents in your account.
Paginate over ListAgentRuntimesResponse results.
Lists all versions of a specific Amazon Secure Agent.
Paginate over ListAgentRuntimeVersionsResponse results.
Lists all API key credential providers in your account.
Paginate over ListApiKeyCredentialProvidersResponse results.
Lists all custom browsers in your account.
Paginate over ListBrowsersResponse results.
Lists all custom code interpreters in your account.
Paginate over ListCodeInterpretersResponse results.
Lists all available evaluators, including both builtin evaluators provided by the service and custom evaluators created by the user.
Paginate over ListEvaluatorsResponse results.
Lists all gateways in the account.
Paginate over ListGatewaysResponse results.
Lists all targets for a specific gateway.
Paginate over ListGatewayTargetsResponse results.
Lists the available Amazon Bedrock AgentCore Memory resources in the current Amazon Web Services Region.
Paginate over ListMemoriesResponse results.
Lists all OAuth2 credential providers in your account.
Paginate over ListOauth2CredentialProvidersResponse results.
Lists all online evaluation configurations in the account, providing summary information about each configuration's status and settings.
Paginate over ListOnlineEvaluationConfigsResponse results.
Retrieves a list of policies within the AgentCore Policy engine. This operation supports pagination and filtering to help administrators manage and discover policies across policy engines. Results can be filtered by policy engine or resource associations.
Paginate over ListPoliciesResponse results.
Retrieves a list of policy engines within the AgentCore Policy system. This operation supports pagination to help administrators discover and manage policy engines across their account. Each policy engine serves as a container for related policies.
Paginate over ListPolicyEnginesResponse results.
Retrieves a list of generated policy assets from a policy generation request within the AgentCore Policy system. This operation returns the actual Cedar policies and related artifacts produced by the AI-powered policy generation process, allowing users to review and select from multiple generated policy options.
Paginate over ListPolicyGenerationAssetsResponse results.
Retrieves a list of policy generation requests within the AgentCore Policy system. This operation supports pagination and filtering to help track and manage AI-powered policy generation operations.
Paginate over ListPolicyGenerationsResponse results.
Lists the tags associated with the specified resource.
Lists all workload identities in your account.
Paginate over ListWorkloadIdentitiesResponse results.
Creates or updates a resource-based policy for a resource with the specified resourceArn.
Sets the customer master key (CMK) for a token vault.
Initiates the AI-powered generation of Cedar policies from natural language descriptions within the AgentCore Policy system. This feature enables both technical and non-technical users to create policies by describing their authorization requirements in plain English, which is then automatically translated into formal Cedar policy statements. The generation process analyzes the natural language input along with the Gateway's tool context to produce validated policy options. Generated policy assets are automatically deleted after 7 days, so you should review and create policies from the generated assets within this timeframe. Once created, policies are permanent and not subject to this expiration. Generated policies should be reviewed and tested in log-only mode before deploying to production. Use this when you want to describe policy intent naturally rather than learning Cedar syntax, though generated policies may require refinement for complex scenarios.
The gateway targets.
Associates the specified tags to a resource with the specified resourceArn. If existing tags on a resource are not specified in the request parameters, they are not changed. When a resource is deleted, the tags associated with that resource are also deleted.
Removes the specified tags from the specified resource.
Updates an existing Amazon Secure Agent.
Updates an existing Amazon Bedrock AgentCore Runtime endpoint.
Updates an existing API key credential provider.
Updates a custom evaluator's configuration, description, or evaluation level. Built-in evaluators cannot be updated. The evaluator must not be locked for modification.
Updates an existing gateway.
Updates an existing gateway target.
Update an Amazon Bedrock AgentCore Memory resource memory.
Updates an existing OAuth2 credential provider.
Updates an online evaluation configuration's settings, including rules, data sources, evaluators, and execution status. Changes take effect immediately for ongoing evaluations.
Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
Updates an existing policy engine within the AgentCore Policy system. This operation allows modification of the policy engine description while maintaining its identity. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
Updates an existing workload identity.
Wait until a Policy is active
Wait until a Policy is deleted
Wait until a PolicyEngine is active
Wait until a PolicyEngine is deleted
Wait until policy generation is completed
Create a copy of the client with one or more configuration values overridden. This method allows the caller to perform scoped config overrides for one or more client operations.