Amazon Bedrock AgentCore Control

2026/04/24 - Amazon Bedrock AgentCore Control - 20 updated api methods

Changes: Added support for configuring identity providers and inbound authorizers within a private VPC for AWS Bedrock AgentCore, enabling secure network connection without public internet access.

CreateAgentRuntime (updated)
Changes (request)
{'agentRuntimeArtifact': {'codeConfiguration': {'runtime': {'NODE_22'}}},
 'authorizerConfiguration': {
     'customJWTAuthorizer': {
         'privateEndpoint': {
             'managedVpcResource': {
                 'endpointIpAddressType': 'IPV4 | IPV6',
                 'routingDomain': 'string',
                 'securityGroupIds': ['string'],
                 'subnetIds': ['string'],
                 'tags': {'string': 'string'},
                 'vpcIdentifier': 'string'},
             'selfManagedLatticeResource': {
                 'resourceConfigurationIdentifier': 'string'}},
         'privateEndpointOverrides': [
             {'domain': 'string',
              'privateEndpoint': {
                  'managedVpcResource': {
                      'endpointIpAddressType': 'IPV4 | IPV6',
                      'routingDomain': 'string',
                      'securityGroupIds': ['string'],
                      'subnetIds': ['string'],
                      'tags': {'string': 'string'},
                      'vpcIdentifier': 'string'},
                  'selfManagedLatticeResource': {
                      'resourceConfigurationIdentifier': 'string'}}}]}}}

Creates an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.create_agent_runtime(
    agentRuntimeName='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    clientToken='string',
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            }
        },
    ],
    tags={
        'string': 'string'
    }
)
type agentRuntimeName:

string

param agentRuntimeName:

[REQUIRED]

The name of the AgentCore Runtime.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type description:

string

param description:

The description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

Configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The life cycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The filesystem configurations to mount into the AgentCore Runtime. Use filesystem configurations to provide persistent storage to your AgentCore Runtime sessions.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type tags:

dict

param tags:

A map of tag keys and values to assign to the agent runtime. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • status (string) --

      The current status of the AgentCore Runtime.

CreateGateway (updated)
Changes (both)
{'authorizerConfiguration': {
     'customJWTAuthorizer': {
         'privateEndpoint': {
             'managedVpcResource': {
                 'endpointIpAddressType': 'IPV4 | IPV6',
                 'routingDomain': 'string',
                 'securityGroupIds': ['string'],
                 'subnetIds': ['string'],
                 'tags': {'string': 'string'},
                 'vpcIdentifier': 'string'},
             'selfManagedLatticeResource': {
                 'resourceConfigurationIdentifier': 'string'}},
         'privateEndpointOverrides': [
             {'domain': 'string',
              'privateEndpoint': {
                  'managedVpcResource': {
                      'endpointIpAddressType': 'IPV4 | IPV6',
                      'routingDomain': 'string',
                      'securityGroupIds': ['string'],
                      'subnetIds': ['string'],
                      'tags': {'string': 'string'},
                      'vpcIdentifier': 'string'},
                  'selfManagedLatticeResource': {
                      'resourceConfigurationIdentifier': 'string'}}}]}}}

Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_gateway(
    name='string',
    description='string',
    clientToken='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    kmsKeyArn='string',
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the gateway. The name must be unique within your account.

type description:

string

param description:

The description of the gateway.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.

type protocolType:

string

param protocolType:

[REQUIRED]

The protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration settings for the protocol specified in the protocolType parameter.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the gateway.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

  • NONE - No authorization.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type kmsKeyArn:

string

param kmsKeyArn:

The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

type interceptorConfigurations:

list

param interceptorConfigurations:

A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the Lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The ARN of the Lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type tags:

dict

param tags:

A map of key-value pairs to associate with the gateway as metadata tags.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'kmsKeyArn': 'string',
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the created gateway.

    • gatewayId (string) --

      The unique identifier of the created gateway.

    • gatewayUrl (string) --

      The URL endpoint for the created gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the gateway.

    • protocolType (string) --

      The protocol type of the gateway.

    • protocolConfiguration (dict) --

      The configuration settings for the protocol used by the gateway.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • authorizerType (string) --

      The type of authorizer used by the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the created gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

    • interceptorConfigurations (list) --

      The list of interceptor configurations for the created gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the created gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the created gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.
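
The following is an added example, not part of the AWS documentation: a reviewer-side audit of a gateway dict shaped like the Response Syntax above, flagging the settings whose descriptions carry a security trade-off (no inbound authorizer, LOG_ONLY policy mode, DEBUG exception detail, default security group fallback, request headers forwarded to an interceptor). The function names, severity labels and the sample gateway are assumptions constructed for illustration.

```python
# Added example: audit a gateway configuration dict (field names taken from the
# Response Syntax above). Severity labels are this example's own choice.

JWT_BASE = "authorizerConfiguration.customJWTAuthorizer"


def _check_private_endpoint(path, endpoint, findings):
    """Flag a managedVpcResource that falls back to the VPC default security group."""
    managed = (endpoint or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append(("MEDIUM", path + ".managedVpcResource.securityGroupIds",
                         "not set: the default security group for the VPC is used"))


def audit_gateway(gw):
    """Return a list of (severity, field_path, message) tuples for a gateway dict."""
    findings = []
    auth_type = gw.get("authorizerType")
    jwt = (gw.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")

    if auth_type == "NONE":
        findings.append(("HIGH", "authorizerType",
                         "NONE: no inbound authorizer is configured"))
    elif auth_type == "CUSTOM_JWT":
        if jwt is None:
            findings.append(("HIGH", JWT_BASE, "CUSTOM_JWT selected but no configuration present"))
        elif not any(jwt.get(k) for k in
                     ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")):
            findings.append(("MEDIUM", JWT_BASE,
                             "no audience, client, scope or custom-claim constraint is set"))

    if jwt is not None:
        _check_private_endpoint(JWT_BASE + ".privateEndpoint",
                                jwt.get("privateEndpoint"), findings)
        for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
            _check_private_endpoint(
                f"{JWT_BASE}.privateEndpointOverrides[{i}].privateEndpoint",
                override.get("privateEndpoint"), findings)

    policy = gw.get("policyEngineConfiguration")
    if policy is None:
        findings.append(("MEDIUM", "policyEngineConfiguration",
                         "absent: no policy engine evaluates agent tool calls"))
    elif policy.get("mode") == "LOG_ONLY":
        findings.append(("MEDIUM", "policyEngineConfiguration.mode",
                         "LOG_ONLY: decisions are traced but not enforced"))

    if gw.get("exceptionLevel") == "DEBUG":
        findings.append(("LOW", "exceptionLevel",
                         "DEBUG: granular exception messages are returned to callers"))

    if not gw.get("kmsKeyArn"):
        findings.append(("INFO", "kmsKeyArn", "no KMS key ARN is specified"))

    for i, cfg in enumerate(gw.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn", "<unknown>")
            findings.append(
                ("LOW", f"interceptorConfigurations[{i}].inputConfiguration.passRequestHeaders",
                 f"true: request headers are passed to interceptor {arn}"))
    return findings


# Constructed sample; every identifier below is a placeholder, not a real resource.
SAMPLE_GATEWAY = {
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.internal/.well-known/openid-configuration",
        "allowedAudience": ["example-gateway"],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE-A", "subnet-EXAMPLE-B"],
            "endpointIpAddressType": "IPV4",
            "routingDomain": "idp-routing.example.com",
        }},
        "privateEndpointOverrides": [{
            "domain": "jwks.example.internal",
            "privateEndpoint": {"selfManagedLatticeResource": {
                "resourceConfigurationIdentifier": "rcfg-EXAMPLE"}},
        }],
    }},
    "kmsKeyArn": "arn:aws:kms:REGION:ACCOUNT_ID:key/EXAMPLE",
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "arn:aws:lambda:REGION:ACCOUNT_ID:function:EXAMPLE"}},
        "interceptionPoints": ["REQUEST"],
        "inputConfiguration": {"passRequestHeaders": True},
    }],
    "policyEngineConfiguration": {"arn": "arn:EXAMPLE-policy-engine", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

if __name__ == "__main__":
    for severity, path, message in audit_gateway(SAMPLE_GATEWAY):
        print(f"[{severity}] {path}: {message}")
```

The same function can be run over the keyword arguments of a create call before it is sent, since the audited fields use the same names in the request and the response.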

CreateGatewayTarget (updated)
Changes (both)
{'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 | IPV6',
                                            'routingDomain': 'string',
                                            'securityGroupIds': ['string'],
                                            'subnetIds': ['string'],
                                            'tags': {'string': 'string'},
                                            'vpcIdentifier': 'string'}}}

Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.

See also: AWS API Documentation

Request Syntax

client.create_gateway_target(
    gatewayIdentifier='string',
    name='string',
    description='string',
    clientToken='string',
    targetConfiguration={
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'resourcePriority': 123,
                'listingMode': 'DEFAULT'|'DYNAMIC'
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            }
        }
    },
    credentialProviderConfigurations=[
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    metadataConfiguration={
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    privateEndpoint={
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to create a target for.

type name:

string

param name:

[REQUIRED]

The name of the gateway target. The name must be unique within the gateway.

type description:

string

param description:

The description of the gateway target.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type targetConfiguration:

dict

param targetConfiguration:

[REQUIRED]

The configuration settings for the target, including endpoint information and schema definitions.

  • mcp (dict) --

    The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

    • openApiSchema (dict) --

      The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • smithyModel (dict) --

      The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • lambda (dict) --

      The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

      • lambdaArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

      • toolSchema (dict) -- [REQUIRED]

        The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (list) --

          The inline payload of the tool schema. This payload contains the schema definition directly in the request.

          • (dict) --

            A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

            • name (string) -- [REQUIRED]

              The name of the tool. This name identifies the tool in the Model Context Protocol.

            • description (string) -- [REQUIRED]

              The description of the tool. This description provides information about the purpose and usage of the tool.

            • inputSchema (dict) -- [REQUIRED]

              The input schema for the tool. This schema defines the structure of the input that the tool accepts.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • outputSchema (dict) --

              The output schema for the tool. This schema defines the structure of the output that the tool produces.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

    • mcpServer (dict) --

      The MCP server specified as the gateway target.

      • endpoint (string) -- [REQUIRED]

        The endpoint for the MCP server target configuration.

      • mcpToolSchema (dict) --

        The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (string) --

          The inline payload containing the MCP tool schema definition.

      • resourcePriority (integer) --

        Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

      • listingMode (string) --

        The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

    • apiGateway (dict) --

      The configuration for an Amazon API Gateway target.

      • restApiId (string) -- [REQUIRED]

        The ID of the API Gateway REST API.

      • stage (string) -- [REQUIRED]

        The ID of the stage of the REST API to add as a target.

      • apiGatewayToolConfiguration (dict) -- [REQUIRED]

        The configuration for defining REST API tool filters and overrides for the gateway target.

        • toolOverrides (list) --

          A list of explicit tool definitions with optional custom names and descriptions.

          • (dict) --

            Settings to override configurations for a tool.

            • name (string) -- [REQUIRED]

              The name of the tool. Identifies the tool in the Model Context Protocol.

            • description (string) --

              The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

            • path (string) -- [REQUIRED]

              Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

            • method (string) -- [REQUIRED]

              The HTTP method to expose for the specified path.

        • toolFilters (list) -- [REQUIRED]

          A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

          • (dict) --

            Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

            • filterPath (string) -- [REQUIRED]

              Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

            • methods (list) -- [REQUIRED]

              The methods to filter for.

              • (string) --

type credentialProviderConfigurations:

list

param credentialProviderConfigurations:

The credential provider configurations for the target. These configurations specify how the gateway authenticates with the target endpoint.

  • (dict) --

    The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

    • credentialProviderType (string) -- [REQUIRED]

      The type of credential provider. This field specifies which authentication method the gateway uses.

    • credentialProvider (dict) --

      The credential provider. This field contains the specific configuration for the credential provider type.

      • oauthCredentialProvider (dict) --

        The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

        • scopes (list) -- [REQUIRED]

          The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

          • (string) --

        • customParameters (dict) --

          The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

          • (string) --

            • (string) --

        • grantType (string) --

          Specifies the kind of credentials to use for authorization:

          • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

          • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

        • defaultReturnUrl (string) --

          The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • apiKeyCredentialProvider (dict) --

        The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

        • credentialParameterName (string) --

          The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

        • credentialPrefix (string) --

          The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

        • credentialLocation (string) --

          The location of the API key credential. This field specifies where in the request the API key should be placed.

      • iamCredentialProvider (dict) --

        The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

        • service (string) -- [REQUIRED]

          The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

        • region (string) --

          The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

type metadataConfiguration:

dict

param metadataConfiguration:

Optional configuration for HTTP header and query parameter propagation to and from the gateway target.

  • allowedRequestHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

    • (string) --

  • allowedQueryParameters (list) --

    A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

    • (string) --

  • allowedResponseHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from the target response back to the client.

    • (string) --

type privateEndpoint:

dict

param privateEndpoint:

The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.

  • selfManagedLatticeResource (dict) --

    Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

    • resourceConfigurationIdentifier (string) --

      The ARN or ID of the VPC Lattice resource configuration.

  • managedVpcResource (dict) --

    Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

    • vpcIdentifier (string) -- [REQUIRED]

      The ID of the VPC that contains your private resource.

    • subnetIds (list) -- [REQUIRED]

      The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

      • (string) --

    • endpointIpAddressType (string) -- [REQUIRED]

      The IP address type for the resource configuration endpoint.

    • securityGroupIds (list) --

      The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

      • (string) --

    • tags (dict) --

      Tags to apply to the managed VPC Lattice resource gateway.

      • (string) --

        • (string) --

    • routingDomain (string) --

      An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
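
A pre-deployment check over the request fields documented above, as an added example (not code from the AWS documentation or SDK): it lints a CreateGatewayTarget request dict for field combinations that widen exposure. The sensitive-header list, the finding codes and the sample request with its placeholder IDs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed local policy, not values taken from the AWS documentation.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def lint_gateway_target(request: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings for a CreateGatewayTarget request dict."""
    findings = []
    meta = request.get("metadataConfiguration") or {}
    providers = [c.get("credentialProvider") or {}
                 for c in request.get("credentialProviderConfigurations") or []]

    # Credential-bearing headers should not be on a propagation allowlist.
    for field in ("allowedRequestHeaders", "allowedResponseHeaders"):
        for header in meta.get(field) or []:
            if header.strip().lower() in SENSITIVE_HEADERS:
                findings.append(("SENSITIVE_HEADER", f"{field} propagates {header!r}"))

    # An API key in the query string ends up in URLs and access logs; it must also
    # not share a name with a query parameter that clients are allowed to pass through.
    allowed_qs = {q.lower() for q in meta.get("allowedQueryParameters") or []}
    for provider in providers:
        api_key = provider.get("apiKeyCredentialProvider")
        if not api_key or api_key.get("credentialLocation") != "QUERY_PARAMETER":
            continue
        findings.append(("API_KEY_IN_QUERY", "credentialLocation is QUERY_PARAMETER"))
        name = (api_key.get("credentialParameterName") or "").lower()
        if name and name in allowed_qs:
            findings.append(("API_KEY_PARAM_COLLISION",
                             f"{name!r} is also in allowedQueryParameters"))

    # The authorization-code return URL carries the end user's browser back to the app.
    grant_types = set()
    for provider in providers:
        oauth = provider.get("oauthCredentialProvider")
        if not oauth:
            continue
        grant_types.add(oauth.get("grantType"))
        url = oauth.get("defaultReturnUrl")
        if url and urlsplit(url).scheme != "https":
            findings.append(("RETURN_URL_NOT_HTTPS", f"defaultReturnUrl is {url!r}"))

    # Documented constraint: mcpToolSchema is supported only with an
    # authorization code grant type on the credential provider.
    mcp = (request.get("targetConfiguration") or {}).get("mcp") or {}
    if (mcp.get("mcpServer") or {}).get("mcpToolSchema") and "AUTHORIZATION_CODE" not in grant_types:
        findings.append(("TOOL_SCHEMA_NEEDS_AUTH_CODE",
                         "mcpToolSchema set without an AUTHORIZATION_CODE provider"))

    # A wildcard filterPath exposes every path under it, including state-changing methods.
    tool_cfg = (mcp.get("apiGateway") or {}).get("apiGatewayToolConfiguration") or {}
    for tool_filter in tool_cfg.get("toolFilters") or []:
        risky = sorted(MUTATING_METHODS & set(tool_filter.get("methods") or []))
        if tool_filter.get("filterPath", "").endswith("*") and risky:
            findings.append(("WILDCARD_MUTATING_FILTER",
                             f"{tool_filter['filterPath']} exposes {', '.join(risky)}"))

    # Documented behaviour: with no securityGroupIds, the VPC's default security group is used.
    managed = (request.get("privateEndpoint") or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append(("DEFAULT_SECURITY_GROUP",
                         "managedVpcResource falls back to the VPC default security group"))
    return findings


def finding_codes(request: dict) -> list[str]:
    """Finding codes only, in the order the checks run."""
    return [code for code, _ in lint_gateway_target(request)]


# Constructed sample request; every ID and ARN below is a placeholder.
SAMPLE_REQUEST = {
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "EXAMPLE_API_ID",
        "stage": "prod",
        "apiGatewayToolConfiguration": {
            "toolFilters": [{"filterPath": "/pets/*", "methods": ["GET", "DELETE"]}],
        },
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "arn:aws:EXAMPLE:placeholder",
            "credentialParameterName": "api_key",
            "credentialLocation": "QUERY_PARAMETER",
        }},
    }],
    "metadataConfiguration": {
        "allowedRequestHeaders": ["Authorization", "X-Trace-Id"],
        "allowedQueryParameters": ["api_key", "page"],
    },
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "vpc-EXAMPLE",
        "subnetIds": ["subnet-EXAMPLE"],
        "endpointIpAddressType": "IPV4",
    }},
}

if __name__ == "__main__":
    for code, message in lint_gateway_target(SAMPLE_REQUEST):
        print(f"{code}: {message}")
```

Run it against the same dict that is passed to the API call, for example as a CI step, so a finding blocks the change before the target is created.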

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'resourcePriority': 123,
                'listingMode': 'DEFAULT'|'DYNAMIC'
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the created target.

    • createdAt (datetime) --

      The timestamp when the target was created.

    • updatedAt (datetime) --

      The timestamp when the target was last updated.

    • status (string) --

      The current status of the target.

    • statusReasons (list) --

      The reasons for the current status of the target.

      • (string) --

    • name (string) --

      The name of the target.

    • description (string) --

      The description of the target.

    • targetConfiguration (dict) --

      The configuration settings for the target.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

    • credentialProviderConfigurations (list) --

      The credential provider configurations for the target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The last synchronization of the target.

    • metadataConfiguration (dict) --

      The metadata configuration that was applied to the created gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the created gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

CreateHarness (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                     '| '
                                                                                                                                     'IPV6',
                                                                                                            'routingDomain': 'string',
                                                                                                            'securityGroupIds': ['string'],
                                                                                                            'subnetIds': ['string'],
                                                                                                            'tags': {'string': 'string'},
                                                                                                            'vpcIdentifier': 'string'},
                                                                                     'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                                 'privateEndpointOverrides': [{'domain': 'string',
                                                                                               'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                   '| '
                                                                                                                                                                   'IPV6',
                                                                                                                                          'routingDomain': 'string',
                                                                                                                                          'securityGroupIds': ['string'],
                                                                                                                                          'subnetIds': ['string'],
                                                                                                                                          'tags': {'string': 'string'},
                                                                                                                                          'vpcIdentifier': 'string'},
                                                                                                                   'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}

Operation to create a Harness.

See also: AWS API Documentation

Request Syntax

client.create_harness(
    harnessName='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ]
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {},
                        'none': {},
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string'
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'agentCoreMemoryConfiguration': {
            'arn': 'string',
            'actorId': 'string',
            'messagesCount': 123,
            'retrievalConfig': {
                'string': {
                    'topK': 123,
                    'relevanceScore': ...,
                    'strategyId': 'string'
                }
            }
        }
    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123,
    tags={
        'string': 'string'
    }
)
type harnessName:

string

param harnessName:

[REQUIRED]

The name of the harness. Must start with a letter and contain only alphanumeric characters and underscores.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

[REQUIRED]

The ARN of the IAM role that the harness assumes when running. This role must have permissions for the services the agent needs to access, such as Amazon Bedrock for model invocation.

type environment:

dict

param environment:

The compute environment configuration for the harness, including network and lifecycle settings.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness, such as a custom container image containing additional dependencies.

  • containerConfiguration (dict) --

    Representation of a container configuration.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Represents inbound authorization configuration options used to authenticate incoming requests.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type model:

dict

param model:

The model configuration for the harness. Supports Amazon Bedrock, OpenAI, and Google Gemini model providers.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior and instructions.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent, such as remote MCP servers, AgentCore Gateway, AgentCore Browser, Code Interpreter, or inline functions.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Map of key/value pairs for HTTP headers.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (document) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. Skills are bundles of files that the agent can pull into its context on demand.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. Supports glob patterns such as * for all tools, @builtin for all built-in tools, or @serverName/toolName for specific MCP server tools.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration for persisting conversation context across sessions.

  • agentCoreMemoryConfiguration (dict) --

    The AgentCore Memory configuration.

    • arn (string) -- [REQUIRED]

      The ARN of the AgentCore Memory resource.

    • actorId (string) --

      The actor ID for memory operations.

    • messagesCount (integer) --

      The number of messages to retrieve from memory.

    • retrievalConfig (dict) --

      The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

      • (string) --

        • (dict) --

          Configuration for memory retrieval within a namespace.

          • topK (integer) --

            The maximum number of memory entries to retrieve.

          • relevanceScore (float) --

            The minimum relevance score for retrieved memories.

          • strategyId (string) --

            The ID of the retrieval strategy to use.

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context when it exceeds model limits.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation.

type maxTokens:

integer

param maxTokens:

The maximum number of tokens the agent can generate per iteration.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation.

type tags:

dict

param tags:

Tags to apply to the harness resource.

  • (string) --

    • (string) --
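A pre-flight review of create_harness keyword arguments against the constraints documented above, as an added example (not part of the AWS documentation or SDK). The function names, severity labels and the choice of which settings to warn on are assumptions of this example, and the sample request is constructed with placeholder identifiers.

```python
import re

# Page: mountPath "must be under /mnt with exactly one subdirectory level".
MOUNT_PATH_RE = re.compile(r"/mnt/[^/]+")
MANAGED_REQUIRED = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def _review_endpoint(endpoint, path, out):
    """Review one privateEndpoint dict (top level or inside an override)."""
    managed = endpoint.get("managedVpcResource")
    if managed is None:
        return  # self-managed Lattice resource: nothing to check offline
    path = f"{path}.managedVpcResource"
    for key in MANAGED_REQUIRED:
        if not managed.get(key):
            out.append(("ERROR", f"{path}.{key}", "required field missing"))
    ip_type = managed.get("endpointIpAddressType")
    if ip_type and ip_type not in ("IPV4", "IPV6"):
        out.append(("ERROR", f"{path}.endpointIpAddressType", f"unsupported value {ip_type!r}"))
    if not managed.get("securityGroupIds"):
        out.append(("WARN", f"{path}.securityGroupIds",
                    "omitted, so the VPC default security group is used"))


def review_harness_request(kwargs):
    """Return (severity, path, message) findings for create_harness kwargs."""
    out = []
    runtime = kwargs.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    if runtime.get("networkConfiguration", {}).get("networkMode") == "PUBLIC":
        out.append(("WARN", "environment.networkMode", "runtime is PUBLIC, not VPC"))
    for i, fs in enumerate(runtime.get("filesystemConfigurations", [])):
        if "sessionStorage" not in fs:
            continue
        mount = fs["sessionStorage"].get("mountPath", "")
        if not MOUNT_PATH_RE.fullmatch(mount) or mount.endswith(("/.", "/..")):
            out.append(("ERROR", f"filesystemConfigurations[{i}].mountPath",
                        f"{mount!r} is not /mnt/<one level>"))

    jwt = kwargs.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt is not None:
        base = "customJWTAuthorizer"
        if not jwt.get("discoveryUrl"):
            out.append(("ERROR", f"{base}.discoveryUrl", "required field missing"))
        if not any(jwt.get(key) for key in JWT_RESTRICTIONS):
            out.append(("WARN", base, "no audience, client, scope or custom-claim restriction"))
        _review_endpoint(jwt.get("privateEndpoint", {}), f"{base}.privateEndpoint", out)
        for i, override in enumerate(jwt.get("privateEndpointOverrides", [])):
            where = f"{base}.privateEndpointOverrides[{i}]"
            for key in ("domain", "privateEndpoint"):
                if not override.get(key):
                    out.append(("ERROR", f"{where}.{key}", "required field missing"))
            _review_endpoint(override.get("privateEndpoint", {}), f"{where}.privateEndpoint", out)

    for i, tool in enumerate(kwargs.get("tools", [])):
        gateway = tool.get("config", {}).get("agentCoreGateway", {})
        if "none" in gateway.get("outboundAuth", {}):
            out.append(("WARN", f"tools[{i}].agentCoreGateway.outboundAuth",
                        "gateway is called with no authentication"))
    if "*" in kwargs.get("allowedTools", []):
        out.append(("WARN", "allowedTools", "'*' allows every tool"))
    return out


# Constructed sample request; every ARN, ID and domain is a placeholder.
SAMPLE_REQUEST = {
    "harnessName": "demo_harness",
    "executionRoleArn": "arn:aws:iam::111122223333:role/ExampleHarnessRole",
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {"networkMode": "PUBLIC"},
        "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data/cache"}}],
    }},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.internal.example/.well-known/openid-configuration",
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE"],
            "endpointIpAddressType": "IPV4",
        }},
        "privateEndpointOverrides": [{
            "domain": "jwks.internal.example",
            "privateEndpoint": {"managedVpcResource": {
                "vpcIdentifier": "vpc-EXAMPLE",
                "subnetIds": ["subnet-EXAMPLE"],
                "endpointIpAddressType": "DUALSTACK",
                "securityGroupIds": ["sg-EXAMPLE"],
            }},
        }],
    }},
    "tools": [{"type": "agentcore_gateway", "config": {"agentCoreGateway": {
        "gatewayArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:gateway/EXAMPLE",
        "outboundAuth": {"none": {}},
    }}}],
    "allowedTools": ["*"],
}

if __name__ == "__main__":
    for severity, path, message in review_harness_request(SAMPLE_REQUEST):
        print(f"{severity:5} {path}: {message}")
```

Run the review before passing the same dictionary to client.create_harness(**kwargs); an empty list means none of these checks fired, not that the request is otherwise valid.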

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string'
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ]
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            }
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was created.

      • harnessId (string) --

        The ID of the Harness.

      • harnessName (string) --

        The name of the Harness.

      • arn (string) --

        The ARN of the Harness.

      • status (string) --

        The status of the Harness.

      • executionRoleArn (string) --

        IAM role the Harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the Harness.

      • updatedAt (datetime) --

        The updatedAt time of the Harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

      • systemPrompt (list) --

        The system prompt of the Harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the Harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Map of key/value pairs for HTTP headers.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the Harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

      • allowedTools (list) --

        The allowed tools of the Harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the Harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

          • privateEndpointOverrides (list) --

            A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum number of tokens allowed before exiting per invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.
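
Added example (not part of the AWS documentation): a defender-side lint over one `harness` dict shaped like the response above, flagging the settings whose documented defaults or values widen exposure (gateway `outboundAuth` of `none`, empty `allowedTools`, `PUBLIC` network mode, an invalid session storage `mountPath`, an unrestricted JWT authorizer, a managed VPC resource left on the default security group). The severity labels, the `SECRET_NAME` heuristic, the https checks and all sample values are assumptions made for this illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: names matching this pattern usually carry credentials.
SECRET_NAME = re.compile(r"secret|token|passw(or)?d|api[-_]?key|authorization", re.I)
# Page rule: session storage mounts under /mnt with exactly one subdirectory level.
MOUNT_PATH = re.compile(r"/mnt/(?!\.{1,2}$)[^/]+")


def _not_https(url):
    return urlparse(url or "").scheme.lower() != "https"


def _check_endpoint(endpoint, path, out):
    # Page: without securityGroupIds the VPC's default security group is used.
    managed = (endpoint or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        out.append(("MEDIUM", f"{path}.managedVpcResource.securityGroupIds",
                    "unset, so the default security group for the VPC is used"))


def audit_harness(harness):
    """Return a list of (severity, path, message) for one 'harness' dict."""
    out = []
    for i, tool in enumerate(harness.get("tools") or []):
        cfg, base = tool.get("config") or {}, f"tools[{i}].config"
        gateway = cfg.get("agentCoreGateway")
        # An omitted outboundAuth defaults to AWS_IAM (SigV4); only 'none' is flagged.
        if gateway is not None and "none" in (gateway.get("outboundAuth") or {}):
            out.append(("HIGH", f"{base}.agentCoreGateway.outboundAuth",
                        "'none': requests to the gateway carry no authentication"))
        mcp = cfg.get("remoteMcp")
        if mcp is not None:
            if _not_https(mcp.get("url")):
                out.append(("HIGH", f"{base}.remoteMcp.url", "MCP endpoint is not https"))
            for name in sorted(mcp.get("headers") or {}):
                if SECRET_NAME.search(name):
                    out.append(("MEDIUM", f"{base}.remoteMcp.headers[{name}]",
                                "credential-like header kept in harness configuration"))
    # Page: "All tools are allowed by default."
    if harness.get("tools") and not harness.get("allowedTools"):
        out.append(("LOW", "allowedTools", "empty, so every tool is allowed by default"))
    for name in sorted(harness.get("environmentVariables") or {}):
        if SECRET_NAME.search(name):
            out.append(("MEDIUM", f"environmentVariables[{name}]",
                        "credential-like variable kept in harness configuration"))
    runtime = (harness.get("environment") or {}).get("agentCoreRuntimeEnvironment") or {}
    if (runtime.get("networkConfiguration") or {}).get("networkMode") == "PUBLIC":
        out.append(("MEDIUM", "environment.agentCoreRuntimeEnvironment.networkConfiguration",
                    "networkMode is PUBLIC rather than VPC"))
    for i, fs in enumerate(runtime.get("filesystemConfigurations") or []):
        mount = (fs.get("sessionStorage") or {}).get("mountPath")
        if mount is not None and not MOUNT_PATH.fullmatch(mount):
            out.append(("HIGH", f"filesystemConfigurations[{i}].sessionStorage.mountPath",
                        f"{mount!r} is not /mnt/<single directory>"))
    jwt = (harness.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt is not None:
        base = "authorizerConfiguration.customJWTAuthorizer"
        if _not_https(jwt.get("discoveryUrl")):
            out.append(("HIGH", f"{base}.discoveryUrl", "discovery URL is not https"))
        if not any(jwt.get(k) for k in
                   ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")):
            out.append(("HIGH", base,
                        "no audience, client, scope or custom-claim restriction set"))
        _check_endpoint(jwt.get("privateEndpoint"), f"{base}.privateEndpoint", out)
        for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
            _check_endpoint(override.get("privateEndpoint"),
                            f"{base}.privateEndpointOverrides[{i}].privateEndpoint", out)
    return out


# Constructed sample input (placeholder identifiers, not real resources).
SAMPLE_HARNESS = {
    "harnessName": "example-harness",
    "tools": [
        {"type": "agentcore_gateway", "name": "gw",
         "config": {"agentCoreGateway": {"gatewayArn": "arn:PLACEHOLDER:gateway",
                                         "outboundAuth": {"none": {}}}}},
        {"type": "remote_mcp", "name": "mcp",
         "config": {"remoteMcp": {"url": "http://mcp.example.internal/mcp",
                                  "headers": {"Authorization": "Bearer PLACEHOLDER"}}}},
    ],
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {"networkMode": "PUBLIC"},
        "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data/cache"}}],
    }},
    "environmentVariables": {"LOG_LEVEL": "info", "UPSTREAM_API_KEY": "PLACEHOLDER"},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-PLACEHOLDER", "subnetIds": ["subnet-PLACEHOLDER"]}},
    }},
}


if __name__ == "__main__":
    for finding in audit_harness(SAMPLE_HARNESS):
        print(*finding, sep="  ")
```

The same function can be pointed at the `harness` value of a real response; it makes no AWS calls itself.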

CreateOauth2CredentialProvider (updated)
Changes (request, response)
Request
{'oauth2ProviderConfigInput': {'customOauth2ProviderConfig': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                  '| '
                                                                                                                                  'IPV6',
                                                                                                         'routingDomain': 'string',
                                                                                                         'securityGroupIds': ['string'],
                                                                                                         'subnetIds': ['string'],
                                                                                                         'tags': {'string': 'string'},
                                                                                                         'vpcIdentifier': 'string'},
                                                                                  'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                              'privateEndpointOverrides': [{'domain': 'string',
                                                                                            'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                '| '
                                                                                                                                                                'IPV6',
                                                                                                                                       'routingDomain': 'string',
                                                                                                                                       'securityGroupIds': ['string'],
                                                                                                                                       'subnetIds': ['string'],
                                                                                                                                       'tags': {'string': 'string'},
                                                                                                                                       'vpcIdentifier': 'string'},
                                                                                                                'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}
Response
{'oauth2ProviderConfigOutput': {'customOauth2ProviderConfig': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                   '| '
                                                                                                                                   'IPV6',
                                                                                                          'routingDomain': 'string',
                                                                                                          'securityGroupIds': ['string'],
                                                                                                          'subnetIds': ['string'],
                                                                                                          'tags': {'string': 'string'},
                                                                                                          'vpcIdentifier': 'string'},
                                                                                   'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                               'privateEndpointOverrides': [{'domain': 'string',
                                                                                             'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                 '| '
                                                                                                                                                                 'IPV6',
                                                                                                                                        'routingDomain': 'string',
                                                                                                                                        'securityGroupIds': ['string'],
                                                                                                                                        'subnetIds': ['string'],
                                                                                                                                        'tags': {'string': 'string'},
                                                                                                                                        'vpcIdentifier': 'string'},
                                                                                                                 'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}},
 'status': 'CREATING | CREATE_FAILED | UPDATING | UPDATE_FAILED | READY | '
           'DELETING | DELETE_FAILED'}

Creates a new OAuth2 credential provider.

See also: AWS API Documentation

Request Syntax

client.create_oauth2_credential_provider(
    name='string',
    credentialProviderVendor='GoogleOauth2'|'GithubOauth2'|'SlackOauth2'|'SalesforceOauth2'|'MicrosoftOauth2'|'CustomOauth2'|'AtlassianOauth2'|'LinkedinOauth2'|'XOauth2'|'OktaOauth2'|'OneLoginOauth2'|'PingOneOauth2'|'FacebookOauth2'|'YandexOauth2'|'RedditOauth2'|'ZoomOauth2'|'TwitchOauth2'|'SpotifyOauth2'|'DropboxOauth2'|'NotionOauth2'|'HubspotOauth2'|'CyberArkOauth2'|'FusionAuthOauth2'|'Auth0Oauth2'|'CognitoOauth2',
    oauth2ProviderConfigInput={
        'customOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string',
            'clientSecret': 'string',
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        },
        'googleOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'githubOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'slackOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'salesforceOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'microsoftOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string',
            'tenantId': 'string'
        },
        'atlassianOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'linkedinOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'includedOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string',
            'issuer': 'string',
            'authorizationEndpoint': 'string',
            'tokenEndpoint': 'string'
        }
    },
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the OAuth2 credential provider. The name must be unique within your account.

type credentialProviderVendor:

string

param credentialProviderVendor:

[REQUIRED]

The vendor of the OAuth2 credential provider. This specifies which OAuth2 implementation to use.

type oauth2ProviderConfigInput:

dict

param oauth2ProviderConfigInput:

[REQUIRED]

The configuration settings for the OAuth2 provider, including client ID, client secret, and other vendor-specific settings.

  • customOauth2ProviderConfig (dict) --

    The configuration for a custom OAuth2 provider.

    • oauthDiscovery (dict) -- [REQUIRED]

      The OAuth2 discovery information for the custom provider.

      • discoveryUrl (string) --

        The discovery URL for the OAuth2 provider.

      • authorizationServerMetadata (dict) --

        The authorization server metadata for the OAuth2 provider.

        • issuer (string) -- [REQUIRED]

          The issuer URL for the OAuth2 authorization server.

        • authorizationEndpoint (string) -- [REQUIRED]

          The authorization endpoint URL for the OAuth2 authorization server.

        • tokenEndpoint (string) -- [REQUIRED]

          The token endpoint URL for the OAuth2 authorization server.

        • responseTypes (list) --

          The supported response types for the OAuth2 authorization server.

          • (string) --

        • tokenEndpointAuthMethods (list) --

          The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

          • (string) --

    • clientId (string) -- [REQUIRED]

      The client ID for the custom OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the custom OAuth2 provider.

    • privateEndpoint (dict) --

      The default private endpoint for the custom OAuth2 provider, enabling secure connectivity through a VPC Lattice resource configuration.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      The list of private endpoint overrides for the custom OAuth2 provider. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

  • googleOauth2ProviderConfig (dict) --

    The configuration for a Google OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Google OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Google OAuth2 provider.

  • githubOauth2ProviderConfig (dict) --

    The configuration for a GitHub OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the GitHub OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the GitHub OAuth2 provider.

  • slackOauth2ProviderConfig (dict) --

    The configuration for a Slack OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Slack OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Slack OAuth2 provider.

  • salesforceOauth2ProviderConfig (dict) --

    The configuration for a Salesforce OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Salesforce OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Salesforce OAuth2 provider.

  • microsoftOauth2ProviderConfig (dict) --

    The configuration for a Microsoft OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Microsoft OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Microsoft OAuth2 provider.

    • tenantId (string) --

      The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft's identity platform where your application is registered.

  • atlassianOauth2ProviderConfig (dict) --

    Configuration settings for Atlassian OAuth2 provider integration.

    • clientId (string) -- [REQUIRED]

      The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application.

  • linkedinOauth2ProviderConfig (dict) --

    Configuration settings for LinkedIn OAuth2 provider integration.

    • clientId (string) -- [REQUIRED]

      The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application.

  • includedOauth2ProviderConfig (dict) --

    The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support.

    • clientId (string) -- [REQUIRED]

      The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application.

    • issuer (string) --

      Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider.

    • authorizationEndpoint (string) --

      OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources.

    • tokenEndpoint (string) --

      OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens.

type tags:

dict

param tags:

A map of tag keys and values to assign to the OAuth2 credential provider. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.

  • (string) --

    • (string) --
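A pre-flight check for the `customOauth2ProviderConfig` request structure described above, as an added example (not part of the AWS documentation or SDK). It reports missing `[REQUIRED]` fields and invalid `endpointIpAddressType` values as errors, and flags two things worth a reviewer's attention: a `managedVpcResource` that falls back to the VPC default security group, and authorization-server hosts that have neither a default `privateEndpoint` nor a matching override. The function names, the WARN policy checks and the exact-hostname match between endpoint URLs and override domains are assumptions; all sample values are constructed placeholders.

```python
from urllib.parse import urlparse

ALLOWED_IP_TYPES = {"IPV4", "IPV6"}  # enum values listed in the request syntax
MANAGED_REQUIRED = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")


def _lint_private_endpoint(pe, path):
    """Check one privateEndpoint dict; returns (severity, path, message) tuples."""
    out = []
    managed = pe.get("managedVpcResource")
    if managed is None and pe.get("selfManagedLatticeResource") is None:
        out.append(("WARN", path, "neither Lattice resource variant is set"))
    if managed is not None:
        mpath = path + ".managedVpcResource"
        for field in MANAGED_REQUIRED:
            if not managed.get(field):
                out.append(("ERROR", f"{mpath}.{field}", "marked [REQUIRED]"))
        ip_type = managed.get("endpointIpAddressType")
        if ip_type and ip_type not in ALLOWED_IP_TYPES:
            out.append(("ERROR", f"{mpath}.endpointIpAddressType",
                        f"{ip_type!r} is not IPV4 or IPV6"))
        if not managed.get("securityGroupIds"):
            out.append(("WARN", f"{mpath}.securityGroupIds",
                        "unset: the VPC default security group is used"))
    return out


def _endpoint_hosts(cfg):
    """Hostnames of every authorization-server URL named in oauthDiscovery."""
    disc = cfg.get("oauthDiscovery") or {}
    meta = disc.get("authorizationServerMetadata") or {}
    urls = [disc.get("discoveryUrl"), meta.get("issuer"),
            meta.get("authorizationEndpoint"), meta.get("tokenEndpoint")]
    return {urlparse(u).hostname for u in urls if u and urlparse(u).hostname}


def lint_custom_oauth2_config(cfg):
    """Lint a customOauth2ProviderConfig dict before it is sent to the API."""
    findings = []
    for field in ("oauthDiscovery", "clientId", "clientSecret"):
        if not cfg.get(field):
            findings.append(("ERROR", field, "marked [REQUIRED]"))
    default_pe = cfg.get("privateEndpoint")
    if default_pe is not None:
        findings += _lint_private_endpoint(default_pe, "privateEndpoint")
    override_domains = set()
    for i, override in enumerate(cfg.get("privateEndpointOverrides") or []):
        path = f"privateEndpointOverrides[{i}]"
        if override.get("domain"):
            override_domains.add(override["domain"].lower())
        else:
            findings.append(("ERROR", path + ".domain", "marked [REQUIRED]"))
        if override.get("privateEndpoint") is None:
            findings.append(("ERROR", path + ".privateEndpoint", "marked [REQUIRED]"))
        else:
            findings += _lint_private_endpoint(override["privateEndpoint"],
                                               path + ".privateEndpoint")
    # Assumption: an override applies only to the exact hostname it names.
    if default_pe is None and override_domains:
        for host in sorted(_endpoint_hosts(cfg) - override_domains):
            findings.append(("WARN", "oauthDiscovery",
                             f"{host} has no default privateEndpoint and no override"))
    return findings


def sample_config(ip_type, security_groups, with_default):
    """Constructed sample input; every identifier is a placeholder."""
    endpoint = {"managedVpcResource": {
        "vpcIdentifier": "vpc-EXAMPLE",
        "subnetIds": ["subnet-EXAMPLE-a"],
        "endpointIpAddressType": ip_type,
        "securityGroupIds": security_groups,
    }}
    cfg = {
        "oauthDiscovery": {"authorizationServerMetadata": {
            "issuer": "https://idp.corp.example",
            "authorizationEndpoint": "https://idp.corp.example/authorize",
            "tokenEndpoint": "https://token.corp.example/oauth2/token",
        }},
        "clientId": "example-client-id",
        "clientSecret": "PLACEHOLDER-load-from-a-secret-store",
        "privateEndpointOverrides": [
            {"domain": "idp.corp.example", "privateEndpoint": endpoint},
        ],
    }
    if with_default:
        cfg["privateEndpoint"] = endpoint
    return cfg


if __name__ == "__main__":
    for finding in lint_custom_oauth2_config(sample_config("DUALSTACK", [], False)):
        print(*finding, sep=" | ")
```
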

rtype:

dict

returns:

Response Syntax

{
    'clientSecretArn': {
        'secretArn': 'string'
    },
    'name': 'string',
    'credentialProviderArn': 'string',
    'callbackUrl': 'string',
    'oauth2ProviderConfigOutput': {
        'customOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string',
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        },
        'googleOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'githubOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'slackOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'salesforceOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'microsoftOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'atlassianOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'linkedinOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'includedOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        }
    },
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED'
}

Response Structure

  • (dict) --

    • clientSecretArn (dict) --

      The Amazon Resource Name (ARN) of the client secret in AWS Secrets Manager.

      • secretArn (string) --

        The Amazon Resource Name (ARN) of the secret in AWS Secrets Manager.

    • name (string) --

      The name of the OAuth2 credential provider.

    • credentialProviderArn (string) --

      The Amazon Resource Name (ARN) of the OAuth2 credential provider.

    • callbackUrl (string) --

      Callback URL to register on the OAuth2 credential provider as an allowed callback URL. This URL is where the OAuth2 authorization server redirects users after they complete the authorization flow.

    • oauth2ProviderConfigOutput (dict) --

      Contains the output configuration for an OAuth2 provider.

      • customOauth2ProviderConfig (dict) --

        The output configuration for a custom OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the custom provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the custom OAuth2 provider.

        • privateEndpoint (dict) --

          The default private endpoint for the custom OAuth2 provider, enabling secure connectivity through a VPC Lattice resource configuration.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          The list of private endpoint overrides for the custom OAuth2 provider. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • googleOauth2ProviderConfig (dict) --

        The output configuration for a Google OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Google provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Google OAuth2 provider.

      • githubOauth2ProviderConfig (dict) --

        The output configuration for a GitHub OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the GitHub provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the GitHub OAuth2 provider.

      • slackOauth2ProviderConfig (dict) --

        The output configuration for a Slack OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Slack provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Slack OAuth2 provider.

      • salesforceOauth2ProviderConfig (dict) --

        The output configuration for a Salesforce OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Salesforce provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Salesforce OAuth2 provider.

      • microsoftOauth2ProviderConfig (dict) --

        The output configuration for a Microsoft OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Microsoft provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Microsoft OAuth2 provider.

      • atlassianOauth2ProviderConfig (dict) --

        The configuration details for the Atlassian OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Atlassian OAuth2 provider.

      • linkedinOauth2ProviderConfig (dict) --

        The configuration details for the LinkedIn OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the LinkedIn OAuth2 provider.

      • includedOauth2ProviderConfig (dict) --

        The configuration for a non-custom OAuth2 provider. This includes the configuration details for supported OAuth2 providers that have built-in integration support.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the supported OAuth2 provider.

    • status (string) --

      The current status of the OAuth2 credential provider.

CreateRegistry (updated)
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Creates a new registry in your Amazon Web Services account. A registry serves as a centralized catalog for organizing and managing registry records, including MCP servers, A2A agents, agent skills, and custom resource types.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_registry(
    name='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    clientToken='string',
    approvalConfiguration={
        'autoApproval': True|False
    }
)
type name:

string

param name:

[REQUIRED]

The name of the registry. The name must be unique within your account and can contain alphanumeric characters and underscores.

type description:

string

param description:

A description of the registry.

type authorizerType:

string

param authorizerType:

The type of authorizer to use for the registry. This controls the authorization method for the Search and Invoke APIs used by consumers, and does not affect the standard CRUDL APIs for registry and registry record management used by administrators.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the registry. Required if authorizerType is CUSTOM_JWT. For details, see the AuthorizerConfiguration data type.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type approvalConfiguration:

dict

param approvalConfiguration:

The approval configuration for registry records. Controls whether records require explicit approval before becoming active. See the ApprovalConfiguration data type for supported configuration options.

  • autoApproval (boolean) --

    Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

rtype:

dict

returns:

Response Syntax

{
    'registryArn': 'string'
}

Response Structure

  • (dict) --

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the created registry.
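
A pre-flight check for a create_registry request, added here as an example (it is not part of the AWS documentation or SDK): it enforces the [REQUIRED] markers and the CUSTOM_JWT rule documented above, and flags settings worth a security review. The function names, the warning policy, the rejection of an empty privateEndpoint, and the sample requests (WEAK, HARDENED, with placeholder IDs and domains) are assumptions constructed for illustration.

```python
import re

NAME_RE = re.compile(r"[A-Za-z0-9_]+")  # "alphanumeric characters and underscores"
MANAGED_REQUIRED = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")
RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def _lint_private_endpoint(ep, path, errors, warnings):
    """Check one privateEndpoint dict against the [REQUIRED] markers."""
    managed = ep.get("managedVpcResource")
    if managed is None and ep.get("selfManagedLatticeResource") is None:
        # Assumption of this example: an empty privateEndpoint is a mistake.
        errors.append(f"{path}: no managedVpcResource or selfManagedLatticeResource")
        return
    if managed is not None:
        for key in MANAGED_REQUIRED:
            if not managed.get(key):
                errors.append(f"{path}.managedVpcResource.{key}: required")
        ip_type = managed.get("endpointIpAddressType")
        if ip_type and ip_type not in ("IPV4", "IPV6"):
            errors.append(f"{path}.managedVpcResource.endpointIpAddressType: {ip_type!r}")
        if not managed.get("securityGroupIds"):
            # Documented behaviour: the VPC default security group is used.
            warnings.append(f"{path}.managedVpcResource: no securityGroupIds, "
                            "VPC default security group applies")


def lint_create_registry(request):
    """Return (errors, warnings) for the kwargs of client.create_registry(**request)."""
    errors, warnings = [], []
    if not NAME_RE.fullmatch(request.get("name") or ""):
        errors.append("name: required, alphanumeric characters and underscores only")
    auth_type = request.get("authorizerType")
    if auth_type not in (None, "CUSTOM_JWT", "AWS_IAM"):
        errors.append(f"authorizerType: {auth_type!r}")
    jwt = (request.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if auth_type == "CUSTOM_JWT" and jwt is None:
        errors.append("authorizerConfiguration: required when authorizerType is CUSTOM_JWT")

    if jwt is not None:
        base = "customJWTAuthorizer"
        if not jwt.get("discoveryUrl"):
            errors.append(f"{base}.discoveryUrl: required")
        if not any(jwt.get(k) for k in RESTRICTIONS):
            # Review flag chosen for this example, not a service-side rule.
            warnings.append(f"{base}: no audience, client, scope or claim restriction")
        for i, claim in enumerate(jwt.get("customClaims") or []):
            cpath = f"{base}.customClaims[{i}]"
            for key in ("inboundTokenClaimName", "inboundTokenClaimValueType"):
                if not claim.get(key):
                    errors.append(f"{cpath}.{key}: required")
            match = claim.get("authorizingClaimMatchValue") or {}
            for key in ("claimMatchValue", "claimMatchOperator"):
                if not match.get(key):
                    errors.append(f"{cpath}.authorizingClaimMatchValue.{key}: required")
        if "privateEndpoint" in jwt:
            _lint_private_endpoint(jwt["privateEndpoint"], f"{base}.privateEndpoint",
                                   errors, warnings)
        for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
            opath = f"{base}.privateEndpointOverrides[{i}]"
            if not override.get("domain"):
                errors.append(f"{opath}.domain: required")
            if "privateEndpoint" not in override:
                errors.append(f"{opath}.privateEndpoint: required")
            else:
                _lint_private_endpoint(override["privateEndpoint"],
                                       f"{opath}.privateEndpoint", errors, warnings)

    if (request.get("approvalConfiguration") or {}).get("autoApproval") is True:
        warnings.append("approvalConfiguration.autoApproval: records are approved on creation")
    return errors, warnings


# Constructed sample requests; every ID and domain below is a placeholder.
DISCOVERY = "https://idp.example.internal/.well-known/openid-configuration"
WEAK = {
    "name": "team-registry",  # hyphen is outside the documented character set
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": DISCOVERY,
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"]}},
    }},
    "approvalConfiguration": {"autoApproval": True},
}
HARDENED = {
    "name": "team_registry",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": DISCOVERY,
        "allowedAudience": ["registry-consumers"],
        "customClaims": [{
            "inboundTokenClaimName": "groups",
            "inboundTokenClaimValueType": "STRING_ARRAY",
            "authorizingClaimMatchValue": {
                "claimMatchValue": {"matchValueStringList": ["registry-readers"]},
                "claimMatchOperator": "CONTAINS_ANY"},
        }],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"],
            "endpointIpAddressType": "IPV4", "securityGroupIds": ["sg-EXAMPLE"],
            "routingDomain": "idp-route.example.com"}},
    }},
    "approvalConfiguration": {"autoApproval": False},
}
```

Run lint_create_registry(request) before passing the same dict to client.create_registry(**request); treat errors as blocking and warnings as items for review.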

DeleteHarness (updated)
Changes (response)
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                     '| '
                                                                                                                                     'IPV6',
                                                                                                            'routingDomain': 'string',
                                                                                                            'securityGroupIds': ['string'],
                                                                                                            'subnetIds': ['string'],
                                                                                                            'tags': {'string': 'string'},
                                                                                                            'vpcIdentifier': 'string'},
                                                                                     'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                                 'privateEndpointOverrides': [{'domain': 'string',
                                                                                               'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                   '| '
                                                                                                                                                                   'IPV6',
                                                                                                                                          'routingDomain': 'string',
                                                                                                                                          'securityGroupIds': ['string'],
                                                                                                                                          'subnetIds': ['string'],
                                                                                                                                          'tags': {'string': 'string'},
                                                                                                                                          'vpcIdentifier': 'string'},
                                                                                                                   'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}

Operation to delete a Harness.

See also: AWS API Documentation

Request Syntax

client.delete_harness(
    harnessId='string',
    clientToken='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to delete.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string'
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ]
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            }
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was deleted.

      • harnessId (string) --

        The ID of the Harness.

      • harnessName (string) --

        The name of the Harness.

      • arn (string) --

        The ARN of the Harness.

      • status (string) --

        The status of the Harness.

      • executionRoleArn (string) --

        IAM role the Harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the Harness.

      • updatedAt (datetime) --

        The updatedAt time of the Harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

      • systemPrompt (list) --

        The system prompt of the Harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the Harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Map of key/value pairs for HTTP headers.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the Harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

      • allowedTools (list) --

        The allowed tools of the Harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the Harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

          • privateEndpointOverrides (list) --

            A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum number of tokens allowed before exiting per invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

GetAgentRuntime (updated)
Changes (response)
{'agentRuntimeArtifact': {'codeConfiguration': {'runtime': {'NODE_22'}}},
 'authorizerConfiguration': {
     'customJWTAuthorizer': {
         'privateEndpoint': {
             'managedVpcResource': {
                 'endpointIpAddressType': 'IPV4 | IPV6',
                 'routingDomain': 'string',
                 'securityGroupIds': ['string'],
                 'subnetIds': ['string'],
                 'tags': {'string': 'string'},
                 'vpcIdentifier': 'string'},
             'selfManagedLatticeResource': {
                 'resourceConfigurationIdentifier': 'string'}},
         'privateEndpointOverrides': [
             {'domain': 'string',
              'privateEndpoint': {
                  'managedVpcResource': {
                      'endpointIpAddressType': 'IPV4 | IPV6',
                      'routingDomain': 'string',
                      'securityGroupIds': ['string'],
                      'subnetIds': ['string'],
                      'tags': {'string': 'string'},
                      'vpcIdentifier': 'string'},
                  'selfManagedLatticeResource': {
                      'resourceConfigurationIdentifier': 'string'}}}]}}}

Gets an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.get_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeVersion='string'
)

Parameters

  • agentRuntimeId (string) --

    [REQUIRED]

    The unique identifier of the AgentCore Runtime to retrieve.

  • agentRuntimeVersion (string) --

    The version of the AgentCore Runtime to retrieve.

Return type

  dict

Returns

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeName': 'string',
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'roleArn': 'string',
    'networkConfiguration': {
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING',
    'lifecycleConfiguration': {
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    'failureReason': 'string',
    'description': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeArtifact': {
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    'protocolConfiguration': {
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    'environmentVariables': {
        'string': 'string'
    },
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'requestHeaderConfiguration': {
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    'metadataConfiguration': {
        'requireMMDSV2': True|False
    },
    'filesystemConfigurations': [
        {
            'sessionStorage': {
                'mountPath': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • agentRuntimeName (string) --

      The name of the AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the AgentCore Runtime.

    • networkConfiguration (dict) --

      The network configuration for the AgentCore Runtime.

      • networkMode (string) --

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) --

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) --

          The subnets associated with the VPC configuration.

          • (string) --

    • status (string) --

      The current status of the AgentCore Runtime.

    • lifecycleConfiguration (dict) --

      The life cycle configuration for the AgentCore Runtime.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • failureReason (string) --

      The reason for failure if the AgentCore Runtime is in a failed state.

    • description (string) --

      The description of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeArtifact (dict) --

      The artifact of the AgentCore Runtime.

      • containerConfiguration (dict) --

        The container configuration for the agent artifact.

        • containerUri (string) --

          The ECR URI of the container.

      • codeConfiguration (dict) --

        The code configuration for the agent runtime artifact, including the source code location and execution settings.

        • code (dict) --

          The source code location and configuration details.

          • s3 (dict) --

            The Amazon S3 object that contains the source code for the agent runtime.

            • bucket (string) --

              The name of the Amazon S3 bucket. This bucket contains the stored data.

            • prefix (string) --

              The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

            • versionId (string) --

              The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

        • runtime (string) --

          The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

        • entryPoint (list) --

          The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

          • (string) --

    • protocolConfiguration (dict) --

      The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

      • serverProtocol (string) --

        The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

    • environmentVariables (dict) --

      Environment variables set in the AgentCore Runtime environment.

      • (string) --

        • (string) --

    • authorizerConfiguration (dict) --

      The authorizer configuration for the AgentCore Runtime.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • requestHeaderConfiguration (dict) --

      Configuration for HTTP request headers that will be passed through to the runtime.

      • requestHeaderAllowlist (list) --

        A list of HTTP request headers that are allowed to be passed through to the runtime.

        • (string) --

    • metadataConfiguration (dict) --

      Configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

      • requireMMDSV2 (boolean) --

        Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

    • filesystemConfigurations (list) --

      The filesystem configurations mounted into the AgentCore Runtime.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) --

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
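
The mountPath rule and the requireMMDSV2 flag described above can be checked before a configuration is submitted. The following is an added example, not AWS or boto3 code: the function names, finding codes, CREDENTIAL_HEADERS set and sample configuration are assumptions made for illustration.

```python
import posixpath

# Assumption (not from the API reference): header names that usually carry
# credentials, listed so a reviewer confirms the runtime is meant to get them.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie"}


def check_mount_path(path):
    """Return None if path meets the documented rule, else a reason string."""
    if not isinstance(path, str) or not path.startswith("/mnt/"):
        return "must be under /mnt"
    # Reject anything normalisation would change: '..', '.', '//', trailing '/'.
    if posixpath.normpath(path) != path:
        return "must be a normalised path"
    parts = path.split("/")  # '/mnt/data' -> ['', 'mnt', 'data']
    if len(parts) != 3:
        return "must have exactly one subdirectory level under /mnt"
    return None


def review_runtime_config(cfg):
    """Return (code, detail) findings for one runtime configuration dict."""
    findings = []

    metadata = cfg.get("metadataConfiguration") or {}
    if metadata.get("requireMMDSV2") is not True:
        findings.append(("MMDSV2_NOT_REQUIRED",
                         "metadataConfiguration.requireMMDSV2 is not true"))

    for i, fs in enumerate(cfg.get("filesystemConfigurations") or []):
        storage = fs.get("sessionStorage")
        if storage is None:
            continue
        reason = check_mount_path(storage.get("mountPath"))
        if reason:
            findings.append(("BAD_MOUNT_PATH",
                             f"filesystemConfigurations[{i}].sessionStorage."
                             f"mountPath {storage.get('mountPath')!r} {reason}"))

    headers = cfg.get("requestHeaderConfiguration") or {}
    allowlist = headers.get("requestHeaderAllowlist") or []
    passed = sorted(h for h in allowlist if h.lower() in CREDENTIAL_HEADERS)
    if passed:
        findings.append(("CREDENTIAL_HEADER_PASSTHROUGH",
                         "requestHeaderAllowlist passes " + ", ".join(passed)))
    return findings


# Constructed sample input, not output captured from a real account.
SAMPLE_CONFIG = {
    "requestHeaderConfiguration": {
        "requestHeaderAllowlist": ["Authorization", "X-Request-Id"],
    },
    "metadataConfiguration": {"requireMMDSV2": False},
    "filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data"}},
        {"sessionStorage": {"mountPath": "/mnt/data/cache"}},
    ],
}

if __name__ == "__main__":
    for code, detail in review_runtime_config(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```
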

GetGateway (updated)
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Retrieves information about a specific Gateway.

See also: AWS API Documentation

Request Syntax

client.get_gateway(
    gatewayIdentifier='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'kmsKeyArn': 'string',
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • gatewayId (string) --

      The unique identifier of the gateway.

    • gatewayUrl (string) --

      An endpoint for invoking the gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      Protocol applied to a gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • authorizerType (string) --

      Authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.

    • interceptorConfigurations (list) --

      The interceptors configured on the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.
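
Several fields in this response describe security posture: authorizerType, the managedVpcResource security groups, the policy engine mode, exceptionLevel and passRequestHeaders. The following is an added example, not AWS or boto3 code, that reviews a get_gateway response dict for those settings; the function names, finding codes and the sample response are assumptions made for illustration.

```python
def _endpoint_findings(where, endpoint):
    """Flag a managedVpcResource that falls back to the VPC default security group."""
    managed = (endpoint or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        return [("DEFAULT_SECURITY_GROUP",
                 f"{where}: no securityGroupIds, so the default security "
                 "group for the VPC is used")]
    return []


def audit_gateway(resp):
    """Return (code, detail) findings for one get_gateway response dict."""
    findings = []
    auth_type = resp.get("authorizerType")
    auth_cfg = resp.get("authorizerConfiguration") or {}
    jwt = auth_cfg.get("customJWTAuthorizer") or {}

    if auth_type == "NONE":
        findings.append(("NO_AUTHORIZER", "authorizerType is NONE"))
    elif auth_type == "CUSTOM_JWT":
        constraints = ("allowedAudience", "allowedClients",
                       "allowedScopes", "customClaims")
        if not any(jwt.get(key) for key in constraints):
            findings.append(("JWT_UNCONSTRAINED",
                             "none of " + ", ".join(constraints) + " is set"))

    findings += _endpoint_findings("customJWTAuthorizer.privateEndpoint",
                                   jwt.get("privateEndpoint"))
    for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
        where = f"privateEndpointOverrides[{i}] ({override.get('domain')})"
        findings += _endpoint_findings(where, override.get("privateEndpoint"))

    policy = resp.get("policyEngineConfiguration") or {}
    if policy.get("mode") == "LOG_ONLY":
        findings.append(("POLICY_LOG_ONLY",
                         "policy decisions are traced but not enforced"))

    if resp.get("exceptionLevel") == "DEBUG":
        findings.append(("EXCEPTION_DEBUG",
                         "granular exception messages are returned to callers"))

    for i, ic in enumerate(resp.get("interceptorConfigurations") or []):
        if (ic.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((ic.get("interceptor") or {}).get("lambda") or {}).get("arn")
            findings.append(("INTERCEPTOR_GETS_HEADERS",
                             f"interceptorConfigurations[{i}] passes request "
                             f"headers to {arn}"))
    return findings


# Constructed sample response; every identifier below is a placeholder.
SAMPLE_RESPONSE = {
    "gatewayId": "example-gateway-id",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.internal/.well-known/openid-configuration",
            "allowedAudience": ["example-audience"],
            "privateEndpoint": {
                "managedVpcResource": {
                    "vpcIdentifier": "vpc-EXAMPLE",
                    "subnetIds": ["subnet-EXAMPLE"],
                    "endpointIpAddressType": "IPV4",
                }
            },
            "privateEndpointOverrides": [
                {"domain": "keys.example.internal",
                 "privateEndpoint": {"selfManagedLatticeResource": {
                     "resourceConfigurationIdentifier": "rcfg-EXAMPLE"}}},
                {"domain": "meta.example.internal",
                 "privateEndpoint": {"managedVpcResource": {
                     "vpcIdentifier": "vpc-EXAMPLE",
                     "subnetIds": ["subnet-EXAMPLE"],
                     "securityGroupIds": ["sg-EXAMPLE"]}}},
            ],
        }
    },
    "interceptorConfigurations": [
        {"interceptor": {"lambda": {"arn": "arn:aws:lambda:EXAMPLE"}},
         "interceptionPoints": ["REQUEST"],
         "inputConfiguration": {"passRequestHeaders": True}},
    ],
    "policyEngineConfiguration": {"arn": "arn:aws:EXAMPLE", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

if __name__ == "__main__":
    for code, detail in audit_gateway(SAMPLE_RESPONSE):
        print(f"{code}: {detail}")
```

Against a live account, the dict passed to audit_gateway would be the return value of client.get_gateway(gatewayIdentifier=...) shown in the request syntax above.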

GetGatewayTarget (updated)
Changes (response)
{'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 | '
                                                                     'IPV6',
                                            'routingDomain': 'string',
                                            'securityGroupIds': ['string'],
                                            'subnetIds': ['string'],
                                            'tags': {'string': 'string'},
                                            'vpcIdentifier': 'string'}}}

Retrieves information about a specific gateway target.

See also: AWS API Documentation

Request Syntax

client.get_gateway_target(
    gatewayIdentifier='string',
    targetId='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway that contains the target.

type targetId:

string

param targetId:

[REQUIRED]

The unique identifier of the target to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'resourcePriority': 123,
                'listingMode': 'DEFAULT'|'DYNAMIC'
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the gateway target.

    • createdAt (datetime) --

      The timestamp when the gateway target was created.

    • updatedAt (datetime) --

      The timestamp when the gateway target was last updated.

    • status (string) --

      The current status of the gateway target.

    • statusReasons (list) --

      The reasons for the current status of the gateway target.

      • (string) --

    • name (string) --

      The name of the gateway target.

    • description (string) --

      The description of the gateway target.

    • targetConfiguration (dict) --

      The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery and synchronization are disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

    • credentialProviderConfigurations (list) --

      The credential provider configurations for the gateway target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The time at which the target was last synchronized.

    • metadataConfiguration (dict) --

      The metadata configuration for HTTP header and query parameter propagation for the retrieved gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
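
The gateway target fields above that most often matter in a security review (header propagation, the default security group fallback, the OAuth return URL, and wildcard tool filters) can be checked mechanically. The following is an added example, not AWS code: the header and method lists are reviewer assumptions, and the sample target, including its nesting around apiGateway, is constructed.

```python
"""Review a gateway target response dict for settings worth a second look."""
from urllib.parse import urlparse

# Assumption (reviewer policy, not an AWS rule): headers that usually carry
# caller credentials and should rarely be forwarded to a target.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
# Assumption: HTTP methods treated as state-changing for review purposes.
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def find_key(node, key):
    """Yield every value stored under `key` anywhere in a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)


def review_gateway_target(target):
    """Return a list of human-readable findings for one gateway target."""
    findings = []

    # allowedRequestHeaders: client headers copied onto the request to the target.
    meta = target.get("metadataConfiguration") or {}
    for header in meta.get("allowedRequestHeaders", []):
        if header.lower() in CREDENTIAL_HEADERS:
            findings.append(f"request header '{header}' is propagated to the target")

    # securityGroupIds omitted: the VPC default security group is used.
    managed = (target.get("privateEndpoint") or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append(
            "managedVpcResource has no securityGroupIds: "
            "the VPC default security group is used"
        )

    # AUTHORIZATION_CODE: the end user's browser is redirected to defaultReturnUrl.
    for cfg in target.get("credentialProviderConfigurations", []):
        oauth = (cfg.get("credentialProvider") or {}).get("oauthCredentialProvider")
        if not oauth or oauth.get("grantType") != "AUTHORIZATION_CODE":
            continue
        url = oauth.get("defaultReturnUrl")
        if url and urlparse(url).scheme != "https":
            findings.append(f"defaultReturnUrl '{url}' is not https")

    # toolFilters: a wildcard filterPath exposes every matching operation as a tool.
    for tool_cfg in find_key(target, "apiGatewayToolConfiguration"):
        for flt in tool_cfg.get("toolFilters", []):
            path = flt.get("filterPath", "")
            writes = sorted(WRITE_METHODS & {m.upper() for m in flt.get("methods", [])})
            if path.endswith("/*") and writes:
                findings.append(
                    f"toolFilters '{path}' exposes {', '.join(writes)} "
                    "on every path under it"
                )
    return findings


# Constructed sample; identifiers are placeholders, not real resources.
SAMPLE_TARGET = {
    "name": "orders-api",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "a1b2c3d4e5",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
            {"filterPath": "/health", "methods": ["GET"]},
        ]},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProvider": {"oauthCredentialProvider": {
            "providerArn": "arn:aws:example:placeholder",
            "scopes": ["orders.read"],
            "grantType": "AUTHORIZATION_CODE",
            "defaultReturnUrl": "http://app.example.com/callback",
        }},
    }],
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id", "Authorization"]},
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "vpc-0example",
        "subnetIds": ["subnet-0example"],
    }},
}

if __name__ == "__main__":
    for finding in review_gateway_target(SAMPLE_TARGET):
        print("-", finding)
```

A finding is a prompt for review, not proof of a misconfiguration: a target may legitimately need a forwarded header or a write method.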

GetHarness (updated)
Changes (response)
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {
    'privateEndpoint': {
        'managedVpcResource': {'endpointIpAddressType': 'IPV4 | IPV6',
                               'routingDomain': 'string',
                               'securityGroupIds': ['string'],
                               'subnetIds': ['string'],
                               'tags': {'string': 'string'},
                               'vpcIdentifier': 'string'},
        'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
    'privateEndpointOverrides': [{
        'domain': 'string',
        'privateEndpoint': {
            'managedVpcResource': {'endpointIpAddressType': 'IPV4 | IPV6',
                                   'routingDomain': 'string',
                                   'securityGroupIds': ['string'],
                                   'subnetIds': ['string'],
                                   'tags': {'string': 'string'},
                                   'vpcIdentifier': 'string'},
            'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}

Operation to get a single Harness.

See also: AWS API Documentation

Request Syntax

client.get_harness(
    harnessId='string'
)

Parameters

  • harnessId (string) --

    [REQUIRED]

    The ID of the harness to retrieve.

Return type: dict

Returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string'
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ]
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            }
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}
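
The response above carries most of what determines a harness's exposure: how each tool authenticates, whether the runtime is on the public network, which tools are allowed, and how inbound JWTs are constrained. The following reviewer script is an added example, not AWS code; it works on the dict shape shown in the Response Syntax, the header-name hints and the JWT check are reviewer assumptions, and the sample response is constructed.

```python
"""Review a get_harness response dict for exposure-related settings."""
from urllib.parse import urlparse

# Assumption (reviewer policy): header names that suggest the value is a secret.
SECRET_HEADER_HINTS = ("authorization", "api-key", "apikey", "token", "cookie")


def review_harness(response):
    """Return a list of human-readable findings for one harness."""
    harness = response.get("harness", {})
    findings = []

    for tool in harness.get("tools", []):
        name = tool.get("name") or tool.get("type", "<unnamed>")
        config = tool.get("config") or {}

        # remoteMcp: header values are stored in, and returned with, the harness config.
        remote = config.get("remoteMcp")
        if remote:
            if urlparse(remote.get("url", "")).scheme != "https":
                findings.append(f"{name}: remoteMcp url is not https")
            for header in remote.get("headers") or {}:
                if any(hint in header.lower() for hint in SECRET_HEADER_HINTS):
                    findings.append(
                        f"{name}: header '{header}' value is stored in the harness config"
                    )

        # outboundAuth is a union of awsIam, none and oauth; 'none' means no authentication.
        gateway = config.get("agentCoreGateway")
        if gateway and "none" in (gateway.get("outboundAuth") or {}):
            findings.append(f"{name}: gateway outboundAuth is 'none'")

    # All tools are allowed by default when allowedTools is not set.
    if not harness.get("allowedTools"):
        findings.append("allowedTools is empty: all tools are allowed by default")

    runtime = (harness.get("environment") or {}).get("agentCoreRuntimeEnvironment") or {}
    if (runtime.get("networkConfiguration") or {}).get("networkMode") == "PUBLIC":
        findings.append("runtime networkMode is PUBLIC")

    # Assumption (reviewer policy): an inbound JWT authorizer should pin an
    # audience or a client list rather than rely on the issuer alone.
    jwt = (harness.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt is not None and not (jwt.get("allowedAudience") or jwt.get("allowedClients")):
        findings.append("customJWTAuthorizer sets neither allowedAudience nor allowedClients")

    return findings


# Constructed sample; names, URLs and ARNs are placeholders.
SAMPLE_RESPONSE = {
    "harness": {
        "harnessName": "example-harness",
        "tools": [
            {
                "type": "remote_mcp",
                "name": "tickets",
                "config": {"remoteMcp": {
                    "url": "http://mcp.example.internal/mcp",
                    "headers": {"Authorization": "Bearer <redacted>"},
                }},
            },
            {
                "type": "agentcore_gateway",
                "name": "gw",
                "config": {"agentCoreGateway": {
                    "gatewayArn": "arn:aws:example:placeholder",
                    "outboundAuth": {"none": {}},
                }},
            },
        ],
        "allowedTools": [],
        "environment": {"agentCoreRuntimeEnvironment": {
            "networkConfiguration": {"networkMode": "PUBLIC"},
        }},
        "authorizerConfiguration": {"customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedScopes": ["agent:invoke"],
        }},
    }
}

if __name__ == "__main__":
    for finding in review_harness(SAMPLE_RESPONSE):
        print("-", finding)
```

With boto3, the same function accepts the return value of `client.get_harness(harnessId=...)` directly.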

Response Structure

  • (dict) --

    • harness (dict) --

      The harness resource.

      • harnessId (string) --

        The ID of the Harness.

      • harnessName (string) --

        The name of the Harness.

      • arn (string) --

        The ARN of the Harness.

      • status (string) --

        The status of the Harness.

      • executionRoleArn (string) --

        IAM role the Harness assumes when running.

      • createdAt (datetime) --

        The time at which the Harness was created.

      • updatedAt (datetime) --

        The time at which the Harness was last updated.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

      • systemPrompt (list) --

        The system prompt of the Harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the Harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for a remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Map of key/value pairs for HTTP headers.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (document) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the Harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

      • allowedTools (list) --

        The allowed tools of the Harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the Harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

          • privateEndpointOverrides (list) --

            A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum number of tokens allowed before exiting per invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

GetOauth2CredentialProvider (updated)
Changes (response)
{'failureReason': 'string',
 'oauth2ProviderConfigOutput': {'customOauth2ProviderConfig': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                   '| '
                                                                                                                                   'IPV6',
                                                                                                          'routingDomain': 'string',
                                                                                                          'securityGroupIds': ['string'],
                                                                                                          'subnetIds': ['string'],
                                                                                                          'tags': {'string': 'string'},
                                                                                                          'vpcIdentifier': 'string'},
                                                                                   'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                               'privateEndpointOverrides': [{'domain': 'string',
                                                                                             'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                 '| '
                                                                                                                                                                 'IPV6',
                                                                                                                                        'routingDomain': 'string',
                                                                                                                                        'securityGroupIds': ['string'],
                                                                                                                                        'subnetIds': ['string'],
                                                                                                                                        'tags': {'string': 'string'},
                                                                                                                                        'vpcIdentifier': 'string'},
                                                                                                                 'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}},
 'status': 'CREATING | CREATE_FAILED | UPDATING | UPDATE_FAILED | READY | '
           'DELETING | DELETE_FAILED'}

Retrieves information about an OAuth2 credential provider.

See also: AWS API Documentation

Request Syntax

client.get_oauth2_credential_provider(
    name='string'
)

type name: string

param name: [REQUIRED] The name of the OAuth2 credential provider to retrieve.

rtype: dict

returns:

Response Syntax

{
    'clientSecretArn': {
        'secretArn': 'string'
    },
    'name': 'string',
    'credentialProviderArn': 'string',
    'credentialProviderVendor': 'GoogleOauth2'|'GithubOauth2'|'SlackOauth2'|'SalesforceOauth2'|'MicrosoftOauth2'|'CustomOauth2'|'AtlassianOauth2'|'LinkedinOauth2'|'XOauth2'|'OktaOauth2'|'OneLoginOauth2'|'PingOneOauth2'|'FacebookOauth2'|'YandexOauth2'|'RedditOauth2'|'ZoomOauth2'|'TwitchOauth2'|'SpotifyOauth2'|'DropboxOauth2'|'NotionOauth2'|'HubspotOauth2'|'CyberArkOauth2'|'FusionAuthOauth2'|'Auth0Oauth2'|'CognitoOauth2',
    'callbackUrl': 'string',
    'oauth2ProviderConfigOutput': {
        'customOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string',
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        },
        'googleOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'githubOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'slackOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'salesforceOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'microsoftOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'atlassianOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'linkedinOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'includedOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        }
    },
    'createdTime': datetime(2015, 1, 1),
    'lastUpdatedTime': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
    'failureReason': 'string'
}
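
The check below is an added example, not part of the AWS documentation: it audits the privateEndpoint and privateEndpointOverrides fields of a get_oauth2_credential_provider response (customJWTAuthorizer on this page carries the same two fields) and reports managed VPC resources that fall back to the VPC's default security group because securityGroupIds is absent. The sample response and the finding codes are constructed, and both the exact-host matching of override domains and the treatment of unmatched hosts as not privately routed are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample shaped like the response syntax above; all values are placeholders.
SAMPLE_RESPONSE = {
    "name": "example-provider",
    "credentialProviderVendor": "CustomOauth2",
    "status": "READY",
    "oauth2ProviderConfigOutput": {
        "customOauth2ProviderConfig": {
            "oauthDiscovery": {
                "authorizationServerMetadata": {
                    "issuer": "https://idp.internal.example",
                    "authorizationEndpoint": "https://idp.internal.example/authorize",
                    "tokenEndpoint": "https://token.internal.example/oauth/token",
                }
            },
            "clientId": "example-client",
            "privateEndpointOverrides": [
                {
                    "domain": "idp.internal.example",
                    "privateEndpoint": {
                        "managedVpcResource": {
                            "vpcIdentifier": "vpc-EXAMPLE",
                            "subnetIds": ["subnet-EXAMPLE"],
                            "endpointIpAddressType": "IPV4",
                        }
                    },
                }
            ],
        }
    },
}


def _managed_without_sg(endpoint):
    """True when a managedVpcResource omits securityGroupIds (default SG is then used)."""
    managed = (endpoint or {}).get("managedVpcResource")
    return managed is not None and not managed.get("securityGroupIds")


def audit_private_endpoints(config):
    """Audit a dict that carries 'privateEndpoint' / 'privateEndpointOverrides'.

    Accepts customOauth2ProviderConfig or customJWTAuthorizer, which share these
    fields. Returns a list of (code, detail) findings in a fixed order.
    """
    findings = []
    default = config.get("privateEndpoint")
    overrides = config.get("privateEndpointOverrides") or []

    if not default and not overrides:
        findings.append(("NO_PRIVATE_ENDPOINT", "no private endpoint configured"))
    if _managed_without_sg(default):
        findings.append(("DEFAULT_SG", "privateEndpoint"))

    seen = set()
    for item in overrides:
        domain = (item.get("domain") or "").lower().rstrip(".")
        if domain in seen:
            findings.append(("DUPLICATE_OVERRIDE", domain))
        seen.add(domain)
        if _managed_without_sg(item.get("privateEndpoint")):
            findings.append(("DEFAULT_SG", f"override:{domain}"))

    # Collect whichever provider URLs are present in this config.
    discovery = config.get("oauthDiscovery") or {}
    metadata = discovery.get("authorizationServerMetadata") or {}
    urls = {"discoveryUrl": discovery.get("discoveryUrl") or config.get("discoveryUrl")}
    for key in ("issuer", "authorizationEndpoint", "tokenEndpoint"):
        urls[key] = metadata.get(key)

    for field, url in urls.items():
        if not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append(("NOT_HTTPS", field))
        # Assumption: an override applies only on an exact host match, and a host
        # with no override and no default privateEndpoint is not privately routed.
        if overrides and not default and host not in seen:
            findings.append(("HOST_NOT_COVERED", f"{field}:{host}"))
    return findings


def audit_provider_response(response):
    """Audit a full get_oauth2_credential_provider response dict."""
    findings = []
    if response.get("status") != "READY":
        findings.append(("NOT_READY", response.get("failureReason", "")))
    output = response.get("oauth2ProviderConfigOutput") or {}
    custom = output.get("customOauth2ProviderConfig")
    if custom is not None:  # only the custom provider config carries private endpoints
        findings.extend(audit_private_endpoints(custom))
    return findings
```

Pass the dict returned by `client.get_oauth2_credential_provider(name=...)` to `audit_provider_response`, or a `customJWTAuthorizer` dict directly to `audit_private_endpoints`.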

Response Structure

  • (dict) --

    • clientSecretArn (dict) --

      The Amazon Resource Name (ARN) of the client secret in AWS Secrets Manager.

      • secretArn (string) --

        The Amazon Resource Name (ARN) of the secret in AWS Secrets Manager.

    • name (string) --

      The name of the OAuth2 credential provider.

    • credentialProviderArn (string) --

      ARN of the credential provider requested.

    • credentialProviderVendor (string) --

      The vendor of the OAuth2 credential provider.

    • callbackUrl (string) --

      Callback URL to register on the OAuth2 credential provider as an allowed callback URL. This URL is where the OAuth2 authorization server redirects users after they complete the authorization flow.

    • oauth2ProviderConfigOutput (dict) --

      The configuration output for the OAuth2 provider.

      • customOauth2ProviderConfig (dict) --

        The output configuration for a custom OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the custom provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the custom OAuth2 provider.

        • privateEndpoint (dict) --

          The default private endpoint for the custom OAuth2 provider, enabling secure connectivity through a VPC Lattice resource configuration.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          The list of private endpoint overrides for the custom OAuth2 provider. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • googleOauth2ProviderConfig (dict) --

        The output configuration for a Google OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Google provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Google OAuth2 provider.

      • githubOauth2ProviderConfig (dict) --

        The output configuration for a GitHub OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the GitHub provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the GitHub OAuth2 provider.

      • slackOauth2ProviderConfig (dict) --

        The output configuration for a Slack OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Slack provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Slack OAuth2 provider.

      • salesforceOauth2ProviderConfig (dict) --

        The output configuration for a Salesforce OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Salesforce provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Salesforce OAuth2 provider.

      • microsoftOauth2ProviderConfig (dict) --

        The output configuration for a Microsoft OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Microsoft provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Microsoft OAuth2 provider.

      • atlassianOauth2ProviderConfig (dict) --

        The configuration details for the Atlassian OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Atlassian OAuth2 provider.

      • linkedinOauth2ProviderConfig (dict) --

        The configuration details for the LinkedIn OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the LinkedIn OAuth2 provider.

      • includedOauth2ProviderConfig (dict) --

        The configuration for a non-custom OAuth2 provider. This includes the configuration details for supported OAuth2 providers that have built-in integration support.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the supported OAuth2 provider.

    • createdTime (datetime) --

      The timestamp when the OAuth2 credential provider was created.

    • lastUpdatedTime (datetime) --

      The timestamp when the OAuth2 credential provider was last updated.

    • status (string) --

      The current status of the OAuth2 credential provider.

    • failureReason (string) --

      The reason for the failure if the OAuth2 credential provider is in a failed state.

GetRegistry (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Retrieves information about a specific registry.

See also: AWS API Documentation

Request Syntax

client.get_registry(
    registryId='string'
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to retrieve. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the registry.

    • description (string) --

      The description of the registry.

    • registryId (string) --

      The unique identifier of the registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the registry.

    • authorizerType (string) --

      The type of authorizer used by the registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • approvalConfiguration (dict) --

      The approval configuration for registry records. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status, typically set when the status is a failure state.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.
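
The following is an added example, not part of the AWS documentation: a review pass over a GetRegistry response that flags settings the field descriptions above mark as security-relevant (auto-approval, an unrestricted JWT authorizer, a managed VPC resource that falls back to the default security group). The function names, the HTTPS check on discoveryUrl, the duplicate-domain check and the sample response are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

FAILED_STATES = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def check_private_endpoint(endpoint, where):
    """Findings for one privateEndpoint dict (top level or inside an override)."""
    findings = []
    managed = endpoint.get("managedVpcResource")
    self_managed = endpoint.get("selfManagedLatticeResource", {})
    if managed:
        # Per the field description: with no securityGroupIds, the VPC's
        # default security group is attached to the resource gateway.
        if not managed.get("securityGroupIds"):
            findings.append(f"{where}: no securityGroupIds, VPC default security group is used")
    elif not self_managed.get("resourceConfigurationIdentifier"):
        findings.append(f"{where}: neither managedVpcResource nor selfManagedLatticeResource is set")
    return findings


def audit_registry(resp):
    """Return a list of human-readable findings for a get_registry response dict."""
    findings = []
    if resp.get("status") in FAILED_STATES:
        findings.append(f"status {resp['status']}: {resp.get('statusReason', 'no statusReason')}")
    if resp.get("approvalConfiguration", {}).get("autoApproval"):
        findings.append("autoApproval is true: records are approved on creation without review")
    if resp.get("authorizerType") != "CUSTOM_JWT":
        return findings  # AWS_IAM registries carry no JWT settings to review

    jwt = resp.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if not jwt:
        findings.append("authorizerType is CUSTOM_JWT but customJWTAuthorizer is absent")
        return findings

    # Assumption of this example: token-validation metadata should be fetched over TLS.
    if urlparse(jwt.get("discoveryUrl", "")).scheme != "https":
        findings.append("discoveryUrl is not an https URL")
    if not any(jwt.get(key) for key in JWT_RESTRICTIONS):
        findings.append("no allowedAudience, allowedClients, allowedScopes or customClaims configured")

    if "privateEndpoint" in jwt:
        findings += check_private_endpoint(jwt["privateEndpoint"], "privateEndpoint")
    seen = set()
    for i, override in enumerate(jwt.get("privateEndpointOverrides", [])):
        domain = override.get("domain", "").lower()
        where = f"privateEndpointOverrides[{i}] ({domain or 'no domain'})"
        if domain in seen:
            findings.append(f"{where}: domain is overridden more than once")
        seen.add(domain)
        findings += check_private_endpoint(override.get("privateEndpoint", {}), where)
    return findings


# Constructed sample response (placeholder identifiers, not real resources).
SAMPLE_REGISTRY = {
    "name": "example-registry",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.internal/.well-known/openid-configuration",
            "allowedAudience": ["registry-consumers"],
            "privateEndpoint": {
                "managedVpcResource": {
                    "vpcIdentifier": "vpc-EXAMPLE",
                    "subnetIds": ["subnet-EXAMPLE"],
                    "endpointIpAddressType": "IPV4",
                }
            },
            "privateEndpointOverrides": [
                {
                    "domain": "jwks.example.internal",
                    "privateEndpoint": {
                        "selfManagedLatticeResource": {
                            "resourceConfigurationIdentifier": "rcfg-EXAMPLE"
                        }
                    },
                }
            ],
        }
    },
    "approvalConfiguration": {"autoApproval": True},
    "status": "READY",
}

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY):
        print("-", finding)
```

In practice the dict passed to audit_registry would be the return value of client.get_registry(registryId=...).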

SynchronizeGatewayTargets (updated) Link ¶
Changes (response)
{'targets': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                 '| '
                                                                                 'IPV6',
                                                        'routingDomain': 'string',
                                                        'securityGroupIds': ['string'],
                                                        'subnetIds': ['string'],
                                                        'tags': {'string': 'string'},
                                                        'vpcIdentifier': 'string'}}}}

Synchronizes the gateway targets by fetching the latest tool definitions from the target endpoints.

You cannot synchronize a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before synchronizing.

You cannot synchronize a target that has a static tool schema (mcpToolSchema) configured. Remove the static schema through an UpdateGatewayTarget call to enable dynamic tool synchronization.
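
The two restrictions above can be checked before the call is made. The following is an added example, not part of the AWS documentation: it takes previously fetched target descriptions shaped like the entries of `targets` in the response syntax below, separates the targets that may be synchronized from those that may not, and builds the keyword arguments for client.synchronize_gateway_targets. The function names, the sample targets and the rule that any non-empty mcpToolSchema counts as "configured" are assumptions of this example.

```python
PENDING_AUTH_STATES = {
    "CREATE_PENDING_AUTH",
    "UPDATE_PENDING_AUTH",
    "SYNCHRONIZE_PENDING_AUTH",
}


def sync_blocker(target):
    """Return why a target cannot be synchronized, or None if it can."""
    status = target.get("status")
    if status in PENDING_AUTH_STATES:
        return f"pending authorization ({status})"
    mcp_server = target.get("targetConfiguration", {}).get("mcp", {}).get("mcpServer", {})
    # Assumption: a non-empty mcpToolSchema (s3 or inlinePayload) means a static schema is set.
    if mcp_server.get("mcpToolSchema"):
        return "static mcpToolSchema configured; remove it with UpdateGatewayTarget first"
    return None


def plan_synchronization(gateway_identifier, targets):
    """Split targets into a ready-to-send request and a dict of blocked target IDs.

    Returns (request_kwargs_or_None, {targetId: reason}).
    """
    syncable, blocked = [], {}
    for target in targets:
        target_id = target["targetId"]
        reason = sync_blocker(target)
        if reason:
            blocked[target_id] = reason
        elif target_id not in syncable:  # drop duplicates, keep order
            syncable.append(target_id)
    request = None
    if syncable:
        request = {"gatewayIdentifier": gateway_identifier, "targetIdList": syncable}
    return request, blocked


# Constructed sample targets (placeholder identifiers).
SAMPLE_TARGETS = [
    {
        "targetId": "TARGET-A",
        "status": "READY",
        "targetConfiguration": {"mcp": {"mcpServer": {"endpoint": "https://mcp.example.internal/mcp"}}},
    },
    {
        "targetId": "TARGET-B",
        "status": "UPDATE_PENDING_AUTH",
        "targetConfiguration": {"mcp": {"mcpServer": {"endpoint": "https://mcp2.example.internal/mcp"}}},
    },
    {
        "targetId": "TARGET-C",
        "status": "READY",
        "targetConfiguration": {
            "mcp": {
                "mcpServer": {
                    "endpoint": "https://mcp3.example.internal/mcp",
                    "mcpToolSchema": {"inlinePayload": "{\"tools\": []}"},
                }
            }
        },
    },
]

if __name__ == "__main__":
    request, blocked = plan_synchronization("GATEWAY-EXAMPLE", SAMPLE_TARGETS)
    print("request:", request)
    for target_id, reason in blocked.items():
        print("blocked:", target_id, "-", reason)
```

When the returned request is not None it can be passed as client.synchronize_gateway_targets(**request).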

See also: AWS API Documentation

Request Syntax

client.synchronize_gateway_targets(
    gatewayIdentifier='string',
    targetIdList=[
        'string',
    ]
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The gateway identifier.

type targetIdList:

list

param targetIdList:

[REQUIRED]

The target ID list.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'targets': [
        {
            'gatewayArn': 'string',
            'targetId': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
            'statusReasons': [
                'string',
            ],
            'name': 'string',
            'description': 'string',
            'targetConfiguration': {
                'mcp': {
                    'openApiSchema': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    },
                    'smithyModel': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    },
                    'lambda': {
                        'lambdaArn': 'string',
                        'toolSchema': {
                            's3': {
                                'uri': 'string',
                                'bucketOwnerAccountId': 'string'
                            },
                            'inlinePayload': [
                                {
                                    'name': 'string',
                                    'description': 'string',
                                    'inputSchema': {
                                        'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                        'properties': {
                                            'string': {'... recursive ...'}
                                        },
                                        'required': [
                                            'string',
                                        ],
                                        'items': {'... recursive ...'},
                                        'description': 'string'
                                    },
                                    'outputSchema': {
                                        'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                        'properties': {
                                            'string': {'... recursive ...'}
                                        },
                                        'required': [
                                            'string',
                                        ],
                                        'items': {'... recursive ...'},
                                        'description': 'string'
                                    }
                                },
                            ]
                        }
                    },
                    'mcpServer': {
                        'endpoint': 'string',
                        'mcpToolSchema': {
                            's3': {
                                'uri': 'string',
                                'bucketOwnerAccountId': 'string'
                            },
                            'inlinePayload': 'string'
                        },
                        'resourcePriority': 123,
                        'listingMode': 'DEFAULT'|'DYNAMIC'
                    },
                    'apiGateway': {
                        'restApiId': 'string',
                        'stage': 'string',
                        'apiGatewayToolConfiguration': {
                            'toolOverrides': [
                                {
                                    'name': 'string',
                                    'description': 'string',
                                    'path': 'string',
                                    'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                                },
                            ],
                            'toolFilters': [
                                {
                                    'filterPath': 'string',
                                    'methods': [
                                        'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                                    ]
                                },
                            ]
                        }
                    }
                }
            },
            'credentialProviderConfigurations': [
                {
                    'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
                    'credentialProvider': {
                        'oauthCredentialProvider': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                            'defaultReturnUrl': 'string'
                        },
                        'apiKeyCredentialProvider': {
                            'providerArn': 'string',
                            'credentialParameterName': 'string',
                            'credentialPrefix': 'string',
                            'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                        },
                        'iamCredentialProvider': {
                            'service': 'string',
                            'region': 'string'
                        }
                    }
                },
            ],
            'lastSynchronizedAt': datetime(2015, 1, 1),
            'metadataConfiguration': {
                'allowedRequestHeaders': [
                    'string',
                ],
                'allowedQueryParameters': [
                    'string',
                ],
                'allowedResponseHeaders': [
                    'string',
                ]
            },
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointManagedResources': [
                {
                    'domain': 'string',
                    'resourceGatewayArn': 'string',
                    'resourceAssociationArn': 'string'
                },
            ],
            'authorizationData': {
                'oauth2': {
                    'authorizationUrl': 'string',
                    'userId': 'string'
                }
            }
        },
    ]
}

Response Structure

  • (dict) --

    • targets (list) --

      The gateway targets for synchronization.

      • (dict) --

        The gateway target.

        • gatewayArn (string) --

          The Amazon Resource Name (ARN) of the gateway target.

        • targetId (string) --

          The target ID.

        • createdAt (datetime) --

          The date and time at which the target was created.

        • updatedAt (datetime) --

          The date and time at which the target was updated.

        • status (string) --

          The status of the gateway target.

        • statusReasons (list) --

          The status reasons for the target status.

          • (string) --

        • name (string) --

          The name of the gateway target.

        • description (string) --

          The description for the gateway target.

        • targetConfiguration (dict) --

          The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

          • mcp (dict) --

            The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

            • openApiSchema (dict) --

              The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

            • smithyModel (dict) --

              The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

            • lambda (dict) --

              The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

              • lambdaArn (string) --

                The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

              • toolSchema (dict) --

                The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

                • s3 (dict) --

                  The Amazon S3 location of the tool schema. This location contains the schema definition file.

                  • uri (string) --

                    The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                  • bucketOwnerAccountId (string) --

                    The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                • inlinePayload (list) --

                  The inline payload of the tool schema. This payload contains the schema definition directly in the request.

                  • (dict) --

                    A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                    • name (string) --

                      The name of the tool. This name identifies the tool in the Model Context Protocol.

                    • description (string) --

                      The description of the tool. This description provides information about the purpose and usage of the tool.

                    • inputSchema (dict) --

                      The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                      • type (string) --

                        The type of the schema definition. This field specifies the data type of the schema.

                      • properties (dict) --

                        The properties of the schema definition. These properties define the fields in the schema.

                        • (string) --

                          • (dict) --

                            A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                      • required (list) --

                        The required fields in the schema definition. These fields must be provided when using the schema.

                        • (string) --

                      • items (dict) --

                        The items in the schema definition. This field is used for array types to define the structure of the array elements.

                      • description (string) --

                        The description of the schema definition. This description provides information about the purpose and usage of the schema.

                    • outputSchema (dict) --

                      The output schema for the tool. This schema defines the structure of the output that the tool produces.

                      • type (string) --

                        The type of the schema definition. This field specifies the data type of the schema.

                      • properties (dict) --

                        The properties of the schema definition. These properties define the fields in the schema.

                        • (string) --

                          • (dict) --

                            A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                      • required (list) --

                        The required fields in the schema definition. These fields must be provided when using the schema.

                        • (string) --

                      • items (dict) --

                        The items in the schema definition. This field is used for array types to define the structure of the array elements.

                      • description (string) --

                        The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • mcpServer (dict) --

              The MCP server specified as the gateway target.

              • endpoint (string) --

                The endpoint for the MCP server target configuration.

              • mcpToolSchema (dict) --

                The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

                • s3 (dict) --

                  The Amazon S3 location of the tool schema. This location contains the schema definition file.

                  • uri (string) --

                    The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                  • bucketOwnerAccountId (string) --

                    The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                • inlinePayload (string) --

                  The inline payload containing the MCP tool schema definition.

              • resourcePriority (integer) --

                Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

              • listingMode (string) --

                The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

            • apiGateway (dict) --

              The configuration for an Amazon API Gateway target.

              • restApiId (string) --

                The ID of the API Gateway REST API.

              • stage (string) --

                The ID of the stage of the REST API to add as a target.

              • apiGatewayToolConfiguration (dict) --

                The configuration for defining REST API tool filters and overrides for the gateway target.

                • toolOverrides (list) --

                  A list of explicit tool definitions with optional custom names and descriptions.

                  • (dict) --

                    Settings to override configurations for a tool.

                    • name (string) --

                      The name of the tool. Identifies the tool in the Model Context Protocol.

                    • description (string) --

                      The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                    • path (string) --

                      Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                    • method (string) --

                      The HTTP method to expose for the specified path.

                • toolFilters (list) --

                  A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

                  • (dict) --

                    Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                    • filterPath (string) --

                      Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                    • methods (list) --

                      The methods to filter for.

                      • (string) --

        • credentialProviderConfigurations (list) --

          The provider configurations.

          • (dict) --

            The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

            • credentialProviderType (string) --

              The type of credential provider. This field specifies which authentication method the gateway uses.

            • credentialProvider (dict) --

              The credential provider. This field contains the specific configuration for the credential provider type.

              • oauthCredentialProvider (dict) --

                The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

                • providerArn (string) --

                  The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                • scopes (list) --

                  The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                  • (string) --

                • customParameters (dict) --

                  The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                  • (string) --

                    • (string) --

                • grantType (string) --

                  Specifies the kind of credentials to use for authorization:

                  • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                  • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                • defaultReturnUrl (string) --

                  The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

              • apiKeyCredentialProvider (dict) --

                The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

                • providerArn (string) --

                  The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

                • credentialParameterName (string) --

                  The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

                • credentialPrefix (string) --

                  The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

                • credentialLocation (string) --

                  The location of the API key credential. This field specifies where in the request the API key should be placed.

              • iamCredentialProvider (dict) --

                The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

                • service (string) --

                  The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

                • region (string) --

                  The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

        • lastSynchronizedAt (datetime) --

          The last synchronization time.

        • metadataConfiguration (dict) --

          The metadata configuration for HTTP header and query parameter propagation to and from this gateway target.

          • allowedRequestHeaders (list) --

            A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

            • (string) --

          • allowedQueryParameters (list) --

            A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

            • (string) --

          • allowedResponseHeaders (list) --

            A list of HTTP headers that are allowed to be propagated from the target response back to the client.

            • (string) --

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointManagedResources (list) --

          A list of managed resources created by the gateway for private endpoint connectivity. These resources are created in your account when you use a managed VPC Lattice resource configuration.

          • (dict) --

            Details of a resource created and managed by the gateway for private endpoint connectivity.

            • domain (string) --

              The domain associated with this managed resource.

            • resourceGatewayArn (string) --

              The ARN of the VPC Lattice resource gateway created in your account.

            • resourceAssociationArn (string) --

              The ARN of the service network resource association.

        • authorizationData (dict) --

          OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

          • oauth2 (dict) --

            OAuth2 authorization data for the gateway target.

            • authorizationUrl (string) --

              The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

            • userId (string) --

              The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

UpdateAgentRuntime (updated)
Changes (request)
{'agentRuntimeArtifact': {'codeConfiguration': {'runtime': {'NODE_22'}}},
 'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Updates an existing Amazon Secure Agent.

See also: AWS API Documentation

Request Syntax

client.update_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ]
        }
    },
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    metadataConfiguration={
        'requireMMDSV2': True|False
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            }
        },
    ],
    clientToken='string'
)
type agentRuntimeId:

string

param agentRuntimeId:

[REQUIRED]

The unique identifier of the AgentCore Runtime to update.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The updated artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The updated network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

type description:

string

param description:

The updated description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

The updated configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The updated life cycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type metadataConfiguration:

dict

param metadataConfiguration:

The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

  • requireMMDSV2 (boolean) -- [REQUIRED]

    Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

type environmentVariables:

dict

param environmentVariables:

Updated environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The updated filesystem configurations to mount into the AgentCore Runtime.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeId': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the updated AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the updated AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeVersion (string) --

      The version of the updated AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • status (string) --

      The current status of the updated AgentCore Runtime.

UpdateGateway (updated)
Changes (both)
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Updates an existing gateway.

See also: AWS API Documentation

Request Syntax

client.update_gateway(
    gatewayIdentifier='string',
    name='string',
    description='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    kmsKeyArn='string',
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to update.

type name:

string

param name:

[REQUIRED]

The name of the gateway. This name must match the name used when the gateway was created.

type description:

string

param description:

The updated description for the gateway.

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the gateway.

type protocolType:

string

param protocolType:

[REQUIRED]

The updated protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The updated authorizer type for the gateway.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the gateway.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type kmsKeyArn:

string

param kmsKeyArn:

The updated ARN of the KMS key used to encrypt the gateway.

type interceptorConfigurations:

list

param interceptorConfigurations:

The updated interceptor configurations for the gateway.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the Lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The ARN of the Lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.
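Added example, not part of the AWS documentation or SDK: an offline review of the keyword arguments for update_gateway that checks the fields this page marks [REQUIRED] and flags the settings whose documented behaviour matters for security (default security group fallback, LOG_ONLY policy mode, DEBUG exception level, header pass-through to interceptors). The function names, the WARN rules and every value in the sample request are assumptions of this example.

```python
# Added example: offline audit of update_gateway keyword arguments.
# Field names and allowed values come from the request syntax on this page.
# The WARN rules are this example's review policy, not AWS-side validation.
REQUIRED_TOP = ("gatewayIdentifier", "name", "roleArn", "protocolType", "authorizerType")
REQUIRED_MANAGED_VPC = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")
TOKEN_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
JWT = "authorizerConfiguration.customJWTAuthorizer"


def audit_private_endpoint(endpoint, path):
    """Audit one privateEndpoint dict; return (severity, path, message) tuples."""
    findings = []
    managed = endpoint.get("managedVpcResource")
    if managed is None:
        return findings
    base = f"{path}.managedVpcResource"
    for key in REQUIRED_MANAGED_VPC:
        if not managed.get(key):
            findings.append(("ERROR", f"{base}.{key}", "required field is missing"))
    ip_type = managed.get("endpointIpAddressType")
    if ip_type and ip_type not in ("IPV4", "IPV6"):
        findings.append(("ERROR", f"{base}.endpointIpAddressType", "must be IPV4 or IPV6"))
    if not managed.get("securityGroupIds"):
        findings.append(("WARN", f"{base}.securityGroupIds",
                         "not set, so the VPC default security group is used"))
    return findings


def audit_update_gateway(request):
    """Audit a dict of update_gateway keyword arguments without calling AWS."""
    findings = []
    for key in REQUIRED_TOP:
        if not request.get(key):
            findings.append(("ERROR", key, "required field is missing"))
    if request.get("authorizerType") == "NONE":
        findings.append(("WARN", "authorizerType", "no inbound authorizer is configured"))

    jwt = request.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt is not None:
        if not jwt.get("discoveryUrl"):
            findings.append(("ERROR", f"{JWT}.discoveryUrl", "required field is missing"))
        if not any(jwt.get(key) for key in TOKEN_RESTRICTIONS):
            findings.append(("WARN", JWT, "no audience, client, scope or claim restriction"))
        if "privateEndpoint" in jwt:
            findings += audit_private_endpoint(jwt["privateEndpoint"], f"{JWT}.privateEndpoint")
        for i, override in enumerate(jwt.get("privateEndpointOverrides", [])):
            opath = f"{JWT}.privateEndpointOverrides[{i}]"
            if not override.get("domain"):
                findings.append(("ERROR", f"{opath}.domain", "required field is missing"))
            if "privateEndpoint" not in override:
                findings.append(("ERROR", f"{opath}.privateEndpoint", "required field is missing"))
            else:
                findings += audit_private_endpoint(override["privateEndpoint"],
                                                   f"{opath}.privateEndpoint")

    for i, cfg in enumerate(request.get("interceptorConfigurations", [])):
        if cfg.get("inputConfiguration", {}).get("passRequestHeaders") is True:
            findings.append(("WARN", f"interceptorConfigurations[{i}].inputConfiguration",
                             "request headers are passed to the interceptor Lambda"))

    policy = request.get("policyEngineConfiguration")
    if policy is not None:
        if not policy.get("arn"):
            findings.append(("ERROR", "policyEngineConfiguration.arn", "required field is missing"))
        mode = policy.get("mode")
        if mode not in ("LOG_ONLY", "ENFORCE"):
            findings.append(("ERROR", "policyEngineConfiguration.mode",
                             "must be LOG_ONLY or ENFORCE"))
        elif mode == "LOG_ONLY":
            findings.append(("WARN", "policyEngineConfiguration.mode",
                             "decisions are traced but not enforced"))
    if request.get("exceptionLevel") == "DEBUG":
        findings.append(("WARN", "exceptionLevel", "granular exception messages are returned"))
    return findings


# Constructed sample request; every identifier below is a placeholder.
SAMPLE_REQUEST = {
    "gatewayIdentifier": "example-gateway-id",
    "name": "example-gateway",
    "roleArn": "arn:aws:iam::111122223333:role/example-gateway-role",
    "protocolType": "MCP",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.internal.example/.well-known/openid-configuration",
        "allowedAudience": ["example-audience"],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE"],
            "endpointIpAddressType": "IPV4",
            "routingDomain": "idp-routing.example.com",
        }},
        "privateEndpointOverrides": [{"domain": "jwks.internal.example"}],
    }},
    "policyEngineConfiguration": {"arn": "arn:EXAMPLE:policy-engine", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

if __name__ == "__main__":
    for severity, path, message in audit_update_gateway(SAMPLE_REQUEST):
        print(f"{severity:5} {path}: {message}")
```

Run the audit on the same dict you would unpack into client.update_gateway(**request), and treat any ERROR finding as a reason not to send the call.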

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'kmsKeyArn': 'string',
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the updated gateway.

    • gatewayId (string) --

      The unique identifier of the updated gateway.

    • gatewayUrl (string) --

      An endpoint for invoking the updated gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the updated gateway.

    • statusReasons (list) --

      The reasons for the current status of the updated gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The updated description of the gateway.

    • roleArn (string) --

      The updated IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      The updated protocol type for the gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • authorizerType (string) --

      The updated authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The updated authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • kmsKeyArn (string) --

      The updated ARN of the KMS key used to encrypt the gateway.

    • interceptorConfigurations (list) --

      The updated interceptor configurations for the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

    • policyEngineConfiguration (dict) --

      The updated policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.
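The fields above decide whether Cedar decisions are enforced, how much error detail callers see, and whether request headers reach an interceptor Lambda. The following added example (not part of the AWS documentation) reviews a response dict for those three settings; `review_gateway`, `is_enforcing` and `SAMPLE_GATEWAY` are hypothetical names, and the sample values are constructed placeholders.

```python
"""Posture review of a gateway response dict (added example, not AWS code)."""

# Constructed sample that uses only response fields documented above.
# The ARNs are placeholders, not real resources.
SAMPLE_GATEWAY = {
    "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE",
    "interceptorConfigurations": [
        {
            "interceptor": {
                "lambda": {"arn": "arn:aws:lambda:us-east-1:111122223333:function:EXAMPLE"}
            },
            "inputConfiguration": {"passRequestHeaders": True},
        }
    ],
    "policyEngineConfiguration": {
        "arn": "arn:aws:EXAMPLE:policy-engine-placeholder",
        "mode": "LOG_ONLY",
    },
    "exceptionLevel": "DEBUG",
}

# The two enforcement modes this page lists ("Valid values include").
DOCUMENTED_MODES = {"LOG_ONLY", "ENFORCE"}


def review_gateway(gateway):
    """Return a list of (severity, field, message) findings."""
    findings = []

    policy = gateway.get("policyEngineConfiguration")
    if not policy:
        findings.append(("INFO", "policyEngineConfiguration",
                         "no policy engine is configured on this gateway"))
    else:
        mode = policy.get("mode")
        if mode == "LOG_ONLY":
            findings.append(("WARN", "policyEngineConfiguration.mode",
                             "LOG_ONLY traces allow/deny decisions but does not enforce them"))
        elif mode not in DOCUMENTED_MODES:
            findings.append(("WARN", "policyEngineConfiguration.mode",
                             f"{mode!r} is not a mode listed on this page"))

    # DEBUG returns granular exception messages; omitting the field keeps them generic.
    if gateway.get("exceptionLevel") == "DEBUG":
        findings.append(("WARN", "exceptionLevel",
                         "granular exception messages are returned to callers"))

    # Request headers can carry bearer tokens, so record which Lambda receives them.
    for i, cfg in enumerate(gateway.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn", "<unknown>")
            findings.append(("INFO", f"interceptorConfigurations[{i}]",
                             f"request headers are passed to {arn}"))
    return findings


def is_enforcing(gateway):
    """True only when a policy engine is attached and its mode is ENFORCE."""
    return (gateway.get("policyEngineConfiguration") or {}).get("mode") == "ENFORCE"


if __name__ == "__main__":
    for severity, field, message in review_gateway(SAMPLE_GATEWAY):
        print(f"[{severity}] {field}: {message}")
```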

UpdateGatewayTarget (updated)
Changes (both)
{'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 | '
                                                                     'IPV6',
                                            'routingDomain': 'string',
                                            'securityGroupIds': ['string'],
                                            'subnetIds': ['string'],
                                            'tags': {'string': 'string'},
                                            'vpcIdentifier': 'string'}}}

Updates an existing gateway target.

You cannot update a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before updating the target.

See also: AWS API Documentation

Request Syntax

client.update_gateway_target(
    gatewayIdentifier='string',
    targetId='string',
    name='string',
    description='string',
    targetConfiguration={
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'resourcePriority': 123,
                'listingMode': 'DEFAULT'|'DYNAMIC'
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            }
        }
    },
    credentialProviderConfigurations=[
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    metadataConfiguration={
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    privateEndpoint={
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The unique identifier of the gateway associated with the target.

type targetId:

string

param targetId:

[REQUIRED]

The unique identifier of the gateway target to update.

type name:

string

param name:

[REQUIRED]

The updated name for the gateway target.

type description:

string

param description:

The updated description for the gateway target.

type targetConfiguration:

dict

param targetConfiguration:

[REQUIRED]

The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

  • mcp (dict) --

    The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

    • openApiSchema (dict) --

      The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • smithyModel (dict) --

      The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • lambda (dict) --

      The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

      • lambdaArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

      • toolSchema (dict) -- [REQUIRED]

        The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (list) --

          The inline payload of the tool schema. This payload contains the schema definition directly in the request.

          • (dict) --

            A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

            • name (string) -- [REQUIRED]

              The name of the tool. This name identifies the tool in the Model Context Protocol.

            • description (string) -- [REQUIRED]

              The description of the tool. This description provides information about the purpose and usage of the tool.

            • inputSchema (dict) -- [REQUIRED]

              The input schema for the tool. This schema defines the structure of the input that the tool accepts.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • outputSchema (dict) --

              The output schema for the tool. This schema defines the structure of the output that the tool produces.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

    • mcpServer (dict) --

      The MCP server specified as the gateway target.

      • endpoint (string) -- [REQUIRED]

        The endpoint for the MCP server target configuration.

      • mcpToolSchema (dict) --

        The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (string) --

          The inline payload containing the MCP tool schema definition.

      • resourcePriority (integer) --

        Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

      • listingMode (string) --

        The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

    • apiGateway (dict) --

      The configuration for an Amazon API Gateway target.

      • restApiId (string) -- [REQUIRED]

        The ID of the API Gateway REST API.

      • stage (string) -- [REQUIRED]

        The ID of the stage of the REST API to add as a target.

      • apiGatewayToolConfiguration (dict) -- [REQUIRED]

        The configuration for defining REST API tool filters and overrides for the gateway target.

        • toolOverrides (list) --

          A list of explicit tool definitions with optional custom names and descriptions.

          • (dict) --

            Settings to override configurations for a tool.

            • name (string) -- [REQUIRED]

              The name of the tool. Identifies the tool in the Model Context Protocol.

            • description (string) --

              The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

            • path (string) -- [REQUIRED]

              Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

            • method (string) -- [REQUIRED]

              The HTTP method to expose for the specified path.

        • toolFilters (list) -- [REQUIRED]

          A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

          • (dict) --

            Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

            • filterPath (string) -- [REQUIRED]

              Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

            • methods (list) -- [REQUIRED]

              The methods to filter for.

              • (string) --

type credentialProviderConfigurations:

list

param credentialProviderConfigurations:

The updated credential provider configurations for the gateway target.

  • (dict) --

    The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

    • credentialProviderType (string) -- [REQUIRED]

      The type of credential provider. This field specifies which authentication method the gateway uses.

    • credentialProvider (dict) --

      The credential provider. This field contains the specific configuration for the credential provider type.

      • oauthCredentialProvider (dict) --

        The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

        • scopes (list) -- [REQUIRED]

          The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

          • (string) --

        • customParameters (dict) --

          The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

          • (string) --

            • (string) --

        • grantType (string) --

          Specifies the kind of credentials to use for authorization:

          • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

          • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

        • defaultReturnUrl (string) --

          The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • apiKeyCredentialProvider (dict) --

        The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

        • credentialParameterName (string) --

          The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

        • credentialPrefix (string) --

          The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

        • credentialLocation (string) --

          The location of the API key credential. This field specifies where in the request the API key should be placed.

      • iamCredentialProvider (dict) --

        The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

        • service (string) -- [REQUIRED]

          The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

        • region (string) --

          The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

type metadataConfiguration:

dict

param metadataConfiguration:

Configuration for HTTP header and query parameter propagation to the gateway target.

  • allowedRequestHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

    • (string) --

  • allowedQueryParameters (list) --

    A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

    • (string) --

  • allowedResponseHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from the target response back to the client.

    • (string) --

type privateEndpoint:

dict

param privateEndpoint:

The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.

  • selfManagedLatticeResource (dict) --

    Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

    • resourceConfigurationIdentifier (string) --

      The ARN or ID of the VPC Lattice resource configuration.

  • managedVpcResource (dict) --

    Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

    • vpcIdentifier (string) -- [REQUIRED]

      The ID of the VPC that contains your private resource.

    • subnetIds (list) -- [REQUIRED]

      The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

      • (string) --

    • endpointIpAddressType (string) -- [REQUIRED]

      The IP address type for the resource configuration endpoint.

    • securityGroupIds (list) --

      The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

      • (string) --

    • tags (dict) --

      Tags to apply to the managed VPC Lattice resource gateway.

      • (string) --

        • (string) --

    • routingDomain (string) --

      An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
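Several request parameters above have defaults or options that matter for exposure: an omitted securityGroupIds falls back to the VPC's default security group, credentialLocation can place an API key in the query string, and a wildcard filterPath can expose write methods as tools. The following added example (not part of the AWS documentation) is a pre-flight review of the keyword arguments before they are passed to update_gateway_target; `review_request`, `update_allowed` and `SAMPLE_REQUEST` are hypothetical names, all sample identifiers are constructed placeholders, and the write-method and query-string warnings are this example's own review policy rather than API rules.

```python
"""Pre-flight review of update_gateway_target arguments (added example, not AWS code)."""

# States in which this page says a target cannot be updated.
PENDING_AUTH_STATES = {
    "CREATE_PENDING_AUTH", "UPDATE_PENDING_AUTH", "SYNCHRONIZE_PENDING_AUTH",
}
# Parameters marked [REQUIRED] in the parameter list above.
REQUIRED_TOP_LEVEL = ("gatewayIdentifier", "targetId", "name", "targetConfiguration")
REQUIRED_MANAGED_VPC = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")
# Methods this example treats as state-changing (a review policy, not an API rule).
WRITE_METHODS = {"DELETE", "PATCH", "PUT", "POST"}

# Constructed request; every identifier is a placeholder.
SAMPLE_REQUEST = {
    "gatewayIdentifier": "example-gateway-id",
    "targetId": "EXAMPLETGT",
    "name": "pets-api",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "exampleapi",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
        ]},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "arn:aws:EXAMPLE:api-key-provider-placeholder",
            "credentialLocation": "QUERY_PARAMETER",
        }},
    }],
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "vpc-EXAMPLE",
        "subnetIds": ["subnet-EXAMPLE"],
        "endpointIpAddressType": "IPV4",
    }},
}


def update_allowed(current_status):
    """False while the target is waiting for authorization to complete or fail."""
    return current_status not in PENDING_AUTH_STATES


def review_request(kwargs):
    """Return (severity, path, message) findings for the request kwargs."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if not kwargs.get(key):
            findings.append(("ERROR", key, "documented as [REQUIRED]"))

    managed = (kwargs.get("privateEndpoint") or {}).get("managedVpcResource")
    if managed is not None:
        base = "privateEndpoint.managedVpcResource"
        for key in REQUIRED_MANAGED_VPC:
            if not managed.get(key):
                findings.append(("ERROR", f"{base}.{key}", "documented as [REQUIRED]"))
        ip_type = managed.get("endpointIpAddressType")
        if ip_type and ip_type not in ("IPV4", "IPV6"):
            findings.append(("ERROR", f"{base}.endpointIpAddressType", "must be IPV4 or IPV6"))
        if not managed.get("securityGroupIds"):
            findings.append(("WARN", f"{base}.securityGroupIds",
                             "omitted, so the VPC's default security group is used"))

    for i, cfg in enumerate(kwargs.get("credentialProviderConfigurations") or []):
        api_key = (cfg.get("credentialProvider") or {}).get("apiKeyCredentialProvider") or {}
        if api_key.get("credentialLocation") == "QUERY_PARAMETER":
            findings.append(("WARN", f"credentialProviderConfigurations[{i}]",
                             "API key travels in the URL, where access logs commonly record it"))

    mcp = (kwargs.get("targetConfiguration") or {}).get("mcp") or {}
    tool_cfg = (mcp.get("apiGateway") or {}).get("apiGatewayToolConfiguration") or {}
    for i, flt in enumerate(tool_cfg.get("toolFilters") or []):
        writes = sorted(WRITE_METHODS & set(flt.get("methods") or []))
        if flt.get("filterPath", "").endswith("/*") and writes:
            findings.append(("WARN", f"toolFilters[{i}]",
                             f"wildcard path exposes {writes} as tools"))
    return findings


if __name__ == "__main__":
    for severity, path, message in review_request(SAMPLE_REQUEST):
        print(f"[{severity}] {path}: {message}")
```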

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'resourcePriority': 123,
                'listingMode': 'DEFAULT'|'DYNAMIC'
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the updated gateway target.

    • createdAt (datetime) --

      The timestamp when the gateway target was created.

    • updatedAt (datetime) --

      The timestamp when the gateway target was last updated.

    • status (string) --

      The current status of the updated gateway target.

    • statusReasons (list) --

      The reasons for the current status of the updated gateway target.

      • (string) --

    • name (string) --

      The updated name of the gateway target.

    • description (string) --

      The updated description of the gateway target.

    • targetConfiguration (dict) --

      The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

    • credentialProviderConfigurations (list) --

      The updated credential provider configurations for the gateway target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The date and time at which the targets were last synchronized.

    • metadataConfiguration (dict) --

      The metadata configuration that was applied to the gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the updated gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
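
The response fields above that change exposure (the security group fallback, the publicly resolvable routing domain, wildcard tool filters, propagated headers, a static MCP tool schema, a pending user authorization) can be checked mechanically after each update. This is an added example, not AWS or boto3 code: field names are taken from the response structure, while the finding codes, the SENSITIVE_HEADERS set and the sample response are constructed for illustration.

```python
# Added example (not AWS code): review one update_gateway_target response dict.
# Field names are from the response structure above; the finding codes,
# SENSITIVE_HEADERS and SAMPLE_RESPONSE are constructed for illustration.

SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}  # assumption: local policy


def dig(obj, *keys):
    """Walk nested dicts; return None as soon as a level is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def review_gateway_target(resp):
    """Return (code, detail) findings for settings worth a second look."""
    findings = []

    managed = dig(resp, "privateEndpoint", "managedVpcResource")
    if isinstance(managed, dict):
        # No securityGroupIds: the VPC's default security group is used.
        if not managed.get("securityGroupIds"):
            findings.append(("DEFAULT_SECURITY_GROUP", str(managed.get("vpcIdentifier"))))
        # routingDomain is an intermediate, publicly resolvable domain.
        if managed.get("routingDomain"):
            findings.append(("PUBLIC_ROUTING_DOMAIN", managed["routingDomain"]))

    # A wildcard filterPath exposes every path under the prefix as a tool.
    filters = dig(resp, "targetConfiguration", "mcp", "apiGateway",
                  "apiGatewayToolConfiguration", "toolFilters") or []
    for flt in filters:
        path = flt.get("filterPath", "")
        if path.endswith("/*"):
            findings.append(("WILDCARD_TOOL_FILTER", f"{path} {flt.get('methods')}"))

    # With mcpToolSchema set, dynamic tool discovery/synchronization is disabled,
    # so the exposed tool list is only as current as the stored schema.
    if dig(resp, "targetConfiguration", "mcp", "mcpServer", "mcpToolSchema"):
        findings.append(("STATIC_TOOL_SCHEMA", "dynamic discovery disabled"))

    # Headers on this list are propagated from client requests to the target.
    allowed = dig(resp, "metadataConfiguration", "allowedRequestHeaders") or []
    forwarded = sorted(h for h in allowed if h.lower() in SENSITIVE_HEADERS)
    if forwarded:
        findings.append(("CREDENTIAL_HEADER_PROPAGATED", ", ".join(forwarded)))

    # authorizationData is returned when an authorization code grant still
    # requires the end user to authorize.
    needs_user = any(
        dig(cfg, "credentialProvider", "oauthCredentialProvider", "grantType")
        == "AUTHORIZATION_CODE"
        for cfg in resp.get("credentialProviderConfigurations") or []
    )
    pending = dig(resp, "authorizationData", "oauth2") or {}
    if needs_user and pending.get("authorizationUrl"):
        findings.append(("USER_AUTHORIZATION_PENDING", f"userId={pending.get('userId')}"))

    return findings


# Constructed sample response; every value is a placeholder.
SAMPLE_RESPONSE = {
    "targetId": "EXAMPLETARGET",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "abc123example",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets", "methods": ["GET"]},
            {"filterPath": "/admin/*", "methods": ["GET", "POST"]},
        ]},
    }}},
    "credentialProviderConfigurations": [{"credentialProvider": {
        "oauthCredentialProvider": {
            "providerArn": "arn:aws:EXAMPLE-PLACEHOLDER",
            "scopes": ["read"],
            "grantType": "AUTHORIZATION_CODE",
        }}}],
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id", "Authorization"]},
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "vpc-0example",
        "subnetIds": ["subnet-0example"],
        "endpointIpAddressType": "IPV4",
        "routingDomain": "route.example.com",
    }},
    "authorizationData": {"oauth2": {
        "authorizationUrl": "https://idp.example.com/authorize",
        "userId": "user-example",
    }},
}

if __name__ == "__main__":
    for code, detail in review_gateway_target(SAMPLE_RESPONSE):
        print(f"{code}: {detail}")
```
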

UpdateHarness (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                           '| '
                                                                                                                                           'IPV6',
                                                                                                                  'routingDomain': 'string',
                                                                                                                  'securityGroupIds': ['string'],
                                                                                                                  'subnetIds': ['string'],
                                                                                                                  'tags': {'string': 'string'},
                                                                                                                  'vpcIdentifier': 'string'},
                                                                                           'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                                       'privateEndpointOverrides': [{'domain': 'string',
                                                                                                     'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                         '| '
                                                                                                                                                                         'IPV6',
                                                                                                                                                'routingDomain': 'string',
                                                                                                                                                'securityGroupIds': ['string'],
                                                                                                                                                'subnetIds': ['string'],
                                                                                                                                                'tags': {'string': 'string'},
                                                                                                                                                'vpcIdentifier': 'string'},
                                                                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                     '| '
                                                                                                                                     'IPV6',
                                                                                                            'routingDomain': 'string',
                                                                                                            'securityGroupIds': ['string'],
                                                                                                            'subnetIds': ['string'],
                                                                                                            'tags': {'string': 'string'},
                                                                                                            'vpcIdentifier': 'string'},
                                                                                     'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                                 'privateEndpointOverrides': [{'domain': 'string',
                                                                                               'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                   '| '
                                                                                                                                                                   'IPV6',
                                                                                                                                          'routingDomain': 'string',
                                                                                                                                          'securityGroupIds': ['string'],
                                                                                                                                          'subnetIds': ['string'],
                                                                                                                                          'tags': {'string': 'string'},
                                                                                                                                          'vpcIdentifier': 'string'},
                                                                                                                   'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}

Operation to update a Harness.

See also: AWS API Documentation

Request Syntax

client.update_harness(
    harnessId='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ]
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'optionalValue': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {},
                        'none': {},
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string'
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'optionalValue': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            }
        }
    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to update.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

The ARN of the IAM role that the harness assumes when running. If not specified, the existing value is retained.

type environment:

dict

param environment:

The compute environment configuration for the harness. If not specified, the existing value is retained.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated environment artifact value, or null to clear the existing configuration.

    • containerConfiguration (dict) --

      Representation of a container configuration.

      • containerUri (string) -- [REQUIRED]

        The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment. If specified, this replaces all existing environment variables. If not specified, the existing value is retained.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Wrapper for updating an optional AuthorizerConfiguration field with PATCH semantics. When present in an update request, the authorizer configuration is replaced with optionalValue. When absent, the authorizer configuration is left unchanged. To unset, include the wrapper with optionalValue not specified.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation.

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • privateEndpointOverrides (list) --

        A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type model:

dict

param model:

The model configuration for the harness. If not specified, the existing value is retained.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior. If not specified, the existing value is retained.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent. If specified, this replaces all existing tools. If not specified, the existing value is retained.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Map of key/value pairs for HTTP headers.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (document) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. If specified, this replaces all existing skills. If not specified, the existing value is retained.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. If specified, this replaces all existing allowed tools. If not specified, the existing value is retained.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated memory configuration value, or null to clear the existing configuration.

    • agentCoreMemoryConfiguration (dict) --

      The AgentCore Memory configuration.

      • arn (string) -- [REQUIRED]

        The ARN of the AgentCore Memory resource.

      • actorId (string) --

        The actor ID for memory operations.

      • messagesCount (integer) --

        The number of messages to retrieve from memory.

      • retrievalConfig (dict) --

        The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

        • (string) --

          • (dict) --

            Configuration for memory retrieval within a namespace.

            • topK (integer) --

              The maximum number of memory entries to retrieve.

            • relevanceScore (float) --

              The minimum relevance score for retrieved memories.

            • strategyId (string) --

              The ID of the retrieval strategy to use.
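The update semantics described above for authorizerConfiguration, environmentArtifact and memory (optionalValue wrapper) and for environmentVariables, tools, skills and allowedTools (replace-all when specified) can be previewed offline before a request is sent. The following is an added example, not code from the SDK or the service: preview_update, the finding strings and the sample CURRENT and REQUEST dictionaries (including the tool and variable names) are constructed for illustration, and no AWS API is called.

```python
from copy import deepcopy

# Wrapper fields: absent = unchanged, optionalValue set = replaced,
# wrapper present without optionalValue = cleared.
WRAPPED = ("authorizerConfiguration", "environmentArtifact", "memory")
# Fields that overwrite the whole stored value whenever they are specified.
REPLACE_ALL = ("environmentVariables", "tools", "skills", "allowedTools")
# JWT checks that disappear if the replacement authorizer omits them.
JWT_CHECKS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def _names(field, value):
    """Reduce a replace-all field to a set of comparable names (never values)."""
    if field == "environmentVariables":
        return set(value or {})
    if field == "tools":
        return {t.get("name") or t["type"] for t in value or []}
    if field == "skills":
        return {s.get("path", "") for s in value or []}
    return set(value or [])


def preview_update(current, request):
    """Return (resulting_config, findings) without calling any AWS API."""
    result = deepcopy(current)
    findings = []

    for field in WRAPPED:
        if field not in request:
            continue  # wrapper absent: stored value is left unchanged
        new = (request[field] or {}).get("optionalValue")
        old = result.get(field)
        if new is None:
            # Wrapper present with no optionalValue: the stored value is cleared.
            result.pop(field, None)
            if old:
                findings.append(f"{field}: cleared")
            continue
        result[field] = deepcopy(new)
        if field == "authorizerConfiguration" and old:
            # The whole authorizer is replaced, so any check that the new
            # value omits is no longer enforced.
            old_jwt = old.get("customJWTAuthorizer", {})
            new_jwt = new.get("customJWTAuthorizer", {})
            for check in JWT_CHECKS:
                if old_jwt.get(check) and not new_jwt.get(check):
                    findings.append(f"{field}: {check} dropped by replacement")
            if old_jwt.get("discoveryUrl") != new_jwt.get("discoveryUrl"):
                findings.append(f"{field}: discoveryUrl changed")

    for field in REPLACE_ALL:
        if field not in request:
            continue  # not specified: existing value is retained
        before = _names(field, result.get(field))
        after = _names(field, request[field])
        result[field] = deepcopy(request[field])
        for name in sorted(before - after):
            findings.append(f"{field}: '{name}' removed")
        for name in sorted(after - before):
            findings.append(f"{field}: '{name}' added")

    return result, findings


# Constructed sample state, shaped like the 'harness' object in the response.
CURRENT = {
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedAudience": ["agent-api"],
            "allowedClients": ["client-a"],
        }
    },
    "environmentVariables": {"LOG_LEVEL": "info", "REGION_HINT": "eu"},
    "allowedTools": ["search"],
}

# Constructed request: adds a scope check but omits allowedClients, sends a
# single environment variable, and widens allowedTools.
REQUEST = {
    "authorizerConfiguration": {
        "optionalValue": {
            "customJWTAuthorizer": {
                "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
                "allowedAudience": ["agent-api"],
                "allowedScopes": ["agent:invoke"],
            }
        }
    },
    "environmentVariables": {"LOG_LEVEL": "debug"},
    "allowedTools": ["search", "shell"],
}

if __name__ == "__main__":
    for line in preview_update(CURRENT, REQUEST)[1]:
        print(line)
```

Findings list names only, so environment variable values never reach review output or logs.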

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context. If not specified, the existing value is retained.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation. If not specified, the existing value is retained.

type maxTokens:

integer

param maxTokens:

The maximum number of tokens the agent can generate per iteration. If not specified, the existing value is retained.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation. If not specified, the existing value is retained.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string'
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ]
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            }
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The updated harness.

      • harnessId (string) --

        The ID of the Harness.

      • harnessName (string) --

        The name of the Harness.

      • arn (string) --

        The ARN of the Harness.

      • status (string) --

        The status of the Harness.

      • executionRoleArn (string) --

        IAM role the Harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the Harness.

      • updatedAt (datetime) --

        The updatedAt time of the Harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

      • systemPrompt (list) --

        The system prompt of the Harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the Harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Map of key/value pairs for HTTP headers.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How Loopy authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  An OAuth credential provider for gateway authentication. This structure contains the configuration for authenticating with the target endpoint using OAuth.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (document) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the Harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

      • allowedTools (list) --

        The allowed tools of the Harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the Harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

          • privateEndpointOverrides (list) --

            A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum number of tokens allowed before exiting per invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

UpdateOauth2CredentialProvider (updated)
Changes (request, response)
Request
{'oauth2ProviderConfigInput': {
    'customOauth2ProviderConfig': {
        'privateEndpoint': {
            'managedVpcResource': {
                'endpointIpAddressType': 'IPV4 | IPV6',
                'routingDomain': 'string',
                'securityGroupIds': ['string'],
                'subnetIds': ['string'],
                'tags': {'string': 'string'},
                'vpcIdentifier': 'string'},
            'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
        'privateEndpointOverrides': [{
            'domain': 'string',
            'privateEndpoint': {
                'managedVpcResource': {
                    'endpointIpAddressType': 'IPV4 | IPV6',
                    'routingDomain': 'string',
                    'securityGroupIds': ['string'],
                    'subnetIds': ['string'],
                    'tags': {'string': 'string'},
                    'vpcIdentifier': 'string'},
                'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}
Response
{'oauth2ProviderConfigOutput': {
    'customOauth2ProviderConfig': {
        'privateEndpoint': {
            'managedVpcResource': {
                'endpointIpAddressType': 'IPV4 | IPV6',
                'routingDomain': 'string',
                'securityGroupIds': ['string'],
                'subnetIds': ['string'],
                'tags': {'string': 'string'},
                'vpcIdentifier': 'string'},
            'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
        'privateEndpointOverrides': [{
            'domain': 'string',
            'privateEndpoint': {
                'managedVpcResource': {
                    'endpointIpAddressType': 'IPV4 | IPV6',
                    'routingDomain': 'string',
                    'securityGroupIds': ['string'],
                    'subnetIds': ['string'],
                    'tags': {'string': 'string'},
                    'vpcIdentifier': 'string'},
                'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}},
 'status': 'CREATING | CREATE_FAILED | UPDATING | UPDATE_FAILED | READY | DELETING | DELETE_FAILED'}

Updates an existing OAuth2 credential provider.

See also: AWS API Documentation

Request Syntax

client.update_oauth2_credential_provider(
    name='string',
    credentialProviderVendor='GoogleOauth2'|'GithubOauth2'|'SlackOauth2'|'SalesforceOauth2'|'MicrosoftOauth2'|'CustomOauth2'|'AtlassianOauth2'|'LinkedinOauth2'|'XOauth2'|'OktaOauth2'|'OneLoginOauth2'|'PingOneOauth2'|'FacebookOauth2'|'YandexOauth2'|'RedditOauth2'|'ZoomOauth2'|'TwitchOauth2'|'SpotifyOauth2'|'DropboxOauth2'|'NotionOauth2'|'HubspotOauth2'|'CyberArkOauth2'|'FusionAuthOauth2'|'Auth0Oauth2'|'CognitoOauth2',
    oauth2ProviderConfigInput={
        'customOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string',
            'clientSecret': 'string',
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        },
        'googleOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'githubOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'slackOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'salesforceOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'microsoftOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string',
            'tenantId': 'string'
        },
        'atlassianOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'linkedinOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string'
        },
        'includedOauth2ProviderConfig': {
            'clientId': 'string',
            'clientSecret': 'string',
            'issuer': 'string',
            'authorizationEndpoint': 'string',
            'tokenEndpoint': 'string'
        }
    }
)
type name:

string

param name:

[REQUIRED]

The name of the OAuth2 credential provider to update.

type credentialProviderVendor:

string

param credentialProviderVendor:

[REQUIRED]

The vendor of the OAuth2 credential provider.

type oauth2ProviderConfigInput:

dict

param oauth2ProviderConfigInput:

[REQUIRED]

The configuration input for the OAuth2 provider.

  • customOauth2ProviderConfig (dict) --

    The configuration for a custom OAuth2 provider.

    • oauthDiscovery (dict) -- [REQUIRED]

      The OAuth2 discovery information for the custom provider.

      • discoveryUrl (string) --

        The discovery URL for the OAuth2 provider.

      • authorizationServerMetadata (dict) --

        The authorization server metadata for the OAuth2 provider.

        • issuer (string) -- [REQUIRED]

          The issuer URL for the OAuth2 authorization server.

        • authorizationEndpoint (string) -- [REQUIRED]

          The authorization endpoint URL for the OAuth2 authorization server.

        • tokenEndpoint (string) -- [REQUIRED]

          The token endpoint URL for the OAuth2 authorization server.

        • responseTypes (list) --

          The supported response types for the OAuth2 authorization server.

          • (string) --

        • tokenEndpointAuthMethods (list) --

          The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

          • (string) --

    • clientId (string) -- [REQUIRED]

      The client ID for the custom OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the custom OAuth2 provider.

    • privateEndpoint (dict) --

      The default private endpoint for the custom OAuth2 provider, enabling secure connectivity through a VPC Lattice resource configuration.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • privateEndpointOverrides (list) --

      The list of private endpoint overrides for the custom OAuth2 provider. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

  • googleOauth2ProviderConfig (dict) --

    The configuration for a Google OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Google OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Google OAuth2 provider.

  • githubOauth2ProviderConfig (dict) --

    The configuration for a GitHub OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the GitHub OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the GitHub OAuth2 provider.

  • slackOauth2ProviderConfig (dict) --

    The configuration for a Slack OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Slack OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Slack OAuth2 provider.

  • salesforceOauth2ProviderConfig (dict) --

    The configuration for a Salesforce OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Salesforce OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Salesforce OAuth2 provider.

  • microsoftOauth2ProviderConfig (dict) --

    The configuration for a Microsoft OAuth2 provider.

    • clientId (string) -- [REQUIRED]

      The client ID for the Microsoft OAuth2 provider.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Microsoft OAuth2 provider.

    • tenantId (string) --

      The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft's identity platform where your application is registered.

  • atlassianOauth2ProviderConfig (dict) --

    Configuration settings for Atlassian OAuth2 provider integration.

    • clientId (string) -- [REQUIRED]

      The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application.

  • linkedinOauth2ProviderConfig (dict) --

    Configuration settings for LinkedIn OAuth2 provider integration.

    • clientId (string) -- [REQUIRED]

      The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application.

  • includedOauth2ProviderConfig (dict) --

    The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support.

    • clientId (string) -- [REQUIRED]

      The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application.

    • clientSecret (string) -- [REQUIRED]

      The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application.

    • issuer (string) --

      Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider.

    • authorizationEndpoint (string) --

      OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources.

    • tokenEndpoint (string) --

      OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens.
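
Added example (not part of the AWS documentation or the SDK): a pre-flight lint for the privateEndpoint and privateEndpointOverrides blocks of customOauth2ProviderConfig, run before calling update_oauth2_credential_provider. The function names, the severity labels, the duplicate-domain and both-kinds-set warnings, and the sample identifiers are assumptions made for this illustration; the required fields, the IPV4/IPV6 values and the default-security-group fallback come from the parameter descriptions above.

```python
"""Lint the private-endpoint parts of a customOauth2ProviderConfig dict (illustrative)."""

ALLOWED_IP_TYPES = {"IPV4", "IPV6"}
# Fields marked [REQUIRED] under managedVpcResource in the request documentation.
MANAGED_REQUIRED = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")


def lint_private_endpoint(endpoint, where):
    """Return (severity, message) findings for one privateEndpoint dict."""
    findings = []
    managed = endpoint.get("managedVpcResource")
    self_managed = endpoint.get("selfManagedLatticeResource")

    if managed is None and self_managed is None:
        findings.append(("ERROR", f"{where}: neither managedVpcResource nor "
                                  "selfManagedLatticeResource is set"))
    if managed is not None and self_managed is not None:
        # Local review policy (assumption): one route per endpoint keeps intent clear.
        findings.append(("WARN", f"{where}: both resource kinds are set"))

    # The page does not mark the identifier required; an empty block names no
    # resource, so this lint treats it as an error.
    if self_managed is not None and not self_managed.get("resourceConfigurationIdentifier"):
        findings.append(("ERROR", f"{where}: selfManagedLatticeResource names no "
                                  "resource configuration"))

    if managed is not None:
        for field in MANAGED_REQUIRED:
            if not managed.get(field):
                findings.append(("ERROR", f"{where}: managedVpcResource.{field} is required"))
        ip_type = managed.get("endpointIpAddressType")
        if ip_type and ip_type not in ALLOWED_IP_TYPES:
            findings.append(("ERROR", f"{where}: endpointIpAddressType {ip_type!r} "
                                      "is not IPV4 or IPV6"))
        if not managed.get("securityGroupIds"):
            # Documented behaviour: the VPC default security group is used instead.
            findings.append(("WARN", f"{where}: securityGroupIds omitted, so the VPC "
                                     "default security group is used"))
    return findings


def lint_custom_oauth2_config(config):
    """Lint privateEndpoint and every privateEndpointOverrides entry."""
    findings = []
    if "privateEndpoint" in config:
        findings += lint_private_endpoint(config["privateEndpoint"], "privateEndpoint")

    seen_domains = set()
    for i, override in enumerate(config.get("privateEndpointOverrides", [])):
        where = f"privateEndpointOverrides[{i}]"
        domain = override.get("domain")
        if not domain:
            findings.append(("ERROR", f"{where}: domain is required"))
        else:
            key = domain.lower().rstrip(".")  # DNS names compare case-insensitively
            if key in seen_domains:
                findings.append(("WARN", f"{where}: domain {domain!r} already has an override"))
            seen_domains.add(key)
        if "privateEndpoint" not in override:
            findings.append(("ERROR", f"{where}: privateEndpoint is required"))
        else:
            findings += lint_private_endpoint(override["privateEndpoint"],
                                              f"{where}.privateEndpoint")
    return findings


# Constructed sample input; every identifier below is a placeholder.
SAMPLE_CONFIG = {
    "privateEndpoint": {
        "managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE-a", "subnet-EXAMPLE-b"],
            "endpointIpAddressType": "IPV4",
            # securityGroupIds left out on purpose
        }
    },
    "privateEndpointOverrides": [
        {"domain": "idp.internal.example",
         "privateEndpoint": {"selfManagedLatticeResource": {
             "resourceConfigurationIdentifier": "rcfg-EXAMPLE"}}},
        {"domain": "IDP.internal.example",
         "privateEndpoint": {"managedVpcResource": {
             "vpcIdentifier": "vpc-EXAMPLE",
             "subnetIds": [],
             "endpointIpAddressType": "DUALSTACK",
             "securityGroupIds": ["sg-EXAMPLE"]}}},
    ],
}

if __name__ == "__main__":
    for severity, message in lint_custom_oauth2_config(SAMPLE_CONFIG):
        print(f"{severity:5} {message}")
```

The lint covers only the private-endpoint blocks; oauthDiscovery, clientId and clientSecret are still required by the API and are not checked here.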

rtype:

dict

returns:

Response Syntax

{
    'clientSecretArn': {
        'secretArn': 'string'
    },
    'name': 'string',
    'credentialProviderVendor': 'GoogleOauth2'|'GithubOauth2'|'SlackOauth2'|'SalesforceOauth2'|'MicrosoftOauth2'|'CustomOauth2'|'AtlassianOauth2'|'LinkedinOauth2'|'XOauth2'|'OktaOauth2'|'OneLoginOauth2'|'PingOneOauth2'|'FacebookOauth2'|'YandexOauth2'|'RedditOauth2'|'ZoomOauth2'|'TwitchOauth2'|'SpotifyOauth2'|'DropboxOauth2'|'NotionOauth2'|'HubspotOauth2'|'CyberArkOauth2'|'FusionAuthOauth2'|'Auth0Oauth2'|'CognitoOauth2',
    'credentialProviderArn': 'string',
    'callbackUrl': 'string',
    'oauth2ProviderConfigOutput': {
        'customOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string',
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        },
        'googleOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'githubOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'slackOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'salesforceOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'microsoftOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'atlassianOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'linkedinOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        },
        'includedOauth2ProviderConfig': {
            'oauthDiscovery': {
                'discoveryUrl': 'string',
                'authorizationServerMetadata': {
                    'issuer': 'string',
                    'authorizationEndpoint': 'string',
                    'tokenEndpoint': 'string',
                    'responseTypes': [
                        'string',
                    ],
                    'tokenEndpointAuthMethods': [
                        'string',
                    ]
                }
            },
            'clientId': 'string'
        }
    },
    'createdTime': datetime(2015, 1, 1),
    'lastUpdatedTime': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED'
}

Response Structure

  • (dict) --

    • clientSecretArn (dict) --

      The Amazon Resource Name (ARN) of the client secret in AWS Secrets Manager.

      • secretArn (string) --

        The Amazon Resource Name (ARN) of the secret in AWS Secrets Manager.

    • name (string) --

      The name of the OAuth2 credential provider.

    • credentialProviderVendor (string) --

      The vendor of the OAuth2 credential provider.

    • credentialProviderArn (string) --

      The Amazon Resource Name (ARN) of the OAuth2 credential provider.

    • callbackUrl (string) --

      Callback URL to register on the OAuth2 credential provider as an allowed callback URL. This URL is where the OAuth2 authorization server redirects users after they complete the authorization flow.

    • oauth2ProviderConfigOutput (dict) --

      The configuration output for the OAuth2 provider.

      • customOauth2ProviderConfig (dict) --

        The output configuration for a custom OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the custom provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the custom OAuth2 provider.

        • privateEndpoint (dict) --

          The default private endpoint for the custom OAuth2 provider, enabling secure connectivity through a VPC Lattice resource configuration.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          The list of private endpoint overrides for the custom OAuth2 provider. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • googleOauth2ProviderConfig (dict) --

        The output configuration for a Google OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Google provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Google OAuth2 provider.

      • githubOauth2ProviderConfig (dict) --

        The output configuration for a GitHub OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the GitHub provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the GitHub OAuth2 provider.

      • slackOauth2ProviderConfig (dict) --

        The output configuration for a Slack OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Slack provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Slack OAuth2 provider.

      • salesforceOauth2ProviderConfig (dict) --

        The output configuration for a Salesforce OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Salesforce provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Salesforce OAuth2 provider.

      • microsoftOauth2ProviderConfig (dict) --

        The output configuration for a Microsoft OAuth2 provider.

        • oauthDiscovery (dict) --

          The OAuth2 discovery information for the Microsoft provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Microsoft OAuth2 provider.

      • atlassianOauth2ProviderConfig (dict) --

        The configuration details for the Atlassian OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the Atlassian OAuth2 provider.

      • linkedinOauth2ProviderConfig (dict) --

        The configuration details for the LinkedIn OAuth2 provider.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the LinkedIn OAuth2 provider.

      • includedOauth2ProviderConfig (dict) --

        The configuration for a non-custom OAuth2 provider. This includes the configuration details for supported OAuth2 providers that have built-in integration support.

        • oauthDiscovery (dict) --

          Contains the discovery information for an OAuth2 provider.

          • discoveryUrl (string) --

            The discovery URL for the OAuth2 provider.

          • authorizationServerMetadata (dict) --

            The authorization server metadata for the OAuth2 provider.

            • issuer (string) --

              The issuer URL for the OAuth2 authorization server.

            • authorizationEndpoint (string) --

              The authorization endpoint URL for the OAuth2 authorization server.

            • tokenEndpoint (string) --

              The token endpoint URL for the OAuth2 authorization server.

            • responseTypes (list) --

              The supported response types for the OAuth2 authorization server.

              • (string) --

            • tokenEndpointAuthMethods (list) --

              The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server.

              • (string) --

        • clientId (string) --

          The client ID for the supported OAuth2 provider.

    • createdTime (datetime) --

      The timestamp when the OAuth2 credential provider was created.

    • lastUpdatedTime (datetime) --

      The timestamp when the OAuth2 credential provider was last updated.

    • status (string) --

      The current status of the OAuth2 credential provider.
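
An added example (not part of the AWS documentation): a Python review of the customOauth2ProviderConfig portion of this response. It reports every managedVpcResource that names no securityGroupIds, which this reference says falls back to the VPC default security group, and every discovery or metadata host that no private endpoint entry covers. The sample response is constructed; the function names, finding labels and the exact-host matching rule are assumptions of this example, not documented service behaviour.

```python
from urllib.parse import urlsplit

# Constructed sample shaped like customOauth2ProviderConfig in the Response
# Structure above. Every ID and hostname here is made up for the example.
SAMPLE_CONFIG = {
    "oauthDiscovery": {
        "discoveryUrl": "https://idp.corp.example/.well-known/openid-configuration",
        "authorizationServerMetadata": {
            "issuer": "https://idp.corp.example",
            "authorizationEndpoint": "https://idp.corp.example/authorize",
            "tokenEndpoint": "https://token.corp.example/oauth/token",
        },
    },
    "clientId": "example-client",
    "privateEndpoint": {
        "managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE1"],
            "endpointIpAddressType": "IPV4",
            # securityGroupIds omitted: the VPC default security group applies
        }
    },
    "privateEndpointOverrides": [
        {
            "domain": "token.corp.example",
            "privateEndpoint": {
                "managedVpcResource": {
                    "vpcIdentifier": "vpc-EXAMPLE",
                    "subnetIds": ["subnet-EXAMPLE2"],
                    "securityGroupIds": ["sg-EXAMPLE"],
                }
            },
        },
        {
            "domain": "jwks.corp.example",
            "privateEndpoint": {
                "selfManagedLatticeResource": {
                    "resourceConfigurationIdentifier": "rcfg-EXAMPLE"
                }
            },
        },
    ],
}

DEFAULT_LABEL = "(default)"  # label for the provider-wide privateEndpoint


def private_endpoints(cfg):
    """Return {label: endpoint} for the default endpoint and every override."""
    endpoints = {}
    if cfg.get("privateEndpoint"):
        endpoints[DEFAULT_LABEL] = cfg["privateEndpoint"]
    for entry in cfg.get("privateEndpointOverrides", []):
        endpoints[entry["domain"].lower()] = entry["privateEndpoint"]
    return endpoints


def uses_default_security_group(endpoint):
    """True when a managedVpcResource names no security group of its own."""
    managed = endpoint.get("managedVpcResource")
    return managed is not None and not managed.get("securityGroupIds")


def metadata_hosts(cfg):
    """Hostnames of the discovery URL, the issuer and the OAuth2 endpoints."""
    discovery = cfg.get("oauthDiscovery", {})
    meta = discovery.get("authorizationServerMetadata", {})
    urls = [
        discovery.get("discoveryUrl"),
        meta.get("issuer"),
        meta.get("authorizationEndpoint"),
        meta.get("tokenEndpoint"),
    ]
    hosts = {urlsplit(u).hostname for u in urls if u}
    hosts.discard(None)
    return sorted(hosts)


def audit(cfg):
    """Return sorted (subject, finding) tuples worth a reviewer's attention."""
    endpoints = private_endpoints(cfg)
    findings = []
    for label, endpoint in endpoints.items():
        if uses_default_security_group(endpoint):
            findings.append((label, "DEFAULT_SECURITY_GROUP"))
    for host in metadata_hosts(cfg):
        # Assumption of this example: an override covers a host on an exact
        # match of its domain; any other host relies on the default endpoint.
        if host not in endpoints and DEFAULT_LABEL not in endpoints:
            findings.append((host, "NO_PRIVATE_ENDPOINT"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```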

UpdateRegistry (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                           '| '
                                                                                                                                           'IPV6',
                                                                                                                  'routingDomain': 'string',
                                                                                                                  'securityGroupIds': ['string'],
                                                                                                                  'subnetIds': ['string'],
                                                                                                                  'tags': {'string': 'string'},
                                                                                                                  'vpcIdentifier': 'string'},
                                                                                           'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                                       'privateEndpointOverrides': [{'domain': 'string',
                                                                                                     'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                                         '| '
                                                                                                                                                                         'IPV6',
                                                                                                                                                'routingDomain': 'string',
                                                                                                                                                'securityGroupIds': ['string'],
                                                                                                                                                'subnetIds': ['string'],
                                                                                                                                                'tags': {'string': 'string'},
                                                                                                                                                'vpcIdentifier': 'string'},
                                                                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}}
Response
{'authorizerConfiguration': {'customJWTAuthorizer': {'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                         '| '
                                                                                                                         'IPV6',
                                                                                                'routingDomain': 'string',
                                                                                                'securityGroupIds': ['string'],
                                                                                                'subnetIds': ['string'],
                                                                                                'tags': {'string': 'string'},
                                                                                                'vpcIdentifier': 'string'},
                                                                         'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}},
                                                     'privateEndpointOverrides': [{'domain': 'string',
                                                                                   'privateEndpoint': {'managedVpcResource': {'endpointIpAddressType': 'IPV4 '
                                                                                                                                                       '| '
                                                                                                                                                       'IPV6',
                                                                                                                              'routingDomain': 'string',
                                                                                                                              'securityGroupIds': ['string'],
                                                                                                                              'subnetIds': ['string'],
                                                                                                                              'tags': {'string': 'string'},
                                                                                                                              'vpcIdentifier': 'string'},
                                                                                                       'selfManagedLatticeResource': {'resourceConfigurationIdentifier': 'string'}}}]}}}

Updates an existing registry. This operation uses PATCH semantics, so you only need to specify the fields you want to change.
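
An added example (not part of the AWS documentation) of the three states these PATCH semantics give each wrapped field: key omitted leaves the field unchanged, a wrapper with optionalValue sets it, and a wrapper without optionalValue clears it, as the description and authorizerConfiguration parameter descriptions for this operation state. The helper names, the sentinel and the registry ID are hypothetical; the block only builds and inspects keyword arguments and makes no API call.

```python
_UNCHANGED = object()  # sentinel (hypothetical): leave the field out of the request


def build_update_registry_kwargs(registry_id, *, description=_UNCHANGED,
                                 authorizer=_UNCHANGED,
                                 allow_clear_authorizer=False):
    """Build update_registry keyword arguments with explicit intent per field.

    _UNCHANGED -> key omitted, so the PATCH leaves the field as it is
    None       -> wrapper without optionalValue, which clears the field
    a value    -> wrapper with optionalValue set to that value
    """
    kwargs = {"registryId": registry_id}
    if description is not _UNCHANGED:
        kwargs["description"] = (
            {} if description is None else {"optionalValue": description}
        )
    if authorizer is not _UNCHANGED:
        if authorizer is None:
            # Clearing the authorizer must be a deliberate, reviewed choice.
            if not allow_clear_authorizer:
                raise ValueError(
                    "refusing to clear the authorizer configuration; "
                    "pass allow_clear_authorizer=True to do so on purpose"
                )
            kwargs["authorizerConfiguration"] = {}
        else:
            jwt = authorizer.get("customJWTAuthorizer", {})
            if not jwt.get("discoveryUrl"):
                raise ValueError("customJWTAuthorizer.discoveryUrl is required")
            kwargs["authorizerConfiguration"] = {"optionalValue": authorizer}
    return kwargs


def clears_authorizer(kwargs):
    """True when these kwargs would clear the registry's authorizer."""
    wrapper = kwargs.get("authorizerConfiguration")
    return wrapper is not None and "optionalValue" not in wrapper


def strip_none(value):
    """A typical 'drop unset values' helper, shown for its side effect here:
    it turns {'optionalValue': None} into {}, which is a clear request."""
    if isinstance(value, dict):
        return {k: strip_none(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [strip_none(v) for v in value if v is not None]
    return value


if __name__ == "__main__":
    # Constructed input: a caller that meant "no change" but passed None.
    careless = strip_none({
        "registryId": "registry-EXAMPLE",
        "authorizerConfiguration": {"optionalValue": None},
    })
    print(careless, "clears authorizer:", clears_authorizer(careless))
    print(build_update_registry_kwargs("registry-EXAMPLE", description=None))
```

Running clears_authorizer over the final keyword arguments just before the call catches the accidental clear regardless of how the arguments were assembled.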

See also: AWS API Documentation

Request Syntax

client.update_registry(
    registryId='string',
    name='string',
    description={
        'optionalValue': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ]
            }
        }
    },
    approvalConfiguration={
        'optionalValue': {
            'autoApproval': True|False
        }
    }
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to update. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

type name:

string

param name:

The updated name of the registry.

type description:

dict

param description:

The updated description of the registry. To clear the description, include the UpdatedDescription wrapper with optionalValue not specified.

  • optionalValue (string) --

    Represents an optional value that is used to update the human-readable description of the resource. If not specified, it will clear the current description of the resource.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the registry. Changing the authorizer configuration can break existing consumers of the registry who are using the authorization type prior to the update.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation.

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

      • privateEndpointOverrides (list) --

        A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

type approvalConfiguration:

dict

param approvalConfiguration:

The updated approval configuration for registry records. The updated configuration only affects new records that move to PENDING_APPROVAL status after the change. Existing records already in PENDING_APPROVAL status are not affected.

  • optionalValue (dict) --

    The updated approval configuration value. Set to null to unset the approval configuration.

    • autoApproval (boolean) --

      Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.
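A pre-flight review of UpdateRegistry keyword arguments, added here as an example and not part of the AWS reference: it flags the cases the parameter descriptions above call out (an authorizerConfiguration wrapper without optionalValue, autoApproval set to true, a managedVpcResource that falls back to the default security group, missing [REQUIRED] members). The function names, severity labels and sample identifiers are assumptions made for illustration.

```python
REQUIRED_VPC_KEYS = ("vpcIdentifier", "subnetIds", "endpointIpAddressType")
TOKEN_CHECKS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")

def _review_endpoint(endpoint, where):
    """Check one privateEndpoint dict; `where` names its place in the request."""
    managed = (endpoint or {}).get("managedVpcResource")
    if managed is None:  # absent, or a selfManagedLatticeResource is used instead
        return []
    findings = [("ERROR", f"{where}.managedVpcResource: missing required {key}")
                for key in REQUIRED_VPC_KEYS if not managed.get(key)]
    if not managed.get("securityGroupIds"):
        findings.append(("WARN", f"{where}.managedVpcResource: no securityGroupIds, "
                                 "so the VPC default security group is used"))
    return findings

def _review_jwt(jwt):
    """Check the customJWTAuthorizer dict and every private endpoint under it."""
    findings = []
    if not jwt.get("discoveryUrl"):
        findings.append(("ERROR", "customJWTAuthorizer: missing required discoveryUrl"))
    if not any(jwt.get(key) for key in TOKEN_CHECKS):
        findings.append(("WARN", "customJWTAuthorizer: none of "
                                 + ", ".join(TOKEN_CHECKS) + " is set"))
    findings += _review_endpoint(jwt.get("privateEndpoint"), "privateEndpoint")
    for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
        where = f"privateEndpointOverrides[{i}]"
        if not override.get("domain"):
            findings.append(("ERROR", f"{where}: missing required domain"))
        findings += _review_endpoint(override.get("privateEndpoint"),
                                     where + ".privateEndpoint")
    return findings

def review_update_registry_request(params):
    """Return (severity, message) findings for UpdateRegistry keyword arguments."""
    findings = []
    auth = params.get("authorizerConfiguration")
    if auth is not None:
        value = auth.get("optionalValue")
        if value is None:  # wrapper present but empty: the documented "clear" form
            findings.append(("HIGH", "authorizerConfiguration has no optionalValue: "
                                     "the current authorizer configuration is cleared"))
        elif value.get("customJWTAuthorizer") is not None:
            findings += _review_jwt(value["customJWTAuthorizer"])
    approval = (params.get("approvalConfiguration") or {}).get("optionalValue") or {}
    if approval.get("autoApproval") is True:
        findings.append(("HIGH", "autoApproval=True: records are approved on creation "
                                 "without an explicit approval step"))
    return findings

# Constructed sample request; every identifier below is a placeholder.
SAMPLE_REQUEST = {
    "registryId": "example-registry-id",
    "authorizerConfiguration": {"optionalValue": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.internal/.well-known/openid-configuration",
        "allowedAudience": ["example-audience"],
        "privateEndpointOverrides": [{
            "domain": "idp.example.internal",
            "privateEndpoint": {"managedVpcResource": {
                "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"],
                "endpointIpAddressType": "IPV4"}}}]}}},
    "approvalConfiguration": {"optionalValue": {"autoApproval": True}},
}
```

Run the review over the same dictionary that is later passed as keyword arguments to the update call, and treat any HIGH finding as requiring a second reviewer before the change is applied.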

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ]
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the updated registry.

    • description (string) --

      The description of the updated registry.

    • registryId (string) --

      The unique identifier of the updated registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the updated registry.

    • authorizerType (string) --

      The type of authorizer used by the updated registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the updated registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

        • privateEndpointOverrides (list) --

          A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.

    • approvalConfiguration (dict) --

      The approval configuration for the updated registry. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the updated registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status of the updated registry.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.