Amazon Bedrock Agent Core Control Plane Fronting Layer

2025/09/30 - Amazon Bedrock Agent Core Control Plane Fronting Layer - 1 updated api methods

Changes  Tagging support for AgentCore Gateway

CreateGateway (updated) Link ΒΆ
Changes (request)
{'tags': {'string': 'string'}}

Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.

To create a gateway, you must specify a name, protocol type, and IAM role. The role grants the gateway permission to access Amazon Web Services services and resources.

See also: AWS API Documentation

Request Syntax

client.create_gateway(
    name='string',
    description='string',
    clientToken='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    authorizerType='CUSTOM_JWT',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ]
        }
    },
    kmsKeyArn='string',
    exceptionLevel='DEBUG',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the gateway. The name must be unique within your account.

type description:

string

param description:

The description of the gateway.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If this token matches a previous request, the service ignores the request, but does not return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.

type protocolType:

string

param protocolType:

[REQUIRED]

The protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration settings for the protocol specified in the protocolType parameter.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the gateway.

type authorizerConfiguration:

dict

param authorizerConfiguration:

[REQUIRED]

The authorizer configuration for the gateway.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

type kmsKeyArn:

string

param kmsKeyArn:

The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type tags:

dict

param tags:

A map of key-value pairs to associate with the gateway as metadata tags.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC'
        }
    },
    'authorizerType': 'CUSTOM_JWT',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ]
        }
    },
    'kmsKeyArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the created gateway.

    • gatewayId (string) --

      The unique identifier of the created gateway.

    • gatewayUrl (string) --

      The URL endpoint for the created gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the gateway.

    • protocolType (string) --

      The protocol type of the gateway.

    • protocolConfiguration (dict) --

      The configuration settings for the protocol used by the gateway.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • authorizerType (string) --

      The type of authorizer used by the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the created gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

    • workloadIdentityDetails (dict) --

      The workload identity details for the created gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.