2025/12/02 - Amazon Bedrock AgentCore Control - 27 new, 13 updated API methods
Changes: Support for AgentCore Evaluations and Episodic memory strategy for AgentCore Memory.
Deletes an existing policy engine from the AgentCore Policy system. The policy engine must not have any associated policies before deletion. Once deleted, the policy engine and all its configurations become unavailable for policy management and evaluation. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.delete_policy_engine(
policyEngineId='string'
)
policyEngineId (string) -- [REQUIRED]
The unique identifier of the policy engine to be deleted. This must be a valid policy engine ID that exists within the account.
dict
Response Syntax
{
'policyEngineId': 'string',
'name': 'string',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyEngineArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyEngineId (string) --
The unique identifier of the policy engine being deleted. This confirms which policy engine the deletion operation targets.
name (string) --
The customer-assigned name of the deleted policy engine.
description (string) --
The human-readable description of the deleted policy engine.
createdAt (datetime) --
The timestamp when the deleted policy engine was originally created.
updatedAt (datetime) --
The timestamp when the deleted policy engine was last modified before deletion. This tracks the final state of the policy engine before it was removed from the system.
policyEngineArn (string) --
The Amazon Resource Name (ARN) of the deleted policy engine. This globally unique identifier confirms which policy engine resource was successfully removed.
status (string) --
The status of the policy engine deletion operation. This provides status about any issues that occurred during the deletion process.
statusReasons (list) --
Additional information about the deletion status. This provides details about the deletion process or any issues that may have occurred.
(string) --
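An added example, not part of the AWS reference: one way to honour the two constraints stated for DeletePolicyEngine, the empty-engine precondition (checked with ListPolicies, documented further down this page) and the asynchronous completion (polled with GetPolicyEngine). The function, exception and stub names are hypothetical, and it assumes that GetPolicyEngine fails with a `ResourceNotFoundException` error code once the engine is gone.

```python
"""Delete a policy engine only when it is empty, then poll until it is gone."""
import time


class PolicyEngineNotEmpty(Exception):
    """The engine still has policies, so the documented precondition fails."""


class PolicyEngineDeleteFailed(Exception):
    """The service reported DELETE_FAILED; statusReasons are in the message."""


def _error_code(exc):
    # botocore's ClientError exposes the service error code at
    # exc.response["Error"]["Code"]; read it without importing botocore.
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code")


def delete_policy_engine_and_wait(client, policy_engine_id, poll_seconds=5.0,
                                  timeout_seconds=300.0, sleep=time.sleep):
    """Return "DELETED" once the engine no longer exists, otherwise raise.

    Assumption (not stated on the page): after deletion completes,
    get_policy_engine raises an error whose code is ResourceNotFoundException.
    """
    # Precondition: refuse while any policy is attached. A nextToken on the
    # first page is treated as "more policies may exist" and also blocks.
    first_page = client.list_policies(policyEngineId=policy_engine_id)
    if first_page.get("policies") or first_page.get("nextToken"):
        raise PolicyEngineNotEmpty(f"{policy_engine_id} still has policies")

    current = client.delete_policy_engine(policyEngineId=policy_engine_id)
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = current.get("status")
        if status == "DELETE_FAILED":
            reasons = "; ".join(current.get("statusReasons", [])) or "no reason given"
            raise PolicyEngineDeleteFailed(f"{policy_engine_id}: {reasons}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"{policy_engine_id} still {status} after {timeout_seconds}s")
        sleep(poll_seconds)
        try:
            current = client.get_policy_engine(policyEngineId=policy_engine_id)
        except Exception as exc:
            if _error_code(exc) == "ResourceNotFoundException":
                return "DELETED"
            raise  # throttling, access denied, etc. are not "deleted"


class StubNotFound(Exception):
    """Constructed stand-in for botocore's ClientError."""
    response = {"Error": {"Code": "ResourceNotFoundException"}}


class StubClient:
    """Offline stand-in for the client (constructed, not real service output).

    poll_statuses are served one per get_policy_engine call; when the list is
    exhausted the stub raises StubNotFound.
    """

    def __init__(self, policies, poll_statuses, reasons=()):
        self.policies = list(policies)
        self.poll_statuses = list(poll_statuses)
        self.reasons = list(reasons)
        self.deleted = False

    def list_policies(self, policyEngineId):
        return {"policies": self.policies}

    def delete_policy_engine(self, policyEngineId):
        self.deleted = True
        return {"policyEngineId": policyEngineId, "status": "DELETING",
                "statusReasons": []}

    def get_policy_engine(self, policyEngineId):
        if not self.poll_statuses:
            raise StubNotFound()
        return {"policyEngineId": policyEngineId,
                "status": self.poll_statuses.pop(0),
                "statusReasons": self.reasons}


if __name__ == "__main__":
    stub = StubClient(policies=[], poll_statuses=["DELETING", "DELETING"])
    print(delete_policy_engine_and_wait(stub, "engine-constructed",
                                        sleep=lambda seconds: None))
```

Against a real account, pass the same `client` object the request syntax on this page uses in place of `StubClient`.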
Updates an online evaluation configuration's settings, including rules, data sources, evaluators, and execution status. Changes take effect immediately for ongoing evaluations.
See also: AWS API Documentation
Request Syntax
client.update_online_evaluation_config(
clientToken='string',
onlineEvaluationConfigId='string',
description='string',
rule={
'samplingConfig': {
'samplingPercentage': 123.0
},
'filters': [
{
'key': 'string',
'operator': 'Equals'|'NotEquals'|'GreaterThan'|'LessThan'|'GreaterThanOrEqual'|'LessThanOrEqual'|'Contains'|'NotContains',
'value': {
'stringValue': 'string',
'doubleValue': 123.0,
'booleanValue': True|False
}
},
],
'sessionConfig': {
'sessionTimeoutMinutes': 123
}
},
dataSourceConfig={
'cloudWatchLogs': {
'logGroupNames': [
'string',
],
'serviceNames': [
'string',
]
}
},
evaluators=[
{
'evaluatorId': 'string'
},
],
evaluationExecutionRoleArn='string',
executionStatus='ENABLED'|'DISABLED'
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
onlineEvaluationConfigId (string) -- [REQUIRED]
The unique identifier of the online evaluation configuration to update.
description (string) --
The updated description of the online evaluation configuration.
rule (dict) --
The updated evaluation rule containing sampling configuration, filters, and session settings.
samplingConfig (dict) -- [REQUIRED]
The sampling configuration that determines what percentage of agent traces to evaluate.
samplingPercentage (float) -- [REQUIRED]
The percentage of agent traces to sample for evaluation, ranging from 0.01% to 100%.
filters (list) --
The list of filters that determine which agent traces should be included in the evaluation based on trace properties.
(dict) --
The filter that applies conditions to agent traces during online evaluation to determine which traces should be evaluated.
key (string) -- [REQUIRED]
The key or field name to filter on within the agent trace data.
operator (string) -- [REQUIRED]
The comparison operator to use for filtering.
value (dict) -- [REQUIRED]
The value to compare against using the specified operator.
stringValue (string) --
The string value for text-based filtering.
doubleValue (float) --
The numeric value for numerical filtering and comparisons.
booleanValue (boolean) --
The boolean value for true/false filtering conditions.
sessionConfig (dict) --
The session configuration that defines timeout settings for detecting when agent sessions are complete and ready for evaluation.
sessionTimeoutMinutes (integer) -- [REQUIRED]
The number of minutes of inactivity after which an agent session is considered complete and ready for evaluation. Default is 15 minutes.
dataSourceConfig (dict) --
The updated data source configuration specifying CloudWatch log groups and service names to monitor.
cloudWatchLogs (dict) --
The CloudWatch logs configuration for reading agent traces from log groups.
logGroupNames (list) -- [REQUIRED]
The list of CloudWatch log group names to monitor for agent traces.
(string) --
serviceNames (list) -- [REQUIRED]
The list of service names to filter traces within the specified log groups. Used to identify relevant agent sessions.
(string) --
evaluators (list) --
The updated list of evaluators to apply during online evaluation.
(dict) --
The reference to an evaluator used in online evaluation configurations, containing the evaluator identifier.
evaluatorId (string) --
The unique identifier of the evaluator. Can reference builtin evaluators (e.g., Builtin.Helpfulness) or custom evaluators.
evaluationExecutionRoleArn (string) --
The updated Amazon Resource Name (ARN) of the IAM role used for evaluation execution.
executionStatus (string) --
The updated execution status to enable or disable the online evaluation.
dict
Response Syntax
{
'onlineEvaluationConfigArn': 'string',
'onlineEvaluationConfigId': 'string',
'updatedAt': datetime(2015, 1, 1),
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'executionStatus': 'ENABLED'|'DISABLED',
'failureReason': 'string'
}
Response Structure
(dict) --
onlineEvaluationConfigArn (string) --
The Amazon Resource Name (ARN) of the updated online evaluation configuration.
onlineEvaluationConfigId (string) --
The unique identifier of the updated online evaluation configuration.
updatedAt (datetime) --
The timestamp when the online evaluation configuration was last updated.
status (string) --
The status of the online evaluation configuration.
executionStatus (string) --
The execution status indicating whether the online evaluation is currently running.
failureReason (string) --
The reason for failure if the online evaluation configuration update or execution failed.
Retrieves detailed information about a specific policy engine within the AgentCore Policy system. This operation returns the complete policy engine configuration, metadata, and current status, allowing administrators to review and manage policy engine settings.
See also: AWS API Documentation
Request Syntax
client.get_policy_engine(
policyEngineId='string'
)
policyEngineId (string) -- [REQUIRED]
The unique identifier of the policy engine to be retrieved. This must be a valid policy engine ID that exists within the account.
dict
Response Syntax
{
'policyEngineId': 'string',
'name': 'string',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyEngineArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyEngineId (string) --
The unique identifier of the retrieved policy engine. This matches the policy engine ID provided in the request and serves as the system identifier.
name (string) --
The customer-assigned name of the policy engine. This is the human-readable identifier that was specified when the policy engine was created.
description (string) --
The human-readable description of the policy engine's purpose and scope. This helps administrators understand the policy engine's role in governance.
createdAt (datetime) --
The timestamp when the policy engine was originally created.
updatedAt (datetime) --
The timestamp when the policy engine was last modified. This tracks the most recent changes to the policy engine configuration.
policyEngineArn (string) --
The Amazon Resource Name (ARN) of the policy engine. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy engine.
statusReasons (list) --
Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine.
(string) --
Lists all online evaluation configurations in the account, providing summary information about each configuration's status and settings.
See also: AWS API Documentation
Request Syntax
client.list_online_evaluation_configs(
nextToken='string',
maxResults=123
)
nextToken (string) --
The pagination token from a previous request to retrieve the next page of results.
maxResults (integer) --
The maximum number of online evaluation configurations to return in a single response.
dict
Response Syntax
{
'onlineEvaluationConfigs': [
{
'onlineEvaluationConfigArn': 'string',
'onlineEvaluationConfigId': 'string',
'onlineEvaluationConfigName': 'string',
'description': 'string',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'executionStatus': 'ENABLED'|'DISABLED',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'failureReason': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
onlineEvaluationConfigs (list) --
The list of online evaluation configuration summaries containing basic information about each configuration.
(dict) --
The summary information about an online evaluation configuration, including basic metadata and execution status.
onlineEvaluationConfigArn (string) --
The Amazon Resource Name (ARN) of the online evaluation configuration.
onlineEvaluationConfigId (string) --
The unique identifier of the online evaluation configuration.
onlineEvaluationConfigName (string) --
The name of the online evaluation configuration.
description (string) --
The description of the online evaluation configuration.
status (string) --
The status of the online evaluation configuration.
executionStatus (string) --
The execution status indicating whether the online evaluation is currently running.
createdAt (datetime) --
The timestamp when the online evaluation configuration was created.
updatedAt (datetime) --
The timestamp when the online evaluation configuration was last updated.
failureReason (string) --
The reason for failure if the online evaluation configuration execution failed.
nextToken (string) --
The pagination token to use in a subsequent request to retrieve the next page of results.
Retrieves a list of policies within the AgentCore Policy engine. This operation supports pagination and filtering to help administrators manage and discover policies across policy engines. Results can be filtered by policy engine or resource associations.
See also: AWS API Documentation
Request Syntax
client.list_policies(
nextToken='string',
maxResults=123,
policyEngineId='string',
targetResourceScope='string'
)
nextToken (string) --
A pagination token returned from a previous ListPolicies call. Use this token to retrieve the next page of results when the response is paginated.
maxResults (integer) --
The maximum number of policies to return in a single response. If not specified, the default is 10 policies per page, with a maximum of 100 per page.
policyEngineId (string) -- [REQUIRED]
The identifier of the policy engine whose policies to retrieve.
targetResourceScope (string) --
Optional filter to list policies that apply to a specific resource scope or resource type. This helps narrow down policy results to those relevant for particular Amazon Web Services resources, agent tools, or operational contexts within the policy engine ecosystem.
dict
Response Syntax
{
'policies': [
{
'policyId': 'string',
'name': 'string',
'policyEngineId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
policies (list) --
An array of policy objects that match the specified criteria. Each policy object contains the policy metadata, status, and key identifiers for further operations.
(dict) --
Represents a complete policy resource within the AgentCore Policy system. Policies are ARN-able resources that contain Cedar policy statements and associated metadata for controlling agent behavior and access decisions. Each policy belongs to a policy engine and defines fine-grained authorization rules that are evaluated in real-time as agents interact with tools through Gateway. Policies use the Cedar policy language to specify who (principals based on OAuth claims like username, role, or scope) can perform what actions (tool calls) on which resources (Gateways), with optional conditions for attribute-based access control. Multiple policies can apply to a single request, with Cedar's forbid-wins semantics ensuring that security restrictions are never accidentally overridden.
policyId (string) --
The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.
name (string) --
The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.
policyEngineId (string) --
The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.
definition (dict) --
The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
description (string) --
A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.
createdAt (datetime) --
The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.
updatedAt (datetime) --
The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.
policyArn (string) --
The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy.
statusReasons (list) --
Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.
(string) --
nextToken (string) --
A pagination token that can be used in subsequent ListPolicies calls to retrieve additional results. This token is only present when there are more results available.
Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.update_policy(
policyEngineId='string',
policyId='string',
description='string',
definition={
'cedar': {
'statement': 'string'
}
},
validationMode='FAIL_ON_ANY_FINDINGS'|'IGNORE_ALL_FINDINGS'
)
policyEngineId (string) -- [REQUIRED]
The identifier of the policy engine that manages the policy to be updated. This ensures the policy is updated within the correct policy engine context.
policyId (string) -- [REQUIRED]
The unique identifier of the policy to be updated. This must be a valid policy ID that exists within the specified policy engine.
description (string) --
The new human-readable description for the policy. This optional field allows updating the policy's documentation while keeping the same policy logic.
definition (dict) -- [REQUIRED]
The new Cedar policy statement that defines the access control rules. This replaces the existing policy definition with new logic while maintaining the policy's identity.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) -- [REQUIRED]
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
validationMode (string) --
The validation mode for the policy update. Determines how Cedar analyzer validation results are handled during policy updates. FAIL_ON_ANY_FINDINGS runs the Cedar analyzer and fails the update if validation issues are detected, ensuring the policy conforms to the Cedar schema and tool context. IGNORE_ALL_FINDINGS runs the Cedar analyzer but allows updates despite validation warnings. Use FAIL_ON_ANY_FINDINGS to ensure policy correctness during updates, especially when modifying policy logic or conditions.
dict
Response Syntax
{
'policyId': 'string',
'name': 'string',
'policyEngineId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyId (string) --
The unique identifier of the updated policy.
name (string) --
The name of the updated policy.
policyEngineId (string) --
The identifier of the policy engine managing the updated policy.
definition (dict) --
The updated Cedar policy statement.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
description (string) --
The updated description of the policy.
createdAt (datetime) --
The original creation timestamp of the policy.
updatedAt (datetime) --
The timestamp when the policy was last updated.
policyArn (string) --
The ARN of the updated policy.
status (string) --
The current status of the updated policy.
statusReasons (list) --
Additional information about the update status.
(string) --
Deletes the resource-based policy for a specified resource.
See also: AWS API Documentation
Request Syntax
client.delete_resource_policy(
resourceArn='string'
)
resourceArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the resource for which to delete the resource policy.
dict
Response Syntax
{}
Response Structure
(dict) --
Retrieves detailed information about an evaluator, including its configuration, status, and metadata. Works with both built-in and custom evaluators.
See also: AWS API Documentation
Request Syntax
client.get_evaluator(
evaluatorId='string'
)
evaluatorId (string) -- [REQUIRED]
The unique identifier of the evaluator to retrieve. Can be a built-in evaluator ID (e.g., Builtin.Helpfulness) or a custom evaluator ID.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'evaluatorName': 'string',
'description': 'string',
'evaluatorConfig': {
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
}
},
'level': 'TOOL_CALL'|'TRACE'|'SESSION',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'lockedForModification': True|False
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the evaluator.
evaluatorId (string) --
The unique identifier of the evaluator.
evaluatorName (string) --
The name of the evaluator.
description (string) --
The description of the evaluator.
evaluatorConfig (dict) --
The configuration of the evaluator, including LLM-as-a-Judge settings for custom evaluators.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) --
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) --
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) --
The description that explains what this numerical rating represents and when it should be used.
value (float) --
The numerical value for this rating scale option.
label (string) --
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) --
The description that explains what this categorical rating represents and when it should be used.
label (string) --
The label or name of this categorical rating option.
modelConfig (dict) --
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) --
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (document) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
level (string) --
The evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
status (string) --
The current status of the evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
lockedForModification (boolean) --
Whether the evaluator is locked for modification due to being referenced by active online evaluation configurations.
Deletes a custom evaluator. Builtin evaluators cannot be deleted. The evaluator must not be referenced by any active online evaluation configurations.
See also: AWS API Documentation
Request Syntax
client.delete_evaluator(
evaluatorId='string'
)
evaluatorId (string) -- [REQUIRED]
The unique identifier of the evaluator to delete.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the deleted evaluator.
evaluatorId (string) --
The unique identifier of the deleted evaluator.
status (string) --
The status of the evaluator deletion operation.
Retrieves a list of generated policy assets from a policy generation request within the AgentCore Policy system. This operation returns the actual Cedar policies and related artifacts produced by the AI-powered policy generation process, allowing users to review and select from multiple generated policy options.
See also: AWS API Documentation
Request Syntax
client.list_policy_generation_assets(
policyGenerationId='string',
policyEngineId='string',
nextToken='string',
maxResults=123
)
policyGenerationId (string) -- [REQUIRED]
The unique identifier of the policy generation request whose assets are to be retrieved. This must be a valid generation ID from a previous StartPolicyGeneration call that has completed processing.
policyEngineId (string) -- [REQUIRED]
The unique identifier of the policy engine associated with the policy generation request. This provides the context for the generation operation and ensures assets are retrieved from the correct policy engine.
nextToken (string) --
A pagination token returned from a previous ListPolicyGenerationAssets call. Use this token to retrieve the next page of assets when the response is paginated due to large numbers of generated policy options.
maxResults (integer) --
The maximum number of policy generation assets to return in a single response. If not specified, the default is 10 assets per page, with a maximum of 100 per page. This helps control response size when dealing with policy generations that produce many alternative policy options.
dict
Response Syntax
{
'policyGenerationAssets': [
{
'policyGenerationAssetId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'rawTextFragment': 'string',
'findings': [
{
'type': 'VALID'|'INVALID'|'NOT_TRANSLATABLE'|'ALLOW_ALL'|'ALLOW_NONE'|'DENY_ALL'|'DENY_NONE',
'description': 'string'
},
]
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
policyGenerationAssets (list) --
An array of generated policy assets including Cedar policies and related artifacts from the AI-powered policy generation process. Each asset represents a different policy option or variation generated from the original natural language input.
(dict) --
Represents a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.
policyGenerationAssetId (string) --
The unique identifier for this generated policy asset within the policy generation request. This ID can be used to reference specific generated policy options when creating actual policies from the generation results.
definition (dict) --
Represents the definition structure for policies within the AgentCore Policy system. This structure encapsulates different policy formats and languages that can be used to define access control rules.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
rawTextFragment (string) --
The portion of the original natural language input that this generated policy asset addresses. This helps users understand which part of their policy description was translated into this specific Cedar policy statement, enabling better policy selection and refinement. When a single natural language input describes multiple authorization requirements, the generation process creates separate policy assets for each requirement, with each asset's rawTextFragment showing which requirement it addresses. Use this mapping to verify that all parts of your natural language input were correctly translated into Cedar policies.
findings (list) --
Analysis findings and insights related to this specific generated policy asset. These findings may include validation results, potential issues, or recommendations for improvement to help users evaluate the quality and appropriateness of the generated policy.
(dict) --
Represents a finding or issue discovered during policy generation or validation. Findings provide insights about potential problems, recommendations, or validation results from policy analysis operations. Finding types include: VALID (policy is ready to use), INVALID (policy has validation errors that must be fixed), NOT_TRANSLATABLE (input couldn't be converted to policy), ALLOW_ALL (policy would allow all actions, potential security risk), ALLOW_NONE (policy would allow no actions, unusable), DENY_ALL (policy would deny all actions, may be too restrictive), and DENY_NONE (policy would deny no actions, ineffective). Review all findings before creating policies from generated assets to ensure they match your security requirements.
type (string) --
The type or category of the finding. This classifies the finding as an error, warning, recommendation, or informational message to help users understand the severity and nature of the issue.
description (string) --
A human-readable description of the finding. This provides detailed information about the issue, recommendation, or validation result to help users understand and address the finding.
nextToken (string) --
A pagination token that can be used in subsequent ListPolicyGenerationAssets calls to retrieve additional assets. This token is only present when there are more generated policy assets available beyond the current response.
Lists all available evaluators, including both builtin evaluators provided by the service and custom evaluators created by the user.
See also: AWS API Documentation
Request Syntax
client.list_evaluators(
nextToken='string',
maxResults=123
)
string
The pagination token from a previous request to retrieve the next page of results.
integer
The maximum number of evaluators to return in a single response.
dict
Response Syntax
{
'evaluators': [
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'evaluatorName': 'string',
'description': 'string',
'evaluatorType': 'Builtin'|'Custom',
'level': 'TOOL_CALL'|'TRACE'|'SESSION',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'lockedForModification': True|False
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
evaluators (list) --
The list of evaluator summaries containing basic information about each evaluator.
(dict) --
The summary information about an evaluator, including basic metadata and status information.
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the evaluator.
evaluatorId (string) --
The unique identifier of the evaluator.
evaluatorName (string) --
The name of the evaluator.
description (string) --
The description of the evaluator.
evaluatorType (string) --
The type of evaluator, indicating whether it is a built-in evaluator provided by the service or a custom evaluator created by the user.
level (string) --
The evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
status (string) --
The current status of the evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
lockedForModification (boolean) --
Whether the evaluator is locked for modification due to being referenced by active online evaluation configurations.
nextToken (string) --
The pagination token to use in a subsequent request to retrieve the next page of results.
Creates a new policy engine within the AgentCore Policy system. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with Gateways (each Gateway can be associated with at most one policy engine, but multiple Gateways can be associated with the same engine), the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.create_policy_engine(
name='string',
description='string',
clientToken='string'
)
string
[REQUIRED]
The customer-assigned immutable name for the policy engine. This name identifies the policy engine and cannot be changed after creation.
string
A human-readable description of the policy engine's purpose and scope (1-4,096 characters). This helps administrators understand the policy engine's role in the overall governance strategy. Document which Gateway this engine will be associated with, what types of tools or workflows it governs, and the team or service responsible for maintaining it. Clear descriptions are essential when managing multiple policy engines across different services or environments.
string
A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If you retry a request with the same client token, the service returns the same response without creating a duplicate policy engine.
This field is autopopulated if not provided.
dict
Response Syntax
{
'policyEngineId': 'string',
'name': 'string',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyEngineArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyEngineId (string) --
The unique identifier for the created policy engine. This system-generated identifier consists of the user name plus a 10-character generated suffix and is used for all subsequent policy engine operations.
name (string) --
The customer-assigned name of the created policy engine. This matches the name provided in the request and serves as the human-readable identifier.
description (string) --
A human-readable description of the policy engine's purpose.
createdAt (datetime) --
The timestamp when the policy engine was created. This is automatically set by the service and used for auditing and lifecycle management.
updatedAt (datetime) --
The timestamp when the policy engine was last updated. For newly created policy engines, this matches the createdAt timestamp.
policyEngineArn (string) --
The Amazon Resource Name (ARN) of the created policy engine. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy engine. A status of ACTIVE indicates the policy engine is ready for use.
statusReasons (list) --
Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine creation process.
(string) --
Creates a custom evaluator for agent quality assessment. Custom evaluators use LLM-as-a-Judge configurations with user-defined prompts, rating scales, and model settings to evaluate agent performance at tool call, trace, or session levels.
See also: AWS API Documentation
Request Syntax
client.create_evaluator(
clientToken='string',
evaluatorName='string',
description='string',
evaluatorConfig={
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
}
},
level='TOOL_CALL'|'TRACE'|'SESSION'
)
string
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
string
[REQUIRED]
The name of the evaluator. Must be unique within your account.
string
The description of the evaluator that explains its purpose and evaluation criteria.
dict
[REQUIRED]
The configuration for the evaluator, including LLM-as-a-Judge settings with instructions, rating scale, and model configuration.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) -- [REQUIRED]
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) -- [REQUIRED]
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this numerical rating represents and when it should be used.
value (float) -- [REQUIRED]
The numerical value for this rating scale option.
label (string) -- [REQUIRED]
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this categorical rating represents and when it should be used.
label (string) -- [REQUIRED]
The label or name of this categorical rating option.
modelConfig (dict) -- [REQUIRED]
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) -- [REQUIRED]
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (document) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
string
[REQUIRED]
The evaluation level that determines the scope of evaluation. Valid values are TOOL_CALL for individual tool invocations, TRACE for single request-response interactions, or SESSION for entire conversation sessions.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the created evaluator.
evaluatorId (string) --
The unique identifier of the created evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
status (string) --
The status of the evaluator creation operation.
Creates a policy within the AgentCore Policy system. Policies provide real-time, deterministic control over agentic interactions with AgentCore Gateway. Using the Cedar policy language, you can define fine-grained policies that specify which interactions with Gateway tools are permitted based on input parameters and OAuth claims, ensuring agents operate within defined boundaries and business rules. The policy is validated during creation against the Cedar schema generated from the Gateway's tools' input schemas, which defines the available tools, their parameters, and expected data types. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.create_policy(
name='string',
definition={
'cedar': {
'statement': 'string'
}
},
description='string',
validationMode='FAIL_ON_ANY_FINDINGS'|'IGNORE_ALL_FINDINGS',
policyEngineId='string',
clientToken='string'
)
string
[REQUIRED]
The customer-assigned immutable name for the policy. Must be unique within the account. This name is used for policy identification and cannot be changed after creation.
dict
[REQUIRED]
The Cedar policy statement that defines the access control rules. This contains the actual policy logic written in Cedar policy language, specifying effect (permit or forbid), principals, actions, resources, and conditions for agent behavior control.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) -- [REQUIRED]
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
string
A human-readable description of the policy's purpose and functionality (1-4,096 characters). This helps policy administrators understand the policy's intent, business rules, and operational scope. Use this field to document why the policy exists, what business requirement it addresses, and any special considerations for maintenance. Clear descriptions are essential for policy governance, auditing, and troubleshooting.
string
The validation mode for the policy creation. Determines how Cedar analyzer validation results are handled during policy creation. FAIL_ON_ANY_FINDINGS (default) runs the Cedar analyzer to validate the policy against the Cedar schema and tool context, failing creation if the analyzer detects any validation issues to ensure strict conformance. IGNORE_ALL_FINDINGS runs the Cedar analyzer but allows policy creation even if validation issues are detected, useful for testing or when the policy schema is evolving. Use FAIL_ON_ANY_FINDINGS for production policies to ensure correctness, and IGNORE_ALL_FINDINGS only when you understand and accept the analyzer findings.
string
[REQUIRED]
The identifier of the policy engine which contains this policy. Policy engines group related policies and provide the execution context for policy evaluation.
string
A unique, case-sensitive identifier to ensure the idempotency of the request. The AWS SDK automatically generates this token, so you don't need to provide it in most cases. If you retry a request with the same client token, the service returns the same response without creating a duplicate policy.
This field is autopopulated if not provided.
dict
Response Syntax
{
'policyId': 'string',
'name': 'string',
'policyEngineId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyId (string) --
The unique identifier for the created policy. This is a system-generated identifier consisting of the user name plus a 10-character generated suffix, used for all subsequent policy operations.
name (string) --
The customer-assigned name of the created policy. This matches the name provided in the request and serves as the human-readable identifier for the policy.
policyEngineId (string) --
The identifier of the policy engine that manages this policy. This confirms the policy engine assignment and is used for policy evaluation routing.
definition (dict) --
The Cedar policy statement that was created. This is the validated policy definition that will be used for agent behavior control and access decisions.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
description (string) --
The human-readable description of the policy's purpose and functionality. This helps administrators understand and manage the policy.
createdAt (datetime) --
The timestamp when the policy was created. This is automatically set by the service and used for auditing and lifecycle management.
updatedAt (datetime) --
The timestamp when the policy was last updated. For newly created policies, this matches the createdAt timestamp.
policyArn (string) --
The Amazon Resource Name (ARN) of the created policy. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy. A status of ACTIVE indicates the policy is ready for use.
statusReasons (list) --
Additional information about the policy status. This provides details about any failures or the current state of the policy creation process.
(string) --
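The finding types described for generated policy assets and the validationMode parameter of create_policy can be combined into a fail-closed review gate. The following is an added example, not code from the AWS documentation: it accepts only assets whose findings are all VALID and builds create_policy keyword arguments with FAIL_ON_ANY_FINDINGS. The asset dicts, Cedar statements, engine ID and name prefix are constructed, and the asset's definition.cedar.statement nesting is assumed to mirror the create_policy request shape.

```python
# Added example: gate generated Cedar policy assets on their findings before
# building create_policy requests. Asset dicts and Cedar text are constructed.

# Finding types listed on this page; anything other than VALID blocks creation.
BLOCKING_TYPES = {
    "INVALID", "NOT_TRANSLATABLE", "ALLOW_ALL",
    "ALLOW_NONE", "DENY_ALL", "DENY_NONE",
}
MAX_DESCRIPTION = 4096  # description length limit stated for create_policy


def cedar_statement(asset):
    """Return the asset's Cedar statement, or '' if absent.

    Assumption: the asset nests it as definition.cedar.statement, mirroring
    the create_policy request shape.
    """
    definition = asset.get("definition") or {}
    cedar = definition.get("cedar") or {}
    return (cedar.get("statement") or "").strip()


def triage_asset(asset):
    """Return (accepted, reasons) for one generated policy asset.

    Fail closed: reject when the statement is missing, when no findings were
    returned, or when any finding is not VALID (including unknown types).
    """
    reasons = []
    if not cedar_statement(asset):
        reasons.append("no Cedar statement")
    findings = asset.get("findings") or []
    if not findings:
        reasons.append("no findings returned")
    for finding in findings:
        ftype = finding.get("type")
        if ftype == "VALID":
            continue
        label = ftype if ftype in BLOCKING_TYPES else f"UNKNOWN({ftype})"
        reasons.append(f"{label}: {finding.get('description', '')}")
    return (not reasons, reasons)


def build_create_policy_requests(assets, policy_engine_id, name_prefix):
    """Split assets into create_policy kwargs and a rejection report.

    Each accepted dict can be passed as client.create_policy(**request).
    The name scheme (prefix plus index) is hypothetical.
    """
    requests, rejected = [], []
    for index, asset in enumerate(assets, start=1):
        accepted, reasons = triage_asset(asset)
        fragment = asset.get("rawTextFragment", "")
        if not accepted:
            # Keep the fragment so a reviewer sees which requirement was lost.
            rejected.append({"rawTextFragment": fragment, "reasons": reasons})
            continue
        requests.append({
            "name": f"{name_prefix}_{index}",
            "policyEngineId": policy_engine_id,
            "definition": {"cedar": {"statement": cedar_statement(asset)}},
            "description": f"Generated from: {fragment}"[:MAX_DESCRIPTION],
            # Let the service re-run the analyzer and refuse on any finding.
            "validationMode": "FAIL_ON_ANY_FINDINGS",
        })
    return requests, rejected


# Constructed sample assets (not real service output).
SAMPLE_ASSETS = [
    {
        "rawTextFragment": "Allow refunds under 500 dollars",
        "definition": {"cedar": {"statement":
            'permit(principal, action == Action::"refund", resource) '
            "when { context.amount < 500 };"}},
        "findings": [{"type": "VALID", "description": "Policy is ready to use"}],
    },
    {
        "rawTextFragment": "Let support agents do what they need",
        "definition": {"cedar": {"statement": "permit(principal, action, resource);"}},
        "findings": [{"type": "ALLOW_ALL",
                      "description": "Policy would allow all actions"}],
    },
    {
        "rawTextFragment": "Be nice to customers",
        "definition": {"cedar": {"statement": ""}},
        "findings": [{"type": "NOT_TRANSLATABLE",
                      "description": "Input could not be converted to policy"}],
    },
]

if __name__ == "__main__":
    ok, bad = build_create_policy_requests(
        SAMPLE_ASSETS, "example-engine-id", "refund_rules")
    for request in ok:
        print("create:", request["name"], "->", request["definition"])
    for entry in bad:
        print("rejected:", entry["rawTextFragment"], entry["reasons"])
```

The rejection report keeps each rawTextFragment, so the parts of the natural language input that did not become a usable policy stay visible for review.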
Retrieves information about a policy generation request within the AgentCore Policy system. Policy generation converts natural language descriptions into Cedar policy statements using AI-powered translation, enabling non-technical users to create policies.
See also: AWS API Documentation
Request Syntax
client.get_policy_generation(
policyGenerationId='string',
policyEngineId='string'
)
string
[REQUIRED]
The unique identifier of the policy generation request to be retrieved. This must be a valid generation ID from a previous StartPolicyGeneration call.
string
[REQUIRED]
The identifier of the policy engine associated with the policy generation request. This provides the context for the generation operation and schema validation.
dict
Response Syntax
{
'policyEngineId': 'string',
'policyGenerationId': 'string',
'name': 'string',
'policyGenerationArn': 'string',
'resource': {
'arn': 'string'
},
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'GENERATING'|'GENERATED'|'GENERATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
],
'findings': 'string'
}
Response Structure
(dict) --
policyEngineId (string) --
The identifier of the policy engine associated with this policy generation. This confirms the policy engine context for the generation operation.
policyGenerationId (string) --
The unique identifier of the policy generation request. This matches the generation ID provided in the request and serves as the tracking identifier.
name (string) --
The customer-assigned name for the policy generation request. This helps identify and track generation operations across multiple requests.
policyGenerationArn (string) --
The Amazon Resource Name (ARN) of the policy generation. This globally unique identifier can be used for tracking, auditing, and cross-service references.
resource (dict) --
The resource information associated with the policy generation. This provides context about the target resources for which the policies are being generated.
arn (string) --
The Amazon Resource Name (ARN) of the resource. This globally unique identifier specifies the exact resource that policies will be evaluated against for access control decisions.
createdAt (datetime) --
The timestamp when the policy generation request was created. This is used for tracking and auditing generation operations and their lifecycle.
updatedAt (datetime) --
The timestamp when the policy generation was last updated. This tracks the progress of the generation process and any status changes.
status (string) --
The current status of the policy generation. This indicates whether the generation is in progress, completed successfully, or failed during processing.
statusReasons (list) --
Additional information about the generation status. This provides details about any failures, warnings, or the current state of the generation process.
(string) --
findings (string) --
The findings and results from the policy generation process. This includes any issues, recommendations, validation results, or insights from the generated policies.
Retrieves the resource-based policy for a specified resource.
See also: AWS API Documentation
Request Syntax
client.get_resource_policy(
resourceArn='string'
)
string
[REQUIRED]
The Amazon Resource Name (ARN) of the resource for which to retrieve the resource policy.
dict
Response Syntax
{
'policy': 'string'
}
Response Structure
(dict) --
policy (string) --
The resource policy associated with the specified resource.
Deletes an existing policy from the AgentCore Policy system. Once deleted, the policy can no longer be used for agent behavior control and all references to it become invalid. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.delete_policy(
policyEngineId='string',
policyId='string'
)
string
[REQUIRED]
The identifier of the policy engine that manages the policy to be deleted. This ensures the policy is deleted from the correct policy engine context.
string
[REQUIRED]
The unique identifier of the policy to be deleted. This must be a valid policy ID that exists within the specified policy engine.
dict
Response Syntax
{
'policyId': 'string',
'name': 'string',
'policyEngineId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyId (string) --
The unique identifier of the policy being deleted. This confirms which policy the deletion operation targets.
name (string) --
The customer-assigned name of the deleted policy. This confirms which policy was successfully removed from the system and matches the name that was originally assigned during policy creation.
policyEngineId (string) --
The identifier of the policy engine from which the policy was deleted. This confirms the policy engine context for the deletion operation.
definition (dict) --
Represents the definition structure for policies within the AgentCore Policy system. This structure encapsulates different policy formats and languages that can be used to define access control rules.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
description (string) --
The human-readable description of the deleted policy.
createdAt (datetime) --
The timestamp when the deleted policy was originally created.
updatedAt (datetime) --
The timestamp when the deleted policy was last modified before deletion. This tracks the final state of the policy before it was removed from the system.
policyArn (string) --
The Amazon Resource Name (ARN) of the deleted policy. This globally unique identifier confirms which policy resource was successfully removed.
status (string) --
The status of the policy deletion operation. This provides information about any issues that occurred during the deletion process.
statusReasons (list) --
Additional information about the deletion status. This provides details about the deletion process or any issues that may have occurred.
(string) --
Retrieves detailed information about an online evaluation configuration, including its rules, data sources, evaluators, and execution status.
See also: AWS API Documentation
Request Syntax
client.get_online_evaluation_config(
onlineEvaluationConfigId='string'
)
string
[REQUIRED]
The unique identifier of the online evaluation configuration to retrieve.
dict
Response Syntax
{
'onlineEvaluationConfigArn': 'string',
'onlineEvaluationConfigId': 'string',
'onlineEvaluationConfigName': 'string',
'description': 'string',
'rule': {
'samplingConfig': {
'samplingPercentage': 123.0
},
'filters': [
{
'key': 'string',
'operator': 'Equals'|'NotEquals'|'GreaterThan'|'LessThan'|'GreaterThanOrEqual'|'LessThanOrEqual'|'Contains'|'NotContains',
'value': {
'stringValue': 'string',
'doubleValue': 123.0,
'booleanValue': True|False
}
},
],
'sessionConfig': {
'sessionTimeoutMinutes': 123
}
},
'dataSourceConfig': {
'cloudWatchLogs': {
'logGroupNames': [
'string',
],
'serviceNames': [
'string',
]
}
},
'evaluators': [
{
'evaluatorId': 'string'
},
],
'outputConfig': {
'cloudWatchConfig': {
'logGroupName': 'string'
}
},
'evaluationExecutionRoleArn': 'string',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'executionStatus': 'ENABLED'|'DISABLED',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'failureReason': 'string'
}
Response Structure
(dict) --
onlineEvaluationConfigArn (string) --
The Amazon Resource Name (ARN) of the online evaluation configuration.
onlineEvaluationConfigId (string) --
The unique identifier of the online evaluation configuration.
onlineEvaluationConfigName (string) --
The name of the online evaluation configuration.
description (string) --
The description of the online evaluation configuration.
rule (dict) --
The evaluation rule containing sampling configuration, filters, and session settings.
samplingConfig (dict) --
The sampling configuration that determines what percentage of agent traces to evaluate.
samplingPercentage (float) --
The percentage of agent traces to sample for evaluation, ranging from 0.01% to 100%.
filters (list) --
The list of filters that determine which agent traces should be included in the evaluation based on trace properties.
(dict) --
The filter that applies conditions to agent traces during online evaluation to determine which traces should be evaluated.
key (string) --
The key or field name to filter on within the agent trace data.
operator (string) --
The comparison operator to use for filtering.
value (dict) --
The value to compare against using the specified operator.
stringValue (string) --
The string value for text-based filtering.
doubleValue (float) --
The numeric value for numerical filtering and comparisons.
booleanValue (boolean) --
The boolean value for true/false filtering conditions.
sessionConfig (dict) --
The session configuration that defines timeout settings for detecting when agent sessions are complete and ready for evaluation.
sessionTimeoutMinutes (integer) --
The number of minutes of inactivity after which an agent session is considered complete and ready for evaluation. Default is 15 minutes.
dataSourceConfig (dict) --
The data source configuration specifying CloudWatch log groups and service names to monitor.
cloudWatchLogs (dict) --
The CloudWatch logs configuration for reading agent traces from log groups.
logGroupNames (list) --
The list of CloudWatch log group names to monitor for agent traces.
(string) --
serviceNames (list) --
The list of service names to filter traces within the specified log groups. Used to identify relevant agent sessions.
(string) --
evaluators (list) --
The list of evaluators applied during online evaluation.
(dict) --
The reference to an evaluator used in online evaluation configurations, containing the evaluator identifier.
evaluatorId (string) --
The unique identifier of the evaluator. Can reference builtin evaluators (e.g., Builtin.Helpfulness) or custom evaluators.
outputConfig (dict) --
The output configuration specifying where evaluation results are written.
cloudWatchConfig (dict) --
The CloudWatch configuration for writing evaluation results to CloudWatch logs with embedded metric format.
logGroupName (string) --
The name of the CloudWatch log group where evaluation results will be written. The log group will be created if it doesn't exist.
evaluationExecutionRoleArn (string) --
The Amazon Resource Name (ARN) of the IAM role used for evaluation execution.
status (string) --
The status of the online evaluation configuration.
executionStatus (string) --
The execution status indicating whether the online evaluation is currently running.
createdAt (datetime) --
The timestamp when the online evaluation configuration was created.
updatedAt (datetime) --
The timestamp when the online evaluation configuration was last updated.
failureReason (string) --
The reason for failure if the online evaluation configuration execution failed.
Updates an existing policy engine within the AgentCore Policy system. This operation allows modification of the policy engine description while maintaining its identity. This is an asynchronous operation. Use the GetPolicyEngine operation to poll the status field to track completion.
See also: AWS API Documentation
Request Syntax
client.update_policy_engine(
policyEngineId='string',
description='string'
)
string
[REQUIRED]
The unique identifier of the policy engine to be updated.
string
The new description for the policy engine.
dict
Response Syntax
{
'policyEngineId': 'string',
'name': 'string',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyEngineArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyEngineId (string) --
The unique identifier of the updated policy engine.
name (string) --
The name of the updated policy engine.
description (string) --
The updated description of the policy engine.
createdAt (datetime) --
The original creation timestamp of the policy engine.
updatedAt (datetime) --
The timestamp when the policy engine was last updated.
policyEngineArn (string) --
The ARN of the updated policy engine.
status (string) --
The current status of the updated policy engine.
statusReasons (list) --
Additional information about the update status.
(string) --
Creates or updates a resource-based policy for a resource with the specified resourceArn.
See also: AWS API Documentation
Request Syntax
client.put_resource_policy(
resourceArn='string',
policy='string'
)
resourceArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
policy (string) -- [REQUIRED]
The resource policy to create or update.
dict
Response Syntax
{
'policy': 'string'
}
Response Structure
(dict) --
policy (string) --
The resource policy that was created or updated.
Creates an online evaluation configuration for continuous monitoring of agent performance. Online evaluation automatically samples live traffic from CloudWatch logs at specified rates and applies evaluators to assess agent quality in production.
See also: AWS API Documentation
Request Syntax
client.create_online_evaluation_config(
clientToken='string',
onlineEvaluationConfigName='string',
description='string',
rule={
'samplingConfig': {
'samplingPercentage': 123.0
},
'filters': [
{
'key': 'string',
'operator': 'Equals'|'NotEquals'|'GreaterThan'|'LessThan'|'GreaterThanOrEqual'|'LessThanOrEqual'|'Contains'|'NotContains',
'value': {
'stringValue': 'string',
'doubleValue': 123.0,
'booleanValue': True|False
}
},
],
'sessionConfig': {
'sessionTimeoutMinutes': 123
}
},
dataSourceConfig={
'cloudWatchLogs': {
'logGroupNames': [
'string',
],
'serviceNames': [
'string',
]
}
},
evaluators=[
{
'evaluatorId': 'string'
},
],
evaluationExecutionRoleArn='string',
enableOnCreate=True|False
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
onlineEvaluationConfigName (string) -- [REQUIRED]
The name of the online evaluation configuration. Must be unique within your account.
description (string) --
The description of the online evaluation configuration that explains its monitoring purpose and scope.
rule (dict) -- [REQUIRED]
The evaluation rule that defines sampling configuration, filters, and session detection settings for the online evaluation.
samplingConfig (dict) -- [REQUIRED]
The sampling configuration that determines what percentage of agent traces to evaluate.
samplingPercentage (float) -- [REQUIRED]
The percentage of agent traces to sample for evaluation, ranging from 0.01% to 100%.
filters (list) --
The list of filters that determine which agent traces should be included in the evaluation based on trace properties.
(dict) --
The filter that applies conditions to agent traces during online evaluation to determine which traces should be evaluated.
key (string) -- [REQUIRED]
The key or field name to filter on within the agent trace data.
operator (string) -- [REQUIRED]
The comparison operator to use for filtering.
value (dict) -- [REQUIRED]
The value to compare against using the specified operator.
stringValue (string) --
The string value for text-based filtering.
doubleValue (float) --
The numeric value for numerical filtering and comparisons.
booleanValue (boolean) --
The boolean value for true/false filtering conditions.
sessionConfig (dict) --
The session configuration that defines timeout settings for detecting when agent sessions are complete and ready for evaluation.
sessionTimeoutMinutes (integer) -- [REQUIRED]
The number of minutes of inactivity after which an agent session is considered complete and ready for evaluation. Default is 15 minutes.
dataSourceConfig (dict) -- [REQUIRED]
The data source configuration that specifies CloudWatch log groups and service names to monitor for agent traces.
cloudWatchLogs (dict) --
The CloudWatch logs configuration for reading agent traces from log groups.
logGroupNames (list) -- [REQUIRED]
The list of CloudWatch log group names to monitor for agent traces.
(string) --
serviceNames (list) -- [REQUIRED]
The list of service names to filter traces within the specified log groups. Used to identify relevant agent sessions.
(string) --
evaluators (list) -- [REQUIRED]
The list of evaluators to apply during online evaluation. Can include both built-in evaluators and custom evaluators created with CreateEvaluator.
(dict) --
The reference to an evaluator used in online evaluation configurations, containing the evaluator identifier.
evaluatorId (string) --
The unique identifier of the evaluator. Can reference builtin evaluators (e.g., Builtin.Helpfulness) or custom evaluators.
evaluationExecutionRoleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that grants permissions to read from CloudWatch logs, write evaluation results, and invoke Amazon Bedrock models for evaluation.
enableOnCreate (boolean) -- [REQUIRED]
Whether to enable the online evaluation configuration immediately upon creation. If true, evaluation begins automatically.
dict
Response Syntax
{
'onlineEvaluationConfigArn': 'string',
'onlineEvaluationConfigId': 'string',
'createdAt': datetime(2015, 1, 1),
'outputConfig': {
'cloudWatchConfig': {
'logGroupName': 'string'
}
},
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'executionStatus': 'ENABLED'|'DISABLED',
'failureReason': 'string'
}
Response Structure
(dict) --
onlineEvaluationConfigArn (string) --
The Amazon Resource Name (ARN) of the created online evaluation configuration.
onlineEvaluationConfigId (string) --
The unique identifier of the created online evaluation configuration.
createdAt (datetime) --
The timestamp when the online evaluation configuration was created.
outputConfig (dict) --
The configuration that specifies where evaluation results should be written for monitoring and analysis.
cloudWatchConfig (dict) --
The CloudWatch configuration for writing evaluation results to CloudWatch logs with embedded metric format.
logGroupName (string) --
The name of the CloudWatch log group where evaluation results will be written. The log group will be created if it doesn't exist.
status (string) --
The status of the online evaluation configuration.
executionStatus (string) --
The execution status indicating whether the online evaluation is currently running.
failureReason (string) --
The reason for failure if the online evaluation configuration creation or execution failed.
Retrieves a list of policy generation requests within the AgentCore Policy system. This operation supports pagination and filtering to help track and manage AI-powered policy generation operations.
See also: AWS API Documentation
Request Syntax
client.list_policy_generations(
nextToken='string',
maxResults=123,
policyEngineId='string'
)
nextToken (string) --
A pagination token for retrieving additional policy generations when results are paginated.
maxResults (integer) --
The maximum number of policy generations to return in a single response.
policyEngineId (string) -- [REQUIRED]
The identifier of the policy engine whose policy generations to retrieve.
dict
Response Syntax
{
'policyGenerations': [
{
'policyEngineId': 'string',
'policyGenerationId': 'string',
'name': 'string',
'policyGenerationArn': 'string',
'resource': {
'arn': 'string'
},
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'GENERATING'|'GENERATED'|'GENERATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
],
'findings': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
policyGenerations (list) --
An array of policy generation objects that match the specified criteria.
(dict) --
Represents a policy generation request within the AgentCore Policy system. Tracks the AI-powered conversion of natural language descriptions into Cedar policy statements, enabling users to author policies by describing authorization requirements in plain English. The generation process analyzes the natural language input along with the Gateway's tool context and Cedar schema to produce one or more validated policy options. Each generation request tracks the status of the conversion process and maintains findings about the generated policies, including validation results and potential issues. Generated policy assets remain available for one week after successful generation, allowing time to review and create policies from the generated options.
policyEngineId (string) --
The identifier of the policy engine associated with this generation request.
policyGenerationId (string) --
The unique identifier for this policy generation request.
name (string) --
The customer-assigned name for this policy generation request.
policyGenerationArn (string) --
The ARN of this policy generation request.
resource (dict) --
The resource information associated with this policy generation.
arn (string) --
The Amazon Resource Name (ARN) of the resource. This globally unique identifier specifies the exact resource that policies will be evaluated against for access control decisions.
createdAt (datetime) --
The timestamp when this policy generation request was created.
updatedAt (datetime) --
The timestamp when this policy generation was last updated.
status (string) --
The current status of this policy generation request.
statusReasons (list) --
Additional information about the generation status.
(string) --
findings (string) --
Findings and insights from this policy generation process.
nextToken (string) --
A pagination token for retrieving additional policy generations if more results are available.
Retrieves a list of policy engines within the AgentCore Policy system. This operation supports pagination to help administrators discover and manage policy engines across their account. Each policy engine serves as a container for related policies.
See also: AWS API Documentation
Request Syntax
client.list_policy_engines(
nextToken='string',
maxResults=123
)
nextToken (string) --
A pagination token returned from a previous ListPolicyEngines call. Use this token to retrieve the next page of results when the response is paginated.
maxResults (integer) --
The maximum number of policy engines to return in a single response. If not specified, the default is 10 policy engines per page, with a maximum of 100 per page.
dict
Response Syntax
{
'policyEngines': [
{
'policyEngineId': 'string',
'name': 'string',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyEngineArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
policyEngines (list) --
An array of policy engine objects that exist in the account. Each policy engine object contains the engine metadata, status, and key identifiers for further operations.
(dict) --
Represents a policy engine resource within the AgentCore Policy system. Policy engines serve as containers for grouping related policies and provide the execution context for policy evaluation and management. Each policy engine can be associated with one Gateway (one engine per Gateway), where it intercepts all agent tool calls and evaluates them against the contained policies before allowing tools to execute. The policy engine maintains the Cedar schema generated from the Gateway's tool manifest, ensuring that policies are validated against the actual tools and parameters available. Policy engines support two enforcement modes that can be configured when associating with a Gateway: log-only mode for testing (evaluates decisions without blocking) and enforce mode for production (actively allows or denies based on policy evaluation).
policyEngineId (string) --
The unique identifier for the policy engine. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy engine operations.
name (string) --
The customer-assigned immutable name for the policy engine. This human-readable identifier must be unique within the account and cannot exceed 48 characters.
description (string) --
A human-readable description of the policy engine's purpose and scope. Limited to 4,096 characters, this helps administrators understand the policy engine's role in the overall governance strategy.
createdAt (datetime) --
The timestamp when the policy engine was originally created. This is automatically set by the service and used for auditing and lifecycle management.
updatedAt (datetime) --
The timestamp when the policy engine was last modified. This tracks the most recent changes to the policy engine configuration or metadata.
policyEngineArn (string) --
The Amazon Resource Name (ARN) of the policy engine. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy engine.
statusReasons (list) --
Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine lifecycle.
(string) --
nextToken (string) --
A pagination token that can be used in subsequent ListPolicyEngines calls to retrieve additional results. This token is only present when there are more results available.
Updates a custom evaluator's configuration, description, or evaluation level. Built-in evaluators cannot be updated. The evaluator must not be locked for modification.
See also: AWS API Documentation
Request Syntax
client.update_evaluator(
clientToken='string',
evaluatorId='string',
description='string',
evaluatorConfig={
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
}
},
level='TOOL_CALL'|'TRACE'|'SESSION'
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
evaluatorId (string) -- [REQUIRED]
The unique identifier of the evaluator to update.
description (string) --
The updated description of the evaluator.
evaluatorConfig (dict) --
The updated configuration for the evaluator, including LLM-as-a-Judge settings with instructions, rating scale, and model configuration.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) -- [REQUIRED]
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) -- [REQUIRED]
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this numerical rating represents and when it should be used.
value (float) -- [REQUIRED]
The numerical value for this rating scale option.
label (string) -- [REQUIRED]
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this categorical rating represents and when it should be used.
label (string) -- [REQUIRED]
The label or name of this categorical rating option.
modelConfig (dict) -- [REQUIRED]
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) -- [REQUIRED]
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (document) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
level (string) --
The updated evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'updatedAt': datetime(2015, 1, 1),
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the updated evaluator.
evaluatorId (string) --
The unique identifier of the updated evaluator.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
status (string) --
The status of the evaluator update operation.
Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.
See also: AWS API Documentation
Request Syntax
client.get_policy(
policyEngineId='string',
policyId='string'
)
policyEngineId (string) -- [REQUIRED]
The identifier of the policy engine that manages the policy to be retrieved.
policyId (string) -- [REQUIRED]
The unique identifier of the policy to be retrieved. This must be a valid policy ID that exists within the specified policy engine.
dict
Response Syntax
{
'policyId': 'string',
'name': 'string',
'policyEngineId': 'string',
'definition': {
'cedar': {
'statement': 'string'
}
},
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'policyArn': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
]
}
Response Structure
(dict) --
policyId (string) --
The unique identifier of the retrieved policy. This matches the policy ID provided in the request and serves as the system identifier for the policy.
name (string) --
The customer-assigned name of the policy. This is the human-readable identifier that was specified when the policy was created.
policyEngineId (string) --
The identifier of the policy engine that manages this policy. This confirms the policy engine context for the retrieved policy.
definition (dict) --
The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.
cedar (dict) --
The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.
statement (string) --
The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.
description (string) --
The human-readable description of the policy's purpose and functionality. This helps administrators understand and manage the policy.
createdAt (datetime) --
The timestamp when the policy was originally created.
updatedAt (datetime) --
The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration.
policyArn (string) --
The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.
status (string) --
The current status of the policy.
statusReasons (list) --
Additional information about the policy status. This provides details about any failures or the current state of the policy.
(string) --
Deletes an online evaluation configuration and stops any ongoing evaluation processes associated with it.
See also: AWS API Documentation
Request Syntax
client.delete_online_evaluation_config(
onlineEvaluationConfigId='string'
)
onlineEvaluationConfigId (string) -- [REQUIRED]
The unique identifier of the online evaluation configuration to delete.
dict
Response Syntax
{
'onlineEvaluationConfigArn': 'string',
'onlineEvaluationConfigId': 'string',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
onlineEvaluationConfigArn (string) --
The Amazon Resource Name (ARN) of the deleted online evaluation configuration.
onlineEvaluationConfigId (string) --
The unique identifier of the deleted online evaluation configuration.
status (string) --
The status of the online evaluation configuration deletion operation.
Initiates the AI-powered generation of Cedar policies from natural language descriptions within the AgentCore Policy system. This feature enables both technical and non-technical users to create policies by describing their authorization requirements in plain English, which is then automatically translated into formal Cedar policy statements. The generation process analyzes the natural language input along with the Gateway's tool context to produce validated policy options. Generated policy assets are automatically deleted after 7 days, so you should review and create policies from the generated assets within this timeframe. Once created, policies are permanent and not subject to this expiration. Generated policies should be reviewed and tested in log-only mode before deploying to production. Use this when you want to describe policy intent naturally rather than learning Cedar syntax, though generated policies may require refinement for complex scenarios.
See also: AWS API Documentation
Request Syntax
client.start_policy_generation(
policyEngineId='string',
resource={
'arn': 'string'
},
content={
'rawText': 'string'
},
name='string',
clientToken='string'
)
policyEngineId (string) -- [REQUIRED]
The identifier of the policy engine that provides the context for policy generation. This engine's schema and tool context are used to ensure generated policies are valid and applicable.
resource (dict) -- [REQUIRED]
The resource information that provides context for policy generation. This helps the AI understand the target resources and generate appropriate access control rules.
arn (string) --
The Amazon Resource Name (ARN) of the resource. This globally unique identifier specifies the exact resource that policies will be evaluated against for access control decisions.
content (dict) -- [REQUIRED]
The natural language description of the desired policy behavior. This content is processed by AI to generate corresponding Cedar policy statements that match the described intent.
rawText (string) --
The raw text content containing natural language descriptions of desired policy behavior. This text is processed by AI to generate corresponding Cedar policy statements that match the described intent.
name (string) -- [REQUIRED]
A customer-assigned name for the policy generation request. This helps track and identify generation operations, especially when running multiple generations simultaneously.
clientToken (string) --
A unique, case-sensitive identifier to ensure the idempotency of the request. The AWS SDK automatically generates this token, so you don't need to provide it in most cases. If you retry a request with the same client token, the service returns the same response without starting a duplicate generation.
This field is autopopulated if not provided.
dict
Response Syntax
{
'policyEngineId': 'string',
'policyGenerationId': 'string',
'name': 'string',
'policyGenerationArn': 'string',
'resource': {
'arn': 'string'
},
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'GENERATING'|'GENERATED'|'GENERATE_FAILED'|'DELETE_FAILED',
'statusReasons': [
'string',
],
'findings': 'string'
}
Response Structure
(dict) --
policyEngineId (string) --
The identifier of the policy engine associated with the started policy generation.
policyGenerationId (string) --
The unique identifier assigned to the policy generation request for tracking progress.
name (string) --
The customer-assigned name for the policy generation request.
policyGenerationArn (string) --
The ARN of the created policy generation request.
resource (dict) --
The resource information associated with the policy generation request.
arn (string) --
The Amazon Resource Name (ARN) of the resource. This globally unique identifier specifies the exact resource that policies will be evaluated against for access control decisions.
createdAt (datetime) --
The timestamp when the policy generation request was created.
updatedAt (datetime) --
The timestamp when the policy generation was last updated.
status (string) --
The initial status of the policy generation request.
statusReasons (list) --
Additional information about the generation status.
(string) --
findings (string) --
Initial findings from the policy generation process.
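A review-queue helper for the generation workflow above, as an added example that is not part of the AWS documentation: it pages through `list_policy_generations` with `nextToken` and sorts requests by how much of the 7-day review window remains. It assumes `client` is a boto3 AgentCore Control client and that the window is counted from `updatedAt` of a `GENERATED` record (the page does not say which timestamp applies); the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# The page states generated policy assets are deleted after 7 days.
REVIEW_WINDOW = timedelta(days=7)


def iter_policy_generations(client, policy_engine_id, page_size=None):
    """Yield every policy generation for one engine, following nextToken."""
    kwargs = {"policyEngineId": policy_engine_id}
    if page_size is not None:
        kwargs["maxResults"] = page_size
    seen_tokens = set()
    while True:
        page = client.list_policy_generations(**kwargs)
        yield from page.get("policyGenerations", [])
        token = page.get("nextToken")
        if not token:
            return
        if token in seen_tokens:
            # Defensive stop: never loop forever on a repeated token.
            raise RuntimeError("pagination token repeated; aborting")
        seen_tokens.add(token)
        kwargs["nextToken"] = token


def triage_policy_generations(client, policy_engine_id, now=None,
                              warn_within=timedelta(days=2)):
    """Group generation requests by what a reviewer has to do next."""
    now = now or datetime.now(timezone.utc)
    report = {"pending": [], "failed": [], "expired": [],
              "review_soon": [], "reviewable": []}
    for gen in iter_policy_generations(client, policy_engine_id):
        gen_id = gen["policyGenerationId"]
        status = gen["status"]
        if status == "GENERATING":
            report["pending"].append(gen_id)
        elif status == "GENERATED":
            # Assumption: the window starts at the last update of the record.
            expires_at = gen["updatedAt"] + REVIEW_WINDOW
            if expires_at <= now:
                report["expired"].append(gen_id)
            elif expires_at - now <= warn_within:
                report["review_soon"].append((gen_id, expires_at))
            else:
                report["reviewable"].append(gen_id)
        else:
            # GENERATE_FAILED, DELETE_FAILED, or any status added later.
            reasons = list(gen.get("statusReasons", []))
            report["failed"].append((gen_id, status, reasons))
    return report
```

Entries under `review_soon` and `reviewable` are the ones to read, test in log-only mode and turn into policies before the generated assets are removed.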
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
'claimMatchValue': {'matchValueString': 'string',
'matchValueStringList': ['string']}},
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}}}
Creates an Amazon Bedrock AgentCore Runtime.
See also: AWS API Documentation
Request Syntax
client.create_agent_runtime(
agentRuntimeName='string',
agentRuntimeArtifact={
'containerConfiguration': {
'containerUri': 'string'
},
'codeConfiguration': {
'code': {
's3': {
'bucket': 'string',
'prefix': 'string',
'versionId': 'string'
}
},
'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13',
'entryPoint': [
'string',
]
}
},
roleArn='string',
networkConfiguration={
'networkMode': 'PUBLIC'|'VPC',
'networkModeConfig': {
'securityGroups': [
'string',
],
'subnets': [
'string',
]
}
},
clientToken='string',
description='string',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
requestHeaderConfiguration={
'requestHeaderAllowlist': [
'string',
]
},
protocolConfiguration={
'serverProtocol': 'MCP'|'HTTP'|'A2A'
},
lifecycleConfiguration={
'idleRuntimeSessionTimeout': 123,
'maxLifetime': 123
},
environmentVariables={
'string': 'string'
},
tags={
'string': 'string'
}
)
agentRuntimeName (string) -- [REQUIRED]
The name of the AgentCore Runtime.
agentRuntimeArtifact (dict) -- [REQUIRED]
The artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) -- [REQUIRED]
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) -- [REQUIRED]
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) -- [REQUIRED]
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) -- [REQUIRED]
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) -- [REQUIRED]
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) -- [REQUIRED]
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
roleArn (string) -- [REQUIRED]
The IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) -- [REQUIRED]
The network configuration for the AgentCore Runtime.
networkMode (string) -- [REQUIRED]
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) -- [REQUIRED]
The security groups associated with the VPC configuration.
(string) --
subnets (list) -- [REQUIRED]
The subnets associated with the VPC configuration.
(string) --
clientToken (string) --
A unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
description (string) --
The description of the AgentCore Runtime.
authorizerConfiguration (dict) --
The authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
requestHeaderConfiguration (dict) --
Configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
protocolConfiguration (dict) --
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) -- [REQUIRED]
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
dict
The life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
dict
Environment variables to set in the AgentCore Runtime environment.
(string) --
(string) --
dict
A map of tag keys and values to assign to the agent runtime. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
(string) --
(string) --
dict
Response Syntax
{
'agentRuntimeArn': 'string',
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'agentRuntimeId': 'string',
'agentRuntimeVersion': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeId (string) --
The unique identifier of the AgentCore Runtime.
agentRuntimeVersion (string) --
The version of the AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
status (string) --
The current status of the AgentCore Runtime.
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
'claimMatchValue': {'matchValueString': 'string',
'matchValueStringList': ['string']}},
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}},
'policyEngineConfiguration': {'arn': 'string', 'mode': 'LOG_ONLY | ENFORCE'}}
Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.
If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.
See also: AWS API Documentation
Request Syntax
client.create_gateway(
name='string',
description='string',
clientToken='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG',
tags={
'string': 'string'
}
)
string
[REQUIRED]
The name of the gateway. The name must be unique within your account.
string
The description of the gateway.
string
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.
string
[REQUIRED]
The protocol type for the gateway.
dict
The configuration settings for the protocol specified in the protocolType parameter.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
string
[REQUIRED]
The type of authorizer to use for the gateway.
CUSTOM_JWT - Authorize with a bearer token.
AWS_IAM - Authorize with your Amazon Web Services IAM credentials.
NONE - No authorization.
dict
The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
string
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
list
A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
dict
The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
string
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
dict
A map of key-value pairs to associate with the gateway as metadata tags.
(string) --
(string) --
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the created gateway.
gatewayId (string) --
The unique identifier of the created gateway.
gatewayUrl (string) --
The URL endpoint for the created gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role associated with the gateway.
protocolType (string) --
The protocol type of the gateway.
protocolConfiguration (dict) --
The configuration settings for the protocol used by the gateway.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
The type of authorizer used by the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the created gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
interceptorConfigurations (list) --
The list of interceptor configurations for the created gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) --
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the created gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the created gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
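The create_gateway parameters above include several settings that weaken the gateway when left at a permissive value (authorizerType NONE, a policy engine in LOG_ONLY mode, exceptionLevel DEBUG). The following is an added example, not part of the AWS documentation: a local pre-deployment check over the keyword arguments. The function names, severity labels, findings and both sample requests are constructed for illustration, and the ARNs are placeholders.

```python
# Added example: audit create_gateway keyword arguments before deployment.
# Severity labels and finding wording are this example's own convention.
HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"
JWT = "authorizerConfiguration.customJWTAuthorizer"


def _audit_jwt(jwt):
    """Check the customJWTAuthorizer block of a request."""
    findings = []
    if not str(jwt.get("discoveryUrl", "")).lower().startswith("https://"):
        findings.append((HIGH, JWT + ".discoveryUrl", "discovery URL is not HTTPS"))
    # Assumption of this example: with none of these set, any token the
    # issuer signs is accepted, so at least one restriction is expected.
    narrowing = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
    if not any(jwt.get(key) for key in narrowing):
        findings.append((HIGH, JWT, "no audience, client, scope or claim restriction"))
    for i, rule in enumerate(jwt.get("customClaims") or []):
        match = (rule.get("authorizingClaimMatchValue") or {}).get("claimMatchValue") or {}
        values = [match.get("matchValueString")] + list(match.get("matchValueStringList") or [])
        if not any(values):
            findings.append((MEDIUM, f"{JWT}.customClaims[{i}]", "claim rule has an empty match value"))
    return findings


def audit_gateway_request(kwargs):
    """Return (severity, field, message) findings for one create_gateway request."""
    findings = []
    auth_type = kwargs.get("authorizerType")
    jwt = (kwargs.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if auth_type == "NONE":
        findings.append((HIGH, "authorizerType", "gateway is created with no authorization"))
    elif auth_type == "CUSTOM_JWT" and not jwt:
        findings.append((HIGH, "authorizerConfiguration", "required when authorizerType is CUSTOM_JWT"))
    elif auth_type == "CUSTOM_JWT":
        findings.extend(_audit_jwt(jwt))

    policy = kwargs.get("policyEngineConfiguration")
    if not policy:
        findings.append((MEDIUM, "policyEngineConfiguration", "no policy engine attached"))
    elif policy.get("mode") == "LOG_ONLY":
        findings.append((MEDIUM, "policyEngineConfiguration.mode", "decisions are traced but not enforced"))

    if kwargs.get("exceptionLevel") == "DEBUG":
        findings.append((LOW, "exceptionLevel", "granular exception messages are returned to callers"))

    for i, cfg in enumerate(kwargs.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            field = f"interceptorConfigurations[{i}].inputConfiguration.passRequestHeaders"
            findings.append((LOW, field, "request headers are passed to the interceptor"))
    return findings


# Constructed sample requests; every ARN and URL below is a placeholder.
_INTERCEPTOR = {"interceptor": {"lambda": {"arn": "LAMBDA_ARN_PLACEHOLDER"}},
                "interceptionPoints": ["REQUEST"]}
_COMMON = {"name": "example-gateway", "roleArn": "ROLE_ARN_PLACEHOLDER",
           "protocolType": "MCP", "authorizerType": "CUSTOM_JWT"}
_DISCOVERY = "https://idp.example.com/.well-known/openid-configuration"

WEAK_REQUEST = dict(
    _COMMON,
    authorizerConfiguration={"customJWTAuthorizer": {"discoveryUrl": _DISCOVERY}},
    policyEngineConfiguration={"arn": "POLICY_ENGINE_ARN_PLACEHOLDER", "mode": "LOG_ONLY"},
    exceptionLevel="DEBUG",
    interceptorConfigurations=[dict(_INTERCEPTOR, inputConfiguration={"passRequestHeaders": True})],
)

HARDENED_REQUEST = dict(
    _COMMON,
    authorizerConfiguration={"customJWTAuthorizer": {
        "discoveryUrl": _DISCOVERY,
        "allowedAudience": ["example-gateway-audience"],
        "allowedClients": ["example-client-id"],
        "customClaims": [{
            "inboundTokenClaimName": "groups",
            "inboundTokenClaimValueType": "STRING_ARRAY",
            "authorizingClaimMatchValue": {
                "claimMatchValue": {"matchValueStringList": ["agent-operators"]},
                "claimMatchOperator": "CONTAINS_ANY",
            },
        }],
    }},
    policyEngineConfiguration={"arn": "POLICY_ENGINE_ARN_PLACEHOLDER", "mode": "ENFORCE"},
    interceptorConfigurations=[dict(_INTERCEPTOR, inputConfiguration={"passRequestHeaders": False})],
)

if __name__ == "__main__":
    for severity, field, message in audit_gateway_request(WEAK_REQUEST):
        print(f"{severity:6} {field}: {message}")
```

Run it in CI against the same dictionary that is later passed to client.create_gateway(**kwargs), and fail the pipeline on any HIGH finding.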
{'credentialProviderConfigurations': {'credentialProvider': {'oauthCredentialProvider': {'defaultReturnUrl': 'string',
'grantType': 'CLIENT_CREDENTIALS | AUTHORIZATION_CODE'}}},
'targetConfiguration': {'mcp': {'apiGateway': {'apiGatewayToolConfiguration': {'toolFilters': [{'filterPath': 'string',
'methods': ['GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST']}],
'toolOverrides': [{'description': 'string',
'method': 'GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST',
'name': 'string',
'path': 'string'}]},
'restApiId': 'string',
'stage': 'string'}}}}
Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.
See also: AWS API Documentation
Request Syntax
client.create_gateway_target(
gatewayIdentifier='string',
name='string',
description='string',
clientToken='string',
targetConfiguration={
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
credentialProviderConfigurations=[
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
]
)
string
[REQUIRED]
The identifier of the gateway to create a target for.
string
[REQUIRED]
The name of the gateway target. The name must be unique within the gateway.
string
The description of the gateway target.
string
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
dict
[REQUIRED]
The configuration settings for the target, including endpoint information and schema definitions.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) -- [REQUIRED]
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) -- [REQUIRED]
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) -- [REQUIRED]
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) -- [REQUIRED]
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) -- [REQUIRED]
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) -- [REQUIRED]
The ID of the API Gateway REST API.
stage (string) -- [REQUIRED]
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) -- [REQUIRED]
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) -- [REQUIRED]
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) -- [REQUIRED]
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) -- [REQUIRED]
The HTTP method to expose for the specified path.
toolFilters (list) -- [REQUIRED]
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) -- [REQUIRED]
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) -- [REQUIRED]
The methods to filter for.
(string) --
list
The credential provider configurations for the target. These configurations specify how the gateway authenticates with the target endpoint.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) -- [REQUIRED]
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) -- [REQUIRED]
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the created target.
createdAt (datetime) --
The timestamp when the target was created.
updatedAt (datetime) --
The timestamp when the target was last updated.
status (string) --
The current status of the target.
statusReasons (list) --
The reasons for the current status of the target.
(string) --
name (string) --
The name of the target.
description (string) --
The description of the target.
targetConfiguration (dict) --
The configuration settings for the target.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
credentialProviderConfigurations (list) --
The credential provider configurations for the target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
lastSynchronizedAt (datetime) --
The last synchronization of the target.
{'memoryStrategies': {'customMemoryStrategy': {'configuration': {'episodicOverride': {'consolidation': {'appendToPrompt': 'string',
'modelId': 'string'},
'extraction': {'appendToPrompt': 'string',
'modelId': 'string'},
'reflection': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}}}},
'episodicMemoryStrategy': {'description': 'string',
'name': 'string',
'namespaces': ['string'],
'reflectionConfiguration': {'namespaces': ['string']}}}}
Response {'memory': {'strategies': {'configuration': {'consolidation': {'customConsolidationConfiguration': {'episodicConsolidationOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'extraction': {'customExtractionConfiguration': {'episodicExtractionOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'reflection': {'customReflectionConfiguration': {'episodicReflectionOverride': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}},
'episodicReflectionConfiguration': {'namespaces': ['string']}},
'type': {'EPISODIC_OVERRIDE'}},
'type': {'EPISODIC'}}}}
Creates a new Amazon Bedrock AgentCore Memory resource.
See also: AWS API Documentation
Request Syntax
client.create_memory(
clientToken='string',
name='string',
description='string',
encryptionKeyArn='string',
memoryExecutionRoleArn='string',
eventExpiryDuration=123,
memoryStrategies=[
{
'semanticMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'summaryMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'userPreferenceMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'customMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
],
'configuration': {
'semanticOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'summaryOverride': {
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'userPreferenceOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'episodicOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'reflection': {
'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': [
'string',
]
}
},
'selfManagedConfiguration': {
'triggerConditions': [
{
'messageBasedTrigger': {
'messageCount': 123
},
'tokenBasedTrigger': {
'tokenCount': 123
},
'timeBasedTrigger': {
'idleSessionTimeout': 123
}
},
],
'invocationConfiguration': {
'topicArn': 'string',
'payloadDeliveryBucketName': 'string'
},
'historicalContextWindowSize': 123
}
}
},
'episodicMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
],
'reflectionConfiguration': {
'namespaces': [
'string',
]
}
}
},
],
tags={
'string': 'string'
}
)
string
A unique, case-sensitive identifier to ensure that the operation completes no more than one time. If this token matches a previous request, Amazon Bedrock ignores the request but does not return an error.
This field is autopopulated if not provided.
string
[REQUIRED]
The name of the memory. The name must be unique within your account.
string
The description of the memory.
string
The Amazon Resource Name (ARN) of the KMS key used to encrypt the memory data.
string
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the memory to access Amazon Web Services services.
integer
[REQUIRED]
The duration after which memory events expire. Specified as an ISO 8601 duration.
list
The memory strategies to use for this memory. Strategies define how information is extracted, processed, and consolidated.
(dict) --
Contains input information for creating a memory strategy.
semanticMemoryStrategy (dict) --
Input for creating a semantic memory strategy.
name (string) -- [REQUIRED]
The name of the semantic memory strategy.
description (string) --
The description of the semantic memory strategy.
namespaces (list) --
The namespaces associated with the semantic memory strategy.
(string) --
summaryMemoryStrategy (dict) --
Input for creating a summary memory strategy.
name (string) -- [REQUIRED]
The name of the summary memory strategy.
description (string) --
The description of the summary memory strategy.
namespaces (list) --
The namespaces associated with the summary memory strategy.
(string) --
userPreferenceMemoryStrategy (dict) --
Input for creating a user preference memory strategy.
name (string) -- [REQUIRED]
The name of the user preference memory strategy.
description (string) --
The description of the user preference memory strategy.
namespaces (list) --
The namespaces associated with the user preference memory strategy.
(string) --
customMemoryStrategy (dict) --
Input for creating a custom memory strategy.
name (string) -- [REQUIRED]
The name of the custom memory strategy.
description (string) --
The description of the custom memory strategy.
namespaces (list) --
The namespaces associated with the custom memory strategy.
(string) --
configuration (dict) --
The configuration for the custom memory strategy.
semanticOverride (dict) --
The semantic override configuration for a custom memory strategy.
extraction (dict) --
The extraction configuration for a semantic override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic extraction.
modelId (string) -- [REQUIRED]
The model ID to use for semantic extraction.
consolidation (dict) --
The consolidation configuration for a semantic override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for semantic consolidation.
summaryOverride (dict) --
The summary override configuration for a custom memory strategy.
consolidation (dict) --
The consolidation configuration for a summary override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for summary consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for summary consolidation.
userPreferenceOverride (dict) --
The user preference override configuration for a custom memory strategy.
extraction (dict) --
The extraction configuration for a user preference override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference extraction.
modelId (string) -- [REQUIRED]
The model ID to use for user preference extraction.
consolidation (dict) --
The consolidation configuration for a user preference override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for user preference consolidation.
episodicOverride (dict) --
The episodic memory strategy override configuration for a custom memory strategy.
extraction (dict) --
Contains configurations for overriding the extraction step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the extraction step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the extraction step of the episodic memory strategy.
consolidation (dict) --
Contains configurations for overriding the consolidation step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the consolidation step of the episodic memory strategy.
reflection (dict) --
Contains configurations for overriding the reflection step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the reflection step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
The self managed configuration for a custom memory strategy.
triggerConditions (list) --
A list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) -- [REQUIRED]
Configuration to invoke a self-managed memory processing pipeline with.
topicArn (string) -- [REQUIRED]
The ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) -- [REQUIRED]
The S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
Number of historical messages to include in processing context.
episodicMemoryStrategy (dict) --
Input for creating an episodic memory strategy.
name (string) -- [REQUIRED]
The name of the episodic memory strategy.
description (string) --
The description of the episodic memory strategy.
namespaces (list) --
The namespaces for which to create episodes.
(string) --
reflectionConfiguration (dict) --
The configuration for the reflections created with the episodic memory strategy.
namespaces (list) -- [REQUIRED]
The namespaces over which to create reflections. Can be less nested than episode namespaces.
(string) --
dict
A map of tag keys and values to assign to an AgentCore Memory. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
(string) --
(string) --
dict
Response Syntax
{
'memory': {
'arn': 'string',
'id': 'string',
'name': 'string',
'description': 'string',
'encryptionKeyArn': 'string',
'memoryExecutionRoleArn': 'string',
'eventExpiryDuration': 123,
'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING',
'failureReason': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'strategies': [
{
'strategyId': 'string',
'name': 'string',
'description': 'string',
'configuration': {
'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
'extraction': {
'customExtractionConfiguration': {
'semanticExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'consolidation': {
'customConsolidationConfiguration': {
'semanticConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'summaryConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'reflection': {
'customReflectionConfiguration': {
'episodicReflectionOverride': {
'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': [
'string',
]
}
},
'episodicReflectionConfiguration': {
'namespaces': [
'string',
]
}
},
'selfManagedConfiguration': {
'triggerConditions': [
{
'messageBasedTrigger': {
'messageCount': 123
},
'tokenBasedTrigger': {
'tokenCount': 123
},
'timeBasedTrigger': {
'idleSessionTimeout': 123
}
},
],
'invocationConfiguration': {
'topicArn': 'string',
'payloadDeliveryBucketName': 'string'
},
'historicalContextWindowSize': 123
}
},
'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
'namespaces': [
'string',
],
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'
},
]
}
}
Response Structure
(dict) --
memory (dict) --
The details of the created memory, including its ID, ARN, name, description, and configuration settings.
arn (string) --
The Amazon Resource Name (ARN) of the memory.
id (string) --
The unique identifier of the memory.
name (string) --
The name of the memory.
description (string) --
The description of the memory.
encryptionKeyArn (string) --
The ARN of the KMS key used to encrypt the memory.
memoryExecutionRoleArn (string) --
The ARN of the IAM role that provides permissions for the memory.
eventExpiryDuration (integer) --
The number of days after which memory events will expire.
status (string) --
The current status of the memory.
failureReason (string) --
The reason for failure if the memory is in a failed state.
createdAt (datetime) --
The timestamp when the memory was created.
updatedAt (datetime) --
The timestamp when the memory was last updated.
strategies (list) --
The list of memory strategies associated with this memory.
(dict) --
Contains information about a memory strategy.
strategyId (string) --
The unique identifier of the memory strategy.
name (string) --
The name of the memory strategy.
description (string) --
The description of the memory strategy.
configuration (dict) --
The configuration of the memory strategy.
type (string) --
The type of override for the strategy configuration.
extraction (dict) --
The extraction configuration for the memory strategy.
customExtractionConfiguration (dict) --
The custom extraction configuration.
semanticExtractionOverride (dict) --
The semantic extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic extraction.
modelId (string) --
The model ID to use for semantic extraction.
userPreferenceExtractionOverride (dict) --
The user preference extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference extraction.
modelId (string) --
The model ID to use for user preference extraction.
episodicExtractionOverride (dict) --
The configurations to override the default extraction step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the extraction step of the episodic memory strategy.
modelId (string) --
The model ID used for the extraction step of the episodic memory strategy.
consolidation (dict) --
The consolidation configuration for the memory strategy.
customConsolidationConfiguration (dict) --
The custom consolidation configuration.
semanticConsolidationOverride (dict) --
The semantic consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic consolidation.
modelId (string) --
The model ID to use for semantic consolidation.
summaryConsolidationOverride (dict) --
The summary consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for summary consolidation.
modelId (string) --
The model ID to use for summary consolidation.
userPreferenceConsolidationOverride (dict) --
The user preference consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference consolidation.
modelId (string) --
The model ID to use for user preference consolidation.
episodicConsolidationOverride (dict) --
The configurations to override the default consolidation step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) --
The model ID used for the consolidation step of the episodic memory strategy.
reflection (dict) --
The reflection configuration for the memory strategy.
customReflectionConfiguration (dict) --
The configuration for a custom reflection strategy.
episodicReflectionOverride (dict) --
The configuration for a reflection strategy to override the default one.
appendToPrompt (string) --
The text appended to the prompt for the reflection step of the episodic memory strategy.
modelId (string) --
The model ID used for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces over which reflections were created. Can be less nested than the episodic namespaces.
(string) --
episodicReflectionConfiguration (dict) --
The configuration for the episodic reflection strategy.
namespaces (list) --
The namespaces for which to create reflections. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
Self-managed configuration settings.
triggerConditions (list) --
A list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) --
The configuration to use when invoking memory processing.
topicArn (string) --
The ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) --
The S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
The number of historical messages to include in processing context.
type (string) --
The type of the memory strategy.
namespaces (list) --
The namespaces associated with the memory strategy.
(string) --
createdAt (datetime) --
The timestamp when the memory strategy was created.
updatedAt (datetime) --
The timestamp when the memory strategy was last updated.
status (string) --
The current status of the memory strategy.
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
'claimMatchValue': {'matchValueString': 'string',
'matchValueStringList': ['string']}},
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}},
'failureReason': 'string'}
Gets an Amazon Bedrock AgentCore Runtime.
See also: AWS API Documentation
Request Syntax
client.get_agent_runtime(
agentRuntimeId='string',
agentRuntimeVersion='string'
)
string
[REQUIRED]
The unique identifier of the AgentCore Runtime to retrieve.
string
The version of the AgentCore Runtime to retrieve.
dict
Response Syntax
{
'agentRuntimeArn': 'string',
'agentRuntimeName': 'string',
'agentRuntimeId': 'string',
'agentRuntimeVersion': 'string',
'createdAt': datetime(2015, 1, 1),
'lastUpdatedAt': datetime(2015, 1, 1),
'roleArn': 'string',
'networkConfiguration': {
'networkMode': 'PUBLIC'|'VPC',
'networkModeConfig': {
'securityGroups': [
'string',
],
'subnets': [
'string',
]
}
},
'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING',
'lifecycleConfiguration': {
'idleRuntimeSessionTimeout': 123,
'maxLifetime': 123
},
'failureReason': 'string',
'description': 'string',
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'agentRuntimeArtifact': {
'containerConfiguration': {
'containerUri': 'string'
},
'codeConfiguration': {
'code': {
's3': {
'bucket': 'string',
'prefix': 'string',
'versionId': 'string'
}
},
'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13',
'entryPoint': [
'string',
]
}
},
'protocolConfiguration': {
'serverProtocol': 'MCP'|'HTTP'|'A2A'
},
'environmentVariables': {
'string': 'string'
},
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
'requestHeaderConfiguration': {
'requestHeaderAllowlist': [
'string',
]
}
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime.
agentRuntimeName (string) --
The name of the AgentCore Runtime.
agentRuntimeId (string) --
The unique identifier of the AgentCore Runtime.
agentRuntimeVersion (string) --
The version of the AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
lastUpdatedAt (datetime) --
The timestamp when the AgentCore Runtime was last updated.
roleArn (string) --
The IAM role ARN that provides permissions for the AgentCore Runtime.
networkConfiguration (dict) --
The network configuration for the AgentCore Runtime.
networkMode (string) --
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) --
The security groups associated with the VPC configuration.
(string) --
subnets (list) --
The subnets associated with the VPC configuration.
(string) --
status (string) --
The current status of the AgentCore Runtime.
lifecycleConfiguration (dict) --
The life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
failureReason (string) --
The reason for failure if the AgentCore Runtime is in a failed state.
description (string) --
The description of the AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeArtifact (dict) --
The artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) --
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) --
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) --
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) --
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) --
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) --
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
protocolConfiguration (dict) --
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) --
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
environmentVariables (dict) --
Environment variables set in the AgentCore Runtime environment.
(string) --
(string) --
authorizerConfiguration (dict) --
The authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
requestHeaderConfiguration (dict) --
Configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
    'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
        'claimMatchValue': {'matchValueString': 'string',
          'matchValueStringList': ['string']}},
      'inboundTokenClaimName': 'string',
      'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}},
 'policyEngineConfiguration': {'arn': 'string', 'mode': 'LOG_ONLY | ENFORCE'}}
Retrieves information about a specific Gateway.
See also: AWS API Documentation
Request Syntax
client.get_gateway(
gatewayIdentifier='string'
)
string
[REQUIRED]
The identifier of the gateway to retrieve.
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
gatewayId (string) --
The unique identifier of the gateway.
gatewayUrl (string) --
An endpoint for invoking the gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The IAM role ARN that provides permissions for the gateway.
protocolType (string) --
Protocol applied to a gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
Authorizer type for the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The interceptors configured on the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) --
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
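The following is an added example, not part of the AWS documentation: a small offline audit that reads a `get_gateway` response and reports the settings described above that weaken inbound authorization (`authorizerType`, unrestricted JWT authorizer, `policyEngineConfiguration.mode`, `exceptionLevel`, `passRequestHeaders`). The function names, finding IDs, severities and the sample response are assumptions made for illustration; only the field names come from the Response Syntax.

```python
"""Audit a get_gateway response dict for weak authorization settings."""

# Constructed sample shaped like the Response Syntax above. All values are
# made up; the ARNs are placeholders, not real resource identifiers.
SAMPLE_GATEWAY = {
    "gatewayId": "gw-example-0001",
    "status": "READY",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            # Deliberately no allowedAudience/allowedClients/allowedScopes/customClaims.
        }
    },
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {"arn": "PLACEHOLDER-INTERCEPTOR-LAMBDA-ARN"}},
            "interceptionPoints": ["REQUEST"],
            "inputConfiguration": {"passRequestHeaders": True},
        }
    ],
    "policyEngineConfiguration": {"arn": "PLACEHOLDER-POLICY-ENGINE-ARN", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def audit_gateway(gw):
    """Return a list of findings (dicts with id, severity, detail) for one gateway."""
    findings = []

    def add(check_id, severity, detail):
        findings.append({"id": check_id, "severity": severity, "detail": detail})

    # Inbound authentication.
    auth_type = gw.get("authorizerType")
    jwt = (gw.get("authorizerConfiguration") or {}).get("customJWTAuthorizer") or {}
    if auth_type == "NONE":
        add("AUTH_NONE", "HIGH", "authorizerType is NONE: no inbound authorizer is configured")
    elif auth_type == "CUSTOM_JWT":
        if not str(jwt.get("discoveryUrl", "")).lower().startswith("https://"):
            add("JWT_DISCOVERY_NOT_HTTPS", "HIGH", "discoveryUrl is missing or not https")
        if not any(jwt.get(key) for key in JWT_RESTRICTIONS):
            add("JWT_UNRESTRICTED", "MEDIUM",
                "JWT authorizer sets no audience, client, scope or custom-claim restriction")

    # Policy engine: LOG_ONLY only traces the decision, ENFORCE applies it.
    policy = gw.get("policyEngineConfiguration") or {}
    if not policy.get("arn"):
        add("POLICY_ENGINE_MISSING", "MEDIUM", "no policy engine is attached to the gateway")
    elif policy.get("mode") != "ENFORCE":
        add("POLICY_LOG_ONLY", "MEDIUM",
            "policy engine mode is %r: decisions are traced but not enforced" % policy.get("mode"))

    # DEBUG returns granular exception messages to whoever invokes the gateway.
    if gw.get("exceptionLevel") == "DEBUG":
        add("DEBUG_ERRORS", "LOW", "exceptionLevel is DEBUG: callers receive granular error messages")

    # Request headers (which may carry bearer tokens) forwarded to interceptor Lambdas.
    for cfg in gw.get("interceptorConfigurations") or []:
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn", "unknown")
            add("HEADERS_TO_INTERCEPTOR", "INFO", "request headers are passed to interceptor " + arn)

    return findings


def finding_ids(gw):
    """Sorted finding IDs, convenient for diffing audit runs."""
    return sorted(f["id"] for f in audit_gateway(gw))


if __name__ == "__main__":
    for finding in audit_gateway(SAMPLE_GATEWAY):
        print("%-6s %-24s %s" % (finding["severity"], finding["id"], finding["detail"]))
```

To audit a live gateway, pass the dict returned by `client.get_gateway(gatewayIdentifier=...)` to `audit_gateway` instead of the constructed sample.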
{'credentialProviderConfigurations': {'credentialProvider': {'oauthCredentialProvider': {'defaultReturnUrl': 'string',
      'grantType': 'CLIENT_CREDENTIALS | AUTHORIZATION_CODE'}}},
 'targetConfiguration': {'mcp': {'apiGateway': {'apiGatewayToolConfiguration': {'toolFilters': [{'filterPath': 'string',
          'methods': ['GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST']}],
        'toolOverrides': [{'description': 'string',
          'method': 'GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST',
          'name': 'string',
          'path': 'string'}]},
      'restApiId': 'string',
      'stage': 'string'}}}}
Retrieves information about a specific gateway target.
See also: AWS API Documentation
Request Syntax
client.get_gateway_target(
gatewayIdentifier='string',
targetId='string'
)
string
[REQUIRED]
The identifier of the gateway that contains the target.
string
[REQUIRED]
The unique identifier of the target to retrieve.
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the gateway target.
createdAt (datetime) --
The timestamp when the gateway target was created.
updatedAt (datetime) --
The timestamp when the gateway target was last updated.
status (string) --
The current status of the gateway target.
statusReasons (list) --
The reasons for the current status of the gateway target.
(string) --
name (string) --
The name of the gateway target.
description (string) --
The description of the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
credentialProviderConfigurations (list) --
The credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
lastSynchronizedAt (datetime) --
The last synchronization of the target.
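The following is an added example, not part of the AWS documentation: an offline check over a `get_gateway_target` response that reports wildcard `toolFilters` exposing state-changing HTTP methods as agent tools, an `mcpServer` endpoint that is not https, and an API key placed in the query string. The function name, finding IDs, the choice of which methods count as state-changing, and the sample response are assumptions made for illustration; only the field names come from the Response Syntax.

```python
"""Audit a get_gateway_target response dict for over-broad tool exposure."""

# Methods treated as state-changing for this check (an assumption of the example).
MUTATING_METHODS = {"DELETE", "PATCH", "PUT", "POST"}

# Constructed sample shaped like the Response Syntax above; all values are made up.
SAMPLE_TARGET = {
    "targetId": "target-example-0001",
    "status": "READY",
    "targetConfiguration": {
        "mcp": {
            "apiGateway": {
                "restApiId": "exampleapi",
                "stage": "prod",
                "apiGatewayToolConfiguration": {
                    "toolFilters": [
                        {"filterPath": "/pets/*", "methods": ["GET", "DELETE", "POST"]},
                        {"filterPath": "/status", "methods": ["GET"]},
                    ]
                },
            }
        }
    },
    "credentialProviderConfigurations": [
        {
            "credentialProviderType": "API_KEY",
            "credentialProvider": {
                "apiKeyCredentialProvider": {
                    "providerArn": "PLACEHOLDER-API-KEY-PROVIDER-ARN",
                    "credentialParameterName": "api_key",
                    "credentialLocation": "QUERY_PARAMETER",
                }
            },
        }
    ],
}


def audit_gateway_target(target):
    """Return a list of (finding_id, detail) tuples for one gateway target."""
    findings = []
    mcp = (target.get("targetConfiguration") or {}).get("mcp") or {}

    # A wildcard filterPath matches every path under the prefix, so each
    # state-changing method listed with it becomes a tool on all of them.
    tool_cfg = (mcp.get("apiGateway") or {}).get("apiGatewayToolConfiguration") or {}
    for flt in tool_cfg.get("toolFilters") or []:
        path = flt.get("filterPath", "")
        exposed = sorted(MUTATING_METHODS & set(flt.get("methods") or []))
        if path.endswith("/*") and exposed:
            findings.append(("WILDCARD_WRITE_FILTER",
                             "%s exposes %s on every path under it" % (path, ", ".join(exposed))))

    # The gateway sends tool calls and credentials to this endpoint.
    endpoint = (mcp.get("mcpServer") or {}).get("endpoint")
    if endpoint and not endpoint.lower().startswith("https://"):
        findings.append(("MCP_ENDPOINT_NOT_HTTPS", endpoint))

    # API keys in the query string tend to end up in access logs and URL histories.
    for cfg in target.get("credentialProviderConfigurations") or []:
        api_key = (cfg.get("credentialProvider") or {}).get("apiKeyCredentialProvider") or {}
        if (cfg.get("credentialProviderType") == "API_KEY"
                and api_key.get("credentialLocation") == "QUERY_PARAMETER"):
            findings.append(("API_KEY_IN_QUERY",
                             "API key is sent as query parameter %r; HEADER keeps it out of URLs"
                             % api_key.get("credentialParameterName")))

    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_gateway_target(SAMPLE_TARGET):
        print("%-24s %s" % (finding_id, detail))
```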
{'memory': {'strategies': {'configuration': {'consolidation': {'customConsolidationConfiguration': {'episodicConsolidationOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'extraction': {'customExtractionConfiguration': {'episodicExtractionOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'reflection': {'customReflectionConfiguration': {'episodicReflectionOverride': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}},
'episodicReflectionConfiguration': {'namespaces': ['string']}},
'type': {'EPISODIC_OVERRIDE'}},
'type': {'EPISODIC'}}}}
Retrieve an existing Amazon Bedrock AgentCore Memory resource.
See also: AWS API Documentation
Request Syntax
client.get_memory(
memoryId='string'
)
string
[REQUIRED]
The unique identifier of the memory to retrieve.
dict
Response Syntax
{
'memory': {
'arn': 'string',
'id': 'string',
'name': 'string',
'description': 'string',
'encryptionKeyArn': 'string',
'memoryExecutionRoleArn': 'string',
'eventExpiryDuration': 123,
'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING',
'failureReason': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'strategies': [
{
'strategyId': 'string',
'name': 'string',
'description': 'string',
'configuration': {
'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
'extraction': {
'customExtractionConfiguration': {
'semanticExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'consolidation': {
'customConsolidationConfiguration': {
'semanticConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'summaryConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'reflection': {
'customReflectionConfiguration': {
'episodicReflectionOverride': {
'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': [
'string',
]
}
},
'episodicReflectionConfiguration': {
'namespaces': [
'string',
]
}
},
'selfManagedConfiguration': {
'triggerConditions': [
{
'messageBasedTrigger': {
'messageCount': 123
},
'tokenBasedTrigger': {
'tokenCount': 123
},
'timeBasedTrigger': {
'idleSessionTimeout': 123
}
},
],
'invocationConfiguration': {
'topicArn': 'string',
'payloadDeliveryBucketName': 'string'
},
'historicalContextWindowSize': 123
}
},
'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
'namespaces': [
'string',
],
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'
},
]
}
}
Response Structure
(dict) --
memory (dict) --
The retrieved AgentCore Memory resource details.
arn (string) --
The Amazon Resource Name (ARN) of the memory.
id (string) --
The unique identifier of the memory.
name (string) --
The name of the memory.
description (string) --
The description of the memory.
encryptionKeyArn (string) --
The ARN of the KMS key used to encrypt the memory.
memoryExecutionRoleArn (string) --
The ARN of the IAM role that provides permissions for the memory.
eventExpiryDuration (integer) --
The number of days after which memory events will expire.
status (string) --
The current status of the memory.
failureReason (string) --
The reason for failure if the memory is in a failed state.
createdAt (datetime) --
The timestamp when the memory was created.
updatedAt (datetime) --
The timestamp when the memory was last updated.
strategies (list) --
The list of memory strategies associated with this memory.
(dict) --
Contains information about a memory strategy.
strategyId (string) --
The unique identifier of the memory strategy.
name (string) --
The name of the memory strategy.
description (string) --
The description of the memory strategy.
configuration (dict) --
The configuration of the memory strategy.
type (string) --
The type of override for the strategy configuration.
extraction (dict) --
The extraction configuration for the memory strategy.
customExtractionConfiguration (dict) --
The custom extraction configuration.
semanticExtractionOverride (dict) --
The semantic extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic extraction.
modelId (string) --
The model ID to use for semantic extraction.
userPreferenceExtractionOverride (dict) --
The user preference extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference extraction.
modelId (string) --
The model ID to use for user preference extraction.
episodicExtractionOverride (dict) --
The configurations to override the default extraction step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the extraction step of the episodic memory strategy.
modelId (string) --
The model ID used for the extraction step of the episodic memory strategy.
consolidation (dict) --
The consolidation configuration for the memory strategy.
customConsolidationConfiguration (dict) --
The custom consolidation configuration.
semanticConsolidationOverride (dict) --
The semantic consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic consolidation.
modelId (string) --
The model ID to use for semantic consolidation.
summaryConsolidationOverride (dict) --
The summary consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for summary consolidation.
modelId (string) --
The model ID to use for summary consolidation.
userPreferenceConsolidationOverride (dict) --
The user preference consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference consolidation.
modelId (string) --
The model ID to use for user preference consolidation.
episodicConsolidationOverride (dict) --
The configurations to override the default consolidation step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) --
The model ID used for the consolidation step of the episodic memory strategy.
reflection (dict) --
The reflection configuration for the memory strategy.
customReflectionConfiguration (dict) --
The configuration for a custom reflection strategy.
episodicReflectionOverride (dict) --
The configuration for a reflection strategy to override the default one.
appendToPrompt (string) --
The text appended to the prompt for the reflection step of the episodic memory strategy.
modelId (string) --
The model ID used for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces over which reflections were created. Can be less nested than the episodic namespaces.
(string) --
episodicReflectionConfiguration (dict) --
The configuration for the episodic reflection strategy.
namespaces (list) --
The namespaces for which to create reflections. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
Self-managed configuration settings.
triggerConditions (list) --
A list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) --
The configuration to use when invoking memory processing.
topicArn (string) --
The ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) --
The S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
The number of historical messages to include in processing context.
type (string) --
The type of the memory strategy.
namespaces (list) --
The namespaces associated with the memory strategy.
(string) --
createdAt (datetime) --
The timestamp when the memory strategy was created.
updatedAt (datetime) --
The timestamp when the memory strategy was last updated.
status (string) --
The current status of the memory strategy.
{'targets': {'credentialProviderConfigurations': {'credentialProvider': {'oauthCredentialProvider': {'defaultReturnUrl': 'string',
        'grantType': 'CLIENT_CREDENTIALS | AUTHORIZATION_CODE'}}},
   'targetConfiguration': {'mcp': {'apiGateway': {'apiGatewayToolConfiguration': {'toolFilters': [{'filterPath': 'string',
            'methods': ['GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST']}],
          'toolOverrides': [{'description': 'string',
            'method': 'GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST',
            'name': 'string',
            'path': 'string'}]},
        'restApiId': 'string',
        'stage': 'string'}}}}}
The gateway targets.
See also: AWS API Documentation
Request Syntax
client.synchronize_gateway_targets(
gatewayIdentifier='string',
targetIdList=[
'string',
]
)
string
[REQUIRED]
The gateway identifier.
list
[REQUIRED]
The target ID list.
(string) --
dict
Response Syntax
{
'targets': [
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1)
},
]
}
Response Structure
(dict) --
targets (list) --
The gateway targets for synchronization.
(dict) --
The gateway target.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway target.
targetId (string) --
The target ID.
createdAt (datetime) --
The date and time at which the target was created.
updatedAt (datetime) --
The date and time at which the target was updated.
status (string) --
The status of the gateway target.
statusReasons (list) --
The status reasons for the target status.
(string) --
name (string) --
The name of the gateway target.
description (string) --
The description for the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
credentialProviderConfigurations (list) --
The provider configurations.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
lastSynchronizedAt (datetime) --
The last synchronization time.
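The target fields documented above can be reviewed offline once a response has been captured. The following is an added example, not AWS code: it walks a `targets` list shaped like the response syntax and reports write methods exposed through wildcard `toolFilters`, API keys sent as query parameters, non-HTTPS `defaultReturnUrl` values and unhealthy statuses. The choice of what to flag, the finding texts and the sample response are assumptions of this example.

```python
"""Review gateway targets returned by synchronize_gateway_targets.

Field names and enum values come from the response syntax on this page;
the review rules and SAMPLE_RESPONSE are constructed for this example.
"""
from urllib.parse import urlsplit

WRITE_METHODS = {"DELETE", "PATCH", "POST", "PUT"}
UNHEALTHY_STATUSES = {"FAILED", "UPDATE_UNSUCCESSFUL", "SYNCHRONIZE_UNSUCCESSFUL"}


def audit_target(target):
    """Return a list of (field, message) findings for one target dict."""
    findings = []

    if target.get("status") in UNHEALTHY_STATUSES:
        reasons = "; ".join(target.get("statusReasons", [])) or "no reason given"
        findings.append(("status", f"{target['status']}: {reasons}"))

    # A wildcard filterPath turns every matching operation into a tool, so
    # pairing it with state-changing methods deserves a second look.
    api_gw = target.get("targetConfiguration", {}).get("mcp", {}).get("apiGateway", {})
    tool_cfg = api_gw.get("apiGatewayToolConfiguration", {})
    for flt in tool_cfg.get("toolFilters", []):
        path = flt.get("filterPath", "")
        writes = sorted(WRITE_METHODS & set(flt.get("methods", [])))
        if path.endswith("/*") and writes:
            findings.append(("toolFilters", f"{path} exposes {', '.join(writes)}"))

    for cfg in target.get("credentialProviderConfigurations", []):
        provider = cfg.get("credentialProvider", {})

        # Keys placed in the query string tend to end up in access logs.
        api_key = provider.get("apiKeyCredentialProvider", {})
        if api_key.get("credentialLocation") == "QUERY_PARAMETER":
            findings.append(("credentialLocation", "API key is sent as a query parameter"))

        # The authorization code travels to this URL in the browser redirect.
        oauth = provider.get("oauthCredentialProvider", {})
        url = oauth.get("defaultReturnUrl", "")
        if oauth.get("grantType") == "AUTHORIZATION_CODE" and url:
            if urlsplit(url).scheme != "https":
                findings.append(("defaultReturnUrl", f"{url} is not an https URL"))
    return findings


def audit_targets(response):
    """Map each targetId in the response to its findings."""
    return {t.get("targetId"): audit_target(t) for t in response.get("targets", [])}


# Constructed sample; IDs, paths and URLs are placeholders.
SAMPLE_RESPONSE = {
    "targets": [
        {
            "targetId": "TARGET-A",
            "status": "READY",
            "targetConfiguration": {"mcp": {"apiGateway": {
                "restApiId": "example",
                "stage": "prod",
                "apiGatewayToolConfiguration": {"toolFilters": [
                    {"filterPath": "/pets/*", "methods": ["GET", "DELETE", "POST"]},
                    {"filterPath": "/pets", "methods": ["GET"]},
                ]},
            }}},
            "credentialProviderConfigurations": [{
                "credentialProviderType": "API_KEY",
                "credentialProvider": {"apiKeyCredentialProvider": {
                    "credentialParameterName": "api_key",
                    "credentialLocation": "QUERY_PARAMETER",
                }},
            }],
        },
        {
            "targetId": "TARGET-B",
            "status": "SYNCHRONIZE_UNSUCCESSFUL",
            "statusReasons": ["constructed reason"],
            "targetConfiguration": {"mcp": {"mcpServer": {"endpoint": "https://mcp.example.com"}}},
            "credentialProviderConfigurations": [{
                "credentialProviderType": "OAUTH",
                "credentialProvider": {"oauthCredentialProvider": {
                    "grantType": "AUTHORIZATION_CODE",
                    "defaultReturnUrl": "http://app.example.com/callback",
                }},
            }],
        },
    ]
}

if __name__ == "__main__":
    for target_id, findings in audit_targets(SAMPLE_RESPONSE).items():
        for field, message in findings:
            print(f"{target_id}: {field}: {message}")
```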
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
                                                     'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
                                                                                                      'claimMatchValue': {'matchValueString': 'string',
                                                                                                                          'matchValueStringList': ['string']}},
                                                                       'inboundTokenClaimName': 'string',
                                                                       'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}}}
Updates an existing Amazon Secure Agent.
See also: AWS API Documentation
Request Syntax
client.update_agent_runtime(
agentRuntimeId='string',
agentRuntimeArtifact={
'containerConfiguration': {
'containerUri': 'string'
},
'codeConfiguration': {
'code': {
's3': {
'bucket': 'string',
'prefix': 'string',
'versionId': 'string'
}
},
'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13',
'entryPoint': [
'string',
]
}
},
roleArn='string',
networkConfiguration={
'networkMode': 'PUBLIC'|'VPC',
'networkModeConfig': {
'securityGroups': [
'string',
],
'subnets': [
'string',
]
}
},
description='string',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
requestHeaderConfiguration={
'requestHeaderAllowlist': [
'string',
]
},
protocolConfiguration={
'serverProtocol': 'MCP'|'HTTP'|'A2A'
},
lifecycleConfiguration={
'idleRuntimeSessionTimeout': 123,
'maxLifetime': 123
},
environmentVariables={
'string': 'string'
},
clientToken='string'
)
string
[REQUIRED]
The unique identifier of the AgentCore Runtime to update.
dict
[REQUIRED]
The updated artifact of the AgentCore Runtime.
containerConfiguration (dict) --
The container configuration for the agent artifact.
containerUri (string) -- [REQUIRED]
The ECR URI of the container.
codeConfiguration (dict) --
The code configuration for the agent runtime artifact, including the source code location and execution settings.
code (dict) -- [REQUIRED]
The source code location and configuration details.
s3 (dict) --
The Amazon S3 object that contains the source code for the agent runtime.
bucket (string) -- [REQUIRED]
The name of the Amazon S3 bucket. This bucket contains the stored data.
prefix (string) -- [REQUIRED]
The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.
versionId (string) --
The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.
runtime (string) -- [REQUIRED]
The runtime environment for executing the code (for example, Python 3.9 or Node.js 18).
entryPoint (list) -- [REQUIRED]
The entry point for the code execution, specifying the function or method that should be invoked when the code runs.
(string) --
string
[REQUIRED]
The updated IAM role ARN that provides permissions for the AgentCore Runtime.
dict
[REQUIRED]
The updated network configuration for the AgentCore Runtime.
networkMode (string) -- [REQUIRED]
The network mode for the AgentCore Runtime.
networkModeConfig (dict) --
The network mode configuration for the AgentCore Runtime.
securityGroups (list) -- [REQUIRED]
The security groups associated with the VPC configuration.
(string) --
subnets (list) -- [REQUIRED]
The subnets associated with the VPC configuration.
(string) --
string
The updated description of the AgentCore Runtime.
dict
The updated authorizer configuration for the AgentCore Runtime.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
dict
The updated configuration for HTTP request headers that will be passed through to the runtime.
requestHeaderAllowlist (list) --
A list of HTTP request headers that are allowed to be passed through to the runtime.
(string) --
dict
The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.
serverProtocol (string) -- [REQUIRED]
The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.
dict
The updated life cycle configuration for the AgentCore Runtime.
idleRuntimeSessionTimeout (integer) --
Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).
maxLifetime (integer) --
Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).
dict
Updated environment variables to set in the AgentCore Runtime environment.
(string) --
(string) --
string
A unique, case-sensitive identifier to ensure idempotency of the request.
This field is autopopulated if not provided.
dict
Response Syntax
{
'agentRuntimeArn': 'string',
'agentRuntimeId': 'string',
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'agentRuntimeVersion': 'string',
'createdAt': datetime(2015, 1, 1),
'lastUpdatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}
Response Structure
(dict) --
agentRuntimeArn (string) --
The Amazon Resource Name (ARN) of the updated AgentCore Runtime.
agentRuntimeId (string) --
The unique identifier of the updated AgentCore Runtime.
workloadIdentityDetails (dict) --
The workload identity details for the updated AgentCore Runtime.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
agentRuntimeVersion (string) --
The version of the updated AgentCore Runtime.
createdAt (datetime) --
The timestamp when the AgentCore Runtime was created.
lastUpdatedAt (datetime) --
The timestamp when the AgentCore Runtime was last updated.
status (string) --
The current status of the updated AgentCore Runtime.
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedScopes': ['string'],
                                                     'customClaims': [{'authorizingClaimMatchValue': {'claimMatchOperator': 'EQUALS | CONTAINS | CONTAINS_ANY',
                                                                                                      'claimMatchValue': {'matchValueString': 'string',
                                                                                                                          'matchValueStringList': ['string']}},
                                                                       'inboundTokenClaimName': 'string',
                                                                       'inboundTokenClaimValueType': 'STRING | STRING_ARRAY'}]}},
 'policyEngineConfiguration': {'arn': 'string', 'mode': 'LOG_ONLY | ENFORCE'}}
Updates an existing gateway.
See also: AWS API Documentation
Request Syntax
client.update_gateway(
gatewayIdentifier='string',
name='string',
description='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG'
)
string
[REQUIRED]
The identifier of the gateway to update.
string
[REQUIRED]
The name of the gateway. This name must match the name the gateway was created with.
string
The updated description for the gateway.
string
[REQUIRED]
The updated IAM role ARN that provides permissions for the gateway.
string
[REQUIRED]
The updated protocol type for the gateway.
dict
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
string
[REQUIRED]
The updated authorizer type for the gateway.
dict
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
string
The updated ARN of the KMS key used to encrypt the gateway.
list
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
dict
The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
string
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the updated gateway.
gatewayId (string) --
The unique identifier of the updated gateway.
gatewayUrl (string) --
An endpoint for invoking the updated gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the updated gateway.
statusReasons (list) --
The reasons for the current status of the updated gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The updated description of the gateway.
roleArn (string) --
The updated IAM role ARN that provides permissions for the gateway.
protocolType (string) --
The updated protocol type for the gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
The updated authorizer type for the gateway.
authorizerConfiguration (dict) --
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
kmsKeyArn (string) --
The updated ARN of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) --
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The updated policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the updated gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
{'credentialProviderConfigurations': {'credentialProvider': {'oauthCredentialProvider': {'defaultReturnUrl': 'string',
'grantType': 'CLIENT_CREDENTIALS | AUTHORIZATION_CODE'}}},
'targetConfiguration': {'mcp': {'apiGateway': {'apiGatewayToolConfiguration': {'toolFilters': [{'filterPath': 'string',
'methods': ['GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST']}],
'toolOverrides': [{'description': 'string',
'method': 'GET | DELETE | HEAD | OPTIONS | PATCH | PUT | POST',
'name': 'string',
'path': 'string'}]},
'restApiId': 'string',
'stage': 'string'}}}}
Updates an existing gateway target.
See also: AWS API Documentation
Request Syntax
client.update_gateway_target(
gatewayIdentifier='string',
targetId='string',
name='string',
description='string',
targetConfiguration={
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
credentialProviderConfigurations=[
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
]
)
string
[REQUIRED]
The unique identifier of the gateway associated with the target.
string
[REQUIRED]
The unique identifier of the gateway target to update.
string
[REQUIRED]
The updated name for the gateway target.
string
The updated description for the gateway target.
dict
[REQUIRED]
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) -- [REQUIRED]
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) -- [REQUIRED]
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) -- [REQUIRED]
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) -- [REQUIRED]
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) -- [REQUIRED]
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) -- [REQUIRED]
The ID of the API Gateway REST API.
stage (string) -- [REQUIRED]
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) -- [REQUIRED]
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) -- [REQUIRED]
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) -- [REQUIRED]
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) -- [REQUIRED]
The HTTP method to expose for the specified path.
toolFilters (list) -- [REQUIRED]
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) -- [REQUIRED]
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) -- [REQUIRED]
The methods to filter for.
(string) --
list
The updated credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) -- [REQUIRED]
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) -- [REQUIRED]
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string'
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the updated gateway target.
createdAt (datetime) --
The timestamp when the gateway target was created.
updatedAt (datetime) --
The timestamp when the gateway target was last updated.
status (string) --
The current status of the updated gateway target.
statusReasons (list) --
The reasons for the current status of the updated gateway target.
(string) --
name (string) --
The updated name of the gateway target.
description (string) --
The updated description of the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
credentialProviderConfigurations (list) --
The updated credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
lastSynchronizedAt (datetime) --
The date and time at which the targets were last synchronized.
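As an added example (not part of the AWS documentation or SDK), the following pre-flight check reviews the keyword arguments of an update_gateway_target call before it is sent, using the toolFilters, mcpServer and credential provider fields described above. The rules and severity levels are a review policy assumed for this example, not validation the service performs, and every identifier and ARN in the sample request is a placeholder.

```python
from urllib.parse import urlparse

# Review policy chosen for this example; the service does not enforce it.
STATE_CHANGING = {"DELETE", "PATCH", "PUT", "POST"}
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1}


def is_https(url):
    """True only for an absolute https URL with a host."""
    parsed = urlparse(url or "")
    return parsed.scheme == "https" and bool(parsed.netloc)


def review_target_update(kwargs):
    """Return sorted (severity, field, message) findings for the request kwargs."""
    findings = []
    mcp = kwargs.get("targetConfiguration", {}).get("mcp", {})

    # A wildcard filterPath turns every matching operation into an agent tool,
    # so pairing it with state-changing methods deserves a second look.
    tool_cfg = mcp.get("apiGateway", {}).get("apiGatewayToolConfiguration", {})
    for i, flt in enumerate(tool_cfg.get("toolFilters", [])):
        path = flt.get("filterPath", "")
        risky = sorted(STATE_CHANGING & set(flt.get("methods", [])))
        if path.endswith("/*") and risky:
            findings.append(("HIGH", f"toolFilters[{i}]",
                             f"wildcard {path} exposes {', '.join(risky)} as tools"))

    endpoint = mcp.get("mcpServer", {}).get("endpoint")
    if endpoint is not None and not is_https(endpoint):
        findings.append(("HIGH", "mcpServer.endpoint", "endpoint is not an https URL"))

    for i, cfg in enumerate(kwargs.get("credentialProviderConfigurations", [])):
        where = f"credentialProviderConfigurations[{i}]"
        kind = cfg.get("credentialProviderType")
        provider = cfg.get("credentialProvider", {})
        api_key = provider.get("apiKeyCredentialProvider")
        oauth = provider.get("oauthCredentialProvider")

        # The declared type should come with its matching provider block.
        expected = {"OAUTH": oauth, "API_KEY": api_key}
        if kind in expected and expected[kind] is None:
            findings.append(("HIGH", where, f"type {kind} has no matching provider block"))

        if api_key and api_key.get("credentialLocation") == "QUERY_PARAMETER":
            findings.append(("MEDIUM", where,
                             "API key is sent in the query string, where URLs are routinely logged"))

        # The end user's browser is redirected to defaultReturnUrl after authorization.
        if oauth and oauth.get("grantType") == "AUTHORIZATION_CODE":
            if not is_https(oauth.get("defaultReturnUrl")):
                findings.append(("HIGH", where,
                                 "AUTHORIZATION_CODE without an https defaultReturnUrl"))

    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


# Constructed sample request; all identifiers and ARNs are placeholders.
RISKY_UPDATE = {
    "gatewayIdentifier": "example-gateway-id",
    "targetId": "EXAMPLETGT",
    "name": "pets-api",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "exampleapi",
        "stage": "prod",
        "apiGatewayToolConfiguration": {
            "toolFilters": [
                {"filterPath": "/pets/*", "methods": ["GET", "DELETE", "POST"]},
                {"filterPath": "/pets", "methods": ["GET"]},
            ],
        },
    }}},
    "credentialProviderConfigurations": [
        {"credentialProviderType": "API_KEY", "credentialProvider": {
            "apiKeyCredentialProvider": {
                "providerArn": "arn:aws:example:placeholder-api-key-provider",
                "credentialParameterName": "api_key",
                "credentialLocation": "QUERY_PARAMETER"}}},
        {"credentialProviderType": "OAUTH", "credentialProvider": {
            "oauthCredentialProvider": {
                "providerArn": "arn:aws:example:placeholder-oauth-provider",
                "scopes": ["pets.read"],
                "grantType": "AUTHORIZATION_CODE",
                "defaultReturnUrl": "http://app.example.com/callback"}}},
    ],
}

if __name__ == "__main__":
    for severity, field, message in review_target_update(RISKY_UPDATE):
        print(f"{severity:6} {field}: {message}")
```

Running the review in a deployment pipeline before calling update_gateway_target lets a change be blocked on HIGH findings while MEDIUM findings are recorded for follow-up.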
{'memoryStrategies': {'addMemoryStrategies': {'customMemoryStrategy': {'configuration': {'episodicOverride': {'consolidation': {'appendToPrompt': 'string',
'modelId': 'string'},
'extraction': {'appendToPrompt': 'string',
'modelId': 'string'},
'reflection': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}}}},
'episodicMemoryStrategy': {'description': 'string',
'name': 'string',
'namespaces': ['string'],
'reflectionConfiguration': {'namespaces': ['string']}}},
'modifyMemoryStrategies': {'configuration': {'consolidation': {'customConsolidationConfiguration': {'episodicConsolidationOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'extraction': {'customExtractionConfiguration': {'episodicExtractionOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'reflection': {'customReflectionConfiguration': {'episodicReflectionOverride': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}},
'episodicReflectionConfiguration': {'namespaces': ['string']}}}}}}
Response {'memory': {'strategies': {'configuration': {'consolidation': {'customConsolidationConfiguration': {'episodicConsolidationOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'extraction': {'customExtractionConfiguration': {'episodicExtractionOverride': {'appendToPrompt': 'string',
'modelId': 'string'}}},
'reflection': {'customReflectionConfiguration': {'episodicReflectionOverride': {'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': ['string']}},
'episodicReflectionConfiguration': {'namespaces': ['string']}},
'type': {'EPISODIC_OVERRIDE'}},
'type': {'EPISODIC'}}}}
Updates an Amazon Bedrock AgentCore Memory resource.
See also: AWS API Documentation
Request Syntax
client.update_memory(
clientToken='string',
memoryId='string',
description='string',
eventExpiryDuration=123,
memoryExecutionRoleArn='string',
memoryStrategies={
'addMemoryStrategies': [
{
'semanticMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'summaryMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'userPreferenceMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
]
},
'customMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
],
'configuration': {
'semanticOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'summaryOverride': {
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'userPreferenceOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
}
},
'episodicOverride': {
'extraction': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'consolidation': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'reflection': {
'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': [
'string',
]
}
},
'selfManagedConfiguration': {
'triggerConditions': [
{
'messageBasedTrigger': {
'messageCount': 123
},
'tokenBasedTrigger': {
'tokenCount': 123
},
'timeBasedTrigger': {
'idleSessionTimeout': 123
}
},
],
'invocationConfiguration': {
'topicArn': 'string',
'payloadDeliveryBucketName': 'string'
},
'historicalContextWindowSize': 123
}
}
},
'episodicMemoryStrategy': {
'name': 'string',
'description': 'string',
'namespaces': [
'string',
],
'reflectionConfiguration': {
'namespaces': [
'string',
]
}
}
},
],
'modifyMemoryStrategies': [
{
'memoryStrategyId': 'string',
'description': 'string',
'namespaces': [
'string',
],
'configuration': {
'extraction': {
'customExtractionConfiguration': {
'semanticExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicExtractionOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'consolidation': {
'customConsolidationConfiguration': {
'semanticConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'summaryConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'userPreferenceConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
},
'episodicConsolidationOverride': {
'appendToPrompt': 'string',
'modelId': 'string'
}
}
},
'reflection': {
'episodicReflectionConfiguration': {
'namespaces': [
'string',
]
},
'customReflectionConfiguration': {
'episodicReflectionOverride': {
'appendToPrompt': 'string',
'modelId': 'string',
'namespaces': [
'string',
]
}
}
},
'selfManagedConfiguration': {
'triggerConditions': [
{
'messageBasedTrigger': {
'messageCount': 123
},
'tokenBasedTrigger': {
'tokenCount': 123
},
'timeBasedTrigger': {
'idleSessionTimeout': 123
}
},
],
'invocationConfiguration': {
'topicArn': 'string',
'payloadDeliveryBucketName': 'string'
},
'historicalContextWindowSize': 123
}
}
},
],
'deleteMemoryStrategies': [
{
'memoryStrategyId': 'string'
},
]
}
)
string
A client token is used for keeping track of idempotent requests. It can contain a session id which can be around 250 chars, combined with a unique AWS identifier.
This field is autopopulated if not provided.
string
[REQUIRED]
The unique identifier of the memory to update.
string
The updated description of the AgentCore Memory resource.
integer
The number of days after which memory events will expire, between 7 and 365 days.
string
The ARN of the IAM role that provides permissions for the AgentCore Memory resource.
dict
The memory strategies to add, modify, or delete.
addMemoryStrategies (list) --
The list of memory strategies to add.
(dict) --
Contains input information for creating a memory strategy.
semanticMemoryStrategy (dict) --
Input for creating a semantic memory strategy.
name (string) -- [REQUIRED]
The name of the semantic memory strategy.
description (string) --
The description of the semantic memory strategy.
namespaces (list) --
The namespaces associated with the semantic memory strategy.
(string) --
summaryMemoryStrategy (dict) --
Input for creating a summary memory strategy.
name (string) -- [REQUIRED]
The name of the summary memory strategy.
description (string) --
The description of the summary memory strategy.
namespaces (list) --
The namespaces associated with the summary memory strategy.
(string) --
userPreferenceMemoryStrategy (dict) --
Input for creating a user preference memory strategy.
name (string) -- [REQUIRED]
The name of the user preference memory strategy.
description (string) --
The description of the user preference memory strategy.
namespaces (list) --
The namespaces associated with the user preference memory strategy.
(string) --
customMemoryStrategy (dict) --
Input for creating a custom memory strategy.
name (string) -- [REQUIRED]
The name of the custom memory strategy.
description (string) --
The description of the custom memory strategy.
namespaces (list) --
The namespaces associated with the custom memory strategy.
(string) --
configuration (dict) --
The configuration for the custom memory strategy.
semanticOverride (dict) --
The semantic override configuration for a custom memory strategy.
extraction (dict) --
The extraction configuration for a semantic override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic extraction.
modelId (string) -- [REQUIRED]
The model ID to use for semantic extraction.
consolidation (dict) --
The consolidation configuration for a semantic override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for semantic consolidation.
summaryOverride (dict) --
The summary override configuration for a custom memory strategy.
consolidation (dict) --
The consolidation configuration for a summary override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for summary consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for summary consolidation.
userPreferenceOverride (dict) --
The user preference override configuration for a custom memory strategy.
extraction (dict) --
The extraction configuration for a user preference override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference extraction.
modelId (string) -- [REQUIRED]
The model ID to use for user preference extraction.
consolidation (dict) --
The consolidation configuration for a user preference override.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for user preference consolidation.
episodicOverride (dict) --
The episodic memory strategy override configuration for a custom memory strategy.
extraction (dict) --
Contains configurations for overriding the extraction step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the extraction step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the extraction step of the episodic memory strategy.
consolidation (dict) --
Contains configurations for overriding the consolidation step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the consolidation step of the episodic memory strategy.
reflection (dict) --
Contains configurations for overriding the reflection step of the episodic memory strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the reflection step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
The self-managed configuration for a custom memory strategy.
triggerConditions (list) --
A list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) -- [REQUIRED]
The configuration used to invoke a self-managed memory processing pipeline.
topicArn (string) -- [REQUIRED]
The ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) -- [REQUIRED]
The S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
Number of historical messages to include in processing context.
episodicMemoryStrategy (dict) --
Input for creating an episodic memory strategy.
name (string) -- [REQUIRED]
The name of the episodic memory strategy.
description (string) --
The description of the episodic memory strategy.
namespaces (list) --
The namespaces for which to create episodes.
(string) --
reflectionConfiguration (dict) --
The configuration for the reflections created with the episodic memory strategy.
namespaces (list) -- [REQUIRED]
The namespaces over which to create reflections. Can be less nested than episode namespaces.
(string) --
modifyMemoryStrategies (list) --
The list of memory strategies to modify.
(dict) --
Input for modifying a memory strategy.
memoryStrategyId (string) -- [REQUIRED]
The unique identifier of the memory strategy to modify.
description (string) --
The updated description of the memory strategy.
namespaces (list) --
The updated namespaces for the memory strategy.
(string) --
configuration (dict) --
The updated configuration for the memory strategy.
extraction (dict) --
The updated extraction configuration.
customExtractionConfiguration (dict) --
The updated custom extraction configuration.
semanticExtractionOverride (dict) --
The semantic extraction override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic extraction.
modelId (string) -- [REQUIRED]
The model ID to use for semantic extraction.
userPreferenceExtractionOverride (dict) --
The user preference extraction override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference extraction.
modelId (string) -- [REQUIRED]
The model ID to use for user preference extraction.
episodicExtractionOverride (dict) --
Configurations to override the extraction step of the episodic strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the extraction step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the extraction step of the episodic memory strategy.
consolidation (dict) --
The updated consolidation configuration.
customConsolidationConfiguration (dict) --
The updated custom consolidation configuration.
semanticConsolidationOverride (dict) --
The semantic consolidation override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for semantic consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for semantic consolidation.
summaryConsolidationOverride (dict) --
The summary consolidation override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for summary consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for summary consolidation.
userPreferenceConsolidationOverride (dict) --
The user preference consolidation override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for user preference consolidation.
modelId (string) -- [REQUIRED]
The model ID to use for user preference consolidation.
episodicConsolidationOverride (dict) --
Configurations to override the consolidation step of the episodic strategy.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the consolidation step of the episodic memory strategy.
reflection (dict) --
The updated reflection configuration.
episodicReflectionConfiguration (dict) --
The updated episodic reflection configuration.
namespaces (list) -- [REQUIRED]
The namespaces over which to create reflections. Can be less nested than episode namespaces.
(string) --
customReflectionConfiguration (dict) --
The updated custom reflection configuration.
episodicReflectionOverride (dict) --
The reflection override configuration input.
appendToPrompt (string) -- [REQUIRED]
The text to append to the prompt for the reflection step of the episodic memory strategy.
modelId (string) -- [REQUIRED]
The model ID to use for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
The updated self-managed configuration.
triggerConditions (list) --
The updated list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) --
The updated configuration used to invoke the self-managed memory processing pipeline.
topicArn (string) --
The updated ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) --
The updated S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
The updated number of historical messages to include in processing context.
deleteMemoryStrategies (list) --
The list of memory strategies to delete.
(dict) --
Input for deleting a memory strategy.
memoryStrategyId (string) -- [REQUIRED]
The unique identifier of the memory strategy to delete.
dict
Response Syntax
{
    'memory': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'encryptionKeyArn': 'string',
        'memoryExecutionRoleArn': 'string',
        'eventExpiryDuration': 123,
        'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING',
        'failureReason': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'strategies': [
            {
                'strategyId': 'string',
                'name': 'string',
                'description': 'string',
                'configuration': {
                    'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
                    'extraction': {
                        'customExtractionConfiguration': {
                            'semanticExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'consolidation': {
                        'customConsolidationConfiguration': {
                            'semanticConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'summaryConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'reflection': {
                        'customReflectionConfiguration': {
                            'episodicReflectionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ]
                            }
                        },
                        'episodicReflectionConfiguration': {
                            'namespaces': [
                                'string',
                            ]
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
                'namespaces': [
                    'string',
                ],
                'createdAt': datetime(2015, 1, 1),
                'updatedAt': datetime(2015, 1, 1),
                'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED'
            },
        ]
    }
}
Response Structure
(dict) --
memory (dict) --
The updated AgentCore Memory resource details.
arn (string) --
The Amazon Resource Name (ARN) of the memory.
id (string) --
The unique identifier of the memory.
name (string) --
The name of the memory.
description (string) --
The description of the memory.
encryptionKeyArn (string) --
The ARN of the KMS key used to encrypt the memory.
memoryExecutionRoleArn (string) --
The ARN of the IAM role that provides permissions for the memory.
eventExpiryDuration (integer) --
The number of days after which memory events will expire.
status (string) --
The current status of the memory.
failureReason (string) --
The reason for failure if the memory is in a failed state.
createdAt (datetime) --
The timestamp when the memory was created.
updatedAt (datetime) --
The timestamp when the memory was last updated.
strategies (list) --
The list of memory strategies associated with this memory.
(dict) --
Contains information about a memory strategy.
strategyId (string) --
The unique identifier of the memory strategy.
name (string) --
The name of the memory strategy.
description (string) --
The description of the memory strategy.
configuration (dict) --
The configuration of the memory strategy.
type (string) --
The type of override for the strategy configuration.
extraction (dict) --
The extraction configuration for the memory strategy.
customExtractionConfiguration (dict) --
The custom extraction configuration.
semanticExtractionOverride (dict) --
The semantic extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic extraction.
modelId (string) --
The model ID to use for semantic extraction.
userPreferenceExtractionOverride (dict) --
The user preference extraction override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference extraction.
modelId (string) --
The model ID to use for user preference extraction.
episodicExtractionOverride (dict) --
The configurations to override the default extraction step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the extraction step of the episodic memory strategy.
modelId (string) --
The model ID used for the extraction step of the episodic memory strategy.
consolidation (dict) --
The consolidation configuration for the memory strategy.
customConsolidationConfiguration (dict) --
The custom consolidation configuration.
semanticConsolidationOverride (dict) --
The semantic consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for semantic consolidation.
modelId (string) --
The model ID to use for semantic consolidation.
summaryConsolidationOverride (dict) --
The summary consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for summary consolidation.
modelId (string) --
The model ID to use for summary consolidation.
userPreferenceConsolidationOverride (dict) --
The user preference consolidation override configuration.
appendToPrompt (string) --
The text to append to the prompt for user preference consolidation.
modelId (string) --
The model ID to use for user preference consolidation.
episodicConsolidationOverride (dict) --
The configurations to override the default consolidation step for the episodic memory strategy.
appendToPrompt (string) --
The text appended to the prompt for the consolidation step of the episodic memory strategy.
modelId (string) --
The model ID used for the consolidation step of the episodic memory strategy.
reflection (dict) --
The reflection configuration for the memory strategy.
customReflectionConfiguration (dict) --
The configuration for a custom reflection strategy.
episodicReflectionOverride (dict) --
The configuration for a reflection strategy to override the default one.
appendToPrompt (string) --
The text appended to the prompt for the reflection step of the episodic memory strategy.
modelId (string) --
The model ID used for the reflection step of the episodic memory strategy.
namespaces (list) --
The namespaces over which reflections were created. Can be less nested than the episodic namespaces.
(string) --
episodicReflectionConfiguration (dict) --
The configuration for the episodic reflection strategy.
namespaces (list) --
The namespaces for which to create reflections. Can be less nested than the episodic namespaces.
(string) --
selfManagedConfiguration (dict) --
Self-managed configuration settings.
triggerConditions (list) --
A list of conditions that trigger memory processing.
(dict) --
Condition that triggers memory processing.
messageBasedTrigger (dict) --
Message based trigger configuration.
messageCount (integer) --
The number of messages that trigger memory processing.
tokenBasedTrigger (dict) --
Token based trigger configuration.
tokenCount (integer) --
Number of tokens that trigger memory processing.
timeBasedTrigger (dict) --
Time based trigger configuration.
idleSessionTimeout (integer) --
Idle session timeout (seconds) that triggers memory processing.
invocationConfiguration (dict) --
The configuration to use when invoking memory processing.
topicArn (string) --
The ARN of the SNS topic for job notifications.
payloadDeliveryBucketName (string) --
The S3 bucket name for event payload delivery.
historicalContextWindowSize (integer) --
The number of historical messages to include in processing context.
type (string) --
The type of the memory strategy.
namespaces (list) --
The namespaces associated with the memory strategy.
(string) --
createdAt (datetime) --
The timestamp when the memory strategy was created.
updatedAt (datetime) --
The timestamp when the memory strategy was last updated.
status (string) --
The current status of the memory strategy.
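The response structure above carries the settings that decide which model processes memory content (modelId and appendToPrompt overrides) and where self-managed payloads and notifications go (payloadDeliveryBucketName, topicArn). The following is an added example, not part of the AWS documentation: a review helper that walks one `memory` dict and lists those settings against allowlists. The allowlist values, the finding wording and the sample response are constructed assumptions; only the field names come from the structure documented here.

```python
# Constructed allowlists (assumptions); replace with your approved values.
APPROVED_MODELS = {"example.approved-model-v1"}
APPROVED_BUCKETS = {"example-memory-payloads"}
APPROVED_TOPIC_PREFIX = "arn:aws:sns:us-east-1:111122223333:"


def find_overrides(node, path=""):
    """Yield (path, dict) for every nested dict that carries a modelId."""
    if isinstance(node, dict):
        if "modelId" in node:
            yield path, node
        for key, value in node.items():
            yield from find_overrides(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_overrides(item, f"{path}[{i}]")


def audit_memory(memory):
    """Return review findings for one 'memory' dict from the response."""
    findings = []
    if not memory.get("encryptionKeyArn"):
        findings.append("memory: no encryptionKeyArn in response")
    for strategy in memory.get("strategies", []):
        sid = strategy.get("strategyId", "?")
        config = strategy.get("configuration") or {}
        for path, override in find_overrides(config):
            if override["modelId"] not in APPROVED_MODELS:
                findings.append(f"{sid}: {path} uses unapproved model {override['modelId']}")
            if override.get("appendToPrompt"):
                findings.append(f"{sid}: {path} appends custom prompt text; review it")
        invocation = (config.get("selfManagedConfiguration") or {}).get("invocationConfiguration") or {}
        bucket = invocation.get("payloadDeliveryBucketName")
        if bucket and bucket not in APPROVED_BUCKETS:
            findings.append(f"{sid}: payloads delivered to unapproved bucket {bucket}")
        topic = invocation.get("topicArn")
        if topic and not topic.startswith(APPROVED_TOPIC_PREFIX):
            findings.append(f"{sid}: notifications sent to unapproved topic {topic}")
    return findings

# Constructed sample shaped like the response above (not real service output).
SAMPLE_MEMORY = {"id": "mem-example", "strategies": [
    {"strategyId": "strat-episodic", "configuration": {"type": "EPISODIC_OVERRIDE",
        "reflection": {"customReflectionConfiguration": {"episodicReflectionOverride": {
            "appendToPrompt": "Prefer concise reflections.",
            "modelId": "example.unreviewed-model", "namespaces": ["/agents"]}}}}},
    {"strategyId": "strat-self", "configuration": {"type": "SELF_MANAGED",
        "selfManagedConfiguration": {"invocationConfiguration": {
            "topicArn": "arn:aws:sns:us-east-1:999999999999:jobs",
            "payloadDeliveryBucketName": "someone-elses-bucket"}}}},
]}

if __name__ == "__main__":
    print("\n".join(audit_memory(SAMPLE_MEMORY)))
```

To run it against a live resource, pass the `memory` value of the response in place of `SAMPLE_MEMORY`.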