Amazon Bedrock AgentCore Control

2026/06/17 - Amazon Bedrock AgentCore Control - 6 new, 34 updated api methods

Changes: AgentCore Harness service will be Generally Available at NYS 2026 with this Treb release. Harness will support invoking specific endpoints via the qualifier parameter, AWS Skills for pre-built agent capabilities, and improved validation for skill git source URLs.

CreateHarnessEndpoint (new)

Operation to create a harness endpoint.

See also: AWS API Documentation

Request Syntax

client.create_harness_endpoint(
    harnessId='string',
    endpointName='string',
    targetVersion='string',
    description='string',
    clientToken='string',
    tags={
        'string': 'string'
    }
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to create an endpoint for.

type endpointName:

string

param endpointName:

[REQUIRED]

The name of the endpoint. Must start with a letter and contain only alphanumeric characters and underscores.

type targetVersion:

string

param targetVersion:

The harness version that the endpoint points to and serves invocations from.

type description:

string

param description:

A description of the endpoint.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type tags:

dict

param tags:

Tags to apply to the endpoint resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'endpoint': {
        'harnessId': 'string',
        'harnessName': 'string',
        'endpointName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'liveVersion': 'string',
        'targetVersion': 'string',
        'description': 'string',
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • endpoint (dict) --

      The endpoint that was created.

      • harnessId (string) --

        The ID of the harness that the endpoint belongs to.

      • harnessName (string) --

        The name of the harness that the endpoint belongs to.

      • endpointName (string) --

        The name of the endpoint.

      • arn (string) --

        The ARN of the endpoint.

      • status (string) --

        The status of the endpoint.

      • createdAt (datetime) --

        The timestamp when the endpoint was created.

      • updatedAt (datetime) --

        The timestamp when the endpoint was last updated.

      • liveVersion (string) --

        The harness version that the endpoint is currently serving.

      • targetVersion (string) --

        The harness version that the endpoint points to. While an update is in progress, this can differ from the live version until the endpoint finishes transitioning.

      • description (string) --

        The description of the endpoint.

      • failureReason (string) --

        The reason the endpoint's last create or update operation failed.

GetHarnessEndpoint (new)

Operation to get a single harness endpoint.

See also: AWS API Documentation

Request Syntax

client.get_harness_endpoint(
    harnessId='string',
    endpointName='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness that the endpoint belongs to.

type endpointName:

string

param endpointName:

[REQUIRED]

The name of the endpoint to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'endpoint': {
        'harnessId': 'string',
        'harnessName': 'string',
        'endpointName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'liveVersion': 'string',
        'targetVersion': 'string',
        'description': 'string',
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • endpoint (dict) --

      The endpoint resource.

      • harnessId (string) --

        The ID of the harness that the endpoint belongs to.

      • harnessName (string) --

        The name of the harness that the endpoint belongs to.

      • endpointName (string) --

        The name of the endpoint.

      • arn (string) --

        The ARN of the endpoint.

      • status (string) --

        The status of the endpoint.

      • createdAt (datetime) --

        The timestamp when the endpoint was created.

      • updatedAt (datetime) --

        The timestamp when the endpoint was last updated.

      • liveVersion (string) --

        The harness version that the endpoint is currently serving.

      • targetVersion (string) --

        The harness version that the endpoint points to. While an update is in progress, this can differ from the live version until the endpoint finishes transitioning.

      • description (string) --

        The description of the endpoint.

      • failureReason (string) --

        The reason the endpoint's last create or update operation failed.

UpdateHarnessEndpoint (new)

Operation to update a harness endpoint.

See also: AWS API Documentation

Request Syntax

client.update_harness_endpoint(
    harnessId='string',
    endpointName='string',
    targetVersion='string',
    description='string',
    clientToken='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness that the endpoint belongs to.

type endpointName:

string

param endpointName:

[REQUIRED]

The name of the endpoint to update.

type targetVersion:

string

param targetVersion:

The harness version that the endpoint points to. If not specified, the existing value is retained.

type description:

string

param description:

A description of the endpoint. If not specified, the existing value is retained.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'endpoint': {
        'harnessId': 'string',
        'harnessName': 'string',
        'endpointName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'liveVersion': 'string',
        'targetVersion': 'string',
        'description': 'string',
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • endpoint (dict) --

      The updated endpoint.

      • harnessId (string) --

        The ID of the harness that the endpoint belongs to.

      • harnessName (string) --

        The name of the harness that the endpoint belongs to.

      • endpointName (string) --

        The name of the endpoint.

      • arn (string) --

        The ARN of the endpoint.

      • status (string) --

        The status of the endpoint.

      • createdAt (datetime) --

        The timestamp when the endpoint was created.

      • updatedAt (datetime) --

        The timestamp when the endpoint was last updated.

      • liveVersion (string) --

        The harness version that the endpoint is currently serving.

      • targetVersion (string) --

        The harness version that the endpoint points to. While an update is in progress, this can differ from the live version until the endpoint finishes transitioning.

      • description (string) --

        The description of the endpoint.

      • failureReason (string) --

        The reason the endpoint's last create or update operation failed.

ListHarnessEndpoints (new)

Operation to list the endpoints of a harness.

See also: AWS API Documentation

Request Syntax

client.list_harness_endpoints(
    harnessId='string',
    maxResults=123,
    nextToken='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness whose endpoints are listed.

type maxResults:

integer

param maxResults:

The maximum number of results to return in a single call.

type nextToken:

string

param nextToken:

The token for the next set of results.

rtype:

dict

returns:

Response Syntax

{
    'endpoints': [
        {
            'harnessId': 'string',
            'harnessName': 'string',
            'endpointName': 'string',
            'arn': 'string',
            'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'liveVersion': 'string',
            'targetVersion': 'string',
            'description': 'string',
            'failureReason': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • endpoints (list) --

      The list of harness endpoints.

      • (dict) --

        Representation of a harness endpoint. An endpoint is a named, stable reference to a specific version of a harness that callers invoke, allowing the underlying version to be updated without changing how the agent is invoked.

        • harnessId (string) --

          The ID of the harness that the endpoint belongs to.

        • harnessName (string) --

          The name of the harness that the endpoint belongs to.

        • endpointName (string) --

          The name of the endpoint.

        • arn (string) --

          The ARN of the endpoint.

        • status (string) --

          The status of the endpoint.

        • createdAt (datetime) --

          The timestamp when the endpoint was created.

        • updatedAt (datetime) --

          The timestamp when the endpoint was last updated.

        • liveVersion (string) --

          The harness version that the endpoint is currently serving.

        • targetVersion (string) --

          The harness version that the endpoint points to. While an update is in progress, this can differ from the live version until the endpoint finishes transitioning.

        • description (string) --

          The description of the endpoint.

        • failureReason (string) --

          The reason the endpoint's last create or update operation failed.

    • nextToken (string) --

      The token for the next set of results.

DeleteHarnessEndpoint (new)

Operation to delete a harness endpoint.

See also: AWS API Documentation

Request Syntax

client.delete_harness_endpoint(
    harnessId='string',
    endpointName='string',
    clientToken='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness that the endpoint belongs to.

type endpointName:

string

param endpointName:

[REQUIRED]

The name of the endpoint to delete.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'endpoint': {
        'harnessId': 'string',
        'harnessName': 'string',
        'endpointName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'liveVersion': 'string',
        'targetVersion': 'string',
        'description': 'string',
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • endpoint (dict) --

      The endpoint that was deleted.

      • harnessId (string) --

        The ID of the harness that the endpoint belongs to.

      • harnessName (string) --

        The name of the harness that the endpoint belongs to.

      • endpointName (string) --

        The name of the endpoint.

      • arn (string) --

        The ARN of the endpoint.

      • status (string) --

        The status of the endpoint.

      • createdAt (datetime) --

        The timestamp when the endpoint was created.

      • updatedAt (datetime) --

        The timestamp when the endpoint was last updated.

      • liveVersion (string) --

        The harness version that the endpoint is currently serving.

      • targetVersion (string) --

        The harness version that the endpoint points to. While an update is in progress, this can differ from the live version until the endpoint finishes transitioning.

      • description (string) --

        The description of the endpoint.

      • failureReason (string) --

        The reason the endpoint's last create or update operation failed.

ListHarnessVersions (new)

Operation to list the versions of a Harness.

See also: AWS API Documentation

Request Syntax

client.list_harness_versions(
    harnessId='string',
    maxResults=123,
    nextToken='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness whose versions are listed.

type maxResults:

integer

param maxResults:

The maximum number of results to return in a single call.

type nextToken:

string

param nextToken:

The token for the next set of results.

rtype:

dict

returns:

Response Syntax

{
    'harnessVersions': [
        {
            'harnessId': 'string',
            'harnessName': 'string',
            'arn': 'string',
            'harnessVersion': 'string',
            'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'failureReason': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • harnessVersions (list) --

      The list of harness version summaries.

      • (dict) --

        Summary information about a single version of a harness.

        • harnessId (string) --

          The ID of the harness.

        • harnessName (string) --

          The name of the harness.

        • arn (string) --

          The ARN of the harness.

        • harnessVersion (string) --

          The version of the harness that this summary describes.

        • status (string) --

          The status of this harness version.

        • createdAt (datetime) --

          The timestamp when this harness version was created.

        • updatedAt (datetime) --

          The timestamp when this harness version was last updated.

        • failureReason (string) --

          Reason why the create or update operation for this harness version failed.

    • nextToken (string) --

      The token for the next set of results.
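Added example, not part of the AWS reference: one way to repoint an endpoint with UpdateHarnessEndpoint and confirm the switch by polling GetHarnessEndpoint until `liveVersion` matches `targetVersion`, since `status` alone does not say which version is being served. `repoint_endpoint`, `version_status`, `FakeControlClient` and the sample IDs are constructed for this example, and the READY pre-check on the version is this example's precaution, not a documented service rule.

```python
import re
import time

# endpointName rule from the parameter description: starts with a letter,
# then only alphanumeric characters and underscores.
ENDPOINT_NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
FAILED_STATES = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}


class RolloutError(RuntimeError):
    """The target version is unusable or the endpoint reported a failure."""


def valid_endpoint_name(name):
    return isinstance(name, str) and ENDPOINT_NAME_RE.fullmatch(name) is not None


def version_status(client, harness_id, version):
    """Page through ListHarnessVersions; return the version's status or None."""
    kwargs = {"harnessId": harness_id}
    while True:
        page = client.list_harness_versions(**kwargs)
        for summary in page.get("harnessVersions", []):
            if summary.get("harnessVersion") == version:
                return summary.get("status")
        if not page.get("nextToken"):
            return None
        kwargs["nextToken"] = page["nextToken"]


def repoint_endpoint(client, harness_id, endpoint_name, target_version,
                     timeout_s=300, poll_s=5, sleep=time.sleep):
    """Point an endpoint at target_version and wait until it is served."""
    if not valid_endpoint_name(endpoint_name):
        raise ValueError(f"invalid endpointName: {endpoint_name!r}")
    # Precaution chosen for this example (not a documented service rule):
    # only repoint to a version that ListHarnessVersions reports as READY.
    status = version_status(client, harness_id, target_version)
    if status != "READY":
        raise RolloutError(f"version {target_version!r} has status {status!r}")

    client.update_harness_endpoint(harnessId=harness_id,
                                   endpointName=endpoint_name,
                                   targetVersion=target_version)
    waited = 0
    while True:
        ep = client.get_harness_endpoint(harnessId=harness_id,
                                         endpointName=endpoint_name)["endpoint"]
        if ep.get("status") in FAILED_STATES:
            reason = ep.get("failureReason", "no reason given")
            raise RolloutError(f"{ep['status']}: {reason}")
        # targetVersion can differ from liveVersion while an update is in
        # progress, so require both READY and liveVersion == target.
        if ep.get("status") == "READY" and ep.get("liveVersion") == target_version:
            return ep
        if waited >= timeout_s:
            raise TimeoutError(f"{endpoint_name} still serves {ep.get('liveVersion')!r}")
        sleep(poll_s)
        waited += poll_s


class FakeControlClient:
    """Constructed stand-in for the service client so the example runs offline."""

    def __init__(self, fail=False):
        self.fail = fail
        self.polls = 0
        self.endpoint = {"harnessId": "h-example", "endpointName": "prod",
                         "status": "READY", "liveVersion": "1",
                         "targetVersion": "1"}

    def list_harness_versions(self, harnessId, nextToken=None):
        if nextToken is None:  # first page, with a continuation token
            return {"harnessVersions": [{"harnessVersion": "1", "status": "READY"}],
                    "nextToken": "page2"}
        return {"harnessVersions": [{"harnessVersion": "2", "status": "READY"},
                                    {"harnessVersion": "3", "status": "CREATE_FAILED"}]}

    def update_harness_endpoint(self, harnessId, endpointName, targetVersion):
        self.endpoint.update(status="UPDATING", targetVersion=targetVersion)
        return {"endpoint": dict(self.endpoint)}

    def get_harness_endpoint(self, harnessId, endpointName):
        self.polls += 1
        if self.polls >= 3 and self.endpoint["status"] == "UPDATING":
            if self.fail:
                self.endpoint.update(status="UPDATE_FAILED",
                                     failureReason="constructed failure")
            else:
                self.endpoint.update(status="READY",
                                     liveVersion=self.endpoint["targetVersion"])
        return {"endpoint": dict(self.endpoint)}


if __name__ == "__main__":
    ep = repoint_endpoint(FakeControlClient(), "h-example", "prod", "2",
                          sleep=lambda s: None)
    print(ep["status"], ep["liveVersion"])
```

Against the real service, pass a boto3 client for this API in place of `FakeControlClient` and keep the default `sleep`.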

CreateAgentRuntime (updated)
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Creates an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.create_agent_runtime(
    agentRuntimeName='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    clientToken='string',
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ],
    tags={
        'string': 'string'
    }
)
type agentRuntimeName:

string

param agentRuntimeName:

[REQUIRED]

The name of the AgentCore Runtime.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

    • requireServiceS3Endpoint (boolean) --

      Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

      Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

      Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

      This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type description:

string

param description:

The description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

Configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The life cycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The filesystem configurations to mount into the AgentCore Runtime. Use filesystem configurations to provide persistent storage to your AgentCore Runtime sessions.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • s3FilesAccessPoint (dict) --

      Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the S3 Files access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • efsAccessPoint (dict) --

      Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the EFS access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type tags:

dict

param tags:

A map of tag keys and values to assign to the agent runtime. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • status (string) --

      The current status of the AgentCore Runtime.

CreateGateway (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'interceptorConfigurations': {'inputConfiguration': {'payloadFilter': {'exclude': [{'field': 'RESPONSE_BODY'}]}}}}
Response
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'customTransformConfiguration': {'lambda': {'arn': 'string'}},
 'interceptorConfigurations': {'inputConfiguration': {'payloadFilter': {'exclude': [{'field': 'RESPONSE_BODY'}]}}},
 'wafConfiguration': {'failureMode': 'FAIL_CLOSE | FAIL_OPEN'},
 'webAclArn': 'string'}

Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_gateway(
    name='string',
    description='string',
    clientToken='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    kmsKeyArn='string',
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the gateway. The name must be unique within your account.

type description:

string

param description:

The description of the gateway.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.

type protocolType:

string

param protocolType:

The protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration settings for the protocol specified in the protocolType parameter.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • sessionConfiguration (dict) --

      The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

      • sessionTimeoutInSeconds (integer) --

        The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

    • streamingConfiguration (dict) --

      The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

      • enableResponseStreaming (boolean) --

        Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the gateway.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

  • NONE - No authorization.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type kmsKeyArn:

string

param kmsKeyArn:

The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

type interceptorConfigurations:

list

param interceptorConfigurations:

A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the Lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The ARN of the Lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies at which points during the gateway invocation the interceptor is invoked.

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

      • payloadFilter (dict) --

        The filter that determines which parts of the request or response payload are passed as input to the interceptor.

        • exclude (list) -- [REQUIRED]

          The list of selectors that identify payload fields to exclude from the interceptor input.

          • (dict) --

            A selector that identifies a payload field to exclude from the interceptor input.

            • field (string) --

              The field to exclude from the interceptor input.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type tags:

dict

param tags:

A map of key-value pairs to associate with the gateway as metadata tags.

  • (string) --

    • (string) --
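A pre-flight review of the create_gateway arguments documented above, as an added example that is not part of the AWS reference. The function name, severity labels and sample ARNs, IDs and URLs are constructed; the "no restriction set" and "headers passed" findings are review prompts assumed here, not validation rules the service is known to apply.

```python
"""Pre-flight review of create_gateway keyword arguments (added example)."""

SESSION_TIMEOUT_MIN = 900     # seconds, minimum documented for sessionTimeoutInSeconds
SESSION_TIMEOUT_MAX = 28800   # seconds, maximum documented for sessionTimeoutInSeconds


def _managed_vpc_resources(jwt_cfg, jwt_path):
    """Yield (path, managedVpcResource) for every private endpoint of the authorizer."""
    endpoint = jwt_cfg.get("privateEndpoint") or {}
    if "managedVpcResource" in endpoint:
        yield f"{jwt_path}.privateEndpoint.managedVpcResource", endpoint["managedVpcResource"]
    for i, override in enumerate(jwt_cfg.get("privateEndpointOverrides") or []):
        endpoint = override.get("privateEndpoint") or {}
        if "managedVpcResource" in endpoint:
            path = f"{jwt_path}.privateEndpointOverrides[{i}].privateEndpoint.managedVpcResource"
            yield path, endpoint["managedVpcResource"]


def review_gateway_request(kwargs):
    """Return a list of (severity, path, message) findings for the request."""
    findings = []

    def add(severity, path, message):
        findings.append((severity, path, message))

    auth_type = kwargs.get("authorizerType")
    jwt_path = "authorizerConfiguration.customJWTAuthorizer"
    jwt_cfg = (kwargs.get("authorizerConfiguration") or {}).get("customJWTAuthorizer") or {}

    if auth_type is None:
        add("ERROR", "authorizerType", "required parameter is missing")
    elif auth_type == "NONE":
        add("HIGH", "authorizerType", "NONE means no authorization on the gateway")
    elif auth_type == "CUSTOM_JWT":
        if not jwt_cfg:
            add("ERROR", jwt_path, "required when authorizerType is CUSTOM_JWT")
        else:
            if not jwt_cfg.get("discoveryUrl"):
                add("ERROR", f"{jwt_path}.discoveryUrl", "required field is missing")
            restrictions = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
            if not any(jwt_cfg.get(key) for key in restrictions):
                # Review prompt (assumption of this example), not a documented rule.
                add("MEDIUM", jwt_path, "no audience, client, scope or custom-claim restriction is set")

    for path, vpc in _managed_vpc_resources(jwt_cfg, jwt_path):
        if not vpc.get("securityGroupIds"):
            add("MEDIUM", f"{path}.securityGroupIds", "unset, so the VPC default security group is used")

    mcp = (kwargs.get("protocolConfiguration") or {}).get("mcp") or {}
    timeout = (mcp.get("sessionConfiguration") or {}).get("sessionTimeoutInSeconds")
    if timeout is not None and not SESSION_TIMEOUT_MIN <= timeout <= SESSION_TIMEOUT_MAX:
        add("ERROR", "protocolConfiguration.mcp.sessionConfiguration.sessionTimeoutInSeconds",
            f"{timeout} is outside {SESSION_TIMEOUT_MIN}-{SESSION_TIMEOUT_MAX} seconds")

    policy = kwargs.get("policyEngineConfiguration")
    if policy is None:
        add("INFO", "policyEngineConfiguration", "no policy engine evaluates tool calls")
    elif policy.get("mode") == "LOG_ONLY":
        add("MEDIUM", "policyEngineConfiguration.mode", "LOG_ONLY traces decisions but does not enforce them")

    if kwargs.get("exceptionLevel") == "DEBUG":
        add("LOW", "exceptionLevel", "DEBUG returns granular exception messages to callers")

    for i, cfg in enumerate(kwargs.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            # Review prompt (assumption of this example): headers may carry credentials.
            add("LOW", f"interceptorConfigurations[{i}].inputConfiguration.passRequestHeaders",
                "request headers are passed to the interceptor Lambda")
    return findings


# Constructed sample requests; every ARN, ID and URL below is a placeholder.
_JWT_BASE = {"discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}
_VPC_BASE = {"vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"],
             "endpointIpAddressType": "IPV4"}

RISKY_REQUEST = {
    "name": "example_gateway",
    "roleArn": "arn:aws:iam::111122223333:role/ExampleGatewayRole",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        **_JWT_BASE, "privateEndpoint": {"managedVpcResource": dict(_VPC_BASE)}}},
    "protocolConfiguration": {"mcp": {"sessionConfiguration": {"sessionTimeoutInSeconds": 600}}},
    "policyEngineConfiguration": {"arn": "POLICY_ENGINE_ARN_PLACEHOLDER", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

HARDENED_REQUEST = {
    "name": "example_gateway",
    "roleArn": "arn:aws:iam::111122223333:role/ExampleGatewayRole",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        **_JWT_BASE, "allowedAudience": ["example-audience"],
        "privateEndpoint": {"managedVpcResource": {**_VPC_BASE, "securityGroupIds": ["sg-EXAMPLE"]}}}},
    "protocolConfiguration": {"mcp": {"sessionConfiguration": {"sessionTimeoutInSeconds": 3600}}},
    "policyEngineConfiguration": {"arn": "POLICY_ENGINE_ARN_PLACEHOLDER", "mode": "ENFORCE"},
}

if __name__ == "__main__":
    for severity, path, message in review_gateway_request(RISKY_REQUEST):
        print(f"{severity:6} {path}: {message}")
```

Run the review over the keyword arguments before passing them to client.create_gateway, and treat any ERROR or HIGH finding as a reason to stop.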

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the created gateway.

    • gatewayId (string) --

      The unique identifier of the created gateway.

    • gatewayUrl (string) --

      The URL endpoint for the created gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the gateway.

    • protocolType (string) --

      The protocol type of the gateway.

    • protocolConfiguration (dict) --

      The configuration settings for the protocol used by the gateway.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      The type of authorizer used by the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the created gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The list of interceptor configurations for the created gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the created gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the created gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.
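
A review check over the gateway settings described above, as an added example rather than AWS or boto3 code: it takes a gateway description shaped like this response and flags a WAF that is not fail-closed, a policy engine that is not enforcing, DEBUG error detail, an unpinned JWT authorizer, empty custom-claim rules, and interceptors that receive request headers. The `audit_gateway` helper, the finding codes, and the sample ARNs and URLs are constructed for illustration; treating an unset `failureMode` as unconfirmed is an assumption, because the page does not state a default.

```python
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Finding:
    code: str    # hypothetical finding identifier, not an AWS value
    detail: str


def audit_gateway(gw: dict[str, Any]) -> list[Finding]:
    """Flag security-relevant settings in a gateway description dict."""
    out: list[Finding] = []

    # WAF: a web ACL that fails open stops filtering whenever WAF is
    # unreachable or times out. Unset is treated as unconfirmed (assumption).
    if not gw.get("webAclArn"):
        out.append(Finding("WAF_NOT_ATTACHED", "webAclArn is empty"))
    else:
        mode = (gw.get("wafConfiguration") or {}).get("failureMode")
        if mode != "FAIL_CLOSE":
            out.append(Finding("WAF_NOT_FAIL_CLOSE", f"failureMode={mode!r}"))

    # Policy engine: LOG_ONLY only adds traces, it never denies a tool call.
    policy = gw.get("policyEngineConfiguration") or {}
    if not policy.get("arn"):
        out.append(Finding("POLICY_ENGINE_ABSENT", "no policy engine ARN"))
    elif policy.get("mode") != "ENFORCE":
        out.append(Finding("POLICY_NOT_ENFORCED", f"mode={policy.get('mode')!r}"))

    # DEBUG returns granular exception messages to the caller.
    if gw.get("exceptionLevel") == "DEBUG":
        out.append(Finding("DEBUG_ERRORS_EXPOSED", "exceptionLevel=DEBUG"))

    jwt = (gw.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt is not None:
        url = str(jwt.get("discoveryUrl", ""))
        if not url.lower().startswith("https://"):
            out.append(Finding("JWT_DISCOVERY_NOT_HTTPS", url))
        # Without an audience or client allow-list, the token is not tied
        # to this gateway by either of those claims.
        if not jwt.get("allowedAudience") and not jwt.get("allowedClients"):
            out.append(Finding("JWT_NOT_PINNED",
                               "no allowedAudience or allowedClients"))
        for claim in jwt.get("customClaims") or []:
            match = ((claim.get("authorizingClaimMatchValue") or {})
                     .get("claimMatchValue") or {})
            if not (match.get("matchValueString")
                    or match.get("matchValueStringList")):
                out.append(Finding("CLAIM_RULE_EMPTY",
                                   str(claim.get("inboundTokenClaimName"))))

    # Interceptor Lambdas that receive request headers handle whatever
    # credentials those headers carry; list them for review.
    for cfg in gw.get("interceptorConfigurations") or []:
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn")
            out.append(Finding("INTERCEPTOR_SEES_HEADERS", str(arn)))
    return out


def finding_codes(gw: dict[str, Any]) -> list[str]:
    return [f.code for f in audit_gateway(gw)]


# Constructed sample data (placeholder account ID, names and URLs).
WEAK_GATEWAY = {
    "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/EXAMPLE/EXAMPLE",
    "wafConfiguration": {"failureMode": "FAIL_OPEN"},
    "policyEngineConfiguration": {"arn": "EXAMPLE-POLICY-ENGINE-ARN",
                                  "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedScopes": ["tools.invoke"],
        "customClaims": [{
            "inboundTokenClaimName": "tenant",
            "inboundTokenClaimValueType": "STRING",
            "authorizingClaimMatchValue": {
                "claimMatchValue": {"matchValueString": ""}},
        }],
    }},
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "EXAMPLE-INTERCEPTOR-LAMBDA-ARN"}},
        "inputConfiguration": {"passRequestHeaders": True},
    }],
}

HARDENED_GATEWAY = {
    "webAclArn": WEAK_GATEWAY["webAclArn"],
    "wafConfiguration": {"failureMode": "FAIL_CLOSE"},
    "policyEngineConfiguration": {"arn": "EXAMPLE-POLICY-ENGINE-ARN",
                                  "mode": "ENFORCE"},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedAudience": ["example-gateway-audience"],
        "customClaims": [{
            "inboundTokenClaimName": "tenant",
            "inboundTokenClaimValueType": "STRING",
            "authorizingClaimMatchValue": {
                "claimMatchValue": {"matchValueString": "prod"}},
        }],
    }},
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "EXAMPLE-INTERCEPTOR-LAMBDA-ARN"}},
        "inputConfiguration": {"passRequestHeaders": False},
    }],
}

if __name__ == "__main__":
    for finding in audit_gateway(WEAK_GATEWAY):
        print(f"{finding.code}: {finding.detail}")
```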

CreateGatewayTarget (updated)
Changes (both)
{'targetConfiguration': {'http': {'agentcoreRuntime': {'schema': {'source': {'inlinePayload': 'string',
                                                                             's3': {'bucketOwnerAccountId': 'string',
                                                                                    'uri': 'string'}}}},
                                  'passthrough': {'endpoint': 'string',
                                                  'protocolType': 'MCP | A2A | '
                                                                  'INFERENCE | '
                                                                  'CUSTOM',
                                                  'schema': {'source': {'inlinePayload': 'string',
                                                                        's3': {'bucketOwnerAccountId': 'string',
                                                                               'uri': 'string'}}},
                                                  'stickinessConfiguration': {'identifier': 'string',
                                                                              'timeout': 'integer'}}},
                         'inference': {'connector': {'source': {'connectorId': 'string'}},
                                       'provider': {'endpoint': 'string',
                                                    'modelMapping': {'providerPrefix': {'separator': 'string',
                                                                                        'strip': 'boolean'}},
                                                    'operations': [{'models': [{'model': 'string'}],
                                                                    'path': 'string',
                                                                    'providerPath': 'string'}]}},
                         'mcp': {'connector': {'configurations': [{'description': 'string',
                                                                   'name': 'string',
                                                                   'parameterOverrides': [{'description': 'string',
                                                                                           'path': 'string',
                                                                                           'visible': 'boolean'}],
                                                                   'parameterValues': {}}],
                                               'enabled': ['string'],
                                               'source': {'connectorId': 'string'}}}}}

Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.

See also: AWS API Documentation

Request Syntax

client.create_gateway_target(
    gatewayIdentifier='string',
    name='string',
    description='string',
    clientToken='string',
    targetConfiguration={
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'listingMode': 'DEFAULT'|'DYNAMIC',
                'resourcePriority': 123
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            },
            'connector': {
                'source': {
                    'connectorId': 'string'
                },
                'enabled': [
                    'string',
                ],
                'configurations': [
                    {
                        'name': 'string',
                        'description': 'string',
                        'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                        'parameterOverrides': [
                            {
                                'path': 'string',
                                'description': 'string',
                                'visible': True|False
                            },
                        ]
                    },
                ]
            }
        },
        'http': {
            'agentcoreRuntime': {
                'arn': 'string',
                'qualifier': 'string',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                }
            },
            'passthrough': {
                'endpoint': 'string',
                'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                },
                'stickinessConfiguration': {
                    'identifier': 'string',
                    'timeout': 123
                }
            }
        },
        'inference': {
            'connector': {
                'source': {
                    'connectorId': 'string'
                }
            },
            'provider': {
                'endpoint': 'string',
                'modelMapping': {
                    'providerPrefix': {
                        'strip': True|False,
                        'separator': 'string'
                    }
                },
                'operations': [
                    {
                        'path': 'string',
                        'providerPath': 'string',
                        'models': [
                            {
                                'model': 'string'
                            },
                        ]
                    },
                ]
            }
        }
    },
    credentialProviderConfigurations=[
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    metadataConfiguration={
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    privateEndpoint={
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to create a target for.

type name:

string

param name:

The name of the gateway target. The name must be unique within the gateway.

type description:

string

param description:

The description of the gateway target.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type targetConfiguration:

dict

param targetConfiguration:

[REQUIRED]

The configuration settings for the target, including endpoint information and schema definitions.

  • mcp (dict) --

    The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

    • openApiSchema (dict) --

      The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • smithyModel (dict) --

      The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • lambda (dict) --

      The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

      • lambdaArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

      • toolSchema (dict) -- [REQUIRED]

        The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (list) --

          The inline payload of the tool schema. This payload contains the schema definition directly in the request.

          • (dict) --

            A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

            • name (string) -- [REQUIRED]

              The name of the tool. This name identifies the tool in the Model Context Protocol.

            • description (string) -- [REQUIRED]

              The description of the tool. This description provides information about the purpose and usage of the tool.

            • inputSchema (dict) -- [REQUIRED]

              The input schema for the tool. This schema defines the structure of the input that the tool accepts.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • outputSchema (dict) --

              The output schema for the tool. This schema defines the structure of the output that the tool produces.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

    • mcpServer (dict) --

      The MCP server specified as the gateway target.

      • endpoint (string) -- [REQUIRED]

        The endpoint for the MCP server target configuration.

      • mcpToolSchema (dict) --

        The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when target is configured with mcpToolSchema.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (string) --

          The inline payload containing the MCP tool schema definition.

      • listingMode (string) --

        The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

      • resourcePriority (integer) --

        Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

    • apiGateway (dict) --

      The configuration for an Amazon API Gateway target.

      • restApiId (string) -- [REQUIRED]

        The ID of the API Gateway REST API.

      • stage (string) -- [REQUIRED]

        The ID of the stage of the REST API to add as a target.

      • apiGatewayToolConfiguration (dict) -- [REQUIRED]

        The configuration for defining REST API tool filters and overrides for the gateway target.

        • toolOverrides (list) --

          A list of explicit tool definitions with optional custom names and descriptions.

          • (dict) --

            Settings to override configurations for a tool.

            • name (string) -- [REQUIRED]

              The name of the tool. Identifies the tool in the Model Context Protocol.

            • description (string) --

              The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

            • path (string) -- [REQUIRED]

              Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

            • method (string) -- [REQUIRED]

              The HTTP method to expose for the specified path.

        • toolFilters (list) -- [REQUIRED]

          A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

          • (dict) --

            Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

            • filterPath (string) -- [REQUIRED]

              Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

            • methods (list) -- [REQUIRED]

              The methods to filter for.

              • (string) --

    • connector (dict) --

      The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

      • source (dict) -- [REQUIRED]

        The source configuration identifying which connector to use.

        • connectorId (string) -- [REQUIRED]

          The identifier for the connector integration (for example, bedrock-knowledge-bases).

      • enabled (list) --

        A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

        • (string) --

      • configurations (list) --

        A list of per-tool configurations for the connector.

        • (dict) --

          Configuration for a single tool within a connector.

          • name (string) -- [REQUIRED]

            The tool or operation name (for example, retrieve or webSearch).

          • description (string) --

            An agent-facing description override for this tool.

          • parameterValues (document) --

            Parameters to set as fixed or default values when provisioning this tool.

          • parameterOverrides (list) --

            Parameters to expose to the agent at runtime, with optional description overrides.

            • (dict) --

              Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

              • path (string) -- [REQUIRED]

                A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

              • description (string) --

                An agent-facing description override for this parameter.

              • visible (boolean) --

                Whether this parameter is visible to the agent. If not specified, uses the service default.

  • http (dict) --

    The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

    • agentcoreRuntime (dict) --

      The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

      • arn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

      • qualifier (string) --

        The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

      • schema (dict) --

        The API schema configuration that defines the structure of the runtime target's API.

        • source (dict) -- [REQUIRED]

          Configuration for API schema.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

    • passthrough (dict) --

      The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

      • endpoint (string) -- [REQUIRED]

        The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

      • protocolType (string) -- [REQUIRED]

        The application protocol the passthrough target implements. Required for passthrough targets.

      • schema (dict) --

        The API schema configuration that defines the structure of the passthrough target's API.

        • source (dict) -- [REQUIRED]

          Configuration for API schema.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

      • stickinessConfiguration (dict) --

        The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

        • identifier (string) -- [REQUIRED]

          The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

        • timeout (integer) --

          The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

  • inference (dict) --

    The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

    • connector (dict) --

      The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

      • source (dict) -- [REQUIRED]

        The source configuration identifying which inference connector to use.

        • connectorId (string) -- [REQUIRED]

          The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

    • provider (dict) --

      The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

      • endpoint (string) -- [REQUIRED]

        The HTTPS endpoint of the inference provider that the gateway forwards requests to.

      • modelMapping (dict) --

        The configuration that translates client-facing model IDs to the model IDs expected by the provider.

        • providerPrefix (dict) --

          The provider prefix configuration used for model ID translation.

          • strip (boolean) --

            Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

          • separator (string) --

            The single character that separates the provider prefix from the model name (for example, "."). The default is ".".

      • operations (list) --

        A list of per-operation configurations that map request paths to the models supported for each operation.

        • (dict) --

          The configuration for a specific inference operation, including its request path and the models that the operation supports.

          • path (string) -- [REQUIRED]

            The request path for this operation (for example, /v1/messages or /v1/responses).

          • providerPath (string) --

            The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

          • models (list) --

            The list of models supported for this operation.

            • (dict) --

              A model entry that specifies a model supported for an inference operation.

              • model (string) -- [REQUIRED]

                The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

type credentialProviderConfigurations:

list

param credentialProviderConfigurations:

The credential provider configurations for the target. These configurations specify how the gateway authenticates with the target endpoint.

  • (dict) --

    The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

    • credentialProviderType (string) -- [REQUIRED]

      The type of credential provider. This field specifies which authentication method the gateway uses.

    • credentialProvider (dict) --

      The credential provider. This field contains the specific configuration for the credential provider type.

      • oauthCredentialProvider (dict) --

        The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

        • scopes (list) -- [REQUIRED]

          The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

          • (string) --

        • customParameters (dict) --

          The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

          • (string) --

            • (string) --

        • grantType (string) --

          Specifies the kind of credentials to use for authorization:

          • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

          • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

          • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

        • defaultReturnUrl (string) --

          The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • apiKeyCredentialProvider (dict) --

        The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

        • credentialParameterName (string) --

          The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

        • credentialPrefix (string) --

          The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

        • credentialLocation (string) --

          The location of the API key credential. This field specifies where in the request the API key should be placed.

      • iamCredentialProvider (dict) --

        The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

        • service (string) -- [REQUIRED]

          The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

        • region (string) --

          The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

type metadataConfiguration:

dict

param metadataConfiguration:

Optional configuration for HTTP header and query parameter propagation to and from the gateway target.

  • allowedRequestHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

    • (string) --

  • allowedQueryParameters (list) --

    A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

    • (string) --

  • allowedResponseHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from the target response back to the client.

    • (string) --

type privateEndpoint:

dict

param privateEndpoint:

The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.

  • selfManagedLatticeResource (dict) --

    Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

    • resourceConfigurationIdentifier (string) --

      The ARN or ID of the VPC Lattice resource configuration.

  • managedVpcResource (dict) --

    Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

    • vpcIdentifier (string) -- [REQUIRED]

      The ID of the VPC that contains your private resource.

    • subnetIds (list) -- [REQUIRED]

      The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

      • (string) --

    • endpointIpAddressType (string) -- [REQUIRED]

      The IP address type for the resource configuration endpoint.

    • securityGroupIds (list) --

      The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

      • (string) --

    • tags (dict) --

      Tags to apply to the managed VPC Lattice resource gateway.

      • (string) --

        • (string) --

    • routingDomain (string) --

      An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.
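Several of the request fields above are security-relevant choices: the endpoint scheme, where an API key is placed, which client headers are propagated, and whether the default security group is used. The following added example, which is not part of the AWS documentation or SDK, is an offline pre-flight review of a request dict before it is submitted. The finding codes, the sensitive-header list, the write-method policy and all sample values are assumptions of this example.

```python
from urllib.parse import urlparse

# Review policy (assumption of this example, not a service rule).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _is_https(url):
    parts = urlparse(url or "")
    return parts.scheme == "https" and bool(parts.hostname)


def audit_gateway_target(req):
    """Return 'CODE: detail' findings for one gateway-target request dict."""
    findings = []
    cfg = req.get("targetConfiguration", {})
    mcp, http = cfg.get("mcp", {}), cfg.get("http", {})
    passthrough = http.get("passthrough", {})
    provider = cfg.get("inference", {}).get("provider", {})

    # Both endpoints are documented as HTTPS endpoints.
    for label, holder in (("http.passthrough", passthrough), ("inference.provider", provider)):
        if "endpoint" in holder and not _is_https(holder["endpoint"]):
            findings.append(f"NON_HTTPS_ENDPOINT: {label}.endpoint={holder['endpoint']}")

    # Documented range for the stickiness timeout is 1 to 86400 seconds.
    timeout = passthrough.get("stickinessConfiguration", {}).get("timeout")
    if timeout is not None and not 1 <= timeout <= 86400:
        findings.append(f"STICKINESS_TIMEOUT_RANGE: {timeout}")

    # A wildcard filterPath combined with state-changing methods exposes every
    # matching operation under that path as an agent tool.
    tool_cfg = mcp.get("apiGateway", {}).get("apiGatewayToolConfiguration", {})
    for flt in tool_cfg.get("toolFilters", []):
        writes = sorted(WRITE_METHODS & set(flt.get("methods", [])))
        if flt.get("filterPath", "").endswith("/*") and writes:
            findings.append(f"BROAD_WRITE_FILTER: {flt['filterPath']} {','.join(writes)}")

    # An absent 'enabled' list enables every tool the connector provides.
    if "connector" in mcp and "enabled" not in mcp["connector"]:
        findings.append("CONNECTOR_ALL_TOOLS: no 'enabled' allow-list")

    # A model glob with no literal prefix is not scoped to any provider.
    for op in provider.get("operations", []):
        for entry in op.get("models", []):
            if entry.get("model", "").startswith("*"):
                findings.append(f"UNSCOPED_MODEL_GLOB: {op.get('path')} {entry['model']}")

    # API keys placed in the query string become part of URLs, which are commonly logged.
    for cpc in req.get("credentialProviderConfigurations", []):
        api_key = cpc.get("credentialProvider", {}).get("apiKeyCredentialProvider", {})
        if api_key.get("credentialLocation") == "QUERY_PARAMETER":
            findings.append("API_KEY_IN_QUERY: credentialLocation=QUERY_PARAMETER")

    # Credential-bearing client headers on the allow-list are propagated to the target.
    for header in req.get("metadataConfiguration", {}).get("allowedRequestHeaders", []):
        if header.lower() in SENSITIVE_HEADERS:
            findings.append(f"SENSITIVE_HEADER_PROPAGATED: {header}")

    # Without securityGroupIds the VPC's default security group is used.
    managed = req.get("privateEndpoint", {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append("DEFAULT_SECURITY_GROUP: managedVpcResource.securityGroupIds unset")
    return findings


def finding_codes(findings):
    return sorted(f.split(":", 1)[0] for f in findings)


# Constructed sample requests; hostnames and <...> identifiers are placeholders.
WEAK_REQUEST = {
    "targetConfiguration": {"http": {"passthrough": {
        "endpoint": "http://orders.internal.example/api",
        "protocolType": "CUSTOM",
        "stickinessConfiguration": {"identifier": "$context.header.x-session-id", "timeout": 172800},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "<api-key-provider-arn>",
            "credentialParameterName": "api_key",
            "credentialLocation": "QUERY_PARAMETER",
        }},
    }],
    "metadataConfiguration": {"allowedRequestHeaders": ["Authorization", "X-Request-Id"]},
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "<vpc-id>", "subnetIds": ["<subnet-id>"], "endpointIpAddressType": "IPV4",
    }},
}

# The same request with each weak setting corrected.
HARDENED_REQUEST = {
    "targetConfiguration": {"http": {"passthrough": {
        "endpoint": "https://orders.internal.example/api",
        "protocolType": "CUSTOM",
        "stickinessConfiguration": {"identifier": "$context.header.x-session-id", "timeout": 900},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "<api-key-provider-arn>",
            "credentialParameterName": "x-api-key",
            "credentialLocation": "HEADER",
        }},
    }],
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id"]},
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "<vpc-id>", "subnetIds": ["<subnet-id>"],
        "endpointIpAddressType": "IPV4", "securityGroupIds": ["<security-group-id>"],
    }},
}

if __name__ == "__main__":
    for finding in audit_gateway_target(WEAK_REQUEST):
        print(finding)
```

The checks only read the dict, so they can run in CI against infrastructure-as-code inputs without AWS credentials.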

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'listingMode': 'DEFAULT'|'DYNAMIC',
                'resourcePriority': 123
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            },
            'connector': {
                'source': {
                    'connectorId': 'string'
                },
                'enabled': [
                    'string',
                ],
                'configurations': [
                    {
                        'name': 'string',
                        'description': 'string',
                        'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                        'parameterOverrides': [
                            {
                                'path': 'string',
                                'description': 'string',
                                'visible': True|False
                            },
                        ]
                    },
                ]
            }
        },
        'http': {
            'agentcoreRuntime': {
                'arn': 'string',
                'qualifier': 'string',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                }
            },
            'passthrough': {
                'endpoint': 'string',
                'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                },
                'stickinessConfiguration': {
                    'identifier': 'string',
                    'timeout': 123
                }
            }
        },
        'inference': {
            'connector': {
                'source': {
                    'connectorId': 'string'
                }
            },
            'provider': {
                'endpoint': 'string',
                'modelMapping': {
                    'providerPrefix': {
                        'strip': True|False,
                        'separator': 'string'
                    }
                },
                'operations': [
                    {
                        'path': 'string',
                        'providerPath': 'string',
                        'models': [
                            {
                                'model': 'string'
                            },
                        ]
                    },
                ]
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    },
    'protocolType': 'MCP'|'HTTP'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the created target.

    • createdAt (datetime) --

      The timestamp when the target was created.

    • updatedAt (datetime) --

      The timestamp when the target was last updated.

    • status (string) --

      The current status of the target.

    • statusReasons (list) --

      The reasons for the current status of the target.

      • (string) --

    • name (string) --

      The name of the target.

    • description (string) --

      The description of the target.

    • targetConfiguration (dict) --

      The configuration settings for the target.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

        • connector (dict) --

          The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

          • source (dict) --

            The source configuration identifying which connector to use.

            • connectorId (string) --

              The identifier for the connector integration (for example, bedrock-knowledge-bases).

          • enabled (list) --

            A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

            • (string) --

          • configurations (list) --

            A list of per-tool configurations for the connector.

            • (dict) --

              Configuration for a single tool within a connector.

              • name (string) --

                The tool or operation name (for example, retrieve or webSearch).

              • description (string) --

                An agent-facing description override for this tool.

              • parameterValues (document) --

                Parameters to set as fixed or default values when provisioning this tool.

              • parameterOverrides (list) --

                Parameters to expose to the agent at runtime, with optional description overrides.

                • (dict) --

                  Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

                  • path (string) --

                    A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

                  • description (string) --

                    An agent-facing description override for this parameter.

                  • visible (boolean) --

                    Whether this parameter is visible to the agent. If not specified, uses the service default.

      • http (dict) --

        The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

        • agentcoreRuntime (dict) --

          The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

          • arn (string) --

            The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

          • qualifier (string) --

            The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

          • schema (dict) --

            The API schema configuration that defines the structure of the runtime target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

        • passthrough (dict) --

          The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

          • endpoint (string) --

            The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

          • protocolType (string) --

            The application protocol the passthrough target implements. Required for passthrough targets.

          • schema (dict) --

            The API schema configuration that defines the structure of the passthrough target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

          • stickinessConfiguration (dict) --

            The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

            • identifier (string) --

              The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

            • timeout (integer) --

              The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

      • inference (dict) --

        The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

        • connector (dict) --

          The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

          • source (dict) --

            The source configuration identifying which inference connector to use.

            • connectorId (string) --

              The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

        • provider (dict) --

          The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

          • endpoint (string) --

            The HTTPS endpoint of the inference provider that the gateway forwards requests to.

          • modelMapping (dict) --

            The configuration that translates client-facing model IDs to the model IDs expected by the provider.

            • providerPrefix (dict) --

              The provider prefix configuration used for model ID translation.

              • strip (boolean) --

                Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

              • separator (string) --

                The single character that separates the provider prefix from the model name (for example, "."). The default is ".".

          • operations (list) --

            A list of per-operation configurations that map request paths to the models supported for each operation.

            • (dict) --

              The configuration for a specific inference operation, including its request path and the models that the operation supports.

              • path (string) --

                The request path for this operation (for example, /v1/messages or /v1/responses).

              • providerPath (string) --

                The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

              • models (list) --

                The list of models supported for this operation.

                • (dict) --

                  A model entry that specifies a model supported for an inference operation.

                  • model (string) --

                    The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

    • credentialProviderConfigurations (list) --

      The credential provider configurations for the target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The last synchronization of the target.

    • metadataConfiguration (dict) --

      The metadata configuration that was applied to the created gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the created gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

    • protocolType (string) --

      The protocol type of the created gateway target.
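
The toolFilters entries described above select operations by path and method, and a wildcard such as /pets/* can expose more than intended. The following is an added example, not part of the AWS documentation: it resolves a filter list against an OpenAPI paths object and flags what a reviewer would question. The function names and the sample API are constructed for illustration, and it assumes that /pets/* matches only paths below /pets, not /pets itself.

```python
"""Resolve which REST operations a toolFilters list would expose as tools."""

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}
READ_ONLY = {"GET", "HEAD", "OPTIONS"}


def path_matches(filter_path, api_path):
    """Exact match, or '/prefix/*' matching every path under '/prefix'.

    Assumption: '/pets/*' does not match '/pets' itself.
    """
    if filter_path.endswith("/*"):
        prefix = filter_path[:-1]  # '/pets/*' -> '/pets/'
        return api_path.startswith(prefix) and len(api_path) > len(prefix)
    return filter_path == api_path


def exposed_operations(openapi_paths, tool_filters):
    """Return sorted (METHOD, path, operationId) tuples selected by the filters."""
    selected = set()
    for flt in tool_filters:
        wanted = {m.upper() for m in flt.get("methods", [])}
        for api_path, item in openapi_paths.items():
            if not path_matches(flt["filterPath"], api_path):
                continue
            for method, op in item.items():
                # Path items also carry non-method keys such as 'parameters'.
                if method.lower() in HTTP_METHODS and method.upper() in wanted:
                    selected.add((method.upper(), api_path, op.get("operationId", "")))
    return sorted(selected)


def review(openapi_paths, tool_filters):
    """List findings: dead filters, state-changing tools, missing operationId."""
    findings = []
    for flt in tool_filters:
        # filterPath must match existing paths in the REST API.
        if not any(path_matches(flt["filterPath"], p) for p in openapi_paths):
            findings.append(f"filter {flt['filterPath']} matches no existing path")
    for method, path, op_id in exposed_operations(openapi_paths, tool_filters):
        if method not in READ_ONLY:
            findings.append(f"{method} {path} is state-changing")
        if not op_id:
            # Tool names are derived from operationId.
            findings.append(f"{method} {path} has no operationId for a tool name")
    return findings


# Constructed sample API and filters, for illustration only.
SAMPLE_PATHS = {
    "/pets": {"get": {"operationId": "listPets"}, "post": {"operationId": "createPet"}},
    "/pets/{petId}": {
        "parameters": [],
        "get": {"operationId": "getPet"},
        "delete": {"operationId": "deletePet"},
    },
    "/pets/{petId}/owner": {"get": {}},
    "/admin/keys": {"get": {"operationId": "listKeys"}},
}
SAMPLE_FILTERS = [
    {"filterPath": "/pets", "methods": ["GET"]},
    {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
    {"filterPath": "/orders/*", "methods": ["GET"]},
]

if __name__ == "__main__":
    for op in exposed_operations(SAMPLE_PATHS, SAMPLE_FILTERS):
        print("exposed:", op)
    for finding in review(SAMPLE_PATHS, SAMPLE_FILTERS):
        print("finding:", finding)
```
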

CreateHarness (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'memory': {'disabled': {},
            'managedMemoryConfiguration': {'arn': 'string',
                                           'encryptionKeyArn': 'string',
                                           'eventExpiryDuration': 'integer',
                                           'strategies': ['SEMANTIC | '
                                                          'SUMMARIZATION | '
                                                          'USER_PREFERENCE | '
                                                          'EPISODIC']}},
 'skills': {'awsSkills': {'paths': ['string']}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                  'workloadIdentities': ['string']}}},
             'harnessVersion': 'string',
             'memory': {'disabled': {},
                        'managedMemoryConfiguration': {'arn': 'string',
                                                       'encryptionKeyArn': 'string',
                                                       'eventExpiryDuration': 'integer',
                                                       'strategies': ['SEMANTIC '
                                                                      '| '
                                                                      'SUMMARIZATION '
                                                                      '| '
                                                                      'USER_PREFERENCE '
                                                                      '| '
                                                                      'EPISODIC']}},
             'skills': {'awsSkills': {'paths': ['string']}}}}

Operation to create a harness.

See also: AWS API Documentation

Request Syntax

client.create_harness(
    harnessName='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ],
                    'requireServiceS3Endpoint': True|False
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    },
                    's3FilesAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    },
                    'efsAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'converse_stream'|'responses'|'chat_completions',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'chat_completions'|'responses',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        },
        'liteLlmModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'apiBase': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {},
                        'none': {},
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string',
            's3': {
                'uri': 'string'
            },
            'git': {
                'url': 'string',
                'path': 'string',
                'auth': {
                    'credentialArn': 'string',
                    'username': 'string'
                }
            },
            'awsSkills': {
                'paths': [
                    'string',
                ]
            }
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'agentCoreMemoryConfiguration': {
            'arn': 'string',
            'actorId': 'string',
            'messagesCount': 123,
            'retrievalConfig': {
                'string': {
                    'topK': 123,
                    'relevanceScore': ...,
                    'strategyId': 'string'
                }
            }
        },
        'managedMemoryConfiguration': {
            'arn': 'string',
            'strategies': [
                'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
            ],
            'eventExpiryDuration': 123,
            'encryptionKeyArn': 'string'
        },
        'disabled': {}
    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123,
    tags={
        'string': 'string'
    }
)
type harnessName:

string

param harnessName:

[REQUIRED]

The name of the harness. Must start with a letter and contain only alphanumeric characters and underscores.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

[REQUIRED]

The ARN of the IAM role that the harness assumes when running. This role must have permissions for the services the agent needs to access, such as Amazon Bedrock for model invocation.

type environment:

dict

param environment:

The compute environment configuration for the harness, including network and lifecycle settings.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
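
The constraints stated above for harnessName, executionRoleArn and the environment structure can be checked locally before the request is sent. The following is an added example, not part of the AWS documentation: lint_create_harness is a hypothetical helper, the sample requests and ARNs are constructed, and rejecting "." and ".." as mount directories is extra strictness that the page does not state.

```python
"""Pre-flight checks for create_harness keyword arguments."""
import re

# Constraints taken from the parameter descriptions above.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*")
MOUNT_RE = re.compile(r"/mnt/[^/]+")  # exactly one level under /mnt
FS_REQUIRED = {
    "sessionStorage": ("mountPath",),
    "s3FilesAccessPoint": ("accessPointArn", "mountPath"),
    "efsAccessPoint": ("accessPointArn", "mountPath"),
}


def _mount_ok(path):
    """True for /mnt/<one directory>; '.' and '..' rejected (added strictness)."""
    if not isinstance(path, str) or not MOUNT_RE.fullmatch(path):
        return False
    return path.rsplit("/", 1)[1] not in (".", "..")


def lint_create_harness(kwargs):
    """Return a list of 'field: problem' strings; an empty list means no finding."""
    out = []
    name = kwargs.get("harnessName")
    # fullmatch rather than match with '$', which would accept a trailing newline.
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        out.append("harnessName: must start with a letter; letters, digits, underscores only")
    if not kwargs.get("executionRoleArn"):
        out.append("executionRoleArn: required")

    runtime = kwargs.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    net = runtime.get("networkConfiguration")
    if net is not None:
        if net.get("networkMode") not in ("PUBLIC", "VPC"):
            out.append("networkConfiguration.networkMode: required, 'PUBLIC' or 'VPC'")
        cfg = net.get("networkModeConfig")
        if cfg is not None:
            for key in ("securityGroups", "subnets"):
                if key not in cfg:
                    out.append(f"networkModeConfig.{key}: required")
            if "requireServiceS3Endpoint" in cfg:
                out.append("networkModeConfig.requireServiceS3Endpoint: documented as "
                           "supported only in UpdateAgentRuntime for pre-rollout runtimes")

    for i, fs in enumerate(runtime.get("filesystemConfigurations", [])):
        for kind, required in FS_REQUIRED.items():
            if kind not in fs:
                continue
            for key in required:
                if key not in fs[kind]:
                    out.append(f"filesystemConfigurations[{i}].{kind}.{key}: required")
            path = fs[kind].get("mountPath")
            if path is not None and not _mount_ok(path):
                out.append(f"filesystemConfigurations[{i}].{kind}.mountPath: "
                           "must be /mnt/<one directory>")
    return out


# Constructed sample requests, for illustration only.
SAMPLE_GOOD = {
    "harnessName": "support_agent_1",
    "executionRoleArn": "arn:aws:iam::111122223333:role/ConstructedHarnessRole",
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {
            "networkMode": "VPC",
            "networkModeConfig": {"securityGroups": ["sg-constructed"],
                                  "subnets": ["subnet-constructed"]},
        },
        "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data"}}],
    }},
}
SAMPLE_BAD = {
    "harnessName": "1agent",
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {
            "networkMode": "VPC",
            "networkModeConfig": {"subnets": ["subnet-constructed"],
                                  "requireServiceS3Endpoint": True},
        },
        "filesystemConfigurations": [
            {"sessionStorage": {"mountPath": "/mnt/data/cache"}},
            {"efsAccessPoint": {"mountPath": "/mnt/.."}},
        ],
    }},
}

if __name__ == "__main__":
    for finding in lint_create_harness(SAMPLE_BAD):
        print(finding)
```
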

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness, such as a custom container image containing additional dependencies.

  • containerConfiguration (dict) --

    Representation of a container configuration.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Represents inbound authorization configuration options used to authenticate incoming requests.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type model:

dict

param model:

The model configuration for the harness. Supports Amazon Bedrock, OpenAI, and Google Gemini model providers.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the Bedrock provider.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the OpenAI provider.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

  • liteLlmModelConfig (dict) --

    The LiteLLM model configuration for connecting to third-party model providers.

    • modelId (string) -- [REQUIRED]

      The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

    • apiKeyArn (string) --

      The ARN of the API key in AgentCore Identity for authenticating with the model provider.

    • apiBase (string) --

      The base URL for the model provider's API endpoint.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior and instructions.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent, such as remote MCP servers, AgentCore Gateway, AgentCore Browser, Code Interpreter, or inline functions.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Custom headers to include when connecting to the remote MCP server.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How the harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            Use OAuth credentials for outbound authentication to the gateway.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (document) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. Skills are bundles of files that the agent can pull into its context on demand.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

    • s3 (dict) --

      An S3 source containing the skill.

      • uri (string) -- [REQUIRED]

        The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

    • git (dict) --

      A git repository containing the skill.

      • url (string) -- [REQUIRED]

        The HTTPS URL of the git repository.

      • path (string) --

        Subdirectory within the repository containing the skill.

      • auth (dict) --

        Authentication configuration for private repositories.

        • credentialArn (string) -- [REQUIRED]

          The ARN of the credential in AgentCore Identity containing the password or personal access token.

        • username (string) --

          Username for authentication. Defaults to 'oauth2' if not specified.

    • awsSkills (dict) --

      AWS Skills baked into the harness's underlying Runtime.

      • paths (list) --

        Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

        • (string) --

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. Supports glob patterns such as * for all tools, @builtin for all built-in tools, or @serverName/toolName for specific MCP server tools.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration for persisting conversation context across sessions.

  • agentCoreMemoryConfiguration (dict) --

    The AgentCore Memory configuration.

    • arn (string) -- [REQUIRED]

      The ARN of the AgentCore Memory resource.

    • actorId (string) --

      The actor ID for memory operations.

    • messagesCount (integer) --

      The number of messages to retrieve from memory.

    • retrievalConfig (dict) --

      The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

      • (string) --

        • (dict) --

          Configuration for memory retrieval within a namespace.

          • topK (integer) --

            The maximum number of memory entries to retrieve.

          • relevanceScore (float) --

            The minimum relevance score for retrieved memories.

          • strategyId (string) --

            The ID of the retrieval strategy to use.

  • managedMemoryConfiguration (dict) --

    Harness creates and manages a memory resource in the customer's account.

    • arn (string) --

      The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

    • strategies (list) --

      Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

      • (string) --

    • eventExpiryDuration (integer) --

      Event retention in days. Defaults to 30.

    • encryptionKeyArn (string) --

      Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

  • disabled (dict) --

    Explicitly opt out of memory.

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context when it exceeds model limits.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation.

type maxTokens:

integer

param maxTokens:

The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation.

type tags:

dict

param tags:

Tags to apply to the harness resource.

  • (string) --

    • (string) --
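A pre-deployment review of the parameters above, as an added example (not AWS or boto3 code): `audit_harness` is a hypothetical helper that walks a configuration dict using the documented field names and reports settings that widen access or fall back to a default. The review policy, the `SECRET_HEADERS` list and every sample value are assumptions of the example; only the mount path rule and the stated defaults come from the parameter descriptions.

```python
from urllib.parse import urlsplit

# Header names treated as credential-bearing (an assumption of this example).
SECRET_HEADERS = {"authorization", "x-api-key", "cookie"}

# Constructed sample, not a real deployment. Field names follow the parameter
# list above; ARNs, hosts and values are placeholders.
SAMPLE_HARNESS = {
    "allowedTools": ["@builtin", "*"],
    "tools": [
        {"type": "remote_mcp", "name": "tickets", "config": {"remoteMcp": {
            "url": "http://mcp.example.com/mcp",
            "headers": {"Authorization": "Bearer PLACEHOLDER"}}}},
        {"type": "agentcore_gateway", "name": "gw", "config": {"agentCoreGateway": {
            "gatewayArn": "arn:PLACEHOLDER", "outboundAuth": {"none": {}}}}},
    ],
    "skills": [{"git": {"url": "https://deploy:PLACEHOLDER@git.example.com/org/skills.git"}}],
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}},
    "memory": {"managedMemoryConfiguration": {"strategies": ["SEMANTIC"]}},
    "environment": {"agentCoreRuntimeEnvironment": {"filesystemConfigurations": [
        {"efsAccessPoint": {"accessPointArn": "arn:PLACEHOLDER",
                            "mountPath": "/mnt/data/cache"}}]}},
}


def is_https(url):
    """True for an absolute https:// URL that names a host."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.hostname)


def mount_path_ok(path):
    """Documented rule: under /mnt with exactly one subdirectory level."""
    parts = path.split("/")
    return (len(parts) == 3 and parts[:2] == ["", "mnt"]
            and parts[2] not in ("", ".", ".."))


def audit_harness(cfg):
    """Return (field path, message) pairs for settings worth a review."""
    findings = []

    if "*" in cfg.get("allowedTools", []):
        findings.append(("allowedTools", "'*' allows every tool; list "
                         "@builtin or @serverName/toolName entries instead"))

    for i, tool in enumerate(cfg.get("tools", [])):
        conf = tool.get("config") or {}
        mcp = conf.get("remoteMcp")
        if mcp:
            base = f"tools[{i}].config.remoteMcp"
            if not is_https(mcp.get("url", "")):
                findings.append((f"{base}.url", "MCP endpoint is not HTTPS"))
            for name in mcp.get("headers", {}):
                if name.lower() in SECRET_HEADERS:
                    findings.append((f"{base}.headers.{name}",
                                     "static credential kept in the harness "
                                     "configuration and echoed in responses"))
        gateway = conf.get("agentCoreGateway")
        if gateway and "none" in gateway.get("outboundAuth", {}):
            findings.append((f"tools[{i}].config.agentCoreGateway.outboundAuth",
                             "gateway calls are unauthenticated; omitting "
                             "outboundAuth gives the AWS_IAM (SigV4) default"))

    for i, skill in enumerate(cfg.get("skills", [])):
        git = skill.get("git")
        if git:
            parts = urlsplit(git.get("url", ""))
            if parts.scheme != "https":
                findings.append((f"skills[{i}].git.url", "not an HTTPS URL"))
            if parts.username or parts.password:
                findings.append((f"skills[{i}].git.url", "credentials embedded "
                                 "in the URL; use git.auth.credentialArn"))

    jwt = cfg.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt:
        base = "authorizerConfiguration.customJWTAuthorizer"
        if not is_https(jwt.get("discoveryUrl", "")):
            findings.append((f"{base}.discoveryUrl", "not an HTTPS URL"))
        limits = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
        if not any(jwt.get(key) for key in limits):
            findings.append((base, "no audience, client, scope or custom "
                             "claim restriction on inbound tokens"))

    managed = cfg.get("memory", {}).get("managedMemoryConfiguration")
    if managed is not None and not managed.get("encryptionKeyArn"):
        findings.append(("memory.managedMemoryConfiguration.encryptionKeyArn",
                         "defaults to an AWS-owned key and cannot be "
                         "updated after creation"))

    runtime = cfg.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    for i, fs in enumerate(runtime.get("filesystemConfigurations", [])):
        for kind, mount in fs.items():
            if not mount_path_ok(mount.get("mountPath", "")):
                findings.append((f"environment.agentCoreRuntimeEnvironment."
                                 f"filesystemConfigurations[{i}].{kind}.mountPath",
                                 "must be /mnt plus exactly one subdirectory"))
    return findings


if __name__ == "__main__":
    for path, message in audit_harness(SAMPLE_HARNESS):
        print(f"{path}: {message}")
```

The same function can be run over the `harness` object of a response, since the response syntax uses the same field names.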

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was created.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.
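
The structure above has several fields whose documented defaults or constraints matter in a security review: all tools allowed unless allowedTools is set, the AWS-owned key unless encryptionKeyArn is set, a "none" outbound auth option, HTTPS git URLs, and mount paths limited to /mnt plus one level. The following is an added example, not part of the AWS documentation: a small offline checker that walks a dict shaped like that structure. The function names, the header-name heuristic and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Header names that normally carry a credential (review heuristic, an assumption).
SECRET_HEADERS = {"authorization", "proxy-authorization", "x-api-key"}
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def url_problem(url):
    """Return why `url` is not a plain HTTPS URL, or None if it is fine."""
    parts = urlsplit(url or "")
    if parts.scheme != "https" or not parts.hostname:
        return "not an https:// URL"
    if parts.username or parts.password:
        return "credentials embedded in the URL"
    return None


def mount_path_ok(path):
    """True if path is /mnt/<name> with exactly one subdirectory level."""
    m = re.fullmatch(r"/mnt/([^/]+)", path or "")
    return bool(m) and m.group(1) not in (".", "..")


def review_harness(harness):
    """Return (field path, finding) pairs for one harness structure."""
    findings = []

    for i, tool in enumerate(harness.get("tools", [])):
        cfg = tool.get("config") or {}
        mcp = cfg.get("remoteMcp")
        if mcp is not None:
            reason = url_problem(mcp.get("url"))
            if reason:
                findings.append((f"tools[{i}].config.remoteMcp.url", reason))
            for name in mcp.get("headers") or {}:
                if name.lower() in SECRET_HEADERS:
                    findings.append((f"tools[{i}].config.remoteMcp.headers",
                                     f"credential header {name!r} stored in the config"))
        gateway = cfg.get("agentCoreGateway")
        if gateway is not None and "none" in (gateway.get("outboundAuth") or {}):
            findings.append((f"tools[{i}].config.agentCoreGateway.outboundAuth",
                             "gateway is called with no authentication"))

    for i, skill in enumerate(harness.get("skills", [])):
        if "git" in skill:
            reason = url_problem(skill["git"].get("url"))
            if reason:
                findings.append((f"skills[{i}].git.url", reason))

    runtime = harness.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    for i, fs in enumerate(runtime.get("filesystemConfigurations", [])):
        for kind, body in fs.items():
            if not mount_path_ok(body.get("mountPath")):
                findings.append((f"filesystemConfigurations[{i}].{kind}.mountPath",
                                 "must be /mnt/<name>, one level only"))

    jwt = harness.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt is not None and not any(jwt.get(k) for k in JWT_RESTRICTIONS):
        findings.append(("authorizerConfiguration.customJWTAuthorizer",
                         "no audience, client, scope or custom-claim restriction"))

    managed = harness.get("memory", {}).get("managedMemoryConfiguration")
    if managed is not None and not managed.get("encryptionKeyArn"):
        findings.append(("memory.managedMemoryConfiguration.encryptionKeyArn",
                         "unset, so the AWS-owned key is used"))

    if "allowedTools" not in harness:
        findings.append(("allowedTools", "unset, so all tools are allowed"))
    return findings


# Constructed sample, not output from a real account; ARNs are placeholders.
SAMPLE = {
    "tools": [
        {"name": "search", "config": {"remoteMcp": {
            "url": "http://mcp.example.internal/mcp",
            "headers": {"Authorization": "Bearer CONSTRUCTED-VALUE"}}}},
        {"name": "gw", "config": {"agentCoreGateway": {
            "gatewayArn": "EXAMPLE-GATEWAY-ARN", "outboundAuth": {"none": {}}}}},
    ],
    "skills": [{"git": {"url": "https://bot:TOKEN@git.example.com/skills.git",
                        "path": "review"}}],
    "environment": {"agentCoreRuntimeEnvironment": {"filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data"}},
        {"efsAccessPoint": {"accessPointArn": "EXAMPLE-EFS-ARN",
                            "mountPath": "/mnt/data/cache"}},
    ]}},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}},
    "memory": {"managedMemoryConfiguration": {"strategies": ["SEMANTIC"]}},
}

if __name__ == "__main__":
    for path, finding in review_harness(SAMPLE):
        print(f"{path}: {finding}")
```

The checker only reads the dict it is given, so it can run over saved API responses in CI without AWS credentials.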

CreateMemory (updated) Link ¶
Changes (response)
{'memory': {'managedByResourceArn': 'string'}}

Creates a new Amazon Bedrock AgentCore Memory resource.

See also: AWS API Documentation

Request Syntax

client.create_memory(
    clientToken='string',
    name='string',
    description='string',
    encryptionKeyArn='string',
    memoryExecutionRoleArn='string',
    eventExpiryDuration=123,
    memoryStrategies=[
        {
            'semanticMemoryStrategy': {
                'name': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
            'summaryMemoryStrategy': {
                'name': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
            'userPreferenceMemoryStrategy': {
                'name': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
            'customMemoryStrategy': {
                'name': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'configuration': {
                    'semanticOverride': {
                        'extraction': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        },
                        'consolidation': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        }
                    },
                    'summaryOverride': {
                        'consolidation': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        }
                    },
                    'userPreferenceOverride': {
                        'extraction': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        },
                        'consolidation': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        }
                    },
                    'episodicOverride': {
                        'extraction': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        },
                        'consolidation': {
                            'appendToPrompt': 'string',
                            'modelId': 'string'
                        },
                        'reflection': {
                            'appendToPrompt': 'string',
                            'modelId': 'string',
                            'namespaces': [
                                'string',
                            ],
                            'namespaceTemplates': [
                                'string',
                            ],
                            'memoryRecordSchema': {
                                'metadataSchema': [
                                    {
                                        'key': 'string',
                                        'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                        'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                        'extractionConfig': {
                                            'llmExtractionConfig': {
                                                'llmExtractionInstruction': 'string',
                                                'definition': 'string',
                                                'validation': {
                                                    'stringValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ]
                                                    },
                                                    'stringListValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ],
                                                        'maxItems': 123
                                                    },
                                                    'numberValidation': {
                                                        'minValue': 123.0,
                                                        'maxValue': 123.0
                                                    }
                                                }
                                            }
                                        }
                                    },
                                ]
                            }
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
            'episodicMemoryStrategy': {
                'name': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'reflectionConfiguration': {
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                },
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            }
        },
    ],
    indexedKeys=[
        {
            'key': 'string',
            'type': 'STRING'|'STRINGLIST'|'NUMBER'
        },
    ],
    streamDeliveryResources={
        'resources': [
            {
                'kinesis': {
                    'dataStreamArn': 'string',
                    'contentConfigurations': [
                        {
                            'type': 'MEMORY_RECORDS',
                            'level': 'METADATA_ONLY'|'FULL_CONTENT'
                        },
                    ]
                }
            },
        ]
    },
    tags={
        'string': 'string'
    }
)
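As an added example (not part of the AWS reference or the SDK), this offline lint walks a request dictionary in the shape shown above and checks every metadataSchema entry, at any nesting depth, against the constraints this reference states: a key must match an indexed key, extractionConfig applies only to LLM_INFERRED fields, and each validation block belongs to one field type. The finding codes, the sample request and its ARNs are constructed; the type-agreement, KMS-key, FULL_CONTENT and unconstrained-value checks are review policy assumed here, not rules stated by the service.

```python
"""Pre-flight lint for a memory-creation request dict (added example, makes no AWS calls)."""

# Validation block that belongs to each field type, per the parameter descriptions.
VALIDATION_FOR_TYPE = {
    "STRING": "stringValidation",
    "STRINGLIST": "stringListValidation",
    "NUMBER": "numberValidation",
}


def iter_metadata_fields(node, path):
    """Yield (path, field) for each metadataSchema entry found anywhere under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "memoryRecordSchema" and isinstance(value, dict):
                for i, field in enumerate(value.get("metadataSchema", [])):
                    yield f"{child}.metadataSchema[{i}]", field
            else:
                yield from iter_metadata_fields(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_metadata_fields(item, f"{path}[{i}]")


def lint_field(path, field, indexed):
    """Return (path, code) findings for one metadata field definition."""
    findings = []
    key, ftype = field.get("key"), field.get("type")
    llm_inferred = field.get("extractionType") == "LLM_INFERRED"
    if key not in indexed:
        findings.append((path, "key-not-indexed"))  # not queryable via metadata filters
    elif ftype and indexed[key] != ftype:
        findings.append((path, "type-differs-from-index"))  # assumption: types should agree
    validation = {}
    if "extractionConfig" in field:
        if not llm_inferred:
            findings.append((path, "extraction-config-not-applicable"))
        llm = field["extractionConfig"].get("llmExtractionConfig", {})
        if not llm.get("definition"):
            findings.append((path, "missing-definition"))  # definition is [REQUIRED]
        validation = llm.get("validation", {})
    expected = VALIDATION_FOR_TYPE.get(ftype)
    for block in validation:
        if expected and block != expected:
            findings.append((path, "validation-type-mismatch"))
    if "stringValidation" in validation and not validation["stringValidation"].get("allowedValues"):
        findings.append((path, "missing-allowed-values"))  # allowedValues is [REQUIRED]
    number = validation.get("numberValidation", {})
    if number.get("minValue", float("-inf")) > number.get("maxValue", float("inf")):
        findings.append((path, "empty-number-range"))
    # Policy assumed here: a model-extracted value with no matching validation is unconstrained.
    if llm_inferred and expected not in validation:
        findings.append((path, "unconstrained-llm-value"))
    return findings


def lint_request(kwargs):
    """Lint the whole request: metadata schemas first, then data-protection settings."""
    indexed = {k["key"]: k.get("type") for k in kwargs.get("indexedKeys", [])}
    findings = []
    for path, field in iter_metadata_fields(kwargs.get("memoryStrategies", []), "memoryStrategies"):
        findings.extend(lint_field(path, field, indexed))
    if not kwargs.get("encryptionKeyArn"):
        findings.append(("encryptionKeyArn", "no-kms-key-specified"))
    resources = kwargs.get("streamDeliveryResources", {}).get("resources", [])
    for i, resource in enumerate(resources):
        configs = resource.get("kinesis", {}).get("contentConfigurations", [])
        for j, config in enumerate(configs):
            if config.get("level") == "FULL_CONTENT":
                where = f"streamDeliveryResources.resources[{i}].kinesis.contentConfigurations[{j}]"
                findings.append((where, "full-content-streamed"))
    return findings


# Constructed sample request; names, values and ARNs are illustrative only.
SAMPLE_REQUEST = {
    "name": "support_agent_memory",
    "eventExpiryDuration": 30,
    "indexedKeys": [{"key": "priority", "type": "STRING"}, {"key": "tenant", "type": "STRING"}],
    "memoryStrategies": [
        {"semanticMemoryStrategy": {"name": "facts", "memoryRecordSchema": {"metadataSchema": [
            {"key": "priority", "type": "STRING", "extractionType": "LLM_INFERRED",
             "extractionConfig": {"llmExtractionConfig": {
                 "definition": "Ticket priority",
                 "validation": {"stringValidation": {"allowedValues": ["low", "high"]}}}}},
            {"key": "tenant", "type": "STRING", "extractionType": "STRICTLY_CONSISTENT",
             "extractionConfig": {"llmExtractionConfig": {
                 "definition": "Tenant identifier",
                 "validation": {"numberValidation": {"minValue": 0.0, "maxValue": 9.0}}}}},
        ]}}},
        {"episodicMemoryStrategy": {"name": "episodes", "reflectionConfiguration": {
            "memoryRecordSchema": {"metadataSchema": [
                {"key": "sentiment", "type": "STRING", "extractionType": "LLM_INFERRED"},
            ]}}}},
    ],
    "streamDeliveryResources": {"resources": [{"kinesis": {
        "dataStreamArn": "arn:aws:kinesis:us-east-1:111122223333:stream/example",
        "contentConfigurations": [{"type": "MEMORY_RECORDS", "level": "FULL_CONTENT"}]}}]},
}

if __name__ == "__main__":
    for where, code in lint_request(SAMPLE_REQUEST):
        print(f"{code}: {where}")
```
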
type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the operation completes no more than one time. If this token matches a previous request, Amazon Bedrock ignores the request but does not return an error.

This field is autopopulated if not provided.

type name:

string

param name:

[REQUIRED]

The name of the memory. The name must be unique within your account.

type description:

string

param description:

The description of the memory.

type encryptionKeyArn:

string

param encryptionKeyArn:

The Amazon Resource Name (ARN) of the KMS key used to encrypt the memory data.

type memoryExecutionRoleArn:

string

param memoryExecutionRoleArn:

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the memory to access Amazon Web Services services.

type eventExpiryDuration:

integer

param eventExpiryDuration:

[REQUIRED]

The duration after which memory events expire. Specified as an ISO 8601 duration.

type memoryStrategies:

list

param memoryStrategies:

The memory strategies to use for this memory. Strategies define how information is extracted, processed, and consolidated.

  • (dict) --

    Contains input information for creating a memory strategy.

    • semanticMemoryStrategy (dict) --

      Input for creating a semantic memory strategy.

      • name (string) -- [REQUIRED]

        The name of the semantic memory strategy.

      • description (string) --

        The description of the semantic memory strategy.

      • namespaces (list) --

        This is a legacy parameter, use namespaceTemplates. The namespaces associated with the semantic memory strategy.

        • (string) --

      • namespaceTemplates (list) --

        The namespaceTemplates associated with the semantic memory strategy.

        • (string) --

      • memoryRecordSchema (dict) --

        Schema for metadata on memory records generated by a strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

    • summaryMemoryStrategy (dict) --

      Input for creating a summary memory strategy.

      • name (string) -- [REQUIRED]

        The name of the summary memory strategy.

      • description (string) --

        The description of the summary memory strategy.

      • namespaces (list) --

        This is a legacy parameter, use namespaceTemplates. The namespaces associated with the summary memory strategy.

        • (string) --

      • namespaceTemplates (list) --

        The namespaceTemplates associated with the summary memory strategy.

        • (string) --

      • memoryRecordSchema (dict) --

        Schema for metadata fields on records generated by this strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

    • userPreferenceMemoryStrategy (dict) --

      Input for creating a user preference memory strategy.

      • name (string) -- [REQUIRED]

        The name of the user preference memory strategy.

      • description (string) --

        The description of the user preference memory strategy.

      • namespaces (list) --

        This is a legacy parameter, use namespaceTemplates. The namespaces associated with the user preference memory strategy.

        • (string) --

      • namespaceTemplates (list) --

        The namespaceTemplates associated with the user preference memory strategy.

        • (string) --

      • memoryRecordSchema (dict) --

        Schema for metadata fields on records generated by this strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

    • customMemoryStrategy (dict) --

      Input for creating a custom memory strategy.

      • name (string) -- [REQUIRED]

        The name of the custom memory strategy.

      • description (string) --

        The description of the custom memory strategy.

      • namespaces (list) --

        This is a legacy parameter, use namespaceTemplates. The namespaces associated with the custom memory strategy.

        • (string) --

      • namespaceTemplates (list) --

        The namespaceTemplates associated with the custom memory strategy.

        • (string) --

      • configuration (dict) --

        The configuration for the custom memory strategy.

        • semanticOverride (dict) --

          The semantic override configuration for a custom memory strategy.

          • extraction (dict) --

            The extraction configuration for a semantic override.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for semantic extraction.

            • modelId (string) -- [REQUIRED]

              The model ID to use for semantic extraction.

          • consolidation (dict) --

            The consolidation configuration for a semantic override.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for semantic consolidation.

            • modelId (string) -- [REQUIRED]

              The model ID to use for semantic consolidation.

        • summaryOverride (dict) --

          The summary override configuration for a custom memory strategy.

          • consolidation (dict) --

            The consolidation configuration for a summary override.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for summary consolidation.

            • modelId (string) -- [REQUIRED]

              The model ID to use for summary consolidation.

        • userPreferenceOverride (dict) --

          The user preference override configuration for a custom memory strategy.

          • extraction (dict) --

            The extraction configuration for a user preference override.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for user preference extraction.

            • modelId (string) -- [REQUIRED]

              The model ID to use for user preference extraction.

          • consolidation (dict) --

            The consolidation configuration for a user preference override.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for user preference consolidation.

            • modelId (string) -- [REQUIRED]

              The model ID to use for user preference consolidation.

        • episodicOverride (dict) --

          The episodic memory strategy override configuration for a custom memory strategy.

          • extraction (dict) --

            Contains configurations for overriding the extraction step of the episodic memory strategy.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for the extraction step of the episodic memory strategy.

            • modelId (string) -- [REQUIRED]

              The model ID to use for the extraction step of the episodic memory strategy.

          • consolidation (dict) --

            Contains configurations for overriding the consolidation step of the episodic memory strategy.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for the consolidation step of the episodic memory strategy.

            • modelId (string) -- [REQUIRED]

              The model ID to use for the consolidation step of the episodic memory strategy.

          • reflection (dict) --

            Contains configurations for overriding the reflection step of the episodic memory strategy.

            • appendToPrompt (string) -- [REQUIRED]

              The text to append to the prompt for the reflection step of the episodic memory strategy.

            • modelId (string) -- [REQUIRED]

              The model ID to use for the reflection step of the episodic memory strategy.

            • namespaces (list) --

              This is a legacy parameter, use namespaceTemplates. The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.

              • (string) --

            • namespaceTemplates (list) --

              The namespaceTemplates to use for episodic reflection. Can be less nested than the episodic namespaces.

              • (string) --

            • memoryRecordSchema (dict) --

              Schema for metadata fields on records generated by this reflection override.

              • metadataSchema (list) --

                The metadata field definitions for this strategy.

                • (dict) --

                  A metadata field definition within a strategy's schema.

                  • key (string) -- [REQUIRED]

                    The metadata field name. Must match an indexed key to be queryable via metadata filters.

                  • type (string) --

                    The MetadataValueType.

                  • extractionType (string) --

                    Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                  • extractionConfig (dict) --

                    Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                    • llmExtractionConfig (dict) --

                      Model-based extraction using a definition and instructions.

                      • llmExtractionInstruction (string) --

                        Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                      • definition (string) -- [REQUIRED]

                        Description of what this metadata field represents.

                      • validation (dict) --

                        Validation rules to constrain extracted values.

                        • stringValidation (dict) --

                          Validation for STRING fields.

                          • allowedValues (list) -- [REQUIRED]

                            Allowed values for this STRING field.

                            • (string) --

                        • stringListValidation (dict) --

                          Validation for STRINGLIST fields.

                          • allowedValues (list) --

                            Allowed values for items in this STRINGLIST field.

                            • (string) --

                          • maxItems (integer) --

                            Maximum number of items in the string list.

                        • numberValidation (dict) --

                          Validation for NUMBER fields.

                          • minValue (float) --

                            Minimum allowed value.

                          • maxValue (float) --

                            Maximum allowed value.

        • selfManagedConfiguration (dict) --

          The self-managed configuration for a custom memory strategy.

          • triggerConditions (list) --

            A list of conditions that trigger memory processing.

            • (dict) --

              Condition that triggers memory processing.

              • messageBasedTrigger (dict) --

                Message-based trigger configuration.

                • messageCount (integer) --

                  The number of messages that trigger memory processing.

              • tokenBasedTrigger (dict) --

                Token-based trigger configuration.

                • tokenCount (integer) --

                  Number of tokens that trigger memory processing.

              • timeBasedTrigger (dict) --

                Time-based trigger configuration.

                • idleSessionTimeout (integer) --

                  Idle session timeout (seconds) that triggers memory processing.

          • invocationConfiguration (dict) -- [REQUIRED]

            Configuration to invoke a self-managed memory processing pipeline with.

            • topicArn (string) -- [REQUIRED]

              The ARN of the SNS topic for job notifications.

            • payloadDeliveryBucketName (string) -- [REQUIRED]

              The S3 bucket name for event payload delivery.

          • historicalContextWindowSize (integer) --

            Number of historical messages to include in processing context.

      • memoryRecordSchema (dict) --

        Schema for metadata fields on records generated by this strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

    • episodicMemoryStrategy (dict) --

      Input for creating an episodic memory strategy.

      • name (string) -- [REQUIRED]

        The name of the episodic memory strategy.

      • description (string) --

        The description of the episodic memory strategy.

      • namespaces (list) --

        This is a legacy parameter, use namespaceTemplates. The namespaces for which to create episodes.

        • (string) --

      • namespaceTemplates (list) --

        The namespaceTemplates for which to create episodes.

        • (string) --

      • reflectionConfiguration (dict) --

        The configuration for the reflections created with the episodic memory strategy.

        • namespaces (list) --

          This is a legacy parameter, use namespaceTemplates. The namespaces over which to create reflections. Can be less nested than episode namespaces.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates over which to create reflections. Can be less nested than episode namespaces.

          • (string) --

        • memoryRecordSchema (dict) --

          Schema for metadata fields on records generated by reflections.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

      • memoryRecordSchema (dict) --

        Schema for metadata fields on records generated by this strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

type indexedKeys:

list

param indexedKeys:

Metadata keys to index for filtering. Once declared, indexed keys cannot be removed.

  • (dict) --

    A metadata key indexed for filtering.

    • key (string) -- [REQUIRED]

      The metadata key name to index.

    • type (string) -- [REQUIRED]

      The data type of the indexed key.

type streamDeliveryResources:

dict

param streamDeliveryResources:

Configuration for streaming memory record data to external resources.

  • resources (list) -- [REQUIRED]

    List of stream delivery resource configurations.

    • (dict) --

      Supported stream delivery resource types.

      • kinesis (dict) --

        Kinesis Data Stream configuration.

        • dataStreamArn (string) -- [REQUIRED]

          ARN of the Kinesis Data Stream.

        • contentConfigurations (list) -- [REQUIRED]

          Content configurations for stream delivery.

          • (dict) --

            Defines what content to stream and at what level of detail.

            • type (string) -- [REQUIRED]

              Type of content to stream.

            • level (string) --

              Level of detail for streamed content.
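The constraints stated above for memoryRecordSchema, indexedKeys and streamDeliveryResources can be checked offline before a request is sent. The following is an added example, not code from the AWS documentation or SDK: field names and enum values come from this page, while the function name, finding codes and sample data are constructed. Treating a type mismatch, an unconstrained LLM-inferred value and FULL_CONTENT streaming as findings is a review policy assumed here, not an API rule.

```python
"""Added example: offline lint for memoryRecordSchema, indexedKeys and
streamDeliveryResources values. Makes no AWS calls."""

VALIDATION_FOR_TYPE = {
    "STRING": "stringValidation",
    "STRINGLIST": "stringListValidation",
    "NUMBER": "numberValidation",
}


def _check_validation(ftype, validation):
    """Check that the validation block fits the field type and is usable."""
    if not validation:
        # Assumed policy: model-inferred values should be constrained.
        return ["UNCONSTRAINED_LLM_VALUE"]
    codes = []
    expected = VALIDATION_FOR_TYPE.get(ftype)
    for kind, rules in validation.items():
        if kind != expected:
            codes.append("VALIDATION_KIND_MISMATCH")
        elif kind == "stringValidation" and not rules.get("allowedValues"):
            codes.append("EMPTY_ALLOWED_VALUES")  # allowedValues is [REQUIRED]
        elif kind == "numberValidation":
            lo, hi = rules.get("minValue"), rules.get("maxValue")
            if lo is not None and hi is not None and lo > hi:
                codes.append("RANGE_INVERTED")
    return codes


def lint_memory_metadata(record_schemas, indexed_keys, stream_delivery=None):
    """Return a list of (subject, code) findings.

    record_schemas: list of memoryRecordSchema dicts
    indexed_keys: the indexedKeys list
    stream_delivery: the streamDeliveryResources dict, if any
    """
    findings = []
    indexed = {k["key"]: k["type"] for k in indexed_keys}
    used = set()

    for schema in record_schemas:
        for field in schema.get("metadataSchema", []):
            key, ftype = field["key"], field.get("type")
            used.add(key)
            # A field must match an indexed key to be usable in metadata filters.
            if key not in indexed:
                findings.append((key, "NOT_INDEXED"))
            elif ftype and indexed[key] != ftype:
                findings.append((key, "TYPE_MISMATCH"))  # assumed to be a mistake

            cfg = field.get("extractionConfig")
            # extractionConfig applies only to LLM-inferred values.
            if field.get("extractionType") != "LLM_INFERRED":
                if cfg:
                    findings.append((key, "CONFIG_NOT_APPLICABLE"))
                continue
            llm = (cfg or {}).get("llmExtractionConfig")
            if llm is not None and not llm.get("definition"):
                findings.append((key, "MISSING_DEFINITION"))
            validation = (llm or {}).get("validation") or {}
            findings.extend((key, c) for c in _check_validation(ftype, validation))

    # Indexed keys cannot be removed once declared, so flag unused ones early.
    for key in sorted(set(indexed) - used):
        findings.append((key, "INDEXED_UNUSED"))

    # Assumed policy: full record content leaving the service needs review.
    for res in (stream_delivery or {}).get("resources", []):
        kinesis = res.get("kinesis", {})
        for content in kinesis.get("contentConfigurations", []):
            if content.get("level") == "FULL_CONTENT":
                findings.append((kinesis.get("dataStreamArn"), "FULL_CONTENT_STREAM"))
    return findings


# Constructed sample input (account ID and stream name are placeholders).
SAMPLE_STREAM_ARN = "arn:aws:kinesis:us-east-1:111122223333:stream/example-stream"
SAMPLE_INDEXED_KEYS = [
    {"key": "priority", "type": "STRING"},
    {"key": "score", "type": "NUMBER"},
    {"key": "legacy_tag", "type": "STRING"},
]
SAMPLE_SCHEMAS = [{"metadataSchema": [
    {"key": "priority", "type": "STRING", "extractionType": "LLM_INFERRED",
     "extractionConfig": {"llmExtractionConfig": {
         "llmExtractionInstruction": "LATEST_VALUE",
         "definition": "Ticket priority",
         "validation": {"stringValidation": {"allowedValues": ["low", "high"]}}}}},
    {"key": "score", "type": "NUMBER", "extractionType": "LLM_INFERRED",
     "extractionConfig": {"llmExtractionConfig": {
         "definition": "Satisfaction score",
         "validation": {"numberValidation": {"minValue": 10.0, "maxValue": 1.0}}}}},
    {"key": "team", "type": "STRING", "extractionType": "STRICTLY_CONSISTENT",
     "extractionConfig": {"llmExtractionConfig": {"definition": "Owning team"}}},
]}]
SAMPLE_STREAM = {"resources": [{"kinesis": {
    "dataStreamArn": SAMPLE_STREAM_ARN,
    "contentConfigurations": [{"type": "MEMORY_RECORDS", "level": "FULL_CONTENT"}]}}]}

if __name__ == "__main__":
    for subject, code in lint_memory_metadata(
            SAMPLE_SCHEMAS, SAMPLE_INDEXED_KEYS, SAMPLE_STREAM):
        print(f"{code:26} {subject}")
```
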

type tags:

dict

param tags:

A map of tag keys and values to assign to an AgentCore Memory. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'memory': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'encryptionKeyArn': 'string',
        'memoryExecutionRoleArn': 'string',
        'eventExpiryDuration': 123,
        'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING'|'UPDATING',
        'failureReason': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'strategies': [
            {
                'strategyId': 'string',
                'name': 'string',
                'description': 'string',
                'configuration': {
                    'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
                    'extraction': {
                        'customExtractionConfiguration': {
                            'semanticExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'consolidation': {
                        'customConsolidationConfiguration': {
                            'semanticConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'summaryConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'reflection': {
                        'customReflectionConfiguration': {
                            'episodicReflectionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ],
                                'namespaceTemplates': [
                                    'string',
                                ],
                                'memoryRecordSchema': {
                                    'metadataSchema': [
                                        {
                                            'key': 'string',
                                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                            'extractionConfig': {
                                                'llmExtractionConfig': {
                                                    'llmExtractionInstruction': 'string',
                                                    'definition': 'string',
                                                    'validation': {
                                                        'stringValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ]
                                                        },
                                                        'stringListValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ],
                                                            'maxItems': 123
                                                        },
                                                        'numberValidation': {
                                                            'minValue': 123.0,
                                                            'maxValue': 123.0
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                    ]
                                }
                            }
                        },
                        'episodicReflectionConfiguration': {
                            'namespaces': [
                                'string',
                            ],
                            'namespaceTemplates': [
                                'string',
                            ],
                            'memoryRecordSchema': {
                                'metadataSchema': [
                                    {
                                        'key': 'string',
                                        'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                        'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                        'extractionConfig': {
                                            'llmExtractionConfig': {
                                                'llmExtractionInstruction': 'string',
                                                'definition': 'string',
                                                'validation': {
                                                    'stringValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ]
                                                    },
                                                    'stringListValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ],
                                                        'maxItems': 123
                                                    },
                                                    'numberValidation': {
                                                        'minValue': 123.0,
                                                        'maxValue': 123.0
                                                    }
                                                }
                                            }
                                        }
                                    },
                                ]
                            }
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'createdAt': datetime(2015, 1, 1),
                'updatedAt': datetime(2015, 1, 1),
                'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
        ],
        'indexedKeys': [
            {
                'key': 'string',
                'type': 'STRING'|'STRINGLIST'|'NUMBER'
            },
        ],
        'streamDeliveryResources': {
            'resources': [
                {
                    'kinesis': {
                        'dataStreamArn': 'string',
                        'contentConfigurations': [
                            {
                                'type': 'MEMORY_RECORDS',
                                'level': 'METADATA_ONLY'|'FULL_CONTENT'
                            },
                        ]
                    }
                },
            ]
        },
        'managedByResourceArn': 'string'
    }
}

Response Structure

  • (dict) --

    • memory (dict) --

      The details of the created memory, including its ID, ARN, name, description, and configuration settings.

      • arn (string) --

        The Amazon Resource Name (ARN) of the memory.

      • id (string) --

        The unique identifier of the memory.

      • name (string) --

        The name of the memory.

      • description (string) --

        The description of the memory.

      • encryptionKeyArn (string) --

        The ARN of the KMS key used to encrypt the memory.

      • memoryExecutionRoleArn (string) --

        The ARN of the IAM role that provides permissions for the memory.

      • eventExpiryDuration (integer) --

        The number of days after which memory events will expire.

      • status (string) --

        The current status of the memory.

      • failureReason (string) --

        The reason for failure if the memory is in a failed state.

      • createdAt (datetime) --

        The timestamp when the memory was created.

      • updatedAt (datetime) --

        The timestamp when the memory was last updated.

      • strategies (list) --

        The list of memory strategies associated with this memory.

        • (dict) --

          Contains information about a memory strategy.

          • strategyId (string) --

            The unique identifier of the memory strategy.

          • name (string) --

            The name of the memory strategy.

          • description (string) --

            The description of the memory strategy.

          • configuration (dict) --

            The configuration of the memory strategy.

            • type (string) --

              The type of override for the strategy configuration.

            • extraction (dict) --

              The extraction configuration for the memory strategy.

              • customExtractionConfiguration (dict) --

                The custom extraction configuration.

                • semanticExtractionOverride (dict) --

                  The semantic extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic extraction.

                  • modelId (string) --

                    The model ID to use for semantic extraction.

                • userPreferenceExtractionOverride (dict) --

                  The user preference extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference extraction.

                  • modelId (string) --

                    The model ID to use for user preference extraction.

                • episodicExtractionOverride (dict) --

                  The configurations to override the default extraction step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the extraction step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the extraction step of the episodic memory strategy.

            • consolidation (dict) --

              The consolidation configuration for the memory strategy.

              • customConsolidationConfiguration (dict) --

                The custom consolidation configuration.

                • semanticConsolidationOverride (dict) --

                  The semantic consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic consolidation.

                  • modelId (string) --

                    The model ID to use for semantic consolidation.

                • summaryConsolidationOverride (dict) --

                  The summary consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for summary consolidation.

                  • modelId (string) --

                    The model ID to use for summary consolidation.

                • userPreferenceConsolidationOverride (dict) --

                  The user preference consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference consolidation.

                  • modelId (string) --

                    The model ID to use for user preference consolidation.

                • episodicConsolidationOverride (dict) --

                  The configurations to override the default consolidation step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the consolidation step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the consolidation step of the episodic memory strategy.

            • reflection (dict) --

              The reflection configuration for the memory strategy.

              • customReflectionConfiguration (dict) --

                The configuration for a custom reflection strategy.

                • episodicReflectionOverride (dict) --

                  The configuration for a reflection strategy to override the default one.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the reflection step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the reflection step of the episodic memory strategy.

                  • namespaces (list) --

                    This is a legacy parameter. The namespaces over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • namespaceTemplates (list) --

                    The namespaceTemplates over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • memoryRecordSchema (dict) --

                    Schema for metadata fields on records generated by this reflection override.

                    • metadataSchema (list) --

                      The metadata field definitions for this strategy.

                      • (dict) --

                        A metadata field definition within a strategy's schema.

                        • key (string) --

                          The metadata field name. Must match an indexed key to be queryable via metadata filters.

                        • type (string) --

                          The MetadataValueType.

                        • extractionType (string) --

                          Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                        • extractionConfig (dict) --

                          Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                          • llmExtractionConfig (dict) --

                            Model-based extraction using a definition and instructions.

                            • llmExtractionInstruction (string) --

                              Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                            • definition (string) --

                              Description of what this metadata field represents.

                            • validation (dict) --

                              Validation rules to constrain extracted values.

                              • stringValidation (dict) --

                                Validation for STRING fields.

                                • allowedValues (list) --

                                  Allowed values for this STRING field.

                                  • (string) --

                              • stringListValidation (dict) --

                                Validation for STRINGLIST fields.

                                • allowedValues (list) --

                                  Allowed values for items in this STRINGLIST field.

                                  • (string) --

                                • maxItems (integer) --

                                  Maximum number of items in the string list.

                              • numberValidation (dict) --

                                Validation for NUMBER fields.

                                • minValue (float) --

                                  Minimum allowed value.

                                • maxValue (float) --

                                  Maximum allowed value.

              • episodicReflectionConfiguration (dict) --

                The configuration for the episodic reflection strategy.

                • namespaces (list) --

                  This is a legacy parameter, use namespaceTemplates. The namespaces for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • namespaceTemplates (list) --

                  The namespaceTemplates for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • memoryRecordSchema (dict) --

                  Schema for metadata fields on records generated by reflections.

                  • metadataSchema (list) --

                    The metadata field definitions for this strategy.

                    • (dict) --

                      A metadata field definition within a strategy's schema.

                      • key (string) --

                        The metadata field name. Must match an indexed key to be queryable via metadata filters.

                      • type (string) --

                        The MetadataValueType.

                      • extractionType (string) --

                        Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                      • extractionConfig (dict) --

                        Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                        • llmExtractionConfig (dict) --

                          Model-based extraction using a definition and instructions.

                          • llmExtractionInstruction (string) --

                            Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                          • definition (string) --

                            Description of what this metadata field represents.

                          • validation (dict) --

                            Validation rules to constrain extracted values.

                            • stringValidation (dict) --

                              Validation for STRING fields.

                              • allowedValues (list) --

                                Allowed values for this STRING field.

                                • (string) --

                            • stringListValidation (dict) --

                              Validation for STRINGLIST fields.

                              • allowedValues (list) --

                                Allowed values for items in this STRINGLIST field.

                                • (string) --

                              • maxItems (integer) --

                                Maximum number of items in the string list.

                            • numberValidation (dict) --

                              Validation for NUMBER fields.

                              • minValue (float) --

                                Minimum allowed value.

                              • maxValue (float) --

                                Maximum allowed value.

            • selfManagedConfiguration (dict) --

              Self-managed configuration settings.

              • triggerConditions (list) --

                A list of conditions that trigger memory processing.

                • (dict) --

                  Condition that triggers memory processing.

                  • messageBasedTrigger (dict) --

                    Message based trigger configuration.

                    • messageCount (integer) --

                      The number of messages that trigger memory processing.

                  • tokenBasedTrigger (dict) --

                    Token based trigger configuration.

                    • tokenCount (integer) --

                      Number of tokens that trigger memory processing.

                  • timeBasedTrigger (dict) --

                    Time based trigger configuration.

                    • idleSessionTimeout (integer) --

                      Idle session timeout (seconds) that triggers memory processing.

              • invocationConfiguration (dict) --

                The configuration to use when invoking memory processing.

                • topicArn (string) --

                  The ARN of the SNS topic for job notifications.

                • payloadDeliveryBucketName (string) --

                  The S3 bucket name for event payload delivery.

              • historicalContextWindowSize (integer) --

                The number of historical messages to include in processing context.

          • type (string) --

            The type of the memory strategy.

          • namespaces (list) --

            This is a legacy parameter. The namespaces associated with the memory strategy.

            • (string) --

          • namespaceTemplates (list) --

            The namespaceTemplates associated with the memory strategy.

            • (string) --

          • createdAt (datetime) --

            The timestamp when the memory strategy was created.

          • updatedAt (datetime) --

            The timestamp when the memory strategy was last updated.

          • status (string) --

            The current status of the memory strategy.

          • memoryRecordSchema (dict) --

            Schema for metadata fields on records generated by this strategy.

            • metadataSchema (list) --

              The metadata field definitions for this strategy.

              • (dict) --

                A metadata field definition within a strategy's schema.

                • key (string) --

                  The metadata field name. Must match an indexed key to be queryable via metadata filters.

                • type (string) --

                  The MetadataValueType.

                • extractionType (string) --

                  Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                • extractionConfig (dict) --

                  Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                  • llmExtractionConfig (dict) --

                    Model-based extraction using a definition and instructions.

                    • llmExtractionInstruction (string) --

                      Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                    • definition (string) --

                      Description of what this metadata field represents.

                    • validation (dict) --

                      Validation rules to constrain extracted values.

                      • stringValidation (dict) --

                        Validation for STRING fields.

                        • allowedValues (list) --

                          Allowed values for this STRING field.

                          • (string) --

                      • stringListValidation (dict) --

                        Validation for STRINGLIST fields.

                        • allowedValues (list) --

                          Allowed values for items in this STRINGLIST field.

                          • (string) --

                        • maxItems (integer) --

                          Maximum number of items in the string list.

                      • numberValidation (dict) --

                        Validation for NUMBER fields.

                        • minValue (float) --

                          Minimum allowed value.

                        • maxValue (float) --

                          Maximum allowed value.

      • indexedKeys (list) --

        The indexed metadata keys for this memory. Only indexed keys can be used in metadata filters.

        • (dict) --

          A metadata key indexed for filtering.

          • key (string) --

            The metadata key name to index.

          • type (string) --

            The data type of the indexed key.

      • streamDeliveryResources (dict) --

        Configuration for streaming memory record data to external resources.

        • resources (list) --

          List of stream delivery resource configurations.

          • (dict) --

            Supported stream delivery resource types.

            • kinesis (dict) --

              Kinesis Data Stream configuration.

              • dataStreamArn (string) --

                ARN of the Kinesis Data Stream.

              • contentConfigurations (list) --

                Content configurations for stream delivery.

                • (dict) --

                  Defines what content to stream and at what level of detail.

                  • type (string) --

                    Type of content to stream.

                  • level (string) --

                    Level of detail for streamed content.

      • managedByResourceArn (string) --

        ARN of the resource managing this memory (e.g. a harness). When set, strategy modifications and deletion are only allowed through the managing resource.

CreatePaymentManager (updated)
Changes (both)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Creates a new payment manager in your Amazon Web Services account. A payment manager serves as the top-level resource for managing payment processing capabilities, including payment connectors that integrate with supported payment providers.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_payment_manager(
    name='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    roleArn='string',
    clientToken='string',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the payment manager.

type description:

string

param description:

A description of the payment manager.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the payment manager.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the payment manager.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that the payment manager assumes to access resources on your behalf.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type tags:

dict

param tags:

A map of tag keys and values to assign to the payment manager.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the created payment manager.

    • paymentManagerId (string) --

      The unique identifier of the created payment manager.

    • name (string) --

      The name of the created payment manager.

    • authorizerType (string) --

      The type of authorizer for the created payment manager.

    • authorizerConfiguration (dict) --

      Represents inbound authorization configuration options used to authenticate incoming requests.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the created payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • createdAt (datetime) --

      The timestamp when the payment manager was created.

    • status (string) --

      The current status of the payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.

    • tags (dict) --

      The tags associated with the created payment manager.

      • (string) --

        • (string) --
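
A pre-flight check for the CreatePaymentManager request documented above, added here as an example and not AWS code: it enforces the [REQUIRED] markers and enum values from the parameter list and flags two points a reviewer would want to see before the call is made. The function names, the sample request and the "no restriction set" warning are assumptions of this example, not service behaviour.

```python
CLAIM_TYPES = {"STRING", "STRING_ARRAY"}
CLAIM_OPERATORS = {"EQUALS", "CONTAINS", "CONTAINS_ANY"}


def _lint_endpoint(endpoint, path, errors, warnings):
    """Check the managedVpcResource branch of one privateEndpoint dict."""
    managed = endpoint.get("managedVpcResource")
    if managed is None:
        return
    for key in ("vpcIdentifier", "subnetIds", "endpointIpAddressType"):
        if not managed.get(key):
            errors.append(f"{path}.managedVpcResource.{key} is required")
    if not managed.get("securityGroupIds"):
        # Documented fallback: the default security group for the VPC is used.
        warnings.append(f"{path}.managedVpcResource.securityGroupIds unset, "
                        "VPC default security group applies")


def _lint_claim(claim, path, errors):
    """Check one customClaims entry against its [REQUIRED] members and enums."""
    for key in ("inboundTokenClaimName", "inboundTokenClaimValueType",
                "authorizingClaimMatchValue"):
        if key not in claim:
            errors.append(f"{path}.{key} is required")
    value_type = claim.get("inboundTokenClaimValueType")
    if value_type is not None and value_type not in CLAIM_TYPES:
        errors.append(f"{path}.inboundTokenClaimValueType invalid: {value_type!r}")
    match = claim.get("authorizingClaimMatchValue")
    if match is None:
        return
    value = match.get("claimMatchValue")
    if value is None:
        errors.append(f"{path}.claimMatchValue is required")
    elif not (value.get("matchValueString") or value.get("matchValueStringList")):
        errors.append(f"{path}.claimMatchValue holds no value to match")
    if match.get("claimMatchOperator") not in CLAIM_OPERATORS:
        errors.append(f"{path}.claimMatchOperator must be one of {sorted(CLAIM_OPERATORS)}")


def lint_payment_manager_request(kwargs):
    """Return (errors, warnings) for a create_payment_manager kwargs dict."""
    errors, warnings = [], []
    for key in ("name", "authorizerType", "roleArn"):
        if not kwargs.get(key):
            errors.append(f"{key} is required")
    config = kwargs.get("authorizerConfiguration") or {}
    if kwargs.get("authorizerType") == "CUSTOM_JWT" and not config:
        errors.append("authorizerConfiguration is required for CUSTOM_JWT")
    jwt = config.get("customJWTAuthorizer")
    if jwt is None:
        return errors, warnings
    if not jwt.get("discoveryUrl"):
        errors.append("customJWTAuthorizer.discoveryUrl is required")
    # Review heuristic of this example, not a documented service rule.
    if not any(jwt.get(k) for k in ("allowedAudience", "allowedClients",
                                    "allowedScopes", "customClaims")):
        warnings.append("no audience, client, scope or custom-claim restriction set")
    for i, claim in enumerate(jwt.get("customClaims", [])):
        _lint_claim(claim, f"customClaims[{i}]", errors)
    if "privateEndpoint" in jwt:
        _lint_endpoint(jwt["privateEndpoint"], "privateEndpoint", errors, warnings)
    for i, override in enumerate(jwt.get("privateEndpointOverrides", [])):
        path = f"privateEndpointOverrides[{i}]"
        if not override.get("domain"):
            errors.append(f"{path}.domain is required")
        if "privateEndpoint" not in override:
            errors.append(f"{path}.privateEndpoint is required")
        else:
            _lint_endpoint(override["privateEndpoint"], f"{path}.privateEndpoint",
                           errors, warnings)
    workloads = jwt.get("allowedWorkloadConfiguration") or {}
    for i, env in enumerate(workloads.get("hostingEnvironments", [])):
        if not env.get("arn"):
            errors.append(f"hostingEnvironments[{i}].arn is required")
    return errors, warnings


# Constructed sample request: every name, ARN, URL and ID is a placeholder.
SAMPLE_REQUEST = {
    "name": "example_payment_manager",
    "authorizerType": "CUSTOM_JWT",
    "roleArn": "arn:aws:iam::111122223333:role/ExampleRole",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "customClaims": [{
            "inboundTokenClaimName": "department",
            "inboundTokenClaimValueType": "STRING",
            "authorizingClaimMatchValue": {"claimMatchValue": {},
                                           "claimMatchOperator": "MATCHES"},
        }],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"]}},
    }},
}

if __name__ == "__main__":
    for level, found in zip(("ERROR", "WARN"), lint_payment_manager_request(SAMPLE_REQUEST)):
        print(*(f"{level}: {msg}" for msg in found), sep="\n")
```

Running the lint in CI before any create_payment_manager call keeps malformed authorizer configurations out of the account and makes the security-group fallback an explicit decision.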

CreatePolicy (updated)
Changes (both)
{'definition': {'policy': {'statement': 'string'}},
 'enforcementMode': 'ACTIVE | LOG_ONLY'}

Creates a policy within the AgentCore Policy system. Policies provide real-time, deterministic control over agentic interactions with AgentCore Gateway. Using the Cedar policy language, you can define fine-grained policies that specify which interactions with Gateway tools are permitted based on input parameters and OAuth claims, ensuring agents operate within defined boundaries and business rules. The policy is validated during creation against the Cedar schema generated from the Gateway's tools' input schemas, which defines the available tools, their parameters, and expected data types. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.

See also: AWS API Documentation

Request Syntax

client.create_policy(
    name='string',
    definition={
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    description='string',
    validationMode='FAIL_ON_ANY_FINDINGS'|'IGNORE_ALL_FINDINGS',
    enforcementMode='ACTIVE'|'LOG_ONLY',
    policyEngineId='string',
    clientToken='string'
)
type name:

string

param name:

[REQUIRED]

The customer-assigned immutable name for the policy. Must be unique within the account. This name is used for policy identification and cannot be changed after creation.

type definition:

dict

param definition:

[REQUIRED]

The Cedar policy statement that defines the access control rules. This contains the actual policy logic written in Cedar policy language, specifying effect (permit or forbid), principals, actions, resources, and conditions for agent behavior control.

  • cedar (dict) --

    The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

    • statement (string) -- [REQUIRED]

      The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

  • policyGeneration (dict) --

    The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

    • policyGenerationId (string) -- [REQUIRED]

      The unique identifier for this policy generation request.

    • policyGenerationAssetId (string) -- [REQUIRED]

      The unique identifier for this generated policy asset within the policy generation request.

  • policy (dict) --

    An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

    • statement (string) -- [REQUIRED]

      The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

type description:

string

param description:

A human-readable description of the policy's purpose and functionality (1-4,096 characters). This helps policy administrators understand the policy's intent, business rules, and operational scope. Use this field to document why the policy exists, what business requirement it addresses, and any special considerations for maintenance. Clear descriptions are essential for policy governance, auditing, and troubleshooting.

type validationMode:

string

param validationMode:

The validation mode for the policy creation. Determines how Cedar analyzer validation results are handled during policy creation. FAIL_ON_ANY_FINDINGS (default) runs the Cedar analyzer to validate the policy against the Cedar schema and tool context, failing creation if the analyzer detects any validation issues to ensure strict conformance. IGNORE_ALL_FINDINGS runs the Cedar analyzer but allows policy creation even if validation issues are detected, useful for testing or when the policy schema is evolving. Use FAIL_ON_ANY_FINDINGS for production policies to ensure correctness, and IGNORE_ALL_FINDINGS only when you understand and accept the analyzer findings.

type enforcementMode:

string

param enforcementMode:

The enforcement mode for the policy. Run this policy in LOG_ONLY mode to collect data on how it affects your application. Once you are satisfied with the data gathered, switch the policy to ACTIVE. Defaults to ACTIVE.

type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine which contains this policy. Policy engines group related policies and provide the execution context for policy evaluation.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure the idempotency of the request. The AWS SDK automatically generates this token, so you don't need to provide it in most cases. If you retry a request with the same client token, the service returns the same response without creating a duplicate policy.

This field is autopopulated if not provided.
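
A toy model of the evaluation rules stated above (default deny, forbid overrides permit) and of a LOG_ONLY rollout, added here as an illustration and not AWS code. It assumes LOG_ONLY policies are evaluated but never change the enforced outcome, which this page does not spell out; the Policy class, tool names, scopes and amounts are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Policy:
    name: str
    effect: str                      # "permit" or "forbid"
    enforcement_mode: str            # "ACTIVE" or "LOG_ONLY"
    matches: Callable[[Dict], bool]  # stand-in for a Cedar scope plus conditions


def decide(policies: List[Policy], request: Dict) -> str:
    """Default deny; one matching forbid overrides every matching permit."""
    hits = [p for p in policies if p.matches(request)]
    if any(p.effect == "forbid" for p in hits):
        return "DENY"
    return "ALLOW" if any(p.effect == "permit" for p in hits) else "DENY"


def rollout_report(policies: List[Policy], requests: List[Dict]) -> List[Dict]:
    """List requests whose outcome changes once LOG_ONLY policies go ACTIVE."""
    active = [p for p in policies if p.enforcement_mode == "ACTIVE"]
    changes = []
    for request in requests:
        enforced = decide(active, request)     # ASSUMPTION: LOG_ONLY is not enforced
        projected = decide(policies, request)  # every policy treated as ACTIVE
        if enforced != projected:
            changes.append({
                "tool": request["tool"],
                "enforced": enforced,
                "projected": projected,
                "log_only_hits": [p.name for p in policies
                                  if p.enforcement_mode == "LOG_ONLY"
                                  and p.matches(request)],
            })
    return changes


# Constructed sample data: tool names, scopes and amounts are hypothetical.
POLICIES = [
    Policy("permit_refund", "permit", "ACTIVE",
           lambda r: r["tool"] == "refund"
           and "payments:refund" in r["claims"]["scope"]),
    Policy("forbid_large_refund", "forbid", "LOG_ONLY",
           lambda r: r["tool"] == "refund" and r["input"]["amount"] > 500),
    Policy("permit_balance", "permit", "LOG_ONLY",
           lambda r: r["tool"] == "get_balance"),
]
REQUESTS = [
    {"tool": "refund", "input": {"amount": 100}, "claims": {"scope": ["payments:refund"]}},
    {"tool": "refund", "input": {"amount": 900}, "claims": {"scope": ["payments:refund"]}},
    {"tool": "get_balance", "input": {}, "claims": {"scope": []}},
    {"tool": "close_account", "input": {}, "claims": {"scope": []}},
]

if __name__ == "__main__":
    for change in rollout_report(POLICIES, REQUESTS):
        print(change)
```

A LOG_ONLY permit that moves a request from DENY to ALLOW widens access when it is switched to ACTIVE, so it deserves the same review as a new forbid.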

rtype:

dict

returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'enforcementMode': 'ACTIVE'|'LOG_ONLY',
    'definition': {
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    'description': 'string',
    'statusReasons': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • policyId (string) --

      The unique identifier for the created policy. This is a system-generated identifier consisting of the user name plus a 10-character generated suffix, used for all subsequent policy operations.

    • name (string) --

      The customer-assigned name of the created policy. This matches the name provided in the request and serves as the human-readable identifier for the policy.

    • policyEngineId (string) --

      The identifier of the policy engine that manages this policy. This confirms the policy engine assignment and is used for policy evaluation routing.

    • createdAt (datetime) --

      The timestamp when the policy was created. This is automatically set by the service and used for auditing and lifecycle management.

    • updatedAt (datetime) --

      The timestamp when the policy was last updated. For newly created policies, this matches the createdAt timestamp.

    • policyArn (string) --

      The Amazon Resource Name (ARN) of the created policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

    • status (string) --

      The current status of the policy. A status of ACTIVE indicates the policy is ready for use.

    • enforcementMode (string) --

      The enforcement mode of the created policy.

    • definition (dict) --

      The Cedar policy statement that was created. This is the validated policy definition that will be used for agent behavior control and access decisions.

      • cedar (dict) --

        The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

        • statement (string) --

          The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

      • policyGeneration (dict) --

        The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

        • policyGenerationId (string) --

          The unique identifier for this policy generation request.

        • policyGenerationAssetId (string) --

          The unique identifier for this generated policy asset within the policy generation request.

      • policy (dict) --

        An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

        • statement (string) --

          The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

    • description (string) --

      The human-readable description of the policy's purpose and functionality. This helps administrators understand and manage the policy.

    • statusReasons (list) --

      Additional information about the policy status. This provides details about any failures or the current state of the policy creation process.

      • (string) --

CreateRegistry (updated)
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Creates a new registry in your Amazon Web Services account. A registry serves as a centralized catalog for organizing and managing registry records, including MCP servers, A2A agents, agent skills, and custom resource types.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_registry(
    name='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    clientToken='string',
    approvalConfiguration={
        'autoApproval': True|False
    }
)
type name:

string

param name:

[REQUIRED]

The name of the registry. The name must be unique within your account and can contain alphanumeric characters and underscores.

type description:

string

param description:

A description of the registry.

type authorizerType:

string

param authorizerType:

The type of authorizer to use for the registry. This controls the authorization method for the Search and Invoke APIs used by consumers, and does not affect the standard CRUDL APIs for registry and registry record management used by administrators.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the registry. Required if authorizerType is CUSTOM_JWT. For details, see the AuthorizerConfiguration data type.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type approvalConfiguration:

dict

param approvalConfiguration:

The approval configuration for registry records. Controls whether records require explicit approval before becoming active. See the ApprovalConfiguration data type for supported configuration options.

  • autoApproval (boolean) --

    Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

rtype:

dict

returns:

Response Syntax

{
    'registryArn': 'string'
}

Response Structure

  • (dict) --

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the created registry.
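A pre-flight review of create_registry arguments, added here as an example (not AWS or boto3 code): it checks the fields this page marks [REQUIRED], the CUSTOM_JWT rule, and the documented defaults for securityGroupIds and autoApproval. The function names, the two reviewer heuristics (non-https discoveryUrl, no narrowing fields set) and all sample values are assumptions of this example.

```python
from urllib.parse import urlparse

# Enum values copied from the Request Syntax on this page.
CLAIM_VALUE_TYPES = {"STRING", "STRING_ARRAY"}
# Optional fields that narrow which tokens are accepted (this grouping is the example's).
NARROWING_FIELDS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def _require(obj, fields, where, findings):
    """Add an ERROR for each field the page marks [REQUIRED] that is absent or empty."""
    for field in fields:
        if not obj.get(field):
            findings.append(("ERROR", f"{where}: missing required field {field}"))


def _check_private_endpoint(endpoint, where, findings):
    managed = endpoint.get("managedVpcResource")
    if managed is None:
        return
    where = f"{where}.managedVpcResource"
    _require(managed, ("vpcIdentifier", "subnetIds", "endpointIpAddressType"), where, findings)
    if not managed.get("securityGroupIds"):  # documented fallback: VPC default security group
        findings.append(("WARN", f"{where}: no securityGroupIds, default security group is used"))


def _check_custom_claim(claim, where, findings):
    _require(claim, ("inboundTokenClaimName", "inboundTokenClaimValueType",
                     "authorizingClaimMatchValue"), where, findings)
    value_type = claim.get("inboundTokenClaimValueType")
    if value_type and value_type not in CLAIM_VALUE_TYPES:
        findings.append(("ERROR", f"{where}: unknown inboundTokenClaimValueType {value_type!r}"))
    match = claim.get("authorizingClaimMatchValue")
    if match:
        _require(match, ("claimMatchValue", "claimMatchOperator"),
                 f"{where}.authorizingClaimMatchValue", findings)


def _check_jwt_authorizer(jwt, findings):
    where = "customJWTAuthorizer"
    _require(jwt, ("discoveryUrl",), where, findings)
    url = jwt.get("discoveryUrl")
    if url and urlparse(url).scheme != "https":  # reviewer heuristic, not an API rule
        findings.append(("WARN", f"{where}: discoveryUrl is not https"))
    if not any(jwt.get(field) for field in NARROWING_FIELDS):  # reviewer heuristic
        findings.append(("WARN", f"{where}: none of {', '.join(NARROWING_FIELDS)} is set"))
    for i, claim in enumerate(jwt.get("customClaims") or []):
        _check_custom_claim(claim, f"{where}.customClaims[{i}]", findings)
    _check_private_endpoint(jwt.get("privateEndpoint") or {}, f"{where}.privateEndpoint", findings)
    for i, override in enumerate(jwt.get("privateEndpointOverrides") or []):
        here = f"{where}.privateEndpointOverrides[{i}]"
        _require(override, ("domain", "privateEndpoint"), here, findings)
        _check_private_endpoint(override.get("privateEndpoint") or {}, f"{here}.privateEndpoint", findings)
    workloads = jwt.get("allowedWorkloadConfiguration") or {}
    for i, env in enumerate(workloads.get("hostingEnvironments") or []):
        _require(env, ("arn",), f"{where}.allowedWorkloadConfiguration.hostingEnvironments[{i}]", findings)


def review_create_registry(kwargs):
    """Return (severity, message) findings for a create_registry argument dict."""
    findings = []
    _require(kwargs, ("name",), "request", findings)
    jwt = (kwargs.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if kwargs.get("authorizerType") == "CUSTOM_JWT" and jwt is None:
        findings.append(("ERROR", "request: CUSTOM_JWT requires authorizerConfiguration"))
    if jwt is not None:
        _check_jwt_authorizer(jwt, findings)
    if (kwargs.get("approvalConfiguration") or {}).get("autoApproval") is True:
        findings.append(("WARN", "approvalConfiguration: records are auto-approved on creation"))
    return findings


# Constructed sample inputs (placeholder names and IDs, not real resources).
WEAK = {"name": "team_registry", "authorizerType": "CUSTOM_JWT",
        "authorizerConfiguration": {"customJWTAuthorizer": {
            "discoveryUrl": "http://idp.example.com/.well-known/openid-configuration",
            "customClaims": [{"inboundTokenClaimName": "groups",
                              "inboundTokenClaimValueType": "LIST",
                              "authorizingClaimMatchValue": {"claimMatchOperator": "CONTAINS_ANY"}}],
            "privateEndpoint": {"managedVpcResource": {
                "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"],
                "endpointIpAddressType": "IPV4"}}}},
        "approvalConfiguration": {"autoApproval": True}}
HARDENED = {"name": "team_registry", "authorizerType": "CUSTOM_JWT",
            "authorizerConfiguration": {"customJWTAuthorizer": {
                "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
                "allowedAudience": ["registry-consumers"],
                "customClaims": [{"inboundTokenClaimName": "groups",
                                  "inboundTokenClaimValueType": "STRING_ARRAY",
                                  "authorizingClaimMatchValue": {
                                      "claimMatchValue": {"matchValueStringList": ["agent-builders"]},
                                      "claimMatchOperator": "CONTAINS_ANY"}}]}},
            "approvalConfiguration": {"autoApproval": False}}

if __name__ == "__main__":
    for label, request in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        for severity, message in review_create_registry(request):
            print(label, severity, message)
```

Run it against the keyword arguments before passing them to client.create_registry; an empty result means no finding from these checks, not that the service will accept the request.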

DeleteHarness (updated)
Changes (request, response)
Request
{'deleteManagedMemory': 'boolean'}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                  'workloadIdentities': ['string']}}},
             'harnessVersion': 'string',
             'memory': {'disabled': {},
                        'managedMemoryConfiguration': {'arn': 'string',
                                                       'encryptionKeyArn': 'string',
                                                       'eventExpiryDuration': 'integer',
                                                       'strategies': ['SEMANTIC | SUMMARIZATION | USER_PREFERENCE | EPISODIC']}},
             'skills': {'awsSkills': {'paths': ['string']}}}}

Operation to delete a Harness.

See also: AWS API Documentation

Request Syntax

client.delete_harness(
    harnessId='string',
    clientToken='string',
    deleteManagedMemory=True|False
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to delete.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type deleteManagedMemory:

boolean

param deleteManagedMemory:

Whether to delete the managed memory on harness deletion. Default: true. If false, the memory is disassociated and becomes a regular customer-owned resource.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was deleted.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How the harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (document) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.
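
An added example, not part of the AWS documentation: a static audit of the harness fields described above that flags the settings the field descriptions themselves mark as permissive (no outbound auth, all tools allowed, AWS-owned key, malformed mount paths). The function names, the finding wording, the secret-name heuristic and the sample dict are assumptions made for illustration; the input is the dict that carries these fields.

```python
import re
from urllib.parse import urlsplit

# Heuristic (assumption): names that usually carry a credential.
SECRET_NAME = re.compile(r"secret|token|password|passwd|api[_-]?key|authorization", re.I)
# "under /mnt with exactly one subdirectory level", as the mountPath fields state.
MOUNT_PATH = re.compile(r"^/mnt/[^/]+$")


def url_issue(url):
    """Return what is wrong with a URL, or None if it is credential-free HTTPS."""
    parts = urlsplit(url or "")
    if parts.scheme != "https":
        return "is not an https:// URL"
    if parts.username or parts.password:
        return "embeds credentials in the URL"
    return None


def audit_harness(harness):
    """Return 'path: finding' strings for one harness dict (hypothetical helper)."""
    findings = []

    def flag(path, message):
        findings.append(f"{path}: {message}")

    for i, tool in enumerate(harness.get("tools") or []):
        cfg = tool.get("config") or {}
        mcp = cfg.get("remoteMcp")
        if mcp:
            issue = url_issue(mcp.get("url"))
            if issue:
                flag(f"tools[{i}].config.remoteMcp.url", issue)
            for name in mcp.get("headers") or {}:
                if SECRET_NAME.search(name):
                    flag(f"tools[{i}].config.remoteMcp.headers.{name}",
                         "credential-like header stored as a literal")
        gateway = cfg.get("agentCoreGateway")
        # Omitted outboundAuth defaults to AWS_IAM (SigV4); only 'none' is flagged.
        if gateway and "none" in (gateway.get("outboundAuth") or {}):
            flag(f"tools[{i}].config.agentCoreGateway.outboundAuth",
                 "gateway is called with no authentication")

    for i, skill in enumerate(harness.get("skills") or []):
        issue = url_issue(skill["git"].get("url")) if skill.get("git") else None
        if issue:
            flag(f"skills[{i}].git.url", issue)

    if not harness.get("allowedTools"):
        flag("allowedTools", "unset, so all tools are allowed by default")

    runtime = (harness.get("environment") or {}).get("agentCoreRuntimeEnvironment") or {}
    net = runtime.get("networkConfiguration") or {}
    if net.get("networkMode") == "PUBLIC":
        flag("networkConfiguration.networkMode", "runtime is not in VPC mode")
    if (net.get("networkModeConfig") or {}).get("requireServiceS3Endpoint") is True:
        flag("networkModeConfig.requireServiceS3Endpoint",
             "service-managed S3 gateway remains provisioned")
    for j, fs in enumerate(runtime.get("filesystemConfigurations") or []):
        for kind, body in fs.items():
            path = body.get("mountPath", "")
            # Reject extra levels and the '.' / '..' segments that escape /mnt.
            if not MOUNT_PATH.match(path) or path.rsplit("/", 1)[1] in (".", ".."):
                flag(f"filesystemConfigurations[{j}].{kind}.mountPath",
                     f"{path!r} is not /mnt/<one directory>")

    for name in harness.get("environmentVariables") or {}:
        if SECRET_NAME.search(name):
            flag(f"environmentVariables.{name}", "credential-like value in plain config")

    jwt = (harness.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt:
        issue = url_issue(jwt.get("discoveryUrl"))
        if issue:
            flag("customJWTAuthorizer.discoveryUrl", issue)
        limits = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
        if not any(jwt.get(key) for key in limits):
            flag("customJWTAuthorizer", "no audience, client, scope or claim restriction")

    managed = (harness.get("memory") or {}).get("managedMemoryConfiguration")
    if managed is not None and not managed.get("encryptionKeyArn"):
        flag("managedMemoryConfiguration.encryptionKeyArn",
             "unset, so the AWS-owned key is used")
    return findings


# Constructed sample input, not real service output; ARNs are placeholders.
SAMPLE_HARNESS = {
    "tools": [
        {"name": "search", "config": {"remoteMcp": {
            "url": "http://mcp.example.internal/mcp",
            "headers": {"Authorization": "Bearer constructed-value"}}}},
        {"name": "gw", "config": {"agentCoreGateway": {
            "gatewayArn": "EXAMPLE-GATEWAY-ARN", "outboundAuth": {"none": {}}}}},
    ],
    "skills": [{"git": {"url": "https://user:tok@git.example.com/org/skills.git"}}],
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {"networkMode": "PUBLIC"},
        "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data/cache"}}]}},
    "environmentVariables": {"DB_PASSWORD": "constructed", "LOG_LEVEL": "info"},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}},
    "memory": {"managedMemoryConfiguration": {"eventExpiryDuration": 30}},
}

if __name__ == "__main__":
    for line in audit_harness(SAMPLE_HARNESS):
        print(line)
```

An absent `requireServiceS3Endpoint` is deliberately not flagged, because post-rollout runtimes never carry the field and pre-rollout ones cannot be told apart from the response alone.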

DeletePolicy (updated)
Changes (response)
{'definition': {'policy': {'statement': 'string'}},
 'enforcementMode': 'ACTIVE | LOG_ONLY'}

Deletes an existing policy from the AgentCore Policy system. Once deleted, the policy can no longer be used for agent behavior control and all references to it become invalid. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.

See also: AWS API Documentation

Request Syntax

client.delete_policy(
    policyEngineId='string',
    policyId='string'
)
type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine that manages the policy to be deleted. This ensures the policy is deleted from the correct policy engine context.

type policyId:

string

param policyId:

[REQUIRED]

The unique identifier of the policy to be deleted. This must be a valid policy ID that exists within the specified policy engine.

rtype:

dict

returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'enforcementMode': 'ACTIVE'|'LOG_ONLY',
    'definition': {
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    'description': 'string',
    'statusReasons': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • policyId (string) --

      The unique identifier of the policy being deleted. This confirms which policy the deletion operation targets.

    • name (string) --

      The customer-assigned name of the deleted policy. This confirms which policy was successfully removed from the system and matches the name that was originally assigned during policy creation.

    • policyEngineId (string) --

      The identifier of the policy engine from which the policy was deleted. This confirms the policy engine context for the deletion operation.

    • createdAt (datetime) --

      The timestamp when the deleted policy was originally created.

    • updatedAt (datetime) --

      The timestamp when the deleted policy was last modified before deletion. This tracks the final state of the policy before it was removed from the system.

    • policyArn (string) --

      The Amazon Resource Name (ARN) of the deleted policy. This globally unique identifier confirms which policy resource was successfully removed.

    • status (string) --

      The status of the policy deletion operation. This provides information about any issues that occurred during the deletion process.

    • enforcementMode (string) --

      The enforcement mode of the deleted policy.

    • definition (dict) --

      Represents the definition structure for policies within the AgentCore Policy system. This structure encapsulates different policy formats and languages that can be used to define access control rules.

      • cedar (dict) --

        The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

        • statement (string) --

          The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

      • policyGeneration (dict) --

        The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

        • policyGenerationId (string) --

          The unique identifier for this policy generation request.

        • policyGenerationAssetId (string) --

          The unique identifier for this generated policy asset within the policy generation request.

      • policy (dict) --

        An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

        • statement (string) --

          The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

    • description (string) --

      The human-readable description of the deleted policy.

    • statusReasons (list) --

      Additional information about the deletion status. This provides details about the deletion process or any issues that may have occurred.

      • (string) --

GetAgentRuntime (updated)
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Gets an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.get_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeVersion='string'
)
type agentRuntimeId:

string

param agentRuntimeId:

[REQUIRED]

The unique identifier of the AgentCore Runtime to retrieve.

type agentRuntimeVersion:

string

param agentRuntimeVersion:

The version of the AgentCore Runtime to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeName': 'string',
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'roleArn': 'string',
    'networkConfiguration': {
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING',
    'lifecycleConfiguration': {
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    'failureReason': 'string',
    'description': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeArtifact': {
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    'protocolConfiguration': {
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    'environmentVariables': {
        'string': 'string'
    },
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'requestHeaderConfiguration': {
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    'metadataConfiguration': {
        'requireMMDSV2': True|False
    },
    'filesystemConfigurations': [
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • agentRuntimeName (string) --

      The name of the AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the AgentCore Runtime.

    • networkConfiguration (dict) --

      The network configuration for the AgentCore Runtime.

      • networkMode (string) --

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) --

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) --

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • status (string) --

      The current status of the AgentCore Runtime.

    • lifecycleConfiguration (dict) --

      The life cycle configuration for the AgentCore Runtime.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • failureReason (string) --

      The reason for failure if the AgentCore Runtime is in a failed state.

    • description (string) --

      The description of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeArtifact (dict) --

      The artifact of the AgentCore Runtime.

      • containerConfiguration (dict) --

        The container configuration for the agent artifact.

        • containerUri (string) --

          The ECR URI of the container.

      • codeConfiguration (dict) --

        The code configuration for the agent runtime artifact, including the source code location and execution settings.

        • code (dict) --

          The source code location and configuration details.

          • s3 (dict) --

            The Amazon S3 object that contains the source code for the agent runtime.

            • bucket (string) --

              The name of the Amazon S3 bucket. This bucket contains the stored data.

            • prefix (string) --

              The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

            • versionId (string) --

              The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

        • runtime (string) --

          The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

        • entryPoint (list) --

          The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

          • (string) --

    • protocolConfiguration (dict) --

      The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

      • serverProtocol (string) --

        The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

    • environmentVariables (dict) --

      Environment variables set in the AgentCore Runtime environment.

      • (string) --

        • (string) --

    • authorizerConfiguration (dict) --

      The authorizer configuration for the AgentCore Runtime.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • requestHeaderConfiguration (dict) --

      Configuration for HTTP request headers that will be passed through to the runtime.

      • requestHeaderAllowlist (list) --

        A list of HTTP request headers that are allowed to be passed through to the runtime.

        • (string) --

    • metadataConfiguration (dict) --

      Configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

      • requireMMDSV2 (boolean) --

        Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

    • filesystemConfigurations (list) --

      The filesystem configurations mounted into the AgentCore Runtime.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) --

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) --

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) --

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) --

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) --

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).
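
The response fields documented above can be reviewed offline once the runtime description has been fetched. The following is an added example, not code from the AWS SDK or its documentation: the function names, finding codes, the duplicate-mount check, the HTTPS check and the reading of an absent requireMMDSV2 as "not required" are assumptions, and the sample dictionaries are constructed.

```python
from urllib.parse import urlsplit

# Keys of one filesystemConfigurations entry that carry a mountPath.
MOUNT_KINDS = ("sessionStorage", "s3FilesAccessPoint", "efsAccessPoint")
# customJWTAuthorizer fields that narrow which tokens are accepted.
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def mount_path_ok(path):
    """Local pre-check of the documented rule: under /mnt, exactly one level."""
    if not isinstance(path, str) or not path.startswith("/mnt/"):
        return False
    name = path[len("/mnt/"):]
    return name not in ("", ".", "..") and "/" not in name


def audit_runtime(rt):
    """Return (code, detail) findings for one runtime description dict."""
    findings = []

    # Explicit True means the service-managed S3 gateway is still provisioned.
    mode_cfg = rt.get("networkConfiguration", {}).get("networkModeConfig", {})
    if mode_cfg.get("requireServiceS3Endpoint") is True:
        findings.append(("SERVICE_S3_GATEWAY", "service-managed S3 gateway still provisioned"))

    # Assumption: an absent metadataConfiguration means MMDSv2 is not enforced.
    if not rt.get("metadataConfiguration", {}).get("requireMMDSV2", False):
        findings.append(("MMDSV2_NOT_REQUIRED", "requireMMDSV2 is false or absent"))

    jwt = rt.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt:
        url = jwt.get("discoveryUrl", "")
        if urlsplit(url).scheme != "https":
            findings.append(("JWT_DISCOVERY_NOT_HTTPS", url))
        if not any(jwt.get(key) for key in JWT_RESTRICTIONS):
            findings.append(("JWT_UNRESTRICTED", "no audience, client, scope or claim rule"))

    seen = {}  # mount path -> where it was first used
    for index, fs in enumerate(rt.get("filesystemConfigurations", [])):
        for kind in MOUNT_KINDS:
            if kind not in fs:
                continue
            path = fs[kind].get("mountPath")
            where = f"filesystemConfigurations[{index}].{kind}"
            if not mount_path_ok(path):
                findings.append(("BAD_MOUNT_PATH", f"{where}: {path!r}"))
            elif path in seen:
                # Assumption: two filesystems should not share one mount point.
                findings.append(("DUPLICATE_MOUNT_PATH", f"{where} and {seen[path]}: {path}"))
            else:
                seen[path] = where
    return findings


# Constructed sample shaped like the response syntax above (not real output).
SAMPLE_RUNTIME = {
    "agentRuntimeName": "example_runtime",
    "networkConfiguration": {
        "networkModeConfig": {"requireServiceS3Endpoint": True},
    },
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "http://idp.example.com/.well-known/openid-configuration",
        }
    },
    "metadataConfiguration": {"requireMMDSV2": False},
    "filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data"}},
        {"efsAccessPoint": {"accessPointArn": "arn:aws:EXAMPLE:efs-placeholder",
                            "mountPath": "/mnt/data/cache"}},
        {"s3FilesAccessPoint": {"accessPointArn": "arn:aws:EXAMPLE:s3files-placeholder",
                                "mountPath": "/mnt/data"}},
    ],
}

# Constructed sample of a runtime that passes every check.
HARDENED_RUNTIME = {
    "agentRuntimeName": "hardened_runtime",
    "networkConfiguration": {
        "networkModeConfig": {"requireServiceS3Endpoint": False},
    },
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedAudience": ["example-audience"],
        }
    },
    "metadataConfiguration": {"requireMMDSV2": True},
    "filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data"}},
        {"efsAccessPoint": {"accessPointArn": "arn:aws:EXAMPLE:efs-placeholder",
                            "mountPath": "/mnt/models"}},
    ],
}

if __name__ == "__main__":
    for code, detail in audit_runtime(SAMPLE_RUNTIME):
        print(f"{code}: {detail}")
```

The mount path check is a local pre-check only; the service's own validation remains authoritative.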

GetGateway (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'customTransformConfiguration': {'lambda': {'arn': 'string'}},
 'interceptorConfigurations': {'inputConfiguration': {'payloadFilter': {'exclude': [{'field': 'RESPONSE_BODY'}]}}},
 'wafConfiguration': {'failureMode': 'FAIL_CLOSE | FAIL_OPEN'},
 'webAclArn': 'string'}

Retrieves information about a specific Gateway.

See also: AWS API Documentation

Request Syntax

client.get_gateway(
    gatewayIdentifier='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}
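
A posture review over GetGateway-shaped responses, ranking gateways by how many gateway-level settings deserve a second look. This is an added example, not code from the AWS SDK or its documentation: the function names and finding codes are hypothetical, the sample gateways are constructed, and the readings of the enum values (FAIL_OPEN, LOG_ONLY, DEBUG, and RESPONSE_BODY in payloadFilter.exclude as "body withheld from the interceptor") are assumptions drawn from their names.

```python
def audit_gateway(gw):
    """Return finding codes for one GetGateway-shaped response dict."""
    findings = []
    if gw.get("authorizerType") == "NONE":
        findings.append("AUTHORIZER_NONE")

    # Only an explicit FAIL_OPEN is flagged; the default is not assumed.
    if not gw.get("webAclArn"):
        findings.append("NO_WEB_ACL")
    elif gw.get("wafConfiguration", {}).get("failureMode") == "FAIL_OPEN":
        findings.append("WAF_FAIL_OPEN")

    policy = gw.get("policyEngineConfiguration")
    if not policy:
        findings.append("NO_POLICY_ENGINE")
    elif policy.get("mode") == "LOG_ONLY":
        findings.append("POLICY_LOG_ONLY")

    if gw.get("exceptionLevel") == "DEBUG":
        findings.append("EXCEPTION_LEVEL_DEBUG")

    for ic in gw.get("interceptorConfigurations", []):
        input_cfg = ic.get("inputConfiguration", {})
        excluded = {
            item.get("field")
            for item in input_cfg.get("payloadFilter", {}).get("exclude", [])
        }
        # Assumption: excluding RESPONSE_BODY keeps it away from the Lambda.
        if "RESPONSE" in ic.get("interceptionPoints", []) and "RESPONSE_BODY" not in excluded:
            findings.append("INTERCEPTOR_RECEIVES_RESPONSE_BODY")
    return findings


def fleet_report(gateways):
    """Map gateway name -> findings, most findings first, then by name."""
    report = {gw.get("name", gw.get("gatewayId", "?")): audit_gateway(gw) for gw in gateways}
    return dict(sorted(report.items(), key=lambda kv: (-len(kv[1]), kv[0])))


# Constructed samples shaped like the response syntax above (not real output).
SAMPLE_GATEWAYS = [
    {
        "name": "guarded_gateway",
        "authorizerType": "CUSTOM_JWT",
        "webAclArn": "arn:aws:EXAMPLE:web-acl-placeholder",
        "wafConfiguration": {"failureMode": "FAIL_OPEN"},
        "policyEngineConfiguration": {"arn": "arn:aws:EXAMPLE:policy-placeholder",
                                      "mode": "ENFORCE"},
        "interceptorConfigurations": [{
            "interceptor": {"lambda": {"arn": "arn:aws:EXAMPLE:lambda-placeholder"}},
            "interceptionPoints": ["RESPONSE"],
            "inputConfiguration": {
                "passRequestHeaders": False,
                "payloadFilter": {"exclude": [{"field": "RESPONSE_BODY"}]},
            },
        }],
    },
    {
        "name": "open_gateway",
        "authorizerType": "NONE",
        "policyEngineConfiguration": {"arn": "arn:aws:EXAMPLE:policy-placeholder",
                                      "mode": "LOG_ONLY"},
        "exceptionLevel": "DEBUG",
        "interceptorConfigurations": [{
            "interceptor": {"lambda": {"arn": "arn:aws:EXAMPLE:lambda-placeholder"}},
            "interceptionPoints": ["REQUEST", "RESPONSE"],
            "inputConfiguration": {"passRequestHeaders": True},
        }],
    },
]

if __name__ == "__main__":
    for name, codes in fleet_report(SAMPLE_GATEWAYS).items():
        print(name, codes)
```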

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • gatewayId (string) --

      The unique identifier of the gateway.

    • gatewayUrl (string) --

      An endpoint for invoking the gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      Protocol applied to a gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      Authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The interceptors configured on the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies the points during the gateway invocation at which the interceptor is invoked.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.
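The security-relevant fields described above (policyEngineConfiguration.mode, wafConfiguration.failureMode, webAclArn, exceptionLevel and the interceptor passRequestHeaders flag) can be checked mechanically against a gateway response dict. The following is an added example, not part of the AWS documentation; the function names, check IDs, severity labels and sample ARNs are constructed for illustration.

```python
"""Audit a gateway description for permissive settings (added example)."""

# Severity labels are this example's own convention, not part of the API.
HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"


def audit_gateway(gateway):
    """Return (check_id, severity, message) tuples for a gateway response dict."""
    findings = []

    # LOG_ONLY evaluates policies and adds traces but does not enforce decisions.
    policy = gateway.get("policyEngineConfiguration")
    if not policy:
        findings.append(("POLICY_MISSING", MEDIUM,
                         "no policy engine is configured on the gateway"))
    elif policy.get("mode") == "LOG_ONLY":
        findings.append(("POLICY_NOT_ENFORCED", HIGH,
                         f"policy engine {policy.get('arn')} is in LOG_ONLY mode: "
                         "decisions are traced, not enforced"))

    # FAIL_OPEN lets requests through when WAF is unreachable or times out.
    waf_mode = (gateway.get("wafConfiguration") or {}).get("failureMode")
    if not gateway.get("webAclArn"):
        findings.append(("WAF_MISSING", MEDIUM,
                         "no WAF web ACL is associated with the gateway"))
    elif waf_mode == "FAIL_OPEN":
        findings.append(("WAF_FAIL_OPEN", HIGH,
                         "requests are allowed when WAF cannot be evaluated"))

    # DEBUG returns granular exception messages instead of a generic error.
    if gateway.get("exceptionLevel") == "DEBUG":
        findings.append(("DEBUG_EXCEPTIONS", MEDIUM,
                         "granular exception messages are returned to callers"))

    # Interceptors that receive request headers should be reviewed as part of
    # the gateway's trust boundary.
    for cfg in gateway.get("interceptorConfigurations") or []:
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn")
            findings.append(("INTERCEPTOR_HEADERS", LOW,
                             f"request headers are passed to interceptor Lambda {arn}"))
    return findings


def blocks_release(gateway):
    """True when any HIGH finding is present (usable as a deployment gate)."""
    return any(sev == HIGH for _, sev, _ in audit_gateway(gateway))


# Constructed sample responses; all ARNs are placeholders.
PERMISSIVE_GATEWAY = {
    "policyEngineConfiguration": {
        "arn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:policy-engine/EXAMPLE",
        "mode": "LOG_ONLY",
    },
    "exceptionLevel": "DEBUG",
    "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/EXAMPLE",
    "wafConfiguration": {"failureMode": "FAIL_OPEN"},
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {
                "arn": "arn:aws:lambda:us-east-1:111122223333:function:example-interceptor"}},
            "inputConfiguration": {"passRequestHeaders": True},
        }
    ],
}

HARDENED_GATEWAY = {
    "policyEngineConfiguration": {
        "arn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:policy-engine/EXAMPLE",
        "mode": "ENFORCE",
    },
    "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/EXAMPLE",
    "wafConfiguration": {"failureMode": "FAIL_CLOSE"},
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {
                "arn": "arn:aws:lambda:us-east-1:111122223333:function:example-interceptor"}},
            "inputConfiguration": {
                "passRequestHeaders": False,
                "payloadFilter": {"exclude": [{"field": "password"}]},
            },
        }
    ],
}

if __name__ == "__main__":
    for check_id, severity, message in audit_gateway(PERMISSIVE_GATEWAY):
        print(f"[{severity}] {check_id}: {message}")
```
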

GetGatewayTarget (updated) Link ¶
Changes (response)
{'targetConfiguration': {'http': {'agentcoreRuntime': {'schema': {'source': {'inlinePayload': 'string',
                                                                             's3': {'bucketOwnerAccountId': 'string',
                                                                                    'uri': 'string'}}}},
                                  'passthrough': {'endpoint': 'string',
                                                  'protocolType': 'MCP | A2A | '
                                                                  'INFERENCE | '
                                                                  'CUSTOM',
                                                  'schema': {'source': {'inlinePayload': 'string',
                                                                        's3': {'bucketOwnerAccountId': 'string',
                                                                               'uri': 'string'}}},
                                                  'stickinessConfiguration': {'identifier': 'string',
                                                                              'timeout': 'integer'}}},
                         'inference': {'connector': {'source': {'connectorId': 'string'}},
                                       'provider': {'endpoint': 'string',
                                                    'modelMapping': {'providerPrefix': {'separator': 'string',
                                                                                        'strip': 'boolean'}},
                                                    'operations': [{'models': [{'model': 'string'}],
                                                                    'path': 'string',
                                                                    'providerPath': 'string'}]}},
                         'mcp': {'connector': {'configurations': [{'description': 'string',
                                                                   'name': 'string',
                                                                   'parameterOverrides': [{'description': 'string',
                                                                                           'path': 'string',
                                                                                           'visible': 'boolean'}],
                                                                   'parameterValues': {}}],
                                               'enabled': ['string'],
                                               'source': {'connectorId': 'string'}}}}}

Retrieves information about a specific gateway target.

See also: AWS API Documentation

Request Syntax

client.get_gateway_target(
    gatewayIdentifier='string',
    targetId='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway that contains the target.

type targetId:

string

param targetId:

[REQUIRED]

The unique identifier of the target to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'listingMode': 'DEFAULT'|'DYNAMIC',
                'resourcePriority': 123
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            },
            'connector': {
                'source': {
                    'connectorId': 'string'
                },
                'enabled': [
                    'string',
                ],
                'configurations': [
                    {
                        'name': 'string',
                        'description': 'string',
                        'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                        'parameterOverrides': [
                            {
                                'path': 'string',
                                'description': 'string',
                                'visible': True|False
                            },
                        ]
                    },
                ]
            }
        },
        'http': {
            'agentcoreRuntime': {
                'arn': 'string',
                'qualifier': 'string',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                }
            },
            'passthrough': {
                'endpoint': 'string',
                'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                },
                'stickinessConfiguration': {
                    'identifier': 'string',
                    'timeout': 123
                }
            }
        },
        'inference': {
            'connector': {
                'source': {
                    'connectorId': 'string'
                }
            },
            'provider': {
                'endpoint': 'string',
                'modelMapping': {
                    'providerPrefix': {
                        'strip': True|False,
                        'separator': 'string'
                    }
                },
                'operations': [
                    {
                        'path': 'string',
                        'providerPath': 'string',
                        'models': [
                            {
                                'model': 'string'
                            },
                        ]
                    },
                ]
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    },
    'protocolType': 'MCP'|'HTTP'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the gateway target.

    • createdAt (datetime) --

      The timestamp when the gateway target was created.

    • updatedAt (datetime) --

      The timestamp when the gateway target was last updated.

    • status (string) --

      The current status of the gateway target.

    • statusReasons (list) --

      The reasons for the current status of the gateway target.

      • (string) --

    • name (string) --

      The name of the gateway target.

    • description (string) --

      The description of the gateway target.

    • targetConfiguration (dict) --

      The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization is disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

        • connector (dict) --

          The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

          • source (dict) --

            The source configuration identifying which connector to use.

            • connectorId (string) --

              The identifier for the connector integration (for example, bedrock-knowledge-bases).

          • enabled (list) --

            A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

            • (string) --

          • configurations (list) --

            A list of per-tool configurations for the connector.

            • (dict) --

              Configuration for a single tool within a connector.

              • name (string) --

                The tool or operation name (for example, retrieve or webSearch).

              • description (string) --

                An agent-facing description override for this tool.

              • parameterValues (document) --

                Parameters to set as fixed or default values when provisioning this tool.

              • parameterOverrides (list) --

                Parameters to expose to the agent at runtime, with optional description overrides.

                • (dict) --

                  Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

                  • path (string) --

                    A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

                  • description (string) --

                    An agent-facing description override for this parameter.

                  • visible (boolean) --

                    Whether this parameter is visible to the agent. If not specified, uses the service default.

      • http (dict) --

        The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

        • agentcoreRuntime (dict) --

          The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

          • arn (string) --

            The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

          • qualifier (string) --

            The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

          • schema (dict) --

            The API schema configuration that defines the structure of the runtime target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

        • passthrough (dict) --

          The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

          • endpoint (string) --

            The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

          • protocolType (string) --

            The application protocol the passthrough target implements. Required for passthrough targets.

          • schema (dict) --

            The API schema configuration that defines the structure of the passthrough target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

          • stickinessConfiguration (dict) --

            The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

            • identifier (string) --

              The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

            • timeout (integer) --

              The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

      • inference (dict) --

        The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

        • connector (dict) --

          The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

          • source (dict) --

            The source configuration identifying which inference connector to use.

            • connectorId (string) --

              The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

        • provider (dict) --

          The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

          • endpoint (string) --

            The HTTPS endpoint of the inference provider that the gateway forwards requests to.

          • modelMapping (dict) --

            The configuration that translates client-facing model IDs to the model IDs expected by the provider.

            • providerPrefix (dict) --

              The provider prefix configuration used for model ID translation.

              • strip (boolean) --

                Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

              • separator (string) --

                The single character that separates the provider prefix from the model name (for example, "."). The default is ".".

          • operations (list) --

            A list of per-operation configurations that map request paths to the models supported for each operation.

            • (dict) --

              The configuration for a specific inference operation, including its request path and the models that the operation supports.

              • path (string) --

                The request path for this operation (for example, /v1/messages or /v1/responses).

              • providerPath (string) --

                The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

              • models (list) --

                The list of models supported for this operation.

                • (dict) --

                  A model entry that specifies a model supported for an inference operation.

                  • model (string) --

                    The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

    • credentialProviderConfigurations (list) --

      The credential provider configurations for the gateway target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The last synchronization of the target.

    • metadataConfiguration (dict) --

      The metadata configuration for HTTP header and query parameter propagation for the retrieved gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

    • protocolType (string) --

      The protocol type of the gateway target.

GetHarness (updated)
Changes (request, response)
Request
{'harnessVersion': 'string'}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                  'workloadIdentities': ['string']}}},
             'harnessVersion': 'string',
             'memory': {'disabled': {},
                        'managedMemoryConfiguration': {'arn': 'string',
                                                       'encryptionKeyArn': 'string',
                                                       'eventExpiryDuration': 'integer',
                                                       'strategies': ['SEMANTIC | SUMMARIZATION | USER_PREFERENCE | EPISODIC']}},
             'skills': {'awsSkills': {'paths': ['string']}}}}

Operation to get a single harness.

See also: AWS API Documentation

Request Syntax

client.get_harness(
    harnessId='string',
    harnessVersion='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to retrieve.

type harnessVersion:

string

param harnessVersion:

Specific version of the harness to retrieve. If omitted, returns the current Harness configuration, including its status.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}
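An added example, not part of the AWS documentation or SDK: a review pass over the `harness` dict in the response shape above, listing settings that widen access or keep credentials in plain configuration. The sample response, the secret-name pattern and the credential-header list are constructed assumptions; only the field names come from this reference.

```python
import re
from urllib.parse import urlparse

# Assumptions of this example (not from the API reference): which variable
# names look like secrets and which header names usually carry credentials.
SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSWORD|API_?KEY", re.IGNORECASE)
CREDENTIAL_HEADERS = {"authorization", "x-api-key", "cookie"}


def audit_harness(harness):
    """Return (field_path, finding) tuples for the 'harness' dict of a GetHarness response."""
    findings = []

    # The reference states that all tools are allowed by default.
    if not harness.get("allowedTools"):
        findings.append(("allowedTools", "unset: every tool is allowed by default"))

    for i, tool in enumerate(harness.get("tools", [])):
        cfg = tool.get("config", {})
        base = f"tools[{i}].config"
        mcp = cfg.get("remoteMcp")
        if mcp:
            if urlparse(mcp.get("url", "")).scheme != "https":
                findings.append((f"{base}.remoteMcp.url", "MCP endpoint is not HTTPS"))
            for name in mcp.get("headers", {}):
                if name.lower() in CREDENTIAL_HEADERS:
                    findings.append((f"{base}.remoteMcp.headers",
                                     f"static credential header {name!r} in harness config"))
        # outboundAuth is a union: the key that is present selects the mode.
        auth = cfg.get("agentCoreGateway", {}).get("outboundAuth", {})
        if "none" in auth:
            findings.append((f"{base}.agentCoreGateway.outboundAuth",
                             "gateway is called without authentication"))
        if "oauth" in auth and not auth["oauth"].get("scopes"):
            findings.append((f"{base}.agentCoreGateway.outboundAuth.oauth.scopes",
                             "OAuth used without explicit scopes"))

    # The reference describes git.url as the HTTPS URL of the repository.
    for i, skill in enumerate(harness.get("skills", [])):
        git = skill.get("git")
        if git and urlparse(git.get("url", "")).scheme != "https":
            findings.append((f"skills[{i}].git.url", "git source is not an HTTPS URL"))

    runtime = harness.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    if runtime.get("networkConfiguration", {}).get("networkMode") == "PUBLIC":
        findings.append(("environment.agentCoreRuntimeEnvironment.networkConfiguration.networkMode",
                         "runtime uses PUBLIC network mode"))

    for name in harness.get("environmentVariables", {}):
        if SECRET_NAME.search(name):
            findings.append((f"environmentVariables.{name}",
                             "name suggests a secret kept in plain configuration"))

    jwt = harness.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    restrictions = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
    if jwt is not None and not any(jwt.get(key) for key in restrictions):
        findings.append(("authorizerConfiguration.customJWTAuthorizer",
                         "no audience, client, scope or claim restriction"))

    managed = harness.get("memory", {}).get("managedMemoryConfiguration")
    if managed and not managed.get("encryptionKeyArn"):
        findings.append(("memory.managedMemoryConfiguration.encryptionKeyArn",
                         "encryptionKeyArn is not set"))
    return findings


# Constructed sample response (placeholders, not real resources).
SAMPLE_RESPONSE = {
    "harness": {
        "harnessId": "example-harness-id",
        "status": "READY",
        "tools": [
            {"type": "remote_mcp", "name": "search", "config": {"remoteMcp": {
                "url": "http://mcp.example.internal/mcp",
                "headers": {"Authorization": "<redacted>"}}}},
            {"type": "agentcore_gateway", "name": "gw", "config": {"agentCoreGateway": {
                "gatewayArn": "<gateway-arn-placeholder>",
                "outboundAuth": {"none": {}}}}},
        ],
        "skills": [{"git": {"url": "git://git.example.com/skills.git", "path": "skills/a"}}],
        "environment": {"agentCoreRuntimeEnvironment": {
            "networkConfiguration": {"networkMode": "PUBLIC"}}},
        "environmentVariables": {"LOG_LEVEL": "info", "DB_PASSWORD": "<redacted>"},
        "authorizerConfiguration": {"customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}},
        "memory": {"managedMemoryConfiguration": {
            "arn": "<memory-arn-placeholder>", "strategies": ["SEMANTIC"]}},
    }
}

if __name__ == "__main__":
    for path, finding in audit_harness(SAMPLE_RESPONSE["harness"]):
        print(f"{path}: {finding}")
```

In practice the input would be `client.get_harness(harnessId=...)['harness']`; findings are review prompts, not proof of misconfiguration.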

Response Structure

  • (dict) --

    • harness (dict) --

      The harness resource.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How the harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (document) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.
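
An added example, not part of the AWS documentation: a Python check that walks a harness configuration dict shaped like the response structure above and reports the settings whose field descriptions carry a security consequence (git skill URL scheme, the allow-all tool default, the service-managed S3 gateway, mount path shape, JWT restrictions, the memory encryption key default). The function name, finding codes and sample values are constructed for illustration, and the code assumes it is handed the dict that directly holds skills, allowedTools, environment, authorizerConfiguration and memory.

```python
import re
from urllib.parse import urlsplit

# Documented constraint: under /mnt with exactly one subdirectory level.
MOUNT_RE = re.compile(r"/mnt/([^/]+)")
FS_KINDS = ("sessionStorage", "s3FilesAccessPoint", "efsAccessPoint")
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def audit_harness(harness):
    """Return a list of (code, detail) findings for one harness configuration dict."""
    findings = []
    runtime = harness.get("environment", {}).get("agentCoreRuntimeEnvironment", {})

    # git.url is documented as an HTTPS URL; secrets belong in auth.credentialArn,
    # so credentials embedded in the URL itself are reported (host only, no secret).
    for i, skill in enumerate(harness.get("skills", [])):
        git = skill.get("git")
        if git is None:
            continue
        url = urlsplit(git.get("url", ""))
        if url.scheme != "https":
            findings.append(("GIT_NOT_HTTPS", f"skills[{i}] uses scheme {url.scheme!r}"))
        if url.username or url.password:
            findings.append(("GIT_URL_CREDENTIALS", f"skills[{i}] embeds credentials for {url.hostname}"))

    # "All tools are allowed by default": no list means no restriction.
    if not harness.get("allowedTools"):
        findings.append(("ALL_TOOLS_ALLOWED", "no allowedTools list is set"))

    # An explicit true keeps the service-managed S3 gateway in the VPC topology.
    net = runtime.get("networkConfiguration", {}).get("networkModeConfig", {})
    if net.get("requireServiceS3Endpoint") is True:
        findings.append(("S3_GATEWAY_ENABLED", "requireServiceS3Endpoint is true"))

    for fs in runtime.get("filesystemConfigurations", []):
        for kind in FS_KINDS:
            if kind not in fs:
                continue
            path = fs[kind].get("mountPath", "")
            m = MOUNT_RE.fullmatch(path)
            if m is None or m.group(1) in (".", ".."):
                findings.append(("BAD_MOUNT_PATH", f"{kind} mountPath {path!r}"))

    jwt = harness.get("authorizerConfiguration", {}).get("customJWTAuthorizer")
    if jwt is not None:
        if urlsplit(jwt.get("discoveryUrl", "")).scheme != "https":
            findings.append(("JWT_DISCOVERY_NOT_HTTPS", "discoveryUrl is not https"))
        if not any(jwt.get(k) for k in JWT_RESTRICTIONS):
            findings.append(("JWT_UNRESTRICTED", "no audience, client, scope or custom claim rule"))

    # encryptionKeyArn defaults to an AWS-owned key and is not updatable after creation.
    managed = harness.get("memory", {}).get("managedMemoryConfiguration")
    if managed is not None and not managed.get("encryptionKeyArn"):
        findings.append(("MEMORY_DEFAULT_KEY", "managed memory has no customer-managed KMS key"))

    return findings


# Constructed sample input; every name, ARN and URL below is a placeholder.
SAMPLE = {
    "skills": [
        {"git": {"url": "http://git.example.com/skills.git", "path": "triage"}},
        {"git": {"url": "https://build:PLACEHOLDER@git.example.com/private.git"}},
        {"s3": {"uri": "s3://example-bucket/skills/my-skill/"}},
    ],
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {"networkModeConfig": {"requireServiceS3Endpoint": True}},
        "filesystemConfigurations": [
            {"sessionStorage": {"mountPath": "/mnt/data"}},
            {"efsAccessPoint": {
                "accessPointArn": "arn:aws:elasticfilesystem:us-east-1:111122223333:access-point/fsap-EXAMPLE",
                "mountPath": "/mnt/shared/cache",
            }},
        ],
    }},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
    }},
    "memory": {"managedMemoryConfiguration": {"strategies": ["SEMANTIC"]}},
}

if __name__ == "__main__":
    for code, detail in audit_harness(SAMPLE):
        print(f"{code}: {detail}")
```
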

GetMemory (updated)
Changes (response)
{'memory': {'managedByResourceArn': 'string'}}

Retrieve an existing Amazon Bedrock AgentCore Memory resource.

See also: AWS API Documentation

Request Syntax

client.get_memory(
    memoryId='string',
    view='full'|'without_decryption'
)
type memoryId:

string

param memoryId:

[REQUIRED]

The unique identifier of the memory to retrieve.

type view:

string

param view:

The level of detail to return for the memory.

rtype:

dict

returns:

Response Syntax

{
    'memory': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'encryptionKeyArn': 'string',
        'memoryExecutionRoleArn': 'string',
        'eventExpiryDuration': 123,
        'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING'|'UPDATING',
        'failureReason': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'strategies': [
            {
                'strategyId': 'string',
                'name': 'string',
                'description': 'string',
                'configuration': {
                    'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
                    'extraction': {
                        'customExtractionConfiguration': {
                            'semanticExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'consolidation': {
                        'customConsolidationConfiguration': {
                            'semanticConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'summaryConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'reflection': {
                        'customReflectionConfiguration': {
                            'episodicReflectionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ],
                                'namespaceTemplates': [
                                    'string',
                                ],
                                'memoryRecordSchema': {
                                    'metadataSchema': [
                                        {
                                            'key': 'string',
                                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                            'extractionConfig': {
                                                'llmExtractionConfig': {
                                                    'llmExtractionInstruction': 'string',
                                                    'definition': 'string',
                                                    'validation': {
                                                        'stringValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ]
                                                        },
                                                        'stringListValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ],
                                                            'maxItems': 123
                                                        },
                                                        'numberValidation': {
                                                            'minValue': 123.0,
                                                            'maxValue': 123.0
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                    ]
                                }
                            }
                        },
                        'episodicReflectionConfiguration': {
                            'namespaces': [
                                'string',
                            ],
                            'namespaceTemplates': [
                                'string',
                            ],
                            'memoryRecordSchema': {
                                'metadataSchema': [
                                    {
                                        'key': 'string',
                                        'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                        'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                        'extractionConfig': {
                                            'llmExtractionConfig': {
                                                'llmExtractionInstruction': 'string',
                                                'definition': 'string',
                                                'validation': {
                                                    'stringValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ]
                                                    },
                                                    'stringListValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ],
                                                        'maxItems': 123
                                                    },
                                                    'numberValidation': {
                                                        'minValue': 123.0,
                                                        'maxValue': 123.0
                                                    }
                                                }
                                            }
                                        }
                                    },
                                ]
                            }
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'createdAt': datetime(2015, 1, 1),
                'updatedAt': datetime(2015, 1, 1),
                'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
        ],
        'indexedKeys': [
            {
                'key': 'string',
                'type': 'STRING'|'STRINGLIST'|'NUMBER'
            },
        ],
        'streamDeliveryResources': {
            'resources': [
                {
                    'kinesis': {
                        'dataStreamArn': 'string',
                        'contentConfigurations': [
                            {
                                'type': 'MEMORY_RECORDS',
                                'level': 'METADATA_ONLY'|'FULL_CONTENT'
                            },
                        ]
                    }
                },
            ]
        },
        'managedByResourceArn': 'string'
    }
}

Response Structure

  • (dict) --

    • memory (dict) --

      The retrieved AgentCore Memory resource details.

      • arn (string) --

        The Amazon Resource Name (ARN) of the memory.

      • id (string) --

        The unique identifier of the memory.

      • name (string) --

        The name of the memory.

      • description (string) --

        The description of the memory.

      • encryptionKeyArn (string) --

        The ARN of the KMS key used to encrypt the memory.

      • memoryExecutionRoleArn (string) --

        The ARN of the IAM role that provides permissions for the memory.

      • eventExpiryDuration (integer) --

        The number of days after which memory events will expire.

      • status (string) --

        The current status of the memory.

      • failureReason (string) --

        The reason for failure if the memory is in a failed state.

      • createdAt (datetime) --

        The timestamp when the memory was created.

      • updatedAt (datetime) --

        The timestamp when the memory was last updated.

      • strategies (list) --

        The list of memory strategies associated with this memory.

        • (dict) --

          Contains information about a memory strategy.

          • strategyId (string) --

            The unique identifier of the memory strategy.

          • name (string) --

            The name of the memory strategy.

          • description (string) --

            The description of the memory strategy.

          • configuration (dict) --

            The configuration of the memory strategy.

            • type (string) --

              The type of override for the strategy configuration.

            • extraction (dict) --

              The extraction configuration for the memory strategy.

              • customExtractionConfiguration (dict) --

                The custom extraction configuration.

                • semanticExtractionOverride (dict) --

                  The semantic extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic extraction.

                  • modelId (string) --

                    The model ID to use for semantic extraction.

                • userPreferenceExtractionOverride (dict) --

                  The user preference extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference extraction.

                  • modelId (string) --

                    The model ID to use for user preference extraction.

                • episodicExtractionOverride (dict) --

                  The configurations to override the default extraction step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the extraction step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the extraction step of the episodic memory strategy.

            • consolidation (dict) --

              The consolidation configuration for the memory strategy.

              • customConsolidationConfiguration (dict) --

                The custom consolidation configuration.

                • semanticConsolidationOverride (dict) --

                  The semantic consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic consolidation.

                  • modelId (string) --

                    The model ID to use for semantic consolidation.

                • summaryConsolidationOverride (dict) --

                  The summary consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for summary consolidation.

                  • modelId (string) --

                    The model ID to use for summary consolidation.

                • userPreferenceConsolidationOverride (dict) --

                  The user preference consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference consolidation.

                  • modelId (string) --

                    The model ID to use for user preference consolidation.

                • episodicConsolidationOverride (dict) --

                  The configurations to override the default consolidation step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the consolidation step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the consolidation step of the episodic memory strategy.

            • reflection (dict) --

              The reflection configuration for the memory strategy.

              • customReflectionConfiguration (dict) --

                The configuration for a custom reflection strategy.

                • episodicReflectionOverride (dict) --

                  The configuration for a reflection strategy to override the default one.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the reflection step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the reflection step of the episodic memory strategy.

                  • namespaces (list) --

                    This is a legacy parameter. The namespaces over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • namespaceTemplates (list) --

                    The namespaceTemplates over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • memoryRecordSchema (dict) --

                    Schema for metadata fields on records generated by this reflection override.

                    • metadataSchema (list) --

                      The metadata field definitions for this strategy.

                      • (dict) --

                        A metadata field definition within a strategy's schema.

                        • key (string) --

                          The metadata field name. Must match an indexed key to be queryable via metadata filters.

                        • type (string) --

                          The MetadataValueType.

                        • extractionType (string) --

                          Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                        • extractionConfig (dict) --

                          Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                          • llmExtractionConfig (dict) --

                            Model-based extraction using a definition and instructions.

                            • llmExtractionInstruction (string) --

                              Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                            • definition (string) --

                              Description of what this metadata field represents.

                            • validation (dict) --

                              Validation rules to constrain extracted values.

                              • stringValidation (dict) --

                                Validation for STRING fields.

                                • allowedValues (list) --

                                  Allowed values for this STRING field.

                                  • (string) --

                              • stringListValidation (dict) --

                                Validation for STRINGLIST fields.

                                • allowedValues (list) --

                                  Allowed values for items in this STRINGLIST field.

                                  • (string) --

                                • maxItems (integer) --

                                  Maximum number of items in the string list.

                              • numberValidation (dict) --

                                Validation for NUMBER fields.

                                • minValue (float) --

                                  Minimum allowed value.

                                • maxValue (float) --

                                  Maximum allowed value.

              • episodicReflectionConfiguration (dict) --

                The configuration for the episodic reflection strategy.

                • namespaces (list) --

                  This is a legacy parameter; use namespaceTemplates instead. The namespaces for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • namespaceTemplates (list) --

                  The namespaceTemplates for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • memoryRecordSchema (dict) --

                  Schema for metadata fields on records generated by reflections.

                  • metadataSchema (list) --

                    The metadata field definitions for this strategy.

                    • (dict) --

                      A metadata field definition within a strategy's schema.

                      • key (string) --

                        The metadata field name. Must match an indexed key to be queryable via metadata filters.

                      • type (string) --

                        The MetadataValueType.

                      • extractionType (string) --

                        Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                      • extractionConfig (dict) --

                        Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                        • llmExtractionConfig (dict) --

                          Model-based extraction using a definition and instructions.

                          • llmExtractionInstruction (string) --

                            Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                          • definition (string) --

                            Description of what this metadata field represents.

                          • validation (dict) --

                            Validation rules to constrain extracted values.

                            • stringValidation (dict) --

                              Validation for STRING fields.

                              • allowedValues (list) --

                                Allowed values for this STRING field.

                                • (string) --

                            • stringListValidation (dict) --

                              Validation for STRINGLIST fields.

                              • allowedValues (list) --

                                Allowed values for items in this STRINGLIST field.

                                • (string) --

                              • maxItems (integer) --

                                Maximum number of items in the string list.

                            • numberValidation (dict) --

                              Validation for NUMBER fields.

                              • minValue (float) --

                                Minimum allowed value.

                              • maxValue (float) --

                                Maximum allowed value.

            • selfManagedConfiguration (dict) --

              Self-managed configuration settings.

              • triggerConditions (list) --

                A list of conditions that trigger memory processing.

                • (dict) --

                  Condition that triggers memory processing.

                  • messageBasedTrigger (dict) --

                    Message based trigger configuration.

                    • messageCount (integer) --

                      The number of messages that trigger memory processing.

                  • tokenBasedTrigger (dict) --

                    Token based trigger configuration.

                    • tokenCount (integer) --

                      Number of tokens that trigger memory processing.

                  • timeBasedTrigger (dict) --

                    Time based trigger configuration.

                    • idleSessionTimeout (integer) --

                      Idle session timeout (seconds) that triggers memory processing.

              • invocationConfiguration (dict) --

                The configuration to use when invoking memory processing.

                • topicArn (string) --

                  The ARN of the SNS topic for job notifications.

                • payloadDeliveryBucketName (string) --

                  The S3 bucket name for event payload delivery.

              • historicalContextWindowSize (integer) --

                The number of historical messages to include in processing context.

          • type (string) --

            The type of the memory strategy.

          • namespaces (list) --

            This is a legacy parameter. The namespaces associated with the memory strategy.

            • (string) --

          • namespaceTemplates (list) --

            The namespaceTemplates associated with the memory strategy.

            • (string) --

          • createdAt (datetime) --

            The timestamp when the memory strategy was created.

          • updatedAt (datetime) --

            The timestamp when the memory strategy was last updated.

          • status (string) --

            The current status of the memory strategy.

          • memoryRecordSchema (dict) --

            Schema for metadata fields on records generated by this strategy.

            • metadataSchema (list) --

              The metadata field definitions for this strategy.

              • (dict) --

                A metadata field definition within a strategy's schema.

                • key (string) --

                  The metadata field name. Must match an indexed key to be queryable via metadata filters.

                • type (string) --

                  The MetadataValueType.

                • extractionType (string) --

                  Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                • extractionConfig (dict) --

                  Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                  • llmExtractionConfig (dict) --

                    Model-based extraction using a definition and instructions.

                    • llmExtractionInstruction (string) --

                      Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                    • definition (string) --

                      Description of what this metadata field represents.

                    • validation (dict) --

                      Validation rules to constrain extracted values.

                      • stringValidation (dict) --

                        Validation for STRING fields.

                        • allowedValues (list) --

                          Allowed values for this STRING field.

                          • (string) --

                      • stringListValidation (dict) --

                        Validation for STRINGLIST fields.

                        • allowedValues (list) --

                          Allowed values for items in this STRINGLIST field.

                          • (string) --

                        • maxItems (integer) --

                          Maximum number of items in the string list.

                      • numberValidation (dict) --

                        Validation for NUMBER fields.

                        • minValue (float) --

                          Minimum allowed value.

                        • maxValue (float) --

                          Maximum allowed value.

      • indexedKeys (list) --

        The indexed metadata keys for this memory. Only indexed keys can be used in metadata filters.

        • (dict) --

          A metadata key indexed for filtering.

          • key (string) --

            The metadata key name to index.

          • type (string) --

            The data type of the indexed key.

      • streamDeliveryResources (dict) --

        Configuration for streaming memory record data to external resources.

        • resources (list) --

          List of stream delivery resource configurations.

          • (dict) --

            Supported stream delivery resource types.

            • kinesis (dict) --

              Kinesis Data Stream configuration.

              • dataStreamArn (string) --

                ARN of the Kinesis Data Stream.

              • contentConfigurations (list) --

                Content configurations for stream delivery.

                • (dict) --

                  Defines what content to stream and at what level of detail.

                  • type (string) --

                    Type of content to stream.

                  • level (string) --

                    Level of detail for streamed content.

      • managedByResourceArn (string) --

        ARN of the resource managing this memory (e.g. a harness). When set, strategy modifications and deletion are only allowed through the managing resource.

GetPaymentManager (updated)
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Retrieves information about a specific payment manager.

See also: AWS API Documentation

Request Syntax

client.get_payment_manager(
    paymentManagerId='string'
)
type paymentManagerId:

string

param paymentManagerId:

[REQUIRED]

The unique identifier of the payment manager to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'description': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the payment manager.

    • paymentManagerId (string) --

      The unique identifier of the payment manager.

    • name (string) --

      The name of the payment manager.

    • description (string) --

      The description of the payment manager.

    • authorizerType (string) --

      The type of authorizer used by the payment manager.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      Represents inbound authorization configuration options used to authenticate incoming requests.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • createdAt (datetime) --

      The timestamp when the payment manager was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the payment manager was last updated.

    • status (string) --

      The current status of the payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.

    • tags (dict) --

      The tags associated with the payment manager.

      • (string) --

        • (string) --
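
The following is an added example, not part of the AWS documentation: it reviews a GetPaymentManager response dict for weak inbound-authorization settings using the fields documented above. The finding codes, the review policy, and both sample responses (constructed, with placeholder identifiers) are assumptions of this example.

```python
"""Review a GetPaymentManager response for weak inbound-authorization settings.

Added example: finding codes and review policy are this example's assumptions;
only the field names come from the response structure documented above.
"""
from urllib.parse import urlparse


def _uses_default_sg(private_endpoint):
    """A managed VPC resource without securityGroupIds falls back to the
    default security group for the VPC (stated in the field description)."""
    managed = (private_endpoint or {}).get("managedVpcResource")
    return managed is not None and not managed.get("securityGroupIds")


def audit_payment_manager(resp):
    """Return a sorted list of finding codes for one response dict."""
    findings = set()
    if resp.get("status", "").endswith("_FAILED"):
        findings.add("STATUS_FAILED")
    if resp.get("authorizerType") != "CUSTOM_JWT":
        return sorted(findings)  # AWS_IAM: the JWT checks below do not apply
    jwt = (resp.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if not jwt:
        return sorted(findings | {"JWT_CONFIG_MISSING"})

    # Token-validation metadata should be fetched over TLS only.
    if urlparse(jwt.get("discoveryUrl", "")).scheme != "https":
        findings.add("DISCOVERY_URL_NOT_HTTPS")
    # Nothing restricts which audience or client the token was issued for.
    if not jwt.get("allowedAudience") and not jwt.get("allowedClients"):
        findings.add("NO_AUDIENCE_OR_CLIENT_RESTRICTION")
    if not jwt.get("allowedScopes") and not jwt.get("customClaims"):
        findings.add("NO_SCOPE_OR_CLAIM_RESTRICTION")
    # A custom-claim rule with no match value is a misconfiguration to review.
    for rule in jwt.get("customClaims", []):
        match = rule.get("authorizingClaimMatchValue", {}).get("claimMatchValue", {})
        if not match.get("matchValueString") and not match.get("matchValueStringList"):
            findings.add("CLAIM_RULE_EMPTY_MATCH")
    # Informational: the page says this restriction is supported only for
    # AgentCore Runtime targets at launch.
    workloads = jwt.get("allowedWorkloadConfiguration") or {}
    if not workloads.get("hostingEnvironments") and not workloads.get("workloadIdentities"):
        findings.add("INFO_NO_WORKLOAD_RESTRICTION")
    # Check the main private endpoint and every per-domain override.
    endpoints = [jwt.get("privateEndpoint")]
    endpoints += [o.get("privateEndpoint") for o in jwt.get("privateEndpointOverrides", [])]
    if any(_uses_default_sg(ep) for ep in endpoints):
        findings.add("DEFAULT_SECURITY_GROUP_USED")
    return sorted(findings)


# Constructed sample responses (placeholder identifiers, not real resources).
WEAK_RESPONSE = {
    "paymentManagerId": "pm-EXAMPLE",
    "authorizerType": "CUSTOM_JWT",
    "status": "READY",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "http://idp.example.com/.well-known/openid-configuration",
        "customClaims": [{
            "inboundTokenClaimName": "groups",
            "inboundTokenClaimValueType": "STRING_ARRAY",
            "authorizingClaimMatchValue": {
                "claimMatchValue": {"matchValueStringList": []},
                "claimMatchOperator": "CONTAINS_ANY",
            },
        }],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE"],
        }},
    }},
}

HARDENED_RESPONSE = {
    "paymentManagerId": "pm-EXAMPLE",
    "authorizerType": "CUSTOM_JWT",
    "status": "READY",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedAudience": ["payments-api"],
        "allowedScopes": ["payments:invoke"],
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE",
            "subnetIds": ["subnet-EXAMPLE"],
            "securityGroupIds": ["sg-EXAMPLE"],
        }},
        "allowedWorkloadConfiguration": {
            "workloadIdentities": ["example-workload-identity"],
        },
    }},
}

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_payment_manager(resp))
```

In practice the dict passed to audit_payment_manager would be the return value of client.get_payment_manager(paymentManagerId=...).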

GetPolicy (updated)
Changes (response)
{'definition': {'policy': {'statement': 'string'}},
 'enforcementMode': 'ACTIVE | LOG_ONLY'}

Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.

See also: AWS API Documentation

Request Syntax

client.get_policy(
    policyEngineId='string',
    policyId='string'
)
type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine that manages the policy to be retrieved.

type policyId:

string

param policyId:

[REQUIRED]

The unique identifier of the policy to be retrieved. This must be a valid policy ID that exists within the specified policy engine.

rtype:

dict

returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'enforcementMode': 'ACTIVE'|'LOG_ONLY',
    'definition': {
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    'description': 'string',
    'statusReasons': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • policyId (string) --

      The unique identifier of the retrieved policy. This matches the policy ID provided in the request and serves as the system identifier for the policy.

    • name (string) --

      The customer-assigned name of the policy. This is the human-readable identifier that was specified when the policy was created.

    • policyEngineId (string) --

      The identifier of the policy engine that manages this policy. This confirms the policy engine context for the retrieved policy.

    • createdAt (datetime) --

      The timestamp when the policy was originally created.

    • updatedAt (datetime) --

      The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration.

    • policyArn (string) --

      The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

    • status (string) --

      The current status of the policy.

    • enforcementMode (string) --

      The current enforcement mode of the policy.

    • definition (dict) --

      The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

      • cedar (dict) --

        The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

        • statement (string) --

          The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

      • policyGeneration (dict) --

        The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

        • policyGenerationId (string) --

          The unique identifier for this policy generation request.

        • policyGenerationAssetId (string) --

          The unique identifier for this generated policy asset within the policy generation request.

      • policy (dict) --

        An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

        • statement (string) --

          The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

    • description (string) --

      The human-readable description of the policy's purpose and functionality. This helps administrators understand and manage the policy.

    • statusReasons (list) --

      Additional information about the policy status. This provides details about any failures or the current state of the policy.

      • (string) --

GetPolicySummary (updated)
Changes (response)
{'enforcementMode': 'ACTIVE | LOG_ONLY'}

Retrieves a metadata-only summary of a specific policy without decrypting customer content. This lightweight read operation returns resource identifiers, status, and timestamps, but does not include the policy definition, description, or status reasons. Because this operation does not require access to the customer's KMS key, it is suitable for resource discovery, inventory, and integration scenarios where only metadata is needed.

See also: AWS API Documentation

Request Syntax

client.get_policy_summary(
    policyEngineId='string',
    policyId='string'
)
type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine that manages the policy to retrieve the summary for.

type policyId:

string

param policyId:

[REQUIRED]

The unique identifier of the policy to retrieve the summary for. This must be a valid policy ID that exists within the specified policy engine.

rtype:

dict

returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'enforcementMode': 'ACTIVE'|'LOG_ONLY'
}

Response Structure

  • (dict) --

    • policyId (string) --

      The unique identifier of the policy.

    • name (string) --

      The customer-assigned name of the policy.

    • policyEngineId (string) --

      The identifier of the policy engine that manages this policy.

    • createdAt (datetime) --

      The timestamp when the policy was originally created.

    • updatedAt (datetime) --

      The timestamp when the policy was last modified.

    • policyArn (string) --

      The Amazon Resource Name (ARN) of the policy.

    • status (string) --

      The current status of the policy.

    • enforcementMode (string) --

      The current enforcement mode of the policy.

GetRegistry (updated)
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Retrieves information about a specific registry.

See also: AWS API Documentation

Request Syntax

client.get_registry(
    registryId='string'
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to retrieve. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the registry.

    • description (string) --

      The description of the registry.

    • registryId (string) --

      The unique identifier of the registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the registry.

    • authorizerType (string) --

      The type of authorizer used by the registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • approvalConfiguration (dict) --

      The approval configuration for registry records. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status, typically set when the status is a failure state.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.
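
A configuration review over the GetRegistry response shape documented above, as an added example (not AWS's code). The finding codes, the checks chosen and both sample responses are assumptions constructed for illustration; only the field names come from this page.

```python
import copy
from urllib.parse import urlparse

FAILED_STATES = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}
# Fields of customJWTAuthorizer that narrow which tokens are accepted.
TOKEN_CONSTRAINTS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def _private_endpoints(jwt):
    """Yield (label, privateEndpoint) for the main endpoint and every override."""
    if jwt.get("privateEndpoint"):
        yield "privateEndpoint", jwt["privateEndpoint"]
    for override in jwt.get("privateEndpointOverrides", []):
        yield f"override:{override.get('domain', '?')}", override.get("privateEndpoint", {})


def audit_registry(registry):
    """Return a list of (code, detail) findings for one GetRegistry response dict."""
    findings = []
    if registry.get("status") in FAILED_STATES:
        findings.append(("STATUS_FAILED", registry.get("statusReason", "no statusReason returned")))
    # autoApproval defaults to false; true means records skip explicit approval.
    if registry.get("approvalConfiguration", {}).get("autoApproval") is True:
        findings.append(("AUTO_APPROVAL", "records are approved automatically upon creation"))
    if registry.get("authorizerType") != "CUSTOM_JWT":
        return findings  # AWS_IAM registries carry no JWT settings to review

    jwt = registry.get("authorizerConfiguration", {}).get("customJWTAuthorizer", {})
    url = urlparse(jwt.get("discoveryUrl", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append(("DISCOVERY_URL", "discoveryUrl is missing or not an https URL"))
    if not any(jwt.get(field) for field in TOKEN_CONSTRAINTS):
        findings.append(("NO_TOKEN_CONSTRAINTS",
                         "no audience, client, scope or custom-claim restriction is set"))
    for label, endpoint in _private_endpoints(jwt):
        managed = endpoint.get("managedVpcResource")
        # Without securityGroupIds the VPC's default security group is used.
        if managed and not managed.get("securityGroupIds"):
            findings.append(("DEFAULT_SECURITY_GROUP",
                             f"{label}: no securityGroupIds, VPC default group applies"))
    return findings


# Constructed sample response (not real account data).
SAMPLE_REGISTRY = {
    "name": "constructed_registry",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "privateEndpointOverrides": [{
            "domain": "idp.example.com",
            "privateEndpoint": {"managedVpcResource": {
                "vpcIdentifier": "vpc-constructed",
                "subnetIds": ["subnet-constructed"],
                "endpointIpAddressType": "IPV4",
            }},
        }],
    }},
    "approvalConfiguration": {"autoApproval": True},
    "status": "READY",
}

# The same registry after tightening each flagged setting (also constructed).
SAMPLE_HARDENED = copy.deepcopy(SAMPLE_REGISTRY)
SAMPLE_HARDENED["approvalConfiguration"]["autoApproval"] = False
_jwt = SAMPLE_HARDENED["authorizerConfiguration"]["customJWTAuthorizer"]
_jwt["allowedAudience"] = ["constructed-audience"]
_jwt["privateEndpointOverrides"][0]["privateEndpoint"]["managedVpcResource"][
    "securityGroupIds"] = ["sg-constructed"]

if __name__ == "__main__":
    for code, detail in audit_registry(SAMPLE_REGISTRY):
        print(f"{code}: {detail}")
```

Pass the dict returned by client.get_registry(registryId=...) to audit_registry to review a real registry.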

ListGatewayTargets (updated)
Changes (response)
{'items': {'authorizationData': {'oauth2': {'authorizationUrl': 'string',
                                            'userId': 'string'}},
           'lastSynchronizedAt': 'timestamp',
           'listingMode': 'DEFAULT | DYNAMIC',
           'targetType': 'OPEN_API_SCHEMA | SMITHY_MODEL | MCP_SERVER | LAMBDA '
                         '| API_GATEWAY | CONNECTOR | AGENTCORE_RUNTIME | '
                         'PASSTHROUGH | PROVIDER'}}

Lists all targets for a specific gateway.

See also: AWS API Documentation

Request Syntax

client.list_gateway_targets(
    gatewayIdentifier='string',
    maxResults=123,
    nextToken='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to list targets for.

type maxResults:

integer

param maxResults:

The maximum number of results to return in the response. If the total number of results is greater than this value, use the token returned in the response in the nextToken field when making another request to return the next batch of results.

type nextToken:

string

param nextToken:

If the total number of results is greater than the maxResults value provided in the request, enter the token returned in the nextToken field in the response in this field to return the next batch of results.

rtype:

dict

returns:

Response Syntax

{
    'items': [
        {
            'targetId': 'string',
            'name': 'string',
            'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
            'description': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'resourcePriority': 123,
            'lastSynchronizedAt': datetime(2015, 1, 1),
            'authorizationData': {
                'oauth2': {
                    'authorizationUrl': 'string',
                    'userId': 'string'
                }
            },
            'targetType': 'OPEN_API_SCHEMA'|'SMITHY_MODEL'|'MCP_SERVER'|'LAMBDA'|'API_GATEWAY'|'CONNECTOR'|'AGENTCORE_RUNTIME'|'PASSTHROUGH'|'PROVIDER',
            'listingMode': 'DEFAULT'|'DYNAMIC'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • items (list) --

      The list of gateway target summaries.

      • (dict) --

        Contains summary information about a gateway target. A target represents an endpoint that the gateway can connect to.

        • targetId (string) --

          The unique identifier of the target.

        • name (string) --

          The name of the target.

        • status (string) --

          The current status of the target.

        • description (string) --

          The description of the target.

        • createdAt (datetime) --

          The timestamp when the target was created.

        • updatedAt (datetime) --

          The timestamp when the target was last updated.

        • resourcePriority (integer) --

          Priority for resolving resource URI conflicts across targets. Lower values take precedence. Defaults to 1000 when not set.

        • lastSynchronizedAt (datetime) --

          The timestamp when the target was last synchronized.

        • authorizationData (dict) --

          Contains the authorization data that is returned when a gateway target is configured with a credential provider with authorization code grant type and requires user federation.

          • oauth2 (dict) --

            OAuth2 authorization data for the gateway target.

            • authorizationUrl (string) --

              The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

            • userId (string) --

              The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

        • targetType (string) --

          The type of the target.

        • listingMode (string) --

          The listing mode for the target. MCP resources for DEFAULT targets are cached at the control plane for faster access. MCP resources for DYNAMIC targets are retrieved dynamically when listing tools.

    • nextToken (string) --

      If the total number of results is greater than the maxResults value provided in the request, use this token when making another request in the nextToken field to return the next batch of results.

ListHarnesses (updated)
Changes (response)
{'harnesses': {'harnessVersion': 'string'}}

Operation to list harnesses.

See also: AWS API Documentation

Request Syntax

client.list_harnesses(
    maxResults=123,
    nextToken='string'
)
type maxResults:

integer

param maxResults:

The maximum number of results to return in a single call.

type nextToken:

string

param nextToken:

The token for the next set of results.

rtype:

dict

returns:

Response Syntax

{
    'harnesses': [
        {
            'harnessId': 'string',
            'harnessName': 'string',
            'arn': 'string',
            'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'harnessVersion': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • harnesses (list) --

      The list of harness summaries.

      • (dict) --

        Summary information about a harness.

        • harnessId (string) --

          The ID of the harness.

        • harnessName (string) --

          The name of the harness.

        • arn (string) --

          The ARN of the harness.

        • status (string) --

          The current status of the harness.

        • createdAt (datetime) --

          The timestamp when the harness was created.

        • updatedAt (datetime) --

          The timestamp when the harness was last updated.

        • harnessVersion (string) --

          The latest version of the harness.

    • nextToken (string) --

      The token for the next set of results.

ListMemories (updated)
Changes (response)
{'memories': {'managedByResourceArn': 'string'}}

Lists the available Amazon Bedrock AgentCore Memory resources in the current Amazon Web Services Region.

See also: AWS API Documentation

Request Syntax

client.list_memories(
    maxResults=123,
    nextToken='string'
)
type maxResults:

integer

param maxResults:

The maximum number of results to return in a single call. The default value is 10. The maximum value is 50.

type nextToken:

string

param nextToken:

The token for the next set of results. Use the value returned in the previous response in the next request to retrieve the next set of results.

rtype:

dict

returns:

Response Syntax

{
    'memories': [
        {
            'arn': 'string',
            'id': 'string',
            'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING'|'UPDATING',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'managedByResourceArn': 'string'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • memories (list) --

      The list of AgentCore Memory resource summaries.

      • (dict) --

        Contains summary information about a memory resource.

        • arn (string) --

          The Amazon Resource Name (ARN) of the memory.

        • id (string) --

          The unique identifier of the memory.

        • status (string) --

          The current status of the memory.

        • createdAt (datetime) --

          The timestamp when the memory was created.

        • updatedAt (datetime) --

          The timestamp when the memory was last updated.

        • managedByResourceArn (string) --

          ARN of the resource managing this memory (e.g. a harness). Null if not managed.

    • nextToken (string) --

      A token to retrieve the next page of results.

ListPolicies (updated)
Changes (response)
{'policies': {'definition': {'policy': {'statement': 'string'}},
              'enforcementMode': 'ACTIVE | LOG_ONLY'}}

Retrieves a list of policies within the AgentCore Policy engine. This operation supports pagination and filtering to help administrators manage and discover policies across policy engines. Results can be filtered by policy engine or resource associations.

See also: AWS API Documentation

Request Syntax

client.list_policies(
    nextToken='string',
    maxResults=123,
    policyEngineId='string',
    targetResourceScope='string'
)
type nextToken:

string

param nextToken:

A pagination token returned from a previous ListPolicies call. Use this token to retrieve the next page of results when the response is paginated.

type maxResults:

integer

param maxResults:

The maximum number of policies to return in a single response. If not specified, the default is 10 policies per page, with a maximum of 100 per page.

type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine whose policies to retrieve.

type targetResourceScope:

string

param targetResourceScope:

Optional filter to list policies that apply to a specific resource scope or resource type. This helps narrow down policy results to those relevant for particular Amazon Web Services resources, agent tools, or operational contexts within the policy engine ecosystem.

rtype:

dict

returns:

Response Syntax

{
    'policies': [
        {
            'policyId': 'string',
            'name': 'string',
            'policyEngineId': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'policyArn': 'string',
            'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
            'enforcementMode': 'ACTIVE'|'LOG_ONLY',
            'definition': {
                'cedar': {
                    'statement': 'string'
                },
                'policyGeneration': {
                    'policyGenerationId': 'string',
                    'policyGenerationAssetId': 'string'
                },
                'policy': {
                    'statement': 'string'
                }
            },
            'description': 'string',
            'statusReasons': [
                'string',
            ]
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • policies (list) --

      An array of policy objects that match the specified criteria. Each policy object contains the policy metadata, status, and key identifiers for further operations.

      • (dict) --

        Represents a complete policy resource within the AgentCore Policy system. Policies are ARN-able resources that contain Cedar policy statements and associated metadata for controlling agent behavior and access decisions. Each policy belongs to a policy engine and defines fine-grained authorization rules that are evaluated in real-time as agents interact with tools through Gateway. Policies use the Cedar policy language to specify who (principals based on OAuth claims like username, role, or scope) can perform what actions (tool calls) on which resources (Gateways), with optional conditions for attribute-based access control. Multiple policies can apply to a single request, with Cedar's forbid-wins semantics ensuring that security restrictions are never accidentally overridden.

        • policyId (string) --

          The unique identifier for the policy. This system-generated identifier consists of the user name plus a 10-character generated suffix and serves as the primary key for policy operations.

        • name (string) --

          The customer-assigned immutable name for the policy. This human-readable identifier must be unique within the account and cannot exceed 48 characters.

        • policyEngineId (string) --

          The identifier of the policy engine that manages this policy. This establishes the policy engine context for policy evaluation and management.

        • createdAt (datetime) --

          The timestamp when the policy was originally created. This is automatically set by the service and used for auditing and lifecycle management.

        • updatedAt (datetime) --

          The timestamp when the policy was last modified. This tracks the most recent changes to the policy configuration or metadata.

        • policyArn (string) --

          The Amazon Resource Name (ARN) of the policy. This globally unique identifier can be used for cross-service references and IAM policy statements.

        • status (string) --

          The current status of the policy.

        • enforcementMode (string) --

          The current enforcement mode of the policy.

        • definition (dict) --

          The Cedar policy statement that defines the access control rules. This contains the actual policy logic used for agent behavior control and access decisions.

          • cedar (dict) --

            The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

            • statement (string) --

              The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

          • policyGeneration (dict) --

            The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

            • policyGenerationId (string) --

              The unique identifier for this policy generation request.

            • policyGenerationAssetId (string) --

              The unique identifier for this generated policy asset within the policy generation request.

          • policy (dict) --

            An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

            • statement (string) --

              The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

        • description (string) --

          A human-readable description of the policy's purpose and functionality. Limited to 4,096 characters, this helps administrators understand and manage the policy.

        • statusReasons (list) --

          Additional information about the policy status. This provides details about any failures or the current state of the policy lifecycle.

          • (string) --

    • nextToken (string) --

      A pagination token that can be used in subsequent ListPolicies calls to retrieve additional results. This token is only present when there are more results available.
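
An inventory of one policy engine built on the ListPolicies pagination and the new enforcementMode field, as an added example (not AWS's code). The StubClient and its two pages are constructed so the block runs offline; listing LOG_ONLY policies separately reflects an assumption, taken from the value's name, that they are not being enforced, since this page does not define the modes.

```python
from collections import Counter

FAILED_STATES = {"CREATE_FAILED", "UPDATE_FAILED", "DELETE_FAILED"}
DEFINITION_KINDS = ("cedar", "policyGeneration", "policy")


def iter_policies(client, policy_engine_id, page_size=100):
    """Yield every policy of one engine, following nextToken until it is absent."""
    kwargs = {"policyEngineId": policy_engine_id, "maxResults": page_size}
    while True:
        page = client.list_policies(**kwargs)
        yield from page.get("policies", [])
        token = page.get("nextToken")
        if not token:  # the token is only present when more results exist
            return
        kwargs["nextToken"] = token


def definition_kind(policy):
    """Name the definition member the policy carries."""
    definition = policy.get("definition") or {}
    return next((kind for kind in DEFINITION_KINDS if kind in definition), "unknown")


def audit_policies(client, policy_engine_id):
    """Summarise enforcement mode, definition kind and failures for one engine."""
    report = {"total": 0, "by_mode": Counter(), "by_kind": Counter(),
              "log_only": [], "failed": []}
    for policy in iter_policies(client, policy_engine_id):
        report["total"] += 1
        mode = policy.get("enforcementMode", "UNSET")
        report["by_mode"][mode] += 1
        report["by_kind"][definition_kind(policy)] += 1
        if mode == "LOG_ONLY":
            report["log_only"].append(policy["name"])
        if policy.get("status") in FAILED_STATES:
            report["failed"].append((policy["name"], policy.get("statusReasons", [])))
    return report


class StubClient:
    """Constructed stand-in for the client on this page; serves two fixed pages."""

    PAGES = {
        None: {
            "policies": [
                {"name": "deny_refunds", "status": "ACTIVE", "enforcementMode": "ACTIVE",
                 "definition": {"cedar": {"statement": "constructed"}}},
                {"name": "limit_transfers", "status": "ACTIVE", "enforcementMode": "LOG_ONLY",
                 "definition": {"policy": {"statement": "constructed"}}},
            ],
            "nextToken": "page-2",
        },
        "page-2": {
            "policies": [
                {"name": "draft_generated", "status": "CREATE_FAILED",
                 "enforcementMode": "ACTIVE",
                 "definition": {"policyGeneration": {
                     "policyGenerationId": "gen-constructed",
                     "policyGenerationAssetId": "asset-constructed"}},
                 "statusReasons": ["constructed failure reason"]},
            ],
        },
    }

    def __init__(self):
        self.calls = []  # keyword arguments of every list_policies call

    def list_policies(self, **kwargs):
        self.calls.append(kwargs)
        return self.PAGES[kwargs.get("nextToken")]


if __name__ == "__main__":
    result = audit_policies(StubClient(), "engine-constructed")
    print("total:", result["total"])
    print("LOG_ONLY:", result["log_only"])
    print("failed:", result["failed"])
```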

ListPolicyGenerationAssets (updated)
Changes (response)
{'policyGenerationAssets': {'definition': {'policy': {'statement': 'string'}}}}

Retrieves a list of generated policy assets from a policy generation request within the AgentCore Policy system. This operation returns the actual Cedar policies and related artifacts produced by the AI-powered policy generation process, allowing users to review and select from multiple generated policy options.

See also: AWS API Documentation

Request Syntax

client.list_policy_generation_assets(
    policyGenerationId='string',
    policyEngineId='string',
    nextToken='string',
    maxResults=123
)
type policyGenerationId:

string

param policyGenerationId:

[REQUIRED]

The unique identifier of the policy generation request whose assets are to be retrieved. This must be a valid generation ID from a previous StartPolicyGeneration call that has completed processing.

type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The unique identifier of the policy engine associated with the policy generation request. This provides the context for the generation operation and ensures assets are retrieved from the correct policy engine.

type nextToken:

string

param nextToken:

A pagination token returned from a previous ListPolicyGenerationAssets call. Use this token to retrieve the next page of assets when the response is paginated due to large numbers of generated policy options.

type maxResults:

integer

param maxResults:

The maximum number of policy generation assets to return in a single response. If not specified, the default is 10 assets per page, with a maximum of 100 per page. This helps control response size when dealing with policy generations that produce many alternative policy options.

rtype:

dict

returns:

Response Syntax

{
    'policyGenerationAssets': [
        {
            'policyGenerationAssetId': 'string',
            'definition': {
                'cedar': {
                    'statement': 'string'
                },
                'policyGeneration': {
                    'policyGenerationId': 'string',
                    'policyGenerationAssetId': 'string'
                },
                'policy': {
                    'statement': 'string'
                }
            },
            'rawTextFragment': 'string',
            'findings': [
                {
                    'type': 'VALID'|'INVALID'|'NOT_TRANSLATABLE'|'ALLOW_ALL'|'ALLOW_NONE'|'DENY_ALL'|'DENY_NONE',
                    'description': 'string'
                },
            ]
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • policyGenerationAssets (list) --

      An array of generated policy assets including Cedar policies and related artifacts from the AI-powered policy generation process. Each asset represents a different policy option or variation generated from the original natural language input.

      • (dict) --

        Represents a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

        • policyGenerationAssetId (string) --

          The unique identifier for this generated policy asset within the policy generation request. This ID can be used to reference specific generated policy options when creating actual policies from the generation results.

        • definition (dict) --

          Represents the definition structure for policies within the AgentCore Policy system. This structure encapsulates different policy formats and languages that can be used to define access control rules.

          • cedar (dict) --

            The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

            • statement (string) --

              The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

          • policyGeneration (dict) --

            The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

            • policyGenerationId (string) --

              The unique identifier for this policy generation request.

            • policyGenerationAssetId (string) --

              The unique identifier for this generated policy asset within the policy generation request.

          • policy (dict) --

            An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

            • statement (string) --

              The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

        • rawTextFragment (string) --

          The portion of the original natural language input that this generated policy asset addresses. This helps users understand which part of their policy description was translated into this specific Cedar policy statement, enabling better policy selection and refinement. When a single natural language input describes multiple authorization requirements, the generation process creates separate policy assets for each requirement, with each asset's rawTextFragment showing which requirement it addresses. Use this mapping to verify that all parts of your natural language input were correctly translated into Cedar policies.

        • findings (list) --

          Analysis findings and insights related to this specific generated policy asset. These findings may include validation results, potential issues, or recommendations for improvement to help users evaluate the quality and appropriateness of the generated policy.

          • (dict) --

            Represents a finding or issue discovered during policy generation or validation. Findings provide insights about potential problems, recommendations, or validation results from policy analysis operations. Finding types include: VALID (policy is ready to use), INVALID (policy has validation errors that must be fixed), NOT_TRANSLATABLE (input couldn't be converted to policy), ALLOW_ALL (policy would allow all actions, potential security risk), ALLOW_NONE (policy would allow no actions, unusable), DENY_ALL (policy would deny all actions, may be too restrictive), and DENY_NONE (policy would deny no actions, ineffective). Review all findings before creating policies from generated assets to ensure they match your security requirements.

            • type (string) --

              The type or category of the finding. This classifies the finding as an error, warning, recommendation, or informational message to help users understand the severity and nature of the issue.

            • description (string) --

              A human-readable description of the finding. This provides detailed information about the issue, recommendation, or validation result to help users understand and address the finding.

    • nextToken (string) --

      A pagination token that can be used in subsequent ListPolicyGenerationAssets calls to retrieve additional assets. This token is only present when there are more generated policy assets available beyond the current response.
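The findings review described above, as an added example that is not part of the AWS documentation or SDK: it pages through list_policy_generation_assets, accepts an asset only when its findings are clean, and reports which requirements have no accepted asset. The fail-closed rule (anything other than VALID blocks), the substring match on rawTextFragment, FakeClient, REQUIREMENTS and all IDs and Cedar statements are assumptions constructed for illustration.

```python
# Added example: triage ListPolicyGenerationAssets output before creating policies.
# Assumption: every finding type except VALID blocks the asset (fail closed).
BLOCKING = {"INVALID", "NOT_TRANSLATABLE", "ALLOW_ALL", "ALLOW_NONE",
            "DENY_ALL", "DENY_NONE"}


def iter_assets(client, generation_id, engine_id, page_size=100):
    """Yield every generated asset, following nextToken across pages."""
    kwargs = {"policyGenerationId": generation_id,
              "policyEngineId": engine_id,
              "maxResults": page_size}
    while True:
        page = client.list_policy_generation_assets(**kwargs)
        yield from page.get("policyGenerationAssets", [])
        if not page.get("nextToken"):
            return
        kwargs["nextToken"] = page["nextToken"]


def statement_of(asset):
    """Return the policy body from definition.policy or definition.cedar."""
    definition = asset.get("definition") or {}
    for key in ("policy", "cedar"):
        text = (definition.get(key) or {}).get("statement")
        if text:
            return text
    return None


def normalise(text):
    """Lower-case and collapse whitespace so fragments compare reliably."""
    return " ".join(text.lower().split())


def triage(client, generation_id, engine_id, requirements):
    """Split assets into accepted/rejected and list requirements left uncovered."""
    accepted, rejected, covered = [], {}, []
    for asset in iter_assets(client, generation_id, engine_id):
        types = {f.get("type") for f in asset.get("findings", [])}
        reasons = sorted(types & BLOCKING)
        # A type this code does not know is treated as blocking, not ignored.
        unknown = sorted(types - BLOCKING - {"VALID"}, key=str)
        reasons += [f"unrecognised finding {t!r}" for t in unknown]
        if "VALID" not in types:
            reasons.append("no VALID finding")
        statement = statement_of(asset)
        if statement is None:
            reasons.append("no statement")
        asset_id = asset["policyGenerationAssetId"]
        if reasons:
            rejected[asset_id] = reasons
        else:
            accepted.append((asset_id, statement))
            covered.append(normalise(asset.get("rawTextFragment", "")))
    # Assumption: a requirement is covered when it overlaps an accepted fragment.
    uncovered = [r for r in requirements
                 if not any(normalise(r) in c or (c and c in normalise(r))
                            for c in covered)]
    return {"accepted": accepted, "rejected": rejected, "uncovered": uncovered}


# Constructed sample data shaped like the Response Syntax above.
REQUIREMENTS = ["Allow support agents to issue refunds up to 100 dollars",
                "Let admins do anything",
                "Block refunds on weekends"]


class FakeClient:
    """Constructed stand-in for the real client; serves two pages offline."""
    PAGES = {
        None: {"policyGenerationAssets": [
            {"policyGenerationAssetId": "asset-1",
             "definition": {"policy": {"statement":
                 'permit(principal, action == Action::"refund", resource) '
                 "when { context.amount <= 100 };"}},
             "rawTextFragment": REQUIREMENTS[0],
             "findings": [{"type": "VALID", "description": "ok"}]},
            {"policyGenerationAssetId": "asset-2",
             "definition": {"cedar": {"statement":
                 "permit(principal, action, resource);"}},
             "rawTextFragment": REQUIREMENTS[1],
             "findings": [{"type": "VALID", "description": "parses"},
                          {"type": "ALLOW_ALL", "description": "allows all"}]}],
            "nextToken": "page-2"},
        "page-2": {"policyGenerationAssets": [
            {"policyGenerationAssetId": "asset-3",
             "definition": {},
             "rawTextFragment": REQUIREMENTS[2],
             "findings": [{"type": "NOT_TRANSLATABLE", "description": "n/a"}]}]},
    }

    def __init__(self):
        self.calls = []

    def list_policy_generation_assets(self, **kwargs):
        self.calls.append(dict(kwargs))
        return self.PAGES[kwargs.get("nextToken")]


if __name__ == "__main__":
    print(triage(FakeClient(), "gen-EXAMPLE", "engine-EXAMPLE", REQUIREMENTS))
```

Against a real account, pass the AgentCore Control client in place of FakeClient; a non-empty `uncovered` list means part of the natural language input has no usable policy yet.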

ListPolicySummaries (updated)
Changes (response)
{'policies': {'enforcementMode': 'ACTIVE | LOG_ONLY'}}

Retrieves a paginated list of metadata-only policy summaries within a policy engine without decrypting customer content. This lightweight read operation returns resource identifiers, status, and timestamps for each policy, but does not include policy definitions, descriptions, or status reasons. Because this operation does not require access to the customer's KMS key, it is suitable for resource discovery, inventory, and integration scenarios where only metadata is needed.

See also: AWS API Documentation

Request Syntax

client.list_policy_summaries(
    nextToken='string',
    maxResults=123,
    policyEngineId='string',
    targetResourceScope='string'
)
type nextToken:

string

param nextToken:

A pagination token returned from a previous ListPolicySummaries call. Use this token to retrieve the next page of results when the response is paginated.

type maxResults:

integer

param maxResults:

The maximum number of policy summaries to return in a single response.

type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine whose policy summaries to retrieve.

type targetResourceScope:

string

param targetResourceScope:

Optional filter to list policy summaries that apply to a specific resource scope or resource type. This helps narrow down results to those relevant for particular Amazon Web Services resources, agent tools, or operational contexts within the policy engine ecosystem.

rtype:

dict

returns:

Response Syntax

{
    'policies': [
        {
            'policyId': 'string',
            'name': 'string',
            'policyEngineId': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'policyArn': 'string',
            'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
            'enforcementMode': 'ACTIVE'|'LOG_ONLY'
        },
    ],
    'nextToken': 'string'
}

Response Structure

  • (dict) --

    • policies (list) --

      An array of policy summary objects that match the specified criteria. Each summary contains resource identifiers, status, and timestamps without customer-encrypted content.

      • (dict) --

        Represents a metadata-only summary of a policy resource. This structure contains resource identifiers, status, and timestamps without customer-encrypted fields such as definition, description, or status reasons. Policy summaries are returned by operations that do not require access to the customer's KMS key.

        • policyId (string) --

          The unique identifier for the policy.

        • name (string) --

          The customer-assigned name of the policy.

        • policyEngineId (string) --

          The identifier of the policy engine that manages this policy.

        • createdAt (datetime) --

          The timestamp when the policy was originally created.

        • updatedAt (datetime) --

          The timestamp when the policy was last modified.

        • policyArn (string) --

          The Amazon Resource Name (ARN) of the policy.

        • status (string) --

          The current status of the policy.

        • enforcementMode (string) --

          The current enforcement mode of the policy.

    • nextToken (string) --

      A pagination token that can be used in subsequent ListPolicySummaries calls to retrieve additional results. This token is only present when there are more results available.

SynchronizeGatewayTargets (updated)
Changes (response)
{'targets': {'targetConfiguration': {'http': {'agentcoreRuntime': {'schema': {'source': {'inlinePayload': 'string',
                                                                                         's3': {'bucketOwnerAccountId': 'string',
                                                                                                'uri': 'string'}}}},
                                              'passthrough': {'endpoint': 'string',
                                                              'protocolType': 'MCP | A2A | INFERENCE | CUSTOM',
                                                              'schema': {'source': {'inlinePayload': 'string',
                                                                                    's3': {'bucketOwnerAccountId': 'string',
                                                                                           'uri': 'string'}}},
                                                              'stickinessConfiguration': {'identifier': 'string',
                                                                                          'timeout': 'integer'}}},
                                     'inference': {'connector': {'source': {'connectorId': 'string'}},
                                                   'provider': {'endpoint': 'string',
                                                                'modelMapping': {'providerPrefix': {'separator': 'string',
                                                                                                    'strip': 'boolean'}},
                                                                'operations': [{'models': [{'model': 'string'}],
                                                                                'path': 'string',
                                                                                'providerPath': 'string'}]}},
                                     'mcp': {'connector': {'configurations': [{'description': 'string',
                                                                               'name': 'string',
                                                                               'parameterOverrides': [{'description': 'string',
                                                                                                       'path': 'string',
                                                                                                       'visible': 'boolean'}],
                                                                               'parameterValues': {}}],
                                                           'enabled': ['string'],
                                                           'source': {'connectorId': 'string'}}}}}}

Synchronizes the gateway targets by fetching the latest tool definitions from the target endpoints.

You cannot synchronize a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before synchronizing.

You cannot synchronize a target that has a static tool schema (mcpToolSchema) configured. Remove the static schema through an UpdateGatewayTarget call to enable dynamic tool synchronization.
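The two restrictions above, applied as a pre-check before calling synchronize_gateway_targets (an added example, not code from the AWS documentation or SDK). It assumes the caller already holds target descriptions carrying the targetId, status and targetConfiguration fields shown in this operation's Response Syntax; RecordingClient and the sample targets are constructed.

```python
# Added example: keep targets that cannot be synchronized out of targetIdList.
PENDING_AUTH = {"CREATE_PENDING_AUTH", "UPDATE_PENDING_AUTH",
                "SYNCHRONIZE_PENDING_AUTH"}


def sync_blockers(target):
    """Return the reasons, if any, why this target must not be synchronized."""
    reasons = []
    status = target.get("status")
    if status in PENDING_AUTH:
        reasons.append(f"pending authorization ({status})")
    config = target.get("targetConfiguration") or {}
    mcp_server = (config.get("mcp") or {}).get("mcpServer") or {}
    # Assumption: a non-empty mcpToolSchema entry means a static schema is set.
    if mcp_server.get("mcpToolSchema"):
        reasons.append("static mcpToolSchema configured")
    return reasons


def plan_sync(targets):
    """Split targets into IDs safe to synchronize and IDs blocked, with reasons."""
    syncable, blocked = [], {}
    for target in targets:
        reasons = sync_blockers(target)
        if reasons:
            blocked[target["targetId"]] = reasons
        else:
            syncable.append(target["targetId"])
    return syncable, blocked


def synchronize_eligible(client, gateway_identifier, targets):
    """Call SynchronizeGatewayTargets only for eligible targets."""
    syncable, blocked = plan_sync(targets)
    if not syncable:
        # targetIdList is [REQUIRED]; skip the call rather than send it empty.
        return {"targets": []}, blocked
    response = client.synchronize_gateway_targets(
        gatewayIdentifier=gateway_identifier, targetIdList=syncable)
    return response, blocked


# Constructed sample targets (IDs and endpoint are placeholders).
SAMPLE_TARGETS = [
    {"targetId": "TARGET-A", "status": "READY",
     "targetConfiguration": {"mcp": {"mcpServer": {
         "endpoint": "https://mcp.example.invalid"}}}},
    {"targetId": "TARGET-B", "status": "UPDATE_PENDING_AUTH",
     "targetConfiguration": {"mcp": {"mcpServer": {
         "endpoint": "https://mcp.example.invalid"}}}},
    {"targetId": "TARGET-C", "status": "READY",
     "targetConfiguration": {"mcp": {"mcpServer": {
         "endpoint": "https://mcp.example.invalid",
         "mcpToolSchema": {"inlinePayload": "{}"}}}}},
]


class RecordingClient:
    """Constructed stand-in that records the request instead of calling AWS."""

    def __init__(self):
        self.requests = []

    def synchronize_gateway_targets(self, **kwargs):
        self.requests.append(kwargs)
        return {"targets": [{"targetId": t, "status": "SYNCHRONIZING"}
                            for t in kwargs["targetIdList"]]}


if __name__ == "__main__":
    print(synchronize_eligible(RecordingClient(), "GATEWAY-EXAMPLE", SAMPLE_TARGETS))
```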

See also: AWS API Documentation

Request Syntax

client.synchronize_gateway_targets(
    gatewayIdentifier='string',
    targetIdList=[
        'string',
    ]
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The gateway identifier.

type targetIdList:

list

param targetIdList:

[REQUIRED]

The target ID list.

  • (string) --

rtype:

dict

returns:

Response Syntax

{
    'targets': [
        {
            'gatewayArn': 'string',
            'targetId': 'string',
            'createdAt': datetime(2015, 1, 1),
            'updatedAt': datetime(2015, 1, 1),
            'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
            'statusReasons': [
                'string',
            ],
            'name': 'string',
            'description': 'string',
            'targetConfiguration': {
                'mcp': {
                    'openApiSchema': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    },
                    'smithyModel': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    },
                    'lambda': {
                        'lambdaArn': 'string',
                        'toolSchema': {
                            's3': {
                                'uri': 'string',
                                'bucketOwnerAccountId': 'string'
                            },
                            'inlinePayload': [
                                {
                                    'name': 'string',
                                    'description': 'string',
                                    'inputSchema': {
                                        'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                        'properties': {
                                            'string': {'... recursive ...'}
                                        },
                                        'required': [
                                            'string',
                                        ],
                                        'items': {'... recursive ...'},
                                        'description': 'string'
                                    },
                                    'outputSchema': {
                                        'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                        'properties': {
                                            'string': {'... recursive ...'}
                                        },
                                        'required': [
                                            'string',
                                        ],
                                        'items': {'... recursive ...'},
                                        'description': 'string'
                                    }
                                },
                            ]
                        }
                    },
                    'mcpServer': {
                        'endpoint': 'string',
                        'mcpToolSchema': {
                            's3': {
                                'uri': 'string',
                                'bucketOwnerAccountId': 'string'
                            },
                            'inlinePayload': 'string'
                        },
                        'listingMode': 'DEFAULT'|'DYNAMIC',
                        'resourcePriority': 123
                    },
                    'apiGateway': {
                        'restApiId': 'string',
                        'stage': 'string',
                        'apiGatewayToolConfiguration': {
                            'toolOverrides': [
                                {
                                    'name': 'string',
                                    'description': 'string',
                                    'path': 'string',
                                    'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                                },
                            ],
                            'toolFilters': [
                                {
                                    'filterPath': 'string',
                                    'methods': [
                                        'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                                    ]
                                },
                            ]
                        }
                    },
                    'connector': {
                        'source': {
                            'connectorId': 'string'
                        },
                        'enabled': [
                            'string',
                        ],
                        'configurations': [
                            {
                                'name': 'string',
                                'description': 'string',
                                'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                                'parameterOverrides': [
                                    {
                                        'path': 'string',
                                        'description': 'string',
                                        'visible': True|False
                                    },
                                ]
                            },
                        ]
                    }
                },
                'http': {
                    'agentcoreRuntime': {
                        'arn': 'string',
                        'qualifier': 'string',
                        'schema': {
                            'source': {
                                's3': {
                                    'uri': 'string',
                                    'bucketOwnerAccountId': 'string'
                                },
                                'inlinePayload': 'string'
                            }
                        }
                    },
                    'passthrough': {
                        'endpoint': 'string',
                        'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                        'schema': {
                            'source': {
                                's3': {
                                    'uri': 'string',
                                    'bucketOwnerAccountId': 'string'
                                },
                                'inlinePayload': 'string'
                            }
                        },
                        'stickinessConfiguration': {
                            'identifier': 'string',
                            'timeout': 123
                        }
                    }
                },
                'inference': {
                    'connector': {
                        'source': {
                            'connectorId': 'string'
                        }
                    },
                    'provider': {
                        'endpoint': 'string',
                        'modelMapping': {
                            'providerPrefix': {
                                'strip': True|False,
                                'separator': 'string'
                            }
                        },
                        'operations': [
                            {
                                'path': 'string',
                                'providerPath': 'string',
                                'models': [
                                    {
                                        'model': 'string'
                                    },
                                ]
                            },
                        ]
                    }
                }
            },
            'credentialProviderConfigurations': [
                {
                    'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
                    'credentialProvider': {
                        'oauthCredentialProvider': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                            'defaultReturnUrl': 'string'
                        },
                        'apiKeyCredentialProvider': {
                            'providerArn': 'string',
                            'credentialParameterName': 'string',
                            'credentialPrefix': 'string',
                            'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                        },
                        'iamCredentialProvider': {
                            'service': 'string',
                            'region': 'string'
                        }
                    }
                },
            ],
            'lastSynchronizedAt': datetime(2015, 1, 1),
            'metadataConfiguration': {
                'allowedRequestHeaders': [
                    'string',
                ],
                'allowedQueryParameters': [
                    'string',
                ],
                'allowedResponseHeaders': [
                    'string',
                ]
            },
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointManagedResources': [
                {
                    'domain': 'string',
                    'resourceGatewayArn': 'string',
                    'resourceAssociationArn': 'string'
                },
            ],
            'authorizationData': {
                'oauth2': {
                    'authorizationUrl': 'string',
                    'userId': 'string'
                }
            },
            'protocolType': 'MCP'|'HTTP'
        },
    ]
}

Response Structure

  • (dict) --

    • targets (list) --

      The gateway targets for synchronization.

      • (dict) --

        The gateway target.

        • gatewayArn (string) --

          The Amazon Resource Name (ARN) of the gateway target.

        • targetId (string) --

          The target ID.

        • createdAt (datetime) --

          The date and time at which the target was created.

        • updatedAt (datetime) --

          The date and time at which the target was updated.

        • status (string) --

          The status of the gateway target.

        • statusReasons (list) --

          The status reasons for the target status.

          • (string) --

        • name (string) --

          The name of the gateway target.

        • description (string) --

          The description for the gateway target.

        • targetConfiguration (dict) --

          The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

          • mcp (dict) --

            The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

            • openApiSchema (dict) --

              The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

            • smithyModel (dict) --

              The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

            • lambda (dict) --

              The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

              • lambdaArn (string) --

                The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

              • toolSchema (dict) --

                The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

                • s3 (dict) --

                  The Amazon S3 location of the tool schema. This location contains the schema definition file.

                  • uri (string) --

                    The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                  • bucketOwnerAccountId (string) --

                    The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                • inlinePayload (list) --

                  The inline payload of the tool schema. This payload contains the schema definition directly in the request.

                  • (dict) --

                    A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                    • name (string) --

                      The name of the tool. This name identifies the tool in the Model Context Protocol.

                    • description (string) --

                      The description of the tool. This description provides information about the purpose and usage of the tool.

                    • inputSchema (dict) --

                      The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                      • type (string) --

                        The type of the schema definition. This field specifies the data type of the schema.

                      • properties (dict) --

                        The properties of the schema definition. These properties define the fields in the schema.

                        • (string) --

                          • (dict) --

                            A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                      • required (list) --

                        The required fields in the schema definition. These fields must be provided when using the schema.

                        • (string) --

                      • items (dict) --

                        The items in the schema definition. This field is used for array types to define the structure of the array elements.

                      • description (string) --

                        The description of the schema definition. This description provides information about the purpose and usage of the schema.

                    • outputSchema (dict) --

                      The output schema for the tool. This schema defines the structure of the output that the tool produces.

                      • type (string) --

                        The type of the schema definition. This field specifies the data type of the schema.

                      • properties (dict) --

                        The properties of the schema definition. These properties define the fields in the schema.

                        • (string) --

                          • (dict) --

                            A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                      • required (list) --

                        The required fields in the schema definition. These fields must be provided when using the schema.

                        • (string) --

                      • items (dict) --

                        The items in the schema definition. This field is used for array types to define the structure of the array elements.

                      • description (string) --

                        The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • mcpServer (dict) --

              The MCP server specified as the gateway target.

              • endpoint (string) --

                The endpoint for the MCP server target configuration.

              • mcpToolSchema (dict) --

                The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery and synchronization are disabled when the target is configured with mcpToolSchema.

                • s3 (dict) --

                  The Amazon S3 location of the tool schema. This location contains the schema definition file.

                  • uri (string) --

                    The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                  • bucketOwnerAccountId (string) --

                    The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                • inlinePayload (string) --

                  The inline payload containing the MCP tool schema definition.

              • listingMode (string) --

                The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

              • resourcePriority (integer) --

                Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

            • apiGateway (dict) --

              The configuration for an Amazon API Gateway target.

              • restApiId (string) --

                The ID of the API Gateway REST API.

              • stage (string) --

                The ID of the stage of the REST API to add as a target.

              • apiGatewayToolConfiguration (dict) --

                The configuration for defining REST API tool filters and overrides for the gateway target.

                • toolOverrides (list) --

                  A list of explicit tool definitions with optional custom names and descriptions.

                  • (dict) --

                    Settings to override configurations for a tool.

                    • name (string) --

                      The name of the tool. Identifies the tool in the Model Context Protocol.

                    • description (string) --

                      The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                    • path (string) --

                      Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                    • method (string) --

                      The HTTP method to expose for the specified path.

                • toolFilters (list) --

                  A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

                  • (dict) --

                    Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                    • filterPath (string) --

                      Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                    • methods (list) --

                      The methods to filter for.

                      • (string) --

            • connector (dict) --

              The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

              • source (dict) --

                The source configuration identifying which connector to use.

                • connectorId (string) --

                  The identifier for the connector integration (for example, bedrock-knowledge-bases).

              • enabled (list) --

                A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

                • (string) --

              • configurations (list) --

                A list of per-tool configurations for the connector.

                • (dict) --

                  Configuration for a single tool within a connector.

                  • name (string) --

                    The tool or operation name (for example, retrieve or webSearch).

                  • description (string) --

                    An agent-facing description override for this tool.

                  • parameterValues (document) --

                    Parameters to set as fixed or default values when provisioning this tool.

                  • parameterOverrides (list) --

                    Parameters to expose to the agent at runtime, with optional description overrides.

                    • (dict) --

                      Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

                      • path (string) --

                        A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

                      • description (string) --

                        An agent-facing description override for this parameter.

                      • visible (boolean) --

                        Whether this parameter is visible to the agent. If not specified, uses the service default.

          • http (dict) --

            The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

            • agentcoreRuntime (dict) --

              The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

              • arn (string) --

                The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

              • qualifier (string) --

                The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

              • schema (dict) --

                The API schema configuration that defines the structure of the runtime target's API.

                • source (dict) --

                  Configuration for API schema.

                  • s3 (dict) --

                    The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                    • uri (string) --

                      The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                    • bucketOwnerAccountId (string) --

                      The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                  • inlinePayload (string) --

                    The inline payload containing the API schema definition.

            • passthrough (dict) --

              The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

              • endpoint (string) --

                The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

              • protocolType (string) --

                The application protocol the passthrough target implements. Required for passthrough targets.

              • schema (dict) --

                The API schema configuration that defines the structure of the passthrough target's API.

                • source (dict) --

                  Configuration for API schema.

                  • s3 (dict) --

                    The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                    • uri (string) --

                      The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                    • bucketOwnerAccountId (string) --

                      The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

                  • inlinePayload (string) --

                    The inline payload containing the API schema definition.

              • stickinessConfiguration (dict) --

                The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

                • identifier (string) --

                  The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

                • timeout (integer) --

                  The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

          • inference (dict) --

            The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

            • connector (dict) --

              The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

              • source (dict) --

                The source configuration identifying which inference connector to use.

                • connectorId (string) --

                  The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

            • provider (dict) --

              The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

              • endpoint (string) --

                The HTTPS endpoint of the inference provider that the gateway forwards requests to.

              • modelMapping (dict) --

                The configuration that translates client-facing model IDs to the model IDs expected by the provider.

                • providerPrefix (dict) --

                  The provider prefix configuration used for model ID translation.

                  • strip (boolean) --

                    Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

                  • separator (string) --

                    The single character that separates the provider prefix from the model name (for example, "."). The default is ".".

              • operations (list) --

                A list of per-operation configurations that map request paths to the models supported for each operation.

                • (dict) --

                  The configuration for a specific inference operation, including its request path and the models that the operation supports.

                  • path (string) --

                    The request path for this operation (for example, /v1/messages or /v1/responses).

                  • providerPath (string) --

                    The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

                  • models (list) --

                    The list of models supported for this operation.

                    • (dict) --

                      A model entry that specifies a model supported for an inference operation.

                      • model (string) --

                        The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

        • credentialProviderConfigurations (list) --

          The provider configurations.

          • (dict) --

            The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

            • credentialProviderType (string) --

              The type of credential provider. This field specifies which authentication method the gateway uses.

            • credentialProvider (dict) --

              The credential provider. This field contains the specific configuration for the credential provider type.

              • oauthCredentialProvider (dict) --

                The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

                • providerArn (string) --

                  The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                • scopes (list) --

                  The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                  • (string) --

                • customParameters (dict) --

                  The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                  • (string) --

                    • (string) --

                • grantType (string) --

                  Specifies the kind of credentials to use for authorization:

                  • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                  • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                  • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                • defaultReturnUrl (string) --

                  The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

              • apiKeyCredentialProvider (dict) --

                The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

                • providerArn (string) --

                  The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

                • credentialParameterName (string) --

                  The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

                • credentialPrefix (string) --

                  The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

                • credentialLocation (string) --

                  The location of the API key credential. This field specifies where in the request the API key should be placed.

              • iamCredentialProvider (dict) --

                The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

                • service (string) --

                  The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

                • region (string) --

                  The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

        • lastSynchronizedAt (datetime) --

          The last synchronization time.

        • metadataConfiguration (dict) --

          The metadata configuration for HTTP header and query parameter propagation to and from this gateway target.

          • allowedRequestHeaders (list) --

            A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

            • (string) --

          • allowedQueryParameters (list) --

            A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

            • (string) --

          • allowedResponseHeaders (list) --

            A list of HTTP headers that are allowed to be propagated from the target response back to the client.

            • (string) --

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointManagedResources (list) --

          A list of managed resources created by the gateway for private endpoint connectivity. These resources are created in your account when you use a managed VPC Lattice resource configuration.

          • (dict) --

            Details of a resource created and managed by the gateway for private endpoint connectivity.

            • domain (string) --

              The domain associated with this managed resource.

            • resourceGatewayArn (string) --

              The ARN of the VPC Lattice resource gateway created in your account.

            • resourceAssociationArn (string) --

              The ARN of the service network resource association.

        • authorizationData (dict) --

          OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

          • oauth2 (dict) --

            OAuth2 authorization data for the gateway target.

            • authorizationUrl (string) --

              The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

            • userId (string) --

              The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

        • protocolType (string) --

          The protocol type of the gateway target.
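
The apiGatewayToolConfiguration fields in the structure above (toolFilters with filterPath and methods, and toolOverrides) decide which REST operations an agent can call. The following is an added example, not AWS code: a local preview of that exposure for review before a target is created. The operation inventory and configuration are constructed, and the wildcard matching is an assumption read from the field description ("/pets/*" covers paths under /pets but not /pets itself), not the service's own matcher.

```python
# Added example (not AWS code): preview which REST operations an
# apiGatewayToolConfiguration would expose as tools, and flag broad exposure.

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed inventory of (path, method) pairs, as it could be read from the
# REST API's exported OpenAPI specification.
REST_OPERATIONS = [
    ("/pets", "GET"),
    ("/pets", "POST"),
    ("/pets/{petId}", "GET"),
    ("/pets/{petId}", "DELETE"),
    ("/admin/users", "GET"),
]

# Constructed configuration using the field names documented above.
TOOL_CONFIG = {
    "toolFilters": [
        {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
        {"filterPath": "/pets", "methods": ["GET"]},
    ],
    "toolOverrides": [
        {"name": "create_pet", "path": "/pets", "method": "POST",
         "description": "Register a new pet."},
    ],
}


def filter_matches(filter_path, path):
    """Assumed semantics: exact path, or a trailing /* for everything under it."""
    if filter_path.endswith("/*"):
        return path.startswith(filter_path[:-1])
    return path == filter_path


def exposed_operations(rest_operations, tool_config):
    """Return {(path, method): source} for operations the config would expose."""
    available = {(path, method.upper()) for path, method in rest_operations}
    exposed = {}
    for flt in tool_config.get("toolFilters", []):
        wanted = {m.upper() for m in flt.get("methods", [])}
        for path, method in available:
            if method in wanted and filter_matches(flt["filterPath"], path):
                exposed.setdefault((path, method), "filter " + flt["filterPath"])
    for override in tool_config.get("toolOverrides", []):
        key = (override["path"], override["method"].upper())
        if key in available:  # overrides must name an existing path
            exposed[key] = "override " + override["name"]
    return exposed


def review_findings(rest_operations, tool_config):
    """List entries a reviewer should question before the target is created."""
    available = {(path, method.upper()) for path, method in rest_operations}
    findings = []
    for flt in tool_config.get("toolFilters", []):
        if not any(filter_matches(flt["filterPath"], p) for p, _ in available):
            findings.append(f"filter {flt['filterPath']} matches no existing path")
    for override in tool_config.get("toolOverrides", []):
        if (override["path"], override["method"].upper()) not in available:
            findings.append(f"override {override['name']} targets a missing operation")
    exposed = exposed_operations(rest_operations, tool_config)
    for (path, method), source in sorted(exposed.items()):
        # A state-changing method reached only through a wildcard was never
        # named explicitly by whoever wrote the configuration.
        if method in STATE_CHANGING and source.startswith("filter ") and source.endswith("/*"):
            findings.append(f"{method} {path} is exposed by wildcard {source}")
    return findings


if __name__ == "__main__":
    for (path, method), source in sorted(exposed_operations(REST_OPERATIONS, TOOL_CONFIG).items()):
        print(f"{method:6} {path:16} via {source}")
    for finding in review_findings(REST_OPERATIONS, TOOL_CONFIG):
        print("REVIEW:", finding)
```

Listing state-changing operations as toolOverrides instead of reaching them through a wildcard filter keeps each one an explicit, reviewable decision.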

UpdateAgentRuntime (updated)
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Updates an existing Amazon Secure Agent.

See also: AWS API Documentation

Request Syntax

client.update_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    metadataConfiguration={
        'requireMMDSV2': True|False
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ],
    clientToken='string'
)
type agentRuntimeId:

string

param agentRuntimeId:

[REQUIRED]

The unique identifier of the AgentCore Runtime to update.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The updated artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The updated network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

    • requireServiceS3Endpoint (boolean) --

      Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

      Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

      Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

      This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.
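
Because agentRuntimeArtifact, roleArn and networkConfiguration are all [REQUIRED], changing requireServiceS3Endpoint means resending the runtime's whole current configuration. The following is an added example, not AWS code: it builds that request from a dict of the runtime's current settings (assumed to use the same key names as the request, for instance taken from a GetAgentRuntime response) and interprets a ValidationException. The sample values are constructed placeholders, and carrying the optional fields over is a choice made here so the call does not rely on how the service treats omitted fields.

```python
# Added example (not AWS code): opt a pre-rollout VPC-mode runtime out of the
# service-managed Amazon S3 gateway without dropping the rest of its settings.
import copy

REQUIRED = ("agentRuntimeArtifact", "roleArn", "networkConfiguration")
OPTIONAL = ("description", "authorizerConfiguration", "requestHeaderConfiguration",
            "protocolConfiguration", "lifecycleConfiguration", "metadataConfiguration",
            "environmentVariables", "filesystemConfigurations")

# Constructed description of a runtime's current configuration.
SAMPLE_CURRENT = {
    "agentRuntimeId": "example-runtime-id",
    "status": "READY",  # stands in for response-only fields; must not be resent
    "agentRuntimeArtifact": {"containerConfiguration": {"containerUri": "<ecr-image-uri>"}},
    "roleArn": "<runtime-role-arn>",
    "networkConfiguration": {
        "networkMode": "VPC",
        "networkModeConfig": {"securityGroups": ["<security-group-id>"],
                              "subnets": ["<subnet-id>"]},
    },
    "authorizerConfiguration": {
        "customJWTAuthorizer": {"discoveryUrl": "<oidc-discovery-url>",
                                "allowedAudience": ["<audience>"]},
    },
}


def build_opt_out_request(current, vpc_s3_access_confirmed):
    """Return update_agent_runtime keyword arguments with the field set to False."""
    missing = [k for k in ("agentRuntimeId",) + REQUIRED if k not in current]
    if missing:
        raise ValueError(f"current configuration lacks required fields: {missing}")
    network = copy.deepcopy(current["networkConfiguration"])
    if network.get("networkMode") != "VPC":
        raise ValueError("requireServiceS3Endpoint belongs to the VPC network mode")
    mode_config = network.get("networkModeConfig") or {}
    if not mode_config.get("securityGroups") or not mode_config.get("subnets"):
        raise ValueError("networkModeConfig needs securityGroups and subnets")
    if not vpc_s3_access_confirmed:
        # Agent startup downloads code and images from Amazon S3; after the
        # opt-out only the VPC's own routing can provide that access.
        raise ValueError("confirm the VPC provides Amazon S3 access before opting out")
    mode_config["requireServiceS3Endpoint"] = False
    network["networkModeConfig"] = mode_config

    request = {"agentRuntimeId": current["agentRuntimeId"],
               "agentRuntimeArtifact": copy.deepcopy(current["agentRuntimeArtifact"]),
               "roleArn": current["roleArn"],
               "networkConfiguration": network}
    for key in OPTIONAL:  # keep the authorizer, header allowlist and the rest
        if key in current:
            request[key] = copy.deepcopy(current[key])
    return request


def apply_opt_out(client, request):
    """Send the update; report a ValidationException instead of raising it.

    `client` is anything with an update_agent_runtime method. The error is read
    from the exception's `response` attribute, the shape botocore's ClientError uses.
    """
    try:
        client.update_agent_runtime(**request)
    except Exception as exc:
        error = (getattr(exc, "response", None) or {}).get("Error", {})
        if error.get("Code") == "ValidationException":
            # Expected for runtimes created after the rollout, which reject the
            # field; other validation failures land here too, so keep the message.
            return ("validation-rejected", error.get("Message", ""))
        raise
    return ("requested", "")


if __name__ == "__main__":
    print(build_opt_out_request(SAMPLE_CURRENT, vpc_s3_access_confirmed=True))
```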

type description:

string

param description:

The updated description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

The updated configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The updated lifecycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type metadataConfiguration:

dict

param metadataConfiguration:

The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

  • requireMMDSV2 (boolean) -- [REQUIRED]

    Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

type environmentVariables:

dict

param environmentVariables:

Updated environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The updated filesystem configurations to mount into the AgentCore Runtime.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • s3FilesAccessPoint (dict) --

      Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the S3 Files access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • efsAccessPoint (dict) --

      Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the EFS access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.
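A local pre-flight check for the filesystemConfigurations, metadataConfiguration and lifecycleConfiguration parameters described above, as an added example (not AWS or boto3 code). The function names, finding codes and sample request are constructed for illustration; treating two mounts at the same path as a conflict and flagging an idle timeout longer than maxLifetime are assumptions of this check, not documented service validation.

```python
"""Pre-flight review of update_agent_runtime keyword arguments (added example)."""

FILESYSTEM_KINDS = ("sessionStorage", "s3FilesAccessPoint", "efsAccessPoint")


def mount_path_problem(path):
    """Return why `path` breaks the '/mnt plus exactly one level' rule, or None."""
    if not isinstance(path, str) or not path.startswith("/mnt/"):
        return "not under /mnt"
    segment = path[len("/mnt/"):]
    if segment in ("", ".", ".."):
        return "no real subdirectory after /mnt"
    if "/" in segment:
        # Strict on purpose: nested paths, traversal and trailing slashes all land here.
        return "more than one level below /mnt (or a trailing slash)"
    return None


def audit_runtime_update(params):
    """Return a list of (code, message) findings for one request dict."""
    findings = []
    seen = {}  # mountPath -> first location that used it
    for index, config in enumerate(params.get("filesystemConfigurations") or []):
        for kind in FILESYSTEM_KINDS:
            if kind not in config:
                continue
            where = f"filesystemConfigurations[{index}].{kind}"
            path = config[kind].get("mountPath")
            problem = mount_path_problem(path)
            if problem:
                findings.append(("MOUNT_PATH", f"{where}: {path!r}: {problem}"))
            elif path in seen:
                # Assumption of this check: one path cannot back two filesystems.
                findings.append(("MOUNT_DUPLICATE",
                                 f"{where}: {path} already used by {seen[path]}"))
            else:
                seen[path] = where

    metadata = params.get("metadataConfiguration")
    if metadata is not None and metadata.get("requireMMDSV2") is not True:
        findings.append(("MMDS_V1_ALLOWED",
                         "requireMMDSV2 is not true, so the microVM is not "
                         "restricted to MMDSv2 requests"))

    lifecycle = params.get("lifecycleConfiguration") or {}
    idle = lifecycle.get("idleRuntimeSessionTimeout")
    max_life = lifecycle.get("maxLifetime")
    if idle is not None and max_life is not None and idle > max_life:
        # Sanity check only: the instance is replaced before the idle timer fires.
        findings.append(("IDLE_EXCEEDS_LIFETIME",
                         f"idleRuntimeSessionTimeout {idle}s > maxLifetime {max_life}s"))
    return findings


# Constructed sample request; the ARNs are placeholders, not real resources.
SAMPLE_REQUEST = {
    "filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data"}},
        {"efsAccessPoint": {"accessPointArn": "<efs-access-point-arn>",
                            "mountPath": "/mnt/data"}},
        {"s3FilesAccessPoint": {"accessPointArn": "<s3-files-access-point-arn>",
                                "mountPath": "/mnt/models/v2"}},
        {"efsAccessPoint": {"accessPointArn": "<efs-access-point-arn>",
                            "mountPath": "/mnt/../etc"}},
    ],
    "metadataConfiguration": {"requireMMDSV2": False},
    "lifecycleConfiguration": {"idleRuntimeSessionTimeout": 3600, "maxLifetime": 1800},
}

if __name__ == "__main__":
    for code, message in audit_runtime_update(SAMPLE_REQUEST):
        print(f"{code}: {message}")
```
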

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeId': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the updated AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the updated AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeVersion (string) --

      The version of the updated AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • status (string) --

      The current status of the updated AgentCore Runtime.

UpdateGateway (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'customTransformConfiguration': {'lambda': {'arn': 'string'}},
 'interceptorConfigurations': {'inputConfiguration': {'payloadFilter': {'exclude': [{'field': 'RESPONSE_BODY'}]}}},
 'wafConfiguration': {'failureMode': 'FAIL_CLOSE | FAIL_OPEN'}}
Response
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}},
 'customTransformConfiguration': {'lambda': {'arn': 'string'}},
 'interceptorConfigurations': {'inputConfiguration': {'payloadFilter': {'exclude': [{'field': 'RESPONSE_BODY'}]}}},
 'wafConfiguration': {'failureMode': 'FAIL_CLOSE | FAIL_OPEN'},
 'webAclArn': 'string'}

Updates an existing gateway.

See also: AWS API Documentation

Request Syntax

client.update_gateway(
    gatewayIdentifier='string',
    name='string',
    description='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    kmsKeyArn='string',
    customTransformConfiguration={
        'lambda': {
            'arn': 'string'
        }
    },
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG',
    wafConfiguration={
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to update.

type name:

string

param name:

[REQUIRED]

The name of the gateway. This name must be the same as the one when the gateway was created.

type description:

string

param description:

The updated description for the gateway.

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the gateway.

type protocolType:

string

param protocolType:

The updated protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • sessionConfiguration (dict) --

      The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

      • sessionTimeoutInSeconds (integer) --

        The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

    • streamingConfiguration (dict) --

      The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

      • enableResponseStreaming (boolean) --

        Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The updated authorizer type for the gateway.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the gateway.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type kmsKeyArn:

string

param kmsKeyArn:

The updated ARN of the KMS key used to encrypt the gateway.

type customTransformConfiguration:

dict

param customTransformConfiguration:

The updated custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

  • lambda (dict) --

    The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

    • arn (string) --

      The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

type interceptorConfigurations:

list

param interceptorConfigurations:

The updated interceptor configurations for the gateway.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the Lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The ARN of the Lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

      • payloadFilter (dict) --

        The filter that determines which parts of the request or response payload are passed as input to the interceptor.

        • exclude (list) -- [REQUIRED]

          The list of selectors that identify payload fields to exclude from the interceptor input.

          • (dict) --

            A selector that identifies a payload field to exclude from the interceptor input.

            • field (string) --

              The field to exclude from the interceptor input.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type wafConfiguration:

dict

param wafConfiguration:

The updated Amazon Web Services WAF configuration for the gateway.

  • failureMode (string) --

    The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

    • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

    • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.
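Several update_gateway parameters above decide whether the gateway fails open or closed: authorizerType, wafConfiguration.failureMode, policyEngineConfiguration.mode and exceptionLevel. The following is an added example (not AWS or boto3 code) of a local review of a request dict before it is sent; the function name, finding codes, severities and sample requests are constructed, and the HTTPS and "at least one token restriction" checks are this example's review policy rather than documented service validation.

```python
"""Pre-deployment review of update_gateway keyword arguments (added example)."""

# Range stated in the sessionTimeoutInSeconds description.
SESSION_TIMEOUT_MIN, SESSION_TIMEOUT_MAX = 900, 28800
JWT_RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")


def audit_gateway_update(params):
    """Return a list of (severity, code, message) findings for one request dict."""
    findings = []

    def add(severity, code, message):
        findings.append((severity, code, message))

    auth_type = params.get("authorizerType")
    jwt = (params.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if auth_type == "NONE":
        add("HIGH", "AUTH_NONE", "authorizerType is NONE")
    elif auth_type == "CUSTOM_JWT":
        if not jwt:
            add("HIGH", "JWT_MISSING", "CUSTOM_JWT selected without customJWTAuthorizer")
        else:
            url = str(jwt.get("discoveryUrl", ""))
            if not url.lower().startswith("https://"):
                add("HIGH", "JWT_DISCOVERY_NOT_HTTPS", f"discoveryUrl is {url!r}")
            if not any(jwt.get(key) for key in JWT_RESTRICTIONS):
                add("MEDIUM", "JWT_UNRESTRICTED",
                    "customJWTAuthorizer sets none of " + ", ".join(JWT_RESTRICTIONS))

    if (params.get("wafConfiguration") or {}).get("failureMode") == "FAIL_OPEN":
        add("HIGH", "WAF_FAIL_OPEN",
            "requests are allowed when AWS WAF is unreachable or times out")

    if (params.get("policyEngineConfiguration") or {}).get("mode") == "LOG_ONLY":
        add("MEDIUM", "POLICY_LOG_ONLY", "policy decisions are traced but not enforced")

    if params.get("exceptionLevel") == "DEBUG":
        add("LOW", "DEBUG_ERRORS", "granular exception messages are returned to callers")

    mcp = (params.get("protocolConfiguration") or {}).get("mcp") or {}
    timeout = (mcp.get("sessionConfiguration") or {}).get("sessionTimeoutInSeconds")
    if timeout is not None and not SESSION_TIMEOUT_MIN <= timeout <= SESSION_TIMEOUT_MAX:
        add("ERROR", "SESSION_TIMEOUT_RANGE",
            f"sessionTimeoutInSeconds {timeout} is outside "
            f"{SESSION_TIMEOUT_MIN}-{SESSION_TIMEOUT_MAX}")

    for index, config in enumerate(params.get("interceptorConfigurations") or []):
        if (config.get("inputConfiguration") or {}).get("passRequestHeaders"):
            add("LOW", "INTERCEPTOR_HEADERS",
                f"interceptorConfigurations[{index}] receives request headers; "
                "confirm the Lambda does not log them")
    return findings


# Constructed sample requests; identifiers and ARNs are placeholders.
RISKY_REQUEST = {
    "gatewayIdentifier": "<gateway-id>", "name": "example-gateway",
    "roleArn": "arn:aws:iam::111122223333:role/ExampleGatewayRole",
    "authorizerType": "NONE",
    "protocolConfiguration": {"mcp": {"sessionConfiguration": {"sessionTimeoutInSeconds": 86400}}},
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "<interceptor-lambda-arn>"}},
        "interceptionPoints": ["REQUEST"],
        "inputConfiguration": {"passRequestHeaders": True},
    }],
    "policyEngineConfiguration": {"arn": "<policy-engine-arn>", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
    "wafConfiguration": {"failureMode": "FAIL_OPEN"},
}

HARDENED_REQUEST = {
    "gatewayIdentifier": "<gateway-id>", "name": "example-gateway",
    "roleArn": "arn:aws:iam::111122223333:role/ExampleGatewayRole",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedAudience": ["example-gateway"],
    }},
    "protocolConfiguration": {"mcp": {"sessionConfiguration": {"sessionTimeoutInSeconds": 3600}}},
    "policyEngineConfiguration": {"arn": "<policy-engine-arn>", "mode": "ENFORCE"},
    "wafConfiguration": {"failureMode": "FAIL_CLOSE"},
}

if __name__ == "__main__":
    for severity, code, message in audit_gateway_update(RISKY_REQUEST):
        print(f"[{severity}] {code}: {message}")
```

A LOG_ONLY finding is expected while policies are still being validated, as the mode description recommends; the check is there so that state does not reach production unnoticed.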

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the updated gateway.

    • gatewayId (string) --

      The unique identifier of the updated gateway.

    • gatewayUrl (string) --

      An endpoint for invoking the updated gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the updated gateway.

    • statusReasons (list) --

      The reasons for the current status of the updated gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The updated description of the gateway.

    • roleArn (string) --

      The updated IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      The updated protocol type for the gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      The updated authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The updated authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The updated ARN of the KMS key used to encrypt the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The updated interceptor configurations for the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the Lambda function used for the interceptor.

            • arn (string) --

              The ARN of the Lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The updated policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.
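
The response above carries several settings that decide how exposed a gateway is: authorizerType, exceptionLevel, webAclArn, wafConfiguration.failureMode and policyEngineConfiguration.mode. The following is an added example, not part of the AWS reference or SDK: a review function that walks such a response dict and reports the risky combinations. The function name, the severity labels, the choice of what to flag and the sample response are assumptions of this example.

```python
"""Review a gateway response dict (shape documented above) for risky settings."""
from __future__ import annotations

from typing import Any

# Severity ordering used to sort findings (a convention of this example).
_ORDER = {"high": 0, "medium": 1, "info": 2}


def audit_gateway(resp: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (severity, field, message) tuples, most severe first."""
    findings: list[tuple[str, str, str]] = []

    # Inbound authorization.
    auth_type = resp.get("authorizerType")
    if auth_type == "NONE":
        findings.append(("high", "authorizerType",
                         "gateway has no inbound authorizer"))
    elif auth_type == "CUSTOM_JWT":
        jwt = (resp.get("authorizerConfiguration") or {}).get("customJWTAuthorizer") or {}
        checks = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
        if not any(jwt.get(name) for name in checks):
            findings.append(("medium", "authorizerConfiguration.customJWTAuthorizer",
                             "no audience, client, scope or custom-claim restriction is set"))

    # DEBUG returns granular exception messages to the caller.
    if resp.get("exceptionLevel") == "DEBUG":
        findings.append(("medium", "exceptionLevel",
                         "granular exception messages are returned to callers"))

    # WAF association and behaviour when WAF cannot be evaluated.
    if not resp.get("webAclArn"):
        findings.append(("medium", "webAclArn", "no WAF web ACL is associated"))
    elif (resp.get("wafConfiguration") or {}).get("failureMode") == "FAIL_OPEN":
        findings.append(("medium", "wafConfiguration.failureMode",
                         "requests are allowed when WAF is unreachable or times out"))

    # Cedar policy engine: LOG_ONLY traces decisions but does not enforce them.
    policy = resp.get("policyEngineConfiguration") or {}
    if not policy:
        findings.append(("info", "policyEngineConfiguration",
                         "no policy engine is attached"))
    elif policy.get("mode") == "LOG_ONLY":
        findings.append(("medium", "policyEngineConfiguration.mode",
                         "policy decisions are traced but not enforced"))

    # Interceptors that receive request headers (which may carry credentials).
    for i, cfg in enumerate(resp.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn", "?")
            findings.append((
                "info",
                f"interceptorConfigurations[{i}].inputConfiguration.passRequestHeaders",
                f"request headers are passed to {arn}"))

    # sorted() is stable, so check order is kept within each severity.
    return sorted(findings, key=lambda f: _ORDER[f[0]])


# Constructed sample response; every identifier below is a placeholder.
SAMPLE_RESPONSE = {
    "gatewayId": "example-gateway-id",
    "status": "READY",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedAudience": [],
        }
    },
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {
                "arn": "arn:aws:lambda:us-east-1:111122223333:function:example"}},
            "interceptionPoints": ["REQUEST"],
            "inputConfiguration": {"passRequestHeaders": True},
        }
    ],
    "policyEngineConfiguration": {"arn": "EXAMPLE-POLICY-ENGINE-ARN", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
    "webAclArn": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/example/EXAMPLE-ID",
    "wafConfiguration": {"failureMode": "FAIL_OPEN"},
}

if __name__ == "__main__":
    for severity, field, message in audit_gateway(SAMPLE_RESPONSE):
        print(f"[{severity}] {field}: {message}")
```
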

UpdateGatewayTarget (updated)
Changes (both)
{'targetConfiguration': {'http': {'agentcoreRuntime': {'schema': {'source': {'inlinePayload': 'string',
                                                                             's3': {'bucketOwnerAccountId': 'string',
                                                                                    'uri': 'string'}}}},
                                  'passthrough': {'endpoint': 'string',
                                                  'protocolType': 'MCP | A2A | '
                                                                  'INFERENCE | '
                                                                  'CUSTOM',
                                                  'schema': {'source': {'inlinePayload': 'string',
                                                                        's3': {'bucketOwnerAccountId': 'string',
                                                                               'uri': 'string'}}},
                                                  'stickinessConfiguration': {'identifier': 'string',
                                                                              'timeout': 'integer'}}},
                         'inference': {'connector': {'source': {'connectorId': 'string'}},
                                       'provider': {'endpoint': 'string',
                                                    'modelMapping': {'providerPrefix': {'separator': 'string',
                                                                                        'strip': 'boolean'}},
                                                    'operations': [{'models': [{'model': 'string'}],
                                                                    'path': 'string',
                                                                    'providerPath': 'string'}]}},
                         'mcp': {'connector': {'configurations': [{'description': 'string',
                                                                   'name': 'string',
                                                                   'parameterOverrides': [{'description': 'string',
                                                                                           'path': 'string',
                                                                                           'visible': 'boolean'}],
                                                                   'parameterValues': {}}],
                                               'enabled': ['string'],
                                               'source': {'connectorId': 'string'}}}}}

Updates an existing gateway target.

You cannot update a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before updating the target.

See also: AWS API Documentation

Request Syntax

client.update_gateway_target(
    gatewayIdentifier='string',
    targetId='string',
    name='string',
    description='string',
    targetConfiguration={
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'listingMode': 'DEFAULT'|'DYNAMIC',
                'resourcePriority': 123
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            },
            'connector': {
                'source': {
                    'connectorId': 'string'
                },
                'enabled': [
                    'string',
                ],
                'configurations': [
                    {
                        'name': 'string',
                        'description': 'string',
                        'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                        'parameterOverrides': [
                            {
                                'path': 'string',
                                'description': 'string',
                                'visible': True|False
                            },
                        ]
                    },
                ]
            }
        },
        'http': {
            'agentcoreRuntime': {
                'arn': 'string',
                'qualifier': 'string',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                }
            },
            'passthrough': {
                'endpoint': 'string',
                'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                },
                'stickinessConfiguration': {
                    'identifier': 'string',
                    'timeout': 123
                }
            }
        },
        'inference': {
            'connector': {
                'source': {
                    'connectorId': 'string'
                }
            },
            'provider': {
                'endpoint': 'string',
                'modelMapping': {
                    'providerPrefix': {
                        'strip': True|False,
                        'separator': 'string'
                    }
                },
                'operations': [
                    {
                        'path': 'string',
                        'providerPath': 'string',
                        'models': [
                            {
                                'model': 'string'
                            },
                        ]
                    },
                ]
            }
        }
    },
    credentialProviderConfigurations=[
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    metadataConfiguration={
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    privateEndpoint={
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The unique identifier of the gateway associated with the target.

type targetId:

string

param targetId:

[REQUIRED]

The unique identifier of the gateway target to update.

type name:

string

param name:

The updated name for the gateway target.

type description:

string

param description:

The updated description for the gateway target.

type targetConfiguration:

dict

param targetConfiguration:

[REQUIRED]

The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

  • mcp (dict) --

    The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

    • openApiSchema (dict) --

      The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • smithyModel (dict) --

      The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

      • s3 (dict) --

        The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

        • uri (string) --

          The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

        • bucketOwnerAccountId (string) --

          The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

      • inlinePayload (string) --

        The inline payload containing the API schema definition.

    • lambda (dict) --

      The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

      • lambdaArn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

      • toolSchema (dict) -- [REQUIRED]

        The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (list) --

          The inline payload of the tool schema. This payload contains the schema definition directly in the request.

          • (dict) --

            A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

            • name (string) -- [REQUIRED]

              The name of the tool. This name identifies the tool in the Model Context Protocol.

            • description (string) -- [REQUIRED]

              The description of the tool. This description provides information about the purpose and usage of the tool.

            • inputSchema (dict) -- [REQUIRED]

              The input schema for the tool. This schema defines the structure of the input that the tool accepts.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

            • outputSchema (dict) --

              The output schema for the tool. This schema defines the structure of the output that the tool produces.

              • type (string) -- [REQUIRED]

                The type of the schema definition. This field specifies the data type of the schema.

              • properties (dict) --

                The properties of the schema definition. These properties define the fields in the schema.

                • (string) --

                  • (dict) --

                    A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

              • required (list) --

                The required fields in the schema definition. These fields must be provided when using the schema.

                • (string) --

              • items (dict) --

                The items in the schema definition. This field is used for array types to define the structure of the array elements.

              • description (string) --

                The description of the schema definition. This description provides information about the purpose and usage of the schema.

    • mcpServer (dict) --

      The MCP server specified as the gateway target.

      • endpoint (string) -- [REQUIRED]

        The endpoint for the MCP server target configuration.

      • mcpToolSchema (dict) --

        The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization is disabled when the target is configured with mcpToolSchema.

        • s3 (dict) --

          The Amazon S3 location of the tool schema. This location contains the schema definition file.

          • uri (string) --

            The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

          • bucketOwnerAccountId (string) --

            The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

        • inlinePayload (string) --

          The inline payload containing the MCP tool schema definition.

      • listingMode (string) --

        The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

      • resourcePriority (integer) --

        Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

    • apiGateway (dict) --

      The configuration for an Amazon API Gateway target.

      • restApiId (string) -- [REQUIRED]

        The ID of the API Gateway REST API.

      • stage (string) -- [REQUIRED]

        The ID of the stage of the REST API to add as a target.

      • apiGatewayToolConfiguration (dict) -- [REQUIRED]

        The configuration for defining REST API tool filters and overrides for the gateway target.

        • toolOverrides (list) --

          A list of explicit tool definitions with optional custom names and descriptions.

          • (dict) --

            Settings to override configurations for a tool.

            • name (string) -- [REQUIRED]

              The name of the tool. Identifies the tool in the Model Context Protocol.

            • description (string) --

              The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

            • path (string) -- [REQUIRED]

              Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

            • method (string) -- [REQUIRED]

              The HTTP method to expose for the specified path.

        • toolFilters (list) -- [REQUIRED]

          A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

          • (dict) --

            Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

            • filterPath (string) -- [REQUIRED]

              Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

            • methods (list) -- [REQUIRED]

              The methods to filter for.

              • (string) --

    • connector (dict) --

      The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

      • source (dict) -- [REQUIRED]

        The source configuration identifying which connector to use.

        • connectorId (string) -- [REQUIRED]

          The identifier for the connector integration (for example, bedrock-knowledge-bases).

      • enabled (list) --

        A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

        • (string) --

      • configurations (list) --

        A list of per-tool configurations for the connector.

        • (dict) --

          Configuration for a single tool within a connector.

          • name (string) -- [REQUIRED]

            The tool or operation name (for example, retrieve or webSearch).

          • description (string) --

            An agent-facing description override for this tool.

          • parameterValues (document) --

            Parameters to set as fixed or default values when provisioning this tool.

          • parameterOverrides (list) --

            Parameters to expose to the agent at runtime, with optional description overrides.

            • (dict) --

              Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

              • path (string) -- [REQUIRED]

                A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

              • description (string) --

                An agent-facing description override for this parameter.

              • visible (boolean) --

                Whether this parameter is visible to the agent. If not specified, uses the service default.

  • http (dict) --

    The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

    • agentcoreRuntime (dict) --

      The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

      • arn (string) -- [REQUIRED]

        The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

      • qualifier (string) --

        The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

      • schema (dict) --

        The API schema configuration that defines the structure of the runtime target's API.

        • source (dict) -- [REQUIRED]

          Configuration for API schema.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

    • passthrough (dict) --

      The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

      • endpoint (string) -- [REQUIRED]

        The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

      • protocolType (string) -- [REQUIRED]

        The application protocol the passthrough target implements. Required for passthrough targets.

      • schema (dict) --

        The API schema configuration that defines the structure of the passthrough target's API.

        • source (dict) -- [REQUIRED]

          Configuration for API schema.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

      • stickinessConfiguration (dict) --

        The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

        • identifier (string) -- [REQUIRED]

          The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

        • timeout (integer) --

          The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

  • inference (dict) --

    The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

    • connector (dict) --

      The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

      • source (dict) -- [REQUIRED]

        The source configuration identifying which inference connector to use.

        • connectorId (string) -- [REQUIRED]

          The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

    • provider (dict) --

      The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

      • endpoint (string) -- [REQUIRED]

        The HTTPS endpoint of the inference provider that the gateway forwards requests to.

      • modelMapping (dict) --

        The configuration that translates client-facing model IDs to the model IDs expected by the provider.

        • providerPrefix (dict) --

          The provider prefix configuration used for model ID translation.

          • strip (boolean) --

            Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

          • separator (string) --

            The single character that separates the provider prefix from the model name (for example, .). The default is a period (.).

      • operations (list) --

        A list of per-operation configurations that map request paths to the models supported for each operation.

        • (dict) --

          The configuration for a specific inference operation, including its request path and the models that the operation supports.

          • path (string) -- [REQUIRED]

            The request path for this operation (for example, /v1/messages or /v1/responses).

          • providerPath (string) --

            The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

          • models (list) --

            The list of models supported for this operation.

            • (dict) --

              A model entry that specifies a model supported for an inference operation.

              • model (string) -- [REQUIRED]

                The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

type credentialProviderConfigurations:

list

param credentialProviderConfigurations:

The updated credential provider configurations for the gateway target.

  • (dict) --

    The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

    • credentialProviderType (string) -- [REQUIRED]

      The type of credential provider. This field specifies which authentication method the gateway uses.

    • credentialProvider (dict) --

      The credential provider. This field contains the specific configuration for the credential provider type.

      • oauthCredentialProvider (dict) --

        The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

        • scopes (list) -- [REQUIRED]

          The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

          • (string) --

        • customParameters (dict) --

          The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

          • (string) --

            • (string) --

        • grantType (string) --

          Specifies the kind of credentials to use for authorization:

          • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

          • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

          • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

        • defaultReturnUrl (string) --

          The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • apiKeyCredentialProvider (dict) --

        The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

        • providerArn (string) -- [REQUIRED]

          The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

        • credentialParameterName (string) --

          The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

        • credentialPrefix (string) --

          The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

        • credentialLocation (string) --

          The location of the API key credential. This field specifies where in the request the API key should be placed.

      • iamCredentialProvider (dict) --

        The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

        • service (string) -- [REQUIRED]

          The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

        • region (string) --

          The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

type metadataConfiguration:

dict

param metadataConfiguration:

Configuration for HTTP header and query parameter propagation to the gateway target.

  • allowedRequestHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

    • (string) --

  • allowedQueryParameters (list) --

    A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

    • (string) --

  • allowedResponseHeaders (list) --

    A list of HTTP headers that are allowed to be propagated from the target response back to the client.

    • (string) --

type privateEndpoint:

dict

param privateEndpoint:

The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.

  • selfManagedLatticeResource (dict) --

    Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

    • resourceConfigurationIdentifier (string) --

      The ARN or ID of the VPC Lattice resource configuration.

  • managedVpcResource (dict) --

    Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

    • vpcIdentifier (string) -- [REQUIRED]

      The ID of the VPC that contains your private resource.

    • subnetIds (list) -- [REQUIRED]

      The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

      • (string) --

    • endpointIpAddressType (string) -- [REQUIRED]

      The IP address type for the resource configuration endpoint.

    • securityGroupIds (list) --

      The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

      • (string) --

    • tags (dict) --

      Tags to apply to the managed VPC Lattice resource gateway.

      • (string) --

        • (string) --

    • routingDomain (string) --

      An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.
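
Several of the parameters above carry constraints or defaults that matter for a security review before the request is sent. The following is an added example, not part of the AWS documentation or SDK: a local check over a request-parameter dict that uses only the field names documented above. The rule set, the SENSITIVE_HEADERS list, the function names and the sample requests are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumption: request headers that normally carry caller credentials.
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def _get(d, *path):
    """Walk nested dicts; return None as soon as a level is missing."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def audit_gateway_target(params):
    """Return (field, message) findings for one request-parameter dict."""
    findings = []
    cfg = params.get("targetConfiguration") or {}
    creds = params.get("credentialProviderConfigurations") or []

    # Both endpoints are documented as HTTPS endpoints.
    for field in (("http", "passthrough", "endpoint"),
                  ("inference", "provider", "endpoint")):
        url = _get(cfg, *field)
        if url is not None and urlparse(url).scheme.lower() != "https":
            findings.append((".".join(field), "endpoint is not https"))

    # Stickiness timeout: valid values range from 1 to 86400 seconds.
    timeout = _get(cfg, "http", "passthrough", "stickinessConfiguration", "timeout")
    if timeout is not None and not 1 <= timeout <= 86400:
        findings.append(("stickinessConfiguration.timeout", "outside 1..86400"))

    # mcpToolSchema is supported only with an authorization code grant.
    if _get(cfg, "mcp", "mcpServer", "mcpToolSchema") is not None:
        grants = {_get(c, "credentialProvider", "oauthCredentialProvider", "grantType")
                  for c in creds}
        if "AUTHORIZATION_CODE" not in grants:
            findings.append(("mcpServer.mcpToolSchema",
                             "needs an AUTHORIZATION_CODE OAuth provider"))

    # A wildcard filterPath turns every matching operation into a tool.
    tool_cfg = _get(cfg, "mcp", "apiGateway", "apiGatewayToolConfiguration") or {}
    for flt in tool_cfg.get("toolFilters") or []:
        risky = sorted(MUTATING_METHODS & set(flt.get("methods") or []))
        if flt.get("filterPath", "").endswith("*") and risky:
            findings.append(("toolFilters",
                             f"{flt['filterPath']} exposes {','.join(risky)}"))

    # Query-string API keys tend to end up in access logs and proxies.
    for c in creds:
        loc = _get(c, "credentialProvider", "apiKeyCredentialProvider",
                   "credentialLocation")
        if loc == "QUERY_PARAMETER":
            findings.append(("apiKeyCredentialProvider.credentialLocation",
                             "API key is sent as a query parameter"))

    # Allow-listed request headers are propagated from the client to the target.
    for name in _get(params, "metadataConfiguration", "allowedRequestHeaders") or []:
        if name.lower() in SENSITIVE_HEADERS:
            findings.append(("allowedRequestHeaders",
                             f"{name} is forwarded to the target"))

    # With no securityGroupIds the VPC's default security group is used.
    managed = _get(params, "privateEndpoint", "managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append(("managedVpcResource.securityGroupIds",
                         "unset, so the default VPC security group applies"))
    return findings


# Constructed sample requests (identifiers are placeholders, not real resources).
SAMPLE_API_GATEWAY = {
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "EXAMPLE_REST_API_ID", "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]}]}}}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "EXAMPLE_PROVIDER_ARN",
            "credentialLocation": "QUERY_PARAMETER"}}}],
    "metadataConfiguration": {"allowedRequestHeaders": ["Authorization", "x-request-id"]},
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "EXAMPLE_VPC_ID", "subnetIds": ["EXAMPLE_SUBNET_ID"],
        "endpointIpAddressType": "IPV4"}},
}
SAMPLE_PASSTHROUGH = {
    "targetConfiguration": {"http": {"passthrough": {
        "endpoint": "http://tools.internal.example/mcp", "protocolType": "MCP",
        "stickinessConfiguration": {
            "identifier": "$context.header.x-session-id", "timeout": 90000}}}},
}

if __name__ == "__main__":
    for req in (SAMPLE_API_GATEWAY, SAMPLE_PASSTHROUGH):
        for field, message in audit_gateway_target(req):
            print(f"{field}: {message}")
```

The findings are review prompts rather than service-side validation results; the service may accept or reject a request independently of this check.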

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'targetId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'targetConfiguration': {
        'mcp': {
            'openApiSchema': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'smithyModel': {
                's3': {
                    'uri': 'string',
                    'bucketOwnerAccountId': 'string'
                },
                'inlinePayload': 'string'
            },
            'lambda': {
                'lambdaArn': 'string',
                'toolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'inputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            },
                            'outputSchema': {
                                'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
                                'properties': {
                                    'string': {'... recursive ...'}
                                },
                                'required': [
                                    'string',
                                ],
                                'items': {'... recursive ...'},
                                'description': 'string'
                            }
                        },
                    ]
                }
            },
            'mcpServer': {
                'endpoint': 'string',
                'mcpToolSchema': {
                    's3': {
                        'uri': 'string',
                        'bucketOwnerAccountId': 'string'
                    },
                    'inlinePayload': 'string'
                },
                'listingMode': 'DEFAULT'|'DYNAMIC',
                'resourcePriority': 123
            },
            'apiGateway': {
                'restApiId': 'string',
                'stage': 'string',
                'apiGatewayToolConfiguration': {
                    'toolOverrides': [
                        {
                            'name': 'string',
                            'description': 'string',
                            'path': 'string',
                            'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
                        },
                    ],
                    'toolFilters': [
                        {
                            'filterPath': 'string',
                            'methods': [
                                'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
                            ]
                        },
                    ]
                }
            },
            'connector': {
                'source': {
                    'connectorId': 'string'
                },
                'enabled': [
                    'string',
                ],
                'configurations': [
                    {
                        'name': 'string',
                        'description': 'string',
                        'parameterValues': {...}|[...]|123|123.4|'string'|True|None,
                        'parameterOverrides': [
                            {
                                'path': 'string',
                                'description': 'string',
                                'visible': True|False
                            },
                        ]
                    },
                ]
            }
        },
        'http': {
            'agentcoreRuntime': {
                'arn': 'string',
                'qualifier': 'string',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                }
            },
            'passthrough': {
                'endpoint': 'string',
                'protocolType': 'MCP'|'A2A'|'INFERENCE'|'CUSTOM',
                'schema': {
                    'source': {
                        's3': {
                            'uri': 'string',
                            'bucketOwnerAccountId': 'string'
                        },
                        'inlinePayload': 'string'
                    }
                },
                'stickinessConfiguration': {
                    'identifier': 'string',
                    'timeout': 123
                }
            }
        },
        'inference': {
            'connector': {
                'source': {
                    'connectorId': 'string'
                }
            },
            'provider': {
                'endpoint': 'string',
                'modelMapping': {
                    'providerPrefix': {
                        'strip': True|False,
                        'separator': 'string'
                    }
                },
                'operations': [
                    {
                        'path': 'string',
                        'providerPath': 'string',
                        'models': [
                            {
                                'model': 'string'
                            },
                        ]
                    },
                ]
            }
        }
    },
    'credentialProviderConfigurations': [
        {
            'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
            'credentialProvider': {
                'oauthCredentialProvider': {
                    'providerArn': 'string',
                    'scopes': [
                        'string',
                    ],
                    'customParameters': {
                        'string': 'string'
                    },
                    'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                    'defaultReturnUrl': 'string'
                },
                'apiKeyCredentialProvider': {
                    'providerArn': 'string',
                    'credentialParameterName': 'string',
                    'credentialPrefix': 'string',
                    'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
                },
                'iamCredentialProvider': {
                    'service': 'string',
                    'region': 'string'
                }
            }
        },
    ],
    'lastSynchronizedAt': datetime(2015, 1, 1),
    'metadataConfiguration': {
        'allowedRequestHeaders': [
            'string',
        ],
        'allowedQueryParameters': [
            'string',
        ],
        'allowedResponseHeaders': [
            'string',
        ]
    },
    'privateEndpoint': {
        'selfManagedLatticeResource': {
            'resourceConfigurationIdentifier': 'string'
        },
        'managedVpcResource': {
            'vpcIdentifier': 'string',
            'subnetIds': [
                'string',
            ],
            'endpointIpAddressType': 'IPV4'|'IPV6',
            'securityGroupIds': [
                'string',
            ],
            'tags': {
                'string': 'string'
            },
            'routingDomain': 'string'
        }
    },
    'privateEndpointManagedResources': [
        {
            'domain': 'string',
            'resourceGatewayArn': 'string',
            'resourceAssociationArn': 'string'
        },
    ],
    'authorizationData': {
        'oauth2': {
            'authorizationUrl': 'string',
            'userId': 'string'
        }
    },
    'protocolType': 'MCP'|'HTTP'
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • targetId (string) --

      The unique identifier of the updated gateway target.

    • createdAt (datetime) --

      The timestamp when the gateway target was created.

    • updatedAt (datetime) --

      The timestamp when the gateway target was last updated.

    • status (string) --

      The current status of the updated gateway target.

    • statusReasons (list) --

      The reasons for the current status of the updated gateway target.

      • (string) --

    • name (string) --

      The updated name of the gateway target.

    • description (string) --

      The updated description of the gateway target.

    • targetConfiguration (dict) --

      The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.

      • mcp (dict) --

        The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.

        • openApiSchema (dict) --

          The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • smithyModel (dict) --

          The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.

          • s3 (dict) --

            The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

            • uri (string) --

              The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

            • bucketOwnerAccountId (string) --

              The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

          • inlinePayload (string) --

            The inline payload containing the API schema definition.

        • lambda (dict) --

          The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.

          • lambdaArn (string) --

            The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.

          • toolSchema (dict) --

            The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (list) --

              The inline payload of the tool schema. This payload contains the schema definition directly in the request.

              • (dict) --

                A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.

                • name (string) --

                  The name of the tool. This name identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. This description provides information about the purpose and usage of the tool.

                • inputSchema (dict) --

                  The input schema for the tool. This schema defines the structure of the input that the tool accepts.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

                • outputSchema (dict) --

                  The output schema for the tool. This schema defines the structure of the output that the tool produces.

                  • type (string) --

                    The type of the schema definition. This field specifies the data type of the schema.

                  • properties (dict) --

                    The properties of the schema definition. These properties define the fields in the schema.

                    • (string) --

                      • (dict) --

                        A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.

                  • required (list) --

                    The required fields in the schema definition. These fields must be provided when using the schema.

                    • (string) --

                  • items (dict) --

                    The items in the schema definition. This field is used for array types to define the structure of the array elements.

                  • description (string) --

                    The description of the schema definition. This description provides information about the purpose and usage of the schema.

        • mcpServer (dict) --

          The MCP server specified as the gateway target.

          • endpoint (string) --

            The endpoint for the MCP server target configuration.

          • mcpToolSchema (dict) --

            The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization is disabled when the target is configured with mcpToolSchema.

            • s3 (dict) --

              The Amazon S3 location of the tool schema. This location contains the schema definition file.

              • uri (string) --

                The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

              • bucketOwnerAccountId (string) --

                The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

            • inlinePayload (string) --

              The inline payload containing the MCP tool schema definition.

          • listingMode (string) --

            The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.

          • resourcePriority (integer) --

            Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.

        • apiGateway (dict) --

          The configuration for an Amazon API Gateway target.

          • restApiId (string) --

            The ID of the API Gateway REST API.

          • stage (string) --

            The ID of the stage of the REST API to add as a target.

          • apiGatewayToolConfiguration (dict) --

            The configuration for defining REST API tool filters and overrides for the gateway target.

            • toolOverrides (list) --

              A list of explicit tool definitions with optional custom names and descriptions.

              • (dict) --

                Settings to override configurations for a tool.

                • name (string) --

                  The name of the tool. Identifies the tool in the Model Context Protocol.

                • description (string) --

                  The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.

                • path (string) --

                  Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.

                • method (string) --

                  The HTTP method to expose for the specified path.

            • toolFilters (list) --

              A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.

              • (dict) --

                Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.

                • filterPath (string) --

                  Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.

                • methods (list) --

                  The methods to filter for.

                  • (string) --

        • connector (dict) --

          The connector integration configuration for the Model Context Protocol target. This configuration defines how the gateway uses a pre-built connector to communicate with the target.

          • source (dict) --

            The source configuration identifying which connector to use.

            • connectorId (string) --

              The identifier for the connector integration (for example, bedrock-knowledge-bases).

          • enabled (list) --

            A list of tool names to enable from this connector. If absent, all tools provided by the connector are enabled.

            • (string) --

          • configurations (list) --

            A list of per-tool configurations for the connector.

            • (dict) --

              Configuration for a single tool within a connector.

              • name (string) --

                The tool or operation name (for example, retrieve or webSearch).

              • description (string) --

                An agent-facing description override for this tool.

              • parameterValues (document) --

                Parameters to set as fixed or default values when provisioning this tool.

              • parameterOverrides (list) --

                Parameters to expose to the agent at runtime, with optional description overrides.

                • (dict) --

                  Specifies a parameter override for a connector tool, allowing you to control parameter visibility and descriptions.

                  • path (string) --

                    A JSON Pointer path identifying the parameter (for example, /numberOfResults or /filter).

                  • description (string) --

                    An agent-facing description override for this parameter.

                  • visible (boolean) --

                    Whether this parameter is visible to the agent. If not specified, uses the service default.

      • http (dict) --

        The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.

        • agentcoreRuntime (dict) --

          The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.

          • arn (string) --

            The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.

          • qualifier (string) --

            The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.

          • schema (dict) --

            The API schema configuration that defines the structure of the runtime target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

        • passthrough (dict) --

          The passthrough configuration for the HTTP target. A passthrough target forwards requests directly to an external HTTP endpoint.

          • endpoint (string) --

            The HTTPS endpoint that the gateway forwards requests to for this passthrough target.

          • protocolType (string) --

            The application protocol the passthrough target implements. Required for passthrough targets.

          • schema (dict) --

            The API schema configuration that defines the structure of the passthrough target's API.

            • source (dict) --

              Configuration for API schema.

              • s3 (dict) --

                The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.

                • uri (string) --

                  The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.

                • bucketOwnerAccountId (string) --

                  The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.

              • inlinePayload (string) --

                The inline payload containing the API schema definition.

          • stickinessConfiguration (dict) --

            The session stickiness configuration for the passthrough target. This configuration routes requests within the same session to the same target.

            • identifier (string) --

              The expression that identifies where to extract the session identifier from the request (for example, $context.header.x-session-id).

            • timeout (integer) --

              The session stickiness timeout, in seconds. After this duration of inactivity, the session affinity expires. Valid values range from 1 to 86400.

      • inference (dict) --

        The inference configuration for the target. This configuration routes requests to a large language model (LLM) provider.

        • connector (dict) --

          The connector-based inference configuration. Use this option to route requests to an LLM provider through a built-in connector that includes predefined provider rules.

          • source (dict) --

            The source configuration identifying which inference connector to use.

            • connectorId (string) --

              The identifier for the inference connector (for example, bedrock-mantle, openai, or anthropic).

        • provider (dict) --

          The provider-based inference configuration. Use this option to explicitly configure the endpoint, model mapping, and operations for an LLM provider.

          • endpoint (string) --

            The HTTPS endpoint of the inference provider that the gateway forwards requests to.

          • modelMapping (dict) --

            The configuration that translates client-facing model IDs to the model IDs expected by the provider.

            • providerPrefix (dict) --

              The provider prefix configuration used for model ID translation.

              • strip (boolean) --

                Whether clients can omit the provider prefix from model IDs. If true, the gateway accepts model IDs without the prefix and restores the full prefixed form before forwarding to the provider. The default is false.

              • separator (string) --

                The single character that separates the provider prefix from the model name (for example, "."). The default is ".".

          • operations (list) --

            A list of per-operation configurations that map request paths to the models supported for each operation.

            • (dict) --

              The configuration for a specific inference operation, including its request path and the models that the operation supports.

              • path (string) --

                The request path for this operation (for example, /v1/messages or /v1/responses).

              • providerPath (string) --

                The provider path to forward requests to, if it differs from the request path. For example, /anthropic/v1/messages when the provider expects a different path than the client-facing /v1/messages.

              • models (list) --

                The list of models supported for this operation.

                • (dict) --

                  A model entry that specifies a model supported for an inference operation.

                  • model (string) --

                    The model ID or glob pattern that identifies the model (for example, anthropic.claude-opus-* or openai.gpt-oss-*).

    • credentialProviderConfigurations (list) --

      The updated credential provider configurations for the gateway target.

      • (dict) --

        The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.

        • credentialProviderType (string) --

          The type of credential provider. This field specifies which authentication method the gateway uses.

        • credentialProvider (dict) --

          The credential provider. This field contains the specific configuration for the credential provider type.

          • oauthCredentialProvider (dict) --

            The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) --

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

          • apiKeyCredentialProvider (dict) --

            The API key credential provider. This provider uses an API key to authenticate with the target endpoint.

            • providerArn (string) --

              The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.

            • credentialParameterName (string) --

              The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.

            • credentialPrefix (string) --

              The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.

            • credentialLocation (string) --

              The location of the API key credential. This field specifies where in the request the API key should be placed.

          • iamCredentialProvider (dict) --

            The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.

            • service (string) --

              The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.

            • region (string) --

              The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.

    • lastSynchronizedAt (datetime) --

      The date and time at which the targets were last synchronized.

    • metadataConfiguration (dict) --

      The metadata configuration that was applied to the gateway target.

      • allowedRequestHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.

        • (string) --

      • allowedQueryParameters (list) --

        A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.

        • (string) --

      • allowedResponseHeaders (list) --

        A list of HTTP headers that are allowed to be propagated from the target response back to the client.

        • (string) --

    • privateEndpoint (dict) --

      The private endpoint configuration for the gateway target.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) --

          The ID of the VPC that contains your private resource.

        • subnetIds (list) --

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) --

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointManagedResources (list) --

      The managed resources created by the gateway for private endpoint connectivity.

      • (dict) --

        Details of a resource created and managed by the gateway for private endpoint connectivity.

        • domain (string) --

          The domain associated with this managed resource.

        • resourceGatewayArn (string) --

          The ARN of the VPC Lattice resource gateway created in your account.

        • resourceAssociationArn (string) --

          The ARN of the service network resource association.

    • authorizationData (dict) --

      OAuth2 authorization data for the updated gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.

      • oauth2 (dict) --

        OAuth2 authorization data for the gateway target.

        • authorizationUrl (string) --

          The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.

        • userId (string) --

          The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.

    • protocolType (string) --

      The protocol type of the updated gateway target.
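An added example (not part of the AWS documentation or SDK): a local least-privilege check over a gateway target description shaped like the response structure above. The `targetConfiguration` parent key, the `CREDENTIAL_HEADERS` list, the function name and the sample targets are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# Assumption: header names treated as credential-bearing; adjust for your environment.
CREDENTIAL_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}


def audit_gateway_target(target):
    """Return a list of least-privilege findings for one gateway target description."""
    findings = []
    # Assumption: mcp/http/inference sit under 'targetConfiguration' in the response.
    cfg = target.get("targetConfiguration", {})
    mcp, http, inference = cfg.get("mcp", {}), cfg.get("http", {}), cfg.get("inference", {})

    # API Gateway: a wildcard filterPath exposes every path under the prefix as a tool.
    tool_cfg = mcp.get("apiGateway", {}).get("apiGatewayToolConfiguration", {})
    for flt in tool_cfg.get("toolFilters", []):
        if flt.get("filterPath", "").endswith("*"):
            findings.append(f"apiGateway: wildcard filterPath {flt['filterPath']} "
                            f"exposes methods {flt.get('methods', [])}")

    # Connector: a missing 'enabled' list turns on every tool the connector provides.
    connector = mcp.get("connector")
    if connector is not None:
        if "enabled" not in connector:
            findings.append("connector: 'enabled' absent, all connector tools are enabled")
        for tool in connector.get("configurations", []):
            for override in tool.get("parameterOverrides", []):
                if "visible" not in override:
                    findings.append(f"connector: {tool.get('name')}{override.get('path')} "
                                    "visibility left to the service default")

    # MCP server: mcpToolSchema is supported only with an authorization code grant.
    grant_types = {
        p.get("credentialProvider", {}).get("oauthCredentialProvider", {}).get("grantType")
        for p in target.get("credentialProviderConfigurations", [])
    }
    if "mcpToolSchema" in mcp.get("mcpServer", {}) and "AUTHORIZATION_CODE" not in grant_types:
        findings.append("mcpServer: mcpToolSchema set without an AUTHORIZATION_CODE provider")

    # Passthrough: endpoint must be HTTPS; stickiness timeout must be 1..86400 seconds.
    passthrough = http.get("passthrough")
    if passthrough is not None:
        if urlparse(passthrough.get("endpoint", "")).scheme != "https":
            findings.append("passthrough: endpoint is not HTTPS")
        timeout = passthrough.get("stickinessConfiguration", {}).get("timeout")
        if timeout is not None and not 1 <= timeout <= 86400:
            findings.append(f"passthrough: stickiness timeout {timeout} outside 1-86400")

    # Inference provider: a glob model entry admits every model ID that matches it.
    for op in inference.get("provider", {}).get("operations", []):
        for entry in op.get("models", []):
            if "*" in entry.get("model", ""):
                findings.append(f"inference: {op.get('path')} allows glob {entry['model']}")

    # Header propagation: credential-bearing client headers reach the target.
    meta = target.get("metadataConfiguration", {})
    for header in meta.get("allowedRequestHeaders", []):
        if header.lower() in CREDENTIAL_HEADERS:
            findings.append(f"metadata: client header {header} is propagated to the target")
    return findings


# Constructed sample targets (not real resources), one configuration type each.
SAMPLE_API_GATEWAY = {
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "a1b2c3d4e5", "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
            {"filterPath": "/health", "methods": ["GET"]},
        ]},
    }}},
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id", "Authorization"]},
}
SAMPLE_CONNECTOR = {
    "targetConfiguration": {"mcp": {"connector": {
        "source": {"connectorId": "bedrock-knowledge-bases"},
        "configurations": [{"name": "retrieve", "parameterOverrides": [
            {"path": "/numberOfResults", "visible": True},
            {"path": "/filter"},
        ]}],
    }}},
}
SAMPLE_PASSTHROUGH = {
    "targetConfiguration": {"http": {"passthrough": {
        "endpoint": "http://internal.example.com/api",
        "stickinessConfiguration": {"identifier": "$context.header.x-session-id",
                                    "timeout": 172800},
    }}},
}

if __name__ == "__main__":
    for sample in (SAMPLE_API_GATEWAY, SAMPLE_CONNECTOR, SAMPLE_PASSTHROUGH):
        for finding in audit_gateway_target(sample):
            print(finding)
```

The function only reads a dictionary, so it can be run over saved target descriptions during a configuration review without calling the service.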

UpdateHarness (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                        'workloadIdentities': ['string']}}}},
 'memory': {'optionalValue': {'disabled': {},
                              'managedMemoryConfiguration': {'arn': 'string',
                                                             'encryptionKeyArn': 'string',
                                                             'eventExpiryDuration': 'integer',
                                                             'strategies': ['SEMANTIC | SUMMARIZATION | USER_PREFERENCE | EPISODIC']}}},
 'skills': {'awsSkills': {'paths': ['string']}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                  'workloadIdentities': ['string']}}},
             'harnessVersion': 'string',
             'memory': {'disabled': {},
                        'managedMemoryConfiguration': {'arn': 'string',
                                                       'encryptionKeyArn': 'string',
                                                       'eventExpiryDuration': 'integer',
                                                       'strategies': ['SEMANTIC | SUMMARIZATION | USER_PREFERENCE | EPISODIC']}},
             'skills': {'awsSkills': {'paths': ['string']}}}}

Operation to update a harness.

See also: AWS API Documentation

Request Syntax

client.update_harness(
    harnessId='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ],
                    'requireServiceS3Endpoint': True|False
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    },
                    's3FilesAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    },
                    'efsAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'optionalValue': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'converse_stream'|'responses'|'chat_completions',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'chat_completions'|'responses',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        },
        'liteLlmModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'apiBase': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {},
                        'none': {},
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string',
            's3': {
                'uri': 'string'
            },
            'git': {
                'url': 'string',
                'path': 'string',
                'auth': {
                    'credentialArn': 'string',
                    'username': 'string'
                }
            },
            'awsSkills': {
                'paths': [
                    'string',
                ]
            }
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'optionalValue': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        }
    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to update.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

The ARN of the IAM role that the harness assumes when running. If not specified, the existing value is retained.

type environment:

dict

param environment:

The compute environment configuration for the harness. If not specified, the existing value is retained.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated environment artifact value, or null to clear the existing configuration.

    • containerConfiguration (dict) --

      Representation of a container configuration.

      • containerUri (string) -- [REQUIRED]

        The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment. If specified, this replaces all existing environment variables. If not specified, the existing value is retained.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Wrapper for updating an optional AuthorizerConfiguration field with PATCH semantics. When present in an update request, the authorizer configuration is replaced with optionalValue. When absent, the authorizer configuration is left unchanged. To unset, include the wrapper with optionalValue not specified.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation.

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

      • privateEndpointOverrides (list) --

        The private endpoint overrides for the custom JWT authorizer configuration.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

      • allowedWorkloadConfiguration (dict) --

        The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

        • hostingEnvironments (list) --

          The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • (dict) --

            A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • arn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the hosting environment.

        • workloadIdentities (list) --

          The list of workload identities that are allowed to invoke the target.

          • (string) --

type model:

dict

param model:

The model configuration for the harness. If not specified, the existing value is retained.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the Bedrock provider.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the OpenAI provider.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

  • liteLlmModelConfig (dict) --

    The LiteLLM model configuration for connecting to third-party model providers.

    • modelId (string) -- [REQUIRED]

      The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

    • apiKeyArn (string) --

      The ARN of the API key in AgentCore Identity for authenticating with the model provider.

    • apiBase (string) --

      The base URL for the model provider's API endpoint.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • additionalParams (document) --

      Provider-specific parameters passed through to the model provider unchanged.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior. If not specified, the existing value is retained.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent. If specified, this replaces all existing tools. If not specified, the existing value is retained.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Custom headers to include when connecting to the remote MCP server.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How the harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            Use OAuth credentials for outbound authentication to the gateway.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (document) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. If specified, this replaces all existing skills. If not specified, the existing value is retained.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

    • s3 (dict) --

      An S3 source containing the skill.

      • uri (string) -- [REQUIRED]

        The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

    • git (dict) --

      A git repository containing the skill.

      • url (string) -- [REQUIRED]

        The HTTPS URL of the git repository.

      • path (string) --

        Subdirectory within the repository containing the skill.

      • auth (dict) --

        Authentication configuration for private repositories.

        • credentialArn (string) -- [REQUIRED]

          The ARN of the credential in AgentCore Identity containing the password or personal access token.

        • username (string) --

          Username for authentication. Defaults to 'oauth2' if not specified.

    • awsSkills (dict) --

      AWS Skills baked into the harness's underlying Runtime.

      • paths (list) --

        Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

        • (string) --

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. If specified, this replaces all existing allowed tools. If not specified, the existing value is retained.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated memory configuration value, or null to clear the existing configuration.

    • agentCoreMemoryConfiguration (dict) --

      The AgentCore Memory configuration.

      • arn (string) -- [REQUIRED]

        The ARN of the AgentCore Memory resource.

      • actorId (string) --

        The actor ID for memory operations.

      • messagesCount (integer) --

        The number of messages to retrieve from memory.

      • retrievalConfig (dict) --

        The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

        • (string) --

          • (dict) --

            Configuration for memory retrieval within a namespace.

            • topK (integer) --

              The maximum number of memory entries to retrieve.

            • relevanceScore (float) --

              The minimum relevance score for retrieved memories.

            • strategyId (string) --

              The ID of the retrieval strategy to use.

    • managedMemoryConfiguration (dict) --

      Harness creates and manages a memory resource in the customer's account.

      • arn (string) --

        The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

      • strategies (list) --

        Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

        • (string) --

      • eventExpiryDuration (integer) --

        Event retention in days. Defaults to 30.

      • encryptionKeyArn (string) --

        Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

    • disabled (dict) --

      Explicitly opt out of memory.

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context. If not specified, the existing value is retained.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation. If not specified, the existing value is retained.

type maxTokens:

integer

param maxTokens:

The maximum total number of output tokens the agent can generate across all model calls within a single invocation. If not specified, the existing value is retained.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation. If not specified, the existing value is retained.
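
The parameter list above has several semantics that are easy to trip over in a change review: list and map parameters that replace everything already configured, optionalValue wrappers that clear a setting when sent empty, outboundAuth 'none', the HTTPS and credentialArn rules for git skills, and the /mnt mount-path rule. The following pre-flight lint is an added example, not AWS or SDK code; it inspects a plain dict of request arguments and makes no API call. The function names, severity labels and the secret-name heuristic are assumptions of this example, and the sample request is constructed.

```python
import re
from urllib.parse import urlparse

# Parameters documented above as replacing ALL existing entries when specified.
REPLACE_ALL = ("tools", "skills", "allowedTools", "environmentVariables")
# Wrapper parameters: present with optionalValue unset/null clears the setting.
CLEARABLE = ("authorizerConfiguration", "memory", "environmentArtifact")
# Heuristic for names that usually carry credentials (an assumption of this example).
SECRET_NAME = re.compile(r"authorization|api[-_]?key|token|secret|passw", re.I)
RANK = {"HIGH": 0, "MEDIUM": 1, "INFO": 2}


def valid_mount_path(path):
    """True if path is under /mnt with exactly one subdirectory level, e.g. /mnt/data."""
    return bool(re.fullmatch(r"/mnt/[^/\s]+", path or "")) and path not in ("/mnt/.", "/mnt/..")


def lint_harness_update(params):
    """Return (severity, field, message) findings for an update-request dict, worst first."""
    out = []
    for field in REPLACE_ALL:
        if field in params:
            out.append(("INFO", field, "replaces all existing entries; resend the ones to keep"))
    for field in CLEARABLE:
        wrapper = params.get(field)
        if wrapper is not None and wrapper.get("optionalValue") is None:
            # Clearing the inbound authorizer is rated highest by this example's policy.
            sev = "HIGH" if field == "authorizerConfiguration" else "MEDIUM"
            out.append((sev, field, "wrapper without optionalValue clears the existing configuration"))
    for name in params.get("environmentVariables", {}):
        if SECRET_NAME.search(name):
            out.append(("MEDIUM", "environmentVariables", f"{name} looks like a plaintext secret"))
    for i, tool in enumerate(params.get("tools", [])):
        cfg, where = tool.get("config", {}), f"tools[{i}]"
        mcp = cfg.get("remoteMcp")
        if mcp is not None:
            if urlparse(mcp.get("url", "")).scheme != "https":
                out.append(("HIGH", where, "remoteMcp url is not https"))
            for header in mcp.get("headers", {}):
                if SECRET_NAME.search(header):
                    out.append(("MEDIUM", where, f"header {header} embeds a credential in the tool config"))
        gateway = cfg.get("agentCoreGateway") or {}
        if "none" in gateway.get("outboundAuth", {}):
            out.append(("HIGH", where, "outboundAuth is none; the default is awsIam (SigV4)"))
    for i, skill in enumerate(params.get("skills", [])):
        git = skill.get("git")
        if git is not None:
            url = urlparse(git.get("url", ""))
            if url.scheme != "https":
                out.append(("HIGH", f"skills[{i}]", "git url is not https"))
            if url.username or url.password:
                out.append(("HIGH", f"skills[{i}]", "credential in git url; use auth.credentialArn"))
    runtime = params.get("environment", {}).get("agentCoreRuntimeEnvironment", {})
    for i, fs in enumerate(runtime.get("filesystemConfigurations", [])):
        for kind, conf in fs.items():
            if not valid_mount_path(conf.get("mountPath")):
                out.append(("HIGH", f"filesystemConfigurations[{i}].{kind}", "mountPath must be /mnt/<name>"))
    # sorted() is stable, so findings of equal severity keep the order they were found in.
    return sorted(out, key=lambda finding: RANK[finding[0]])


# Constructed sample request; every ARN, URL, name and value below is made up.
SAMPLE = {
    "harnessId": "harness-EXAMPLE",
    "authorizerConfiguration": {},
    "environmentVariables": {"LOG_LEVEL": "debug", "UPSTREAM_API_KEY": "constructed-value"},
    "tools": [
        {"type": "remote_mcp", "name": "search",
         "config": {"remoteMcp": {"url": "http://mcp.example.internal/mcp",
                                  "headers": {"Authorization": "Bearer constructed"}}}},
        {"type": "agentcore_gateway",
         "config": {"agentCoreGateway": {
             "gatewayArn": "arn:aws:bedrock-agentcore:us-east-1:111122223333:gateway/EXAMPLE",
             "outboundAuth": {"none": {}}}}},
    ],
    "skills": [{"git": {"url": "https://bot:constructed@git.example.com/skills.git"}}],
    "environment": {"agentCoreRuntimeEnvironment": {"filesystemConfigurations": [
        {"sessionStorage": {"mountPath": "/mnt/data/cache"}}]}},
}

if __name__ == "__main__":
    for severity, field, message in lint_harness_update(SAMPLE):
        print(f"{severity:<6} {field}: {message}")
```

Running the lint on a diff of the current harness definition against the proposed request, rather than on the request alone, would also show which existing tools or skills a replace-all parameter is about to drop.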

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The updated harness.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (document) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How the harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (document) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation.

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see "Route traffic through an intermediate domain".

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.
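
The response structure above carries several settings that decide how exposed a harness is: gateway outboundAuth, the allowedTools default, networkMode, the JWT authorizer restrictions, mount paths and the memory KMS key. The following is an added example, not part of the AWS documentation or SDK: a review function over one 'harness' dict. The severity labels, the header-name list, the mount-path regex and the sample values are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# My reading of the rule "under /mnt with exactly one subdirectory level".
MOUNT_RE = re.compile(r"/mnt/[^/]+")
# Header names that normally carry a credential (heuristic list, an assumption).
SENSITIVE_HEADERS = {"authorization", "x-api-key", "cookie", "proxy-authorization"}
RESTRICTIONS = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
RUNTIME = "environment.agentCoreRuntimeEnvironment"


def _is_https(url):
    return urlparse(url or "").scheme.lower() == "https"


def audit_harness(harness):
    """Return (severity, field_path, message) tuples for one harness dict."""
    findings = []

    def add(severity, path, message):
        findings.append((severity, path, message))

    for i, tool in enumerate(harness.get("tools") or []):
        cfg = tool.get("config") or {}
        base = f"tools[{i}].config"
        gateway = cfg.get("agentCoreGateway")
        # An omitted outboundAuth defaults to AWS_IAM (SigV4); only 'none' is flagged.
        if gateway and "none" in (gateway.get("outboundAuth") or {}):
            add("HIGH", f"{base}.agentCoreGateway.outboundAuth",
                "gateway is called with no authentication")
        mcp = cfg.get("remoteMcp")
        if mcp:
            if not _is_https(mcp.get("url")):
                add("HIGH", f"{base}.remoteMcp.url", "remote MCP endpoint is not HTTPS")
            for name in mcp.get("headers") or {}:
                if name.lower() in SENSITIVE_HEADERS:
                    add("MEDIUM", f"{base}.remoteMcp.headers.{name}",
                        "credential-bearing header stored in the harness config")

    for i, skill in enumerate(harness.get("skills") or []):
        git = skill.get("git")
        if git and not _is_https(git.get("url")):
            add("HIGH", f"skills[{i}].git.url", "skill git source is not an HTTPS URL")

    if not harness.get("allowedTools"):
        add("MEDIUM", "allowedTools", "no allow-list: all tools are allowed by default")

    runtime = (harness.get("environment") or {}).get("agentCoreRuntimeEnvironment") or {}
    net = runtime.get("networkConfiguration") or {}
    if net.get("networkMode") == "PUBLIC":
        add("MEDIUM", f"{RUNTIME}.networkConfiguration.networkMode",
            "runtime uses PUBLIC network mode")
    elif (net.get("networkModeConfig") or {}).get("requireServiceS3Endpoint") is True:
        add("LOW", f"{RUNTIME}.networkConfiguration.networkModeConfig.requireServiceS3Endpoint",
            "service-managed S3 gateway remains provisioned next to the VPC")
    for i, fs in enumerate(runtime.get("filesystemConfigurations") or []):
        for kind, conf in fs.items():
            if not MOUNT_RE.fullmatch(conf.get("mountPath") or ""):
                add("LOW", f"{RUNTIME}.filesystemConfigurations[{i}].{kind}.mountPath",
                    "mount path is not /mnt/<one-directory>")

    jwt = (harness.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt:
        if not _is_https(jwt.get("discoveryUrl")):
            add("HIGH", "authorizerConfiguration.customJWTAuthorizer.discoveryUrl",
                "discovery URL is not HTTPS")
        if not any(jwt.get(key) for key in RESTRICTIONS):
            add("HIGH", "authorizerConfiguration.customJWTAuthorizer",
                "no audience, client, scope or custom-claim restriction is set")

    managed = (harness.get("memory") or {}).get("managedMemoryConfiguration")
    if managed and not managed.get("encryptionKeyArn"):
        add("LOW", "memory.managedMemoryConfiguration.encryptionKeyArn",
            "no customer-managed KMS key: the AWS-owned key is used")
    return findings


# Constructed sample (placeholder ARNs and hosts), not real service output.
SAMPLE_HARNESS = {
    "harnessName": "demo_harness",
    "tools": [
        {"name": "tickets", "config": {"agentCoreGateway": {
            "gatewayArn": "arn:EXAMPLE-gateway", "outboundAuth": {"none": {}}}}},
        {"name": "search", "config": {"remoteMcp": {
            "url": "http://mcp.example.internal/mcp",
            "headers": {"Authorization": "Bearer EXAMPLE"}}}},
    ],
    "skills": [{"git": {"url": "https://git.example.com/skills.git", "path": "triage"}}],
    "environment": {"agentCoreRuntimeEnvironment": {
        "networkConfiguration": {"networkMode": "VPC", "networkModeConfig": {
            "subnets": ["subnet-EXAMPLE"], "securityGroups": ["sg-EXAMPLE"],
            "requireServiceS3Endpoint": True}},
        "filesystemConfigurations": [{"sessionStorage": {"mountPath": "/mnt/data/cache"}}]}},
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration"}},
    "memory": {"managedMemoryConfiguration": {"strategies": ["SEMANTIC"]}},
}

if __name__ == "__main__":
    for severity, path, message in audit_harness(SAMPLE_HARNESS):
        print(f"{severity:6} {path}: {message}")
```
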

UpdateMemory (updated)
Changes (response)
{'memory': {'managedByResourceArn': 'string'}}

Updates an Amazon Bedrock AgentCore Memory resource.

See also: AWS API Documentation

Request Syntax

client.update_memory(
    clientToken='string',
    memoryId='string',
    description='string',
    eventExpiryDuration=123,
    memoryExecutionRoleArn='string',
    memoryStrategies={
        'addMemoryStrategies': [
            {
                'semanticMemoryStrategy': {
                    'name': 'string',
                    'description': 'string',
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                },
                'summaryMemoryStrategy': {
                    'name': 'string',
                    'description': 'string',
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                },
                'userPreferenceMemoryStrategy': {
                    'name': 'string',
                    'description': 'string',
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                },
                'customMemoryStrategy': {
                    'name': 'string',
                    'description': 'string',
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'configuration': {
                        'semanticOverride': {
                            'extraction': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'consolidation': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        },
                        'summaryOverride': {
                            'consolidation': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        },
                        'userPreferenceOverride': {
                            'extraction': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'consolidation': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        },
                        'episodicOverride': {
                            'extraction': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'consolidation': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'reflection': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ],
                                'namespaceTemplates': [
                                    'string',
                                ],
                                'memoryRecordSchema': {
                                    'metadataSchema': [
                                        {
                                            'key': 'string',
                                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                            'extractionConfig': {
                                                'llmExtractionConfig': {
                                                    'llmExtractionInstruction': 'string',
                                                    'definition': 'string',
                                                    'validation': {
                                                        'stringValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ]
                                                        },
                                                        'stringListValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ],
                                                            'maxItems': 123
                                                        },
                                                        'numberValidation': {
                                                            'minValue': 123.0,
                                                            'maxValue': 123.0
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                    ]
                                }
                            }
                        },
                        'selfManagedConfiguration': {
                            'triggerConditions': [
                                {
                                    'messageBasedTrigger': {
                                        'messageCount': 123
                                    },
                                    'tokenBasedTrigger': {
                                        'tokenCount': 123
                                    },
                                    'timeBasedTrigger': {
                                        'idleSessionTimeout': 123
                                    }
                                },
                            ],
                            'invocationConfiguration': {
                                'topicArn': 'string',
                                'payloadDeliveryBucketName': 'string'
                            },
                            'historicalContextWindowSize': 123
                        }
                    },
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                },
                'episodicMemoryStrategy': {
                    'name': 'string',
                    'description': 'string',
                    'namespaces': [
                        'string',
                    ],
                    'namespaceTemplates': [
                        'string',
                    ],
                    'reflectionConfiguration': {
                        'namespaces': [
                            'string',
                        ],
                        'namespaceTemplates': [
                            'string',
                        ],
                        'memoryRecordSchema': {
                            'metadataSchema': [
                                {
                                    'key': 'string',
                                    'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                    'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                    'extractionConfig': {
                                        'llmExtractionConfig': {
                                            'llmExtractionInstruction': 'string',
                                            'definition': 'string',
                                            'validation': {
                                                'stringValidation': {
                                                    'allowedValues': [
                                                        'string',
                                                    ]
                                                },
                                                'stringListValidation': {
                                                    'allowedValues': [
                                                        'string',
                                                    ],
                                                    'maxItems': 123
                                                },
                                                'numberValidation': {
                                                    'minValue': 123.0,
                                                    'maxValue': 123.0
                                                }
                                            }
                                        }
                                    }
                                },
                            ]
                        }
                    },
                    'memoryRecordSchema': {
                        'metadataSchema': [
                            {
                                'key': 'string',
                                'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                'extractionConfig': {
                                    'llmExtractionConfig': {
                                        'llmExtractionInstruction': 'string',
                                        'definition': 'string',
                                        'validation': {
                                            'stringValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ]
                                            },
                                            'stringListValidation': {
                                                'allowedValues': [
                                                    'string',
                                                ],
                                                'maxItems': 123
                                            },
                                            'numberValidation': {
                                                'minValue': 123.0,
                                                'maxValue': 123.0
                                            }
                                        }
                                    }
                                }
                            },
                        ]
                    }
                }
            },
        ],
        'modifyMemoryStrategies': [
            {
                'memoryStrategyId': 'string',
                'description': 'string',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'configuration': {
                    'extraction': {
                        'customExtractionConfiguration': {
                            'semanticExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'consolidation': {
                        'customConsolidationConfiguration': {
                            'semanticConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'summaryConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'reflection': {
                        'episodicReflectionConfiguration': {
                            'namespaces': [
                                'string',
                            ],
                            'namespaceTemplates': [
                                'string',
                            ],
                            'memoryRecordSchema': {
                                'metadataSchema': [
                                    {
                                        'key': 'string',
                                        'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                        'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                        'extractionConfig': {
                                            'llmExtractionConfig': {
                                                'llmExtractionInstruction': 'string',
                                                'definition': 'string',
                                                'validation': {
                                                    'stringValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ]
                                                    },
                                                    'stringListValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ],
                                                        'maxItems': 123
                                                    },
                                                    'numberValidation': {
                                                        'minValue': 123.0,
                                                        'maxValue': 123.0
                                                    }
                                                }
                                            }
                                        }
                                    },
                                ]
                            }
                        },
                        'customReflectionConfiguration': {
                            'episodicReflectionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ],
                                'namespaceTemplates': [
                                    'string',
                                ],
                                'memoryRecordSchema': {
                                    'metadataSchema': [
                                        {
                                            'key': 'string',
                                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                            'extractionConfig': {
                                                'llmExtractionConfig': {
                                                    'llmExtractionInstruction': 'string',
                                                    'definition': 'string',
                                                    'validation': {
                                                        'stringValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ]
                                                        },
                                                        'stringListValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ],
                                                            'maxItems': 123
                                                        },
                                                        'numberValidation': {
                                                            'minValue': 123.0,
                                                            'maxValue': 123.0
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                    ]
                                }
                            }
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
        ],
        'deleteMemoryStrategies': [
            {
                'memoryStrategyId': 'string'
            },
        ]
    },
    addIndexedKeys=[
        {
            'key': 'string',
            'type': 'STRING'|'STRINGLIST'|'NUMBER'
        },
    ],
    streamDeliveryResources={
        'resources': [
            {
                'kinesis': {
                    'dataStreamArn': 'string',
                    'contentConfigurations': [
                        {
                            'type': 'MEMORY_RECORDS',
                            'level': 'METADATA_ONLY'|'FULL_CONTENT'
                        },
                    ]
                }
            },
        ]
    }
)
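
The parameter descriptions for this operation state constraints that the request template does not show: eventExpiryDuration must be between 7 and 365 days, a metadata key must match an indexed key to be queryable, and extractionConfig applies only to LLM_INFERRED fields. The pre-flight check below is an added example, not part of the AWS documentation or SDK; the function names, the `already_indexed` argument, the constructed sample request, and the rule that flags FULL_CONTENT stream delivery for review are assumptions of this example.

```python
"""Pre-flight checks for update_memory keyword arguments (added example)."""

VALUE_TYPES = {"STRING", "STRINGLIST", "NUMBER"}
EXTRACTION_TYPES = {"LLM_INFERRED", "STRICTLY_CONSISTENT"}
# Validation block that belongs to each metadata type, per the field docs.
VALIDATION_FOR_TYPE = {
    "STRING": "stringValidation",
    "STRINGLIST": "stringListValidation",
    "NUMBER": "numberValidation",
}


def _check_field(field, path, indexed, out):
    """Check one metadataSchema entry against the documented rules."""
    key = field.get("key")
    if not key:
        out.append(f"{path}: 'key' is required")
    elif key not in indexed:
        out.append(f"{path}: key '{key}' matches no indexed key, not queryable")
    ftype, etype = field.get("type"), field.get("extractionType")
    if ftype is not None and ftype not in VALUE_TYPES:
        out.append(f"{path}: unknown type {ftype!r}")
    if etype is not None and etype not in EXTRACTION_TYPES:
        out.append(f"{path}: unknown extractionType {etype!r}")
    cfg = field.get("extractionConfig")
    if cfg is None:
        return
    if etype is not None and etype != "LLM_INFERRED":
        out.append(f"{path}: extractionConfig applies only to LLM_INFERRED")
    llm = cfg.get("llmExtractionConfig") or {}
    if "llmExtractionConfig" in cfg and not llm.get("definition"):
        out.append(f"{path}: llmExtractionConfig.definition is required")
    validation = llm.get("validation") or {}
    for block in validation:
        if ftype in VALIDATION_FOR_TYPE and block != VALIDATION_FOR_TYPE[ftype]:
            out.append(f"{path}: {block} does not apply to type {ftype}")
    sv = validation.get("stringValidation")
    if sv is not None and not sv.get("allowedValues"):
        out.append(f"{path}: stringValidation.allowedValues is required")


def _walk(node, path, indexed, out):
    """memoryRecordSchema appears at several nesting levels, so search all."""
    if isinstance(node, dict):
        for k, v in node.items():
            here = f"{path}.{k}"
            if k == "namespaces" and v:
                out.append(f"{here}: legacy parameter, use namespaceTemplates")
            elif k == "metadataSchema" and isinstance(v, list):
                for i, field in enumerate(v):
                    _check_field(field, f"{here}[{i}]", indexed, out)
            else:
                _walk(v, here, indexed, out)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            _walk(item, f"{path}[{i}]", indexed, out)


def check_update_memory_args(kwargs, already_indexed=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    out = []
    if not kwargs.get("memoryId"):
        out.append("memoryId: required")
    days = kwargs.get("eventExpiryDuration")
    if days is not None and not 7 <= days <= 365:
        out.append(f"eventExpiryDuration: {days} is outside 7..365 days")
    # already_indexed: keys the caller knows are indexed on the resource
    # (assumption of this example; the page does not say how to list them).
    indexed = set(already_indexed)
    indexed |= {k.get("key") for k in kwargs.get("addIndexedKeys", [])}
    _walk(kwargs.get("memoryStrategies", {}), "memoryStrategies", indexed, out)
    # Local policy assumption: full record content leaving for a stream
    # should be a reviewed decision, METADATA_ONLY passes silently.
    for res in kwargs.get("streamDeliveryResources", {}).get("resources", []):
        kinesis = res.get("kinesis", {})
        for conf in kinesis.get("contentConfigurations", []):
            if conf.get("level") == "FULL_CONTENT":
                arn = kinesis.get("dataStreamArn")
                out.append(f"streamDeliveryResources: FULL_CONTENT to {arn}, review")
    return out


# Constructed sample request; every identifier below is a placeholder.
SAMPLE = {
    "memoryId": "mem-EXAMPLE",
    "eventExpiryDuration": 3,
    "addIndexedKeys": [{"key": "priority", "type": "STRING"}],
    "memoryStrategies": {"addMemoryStrategies": [{"semanticMemoryStrategy": {
        "name": "facts",
        "namespaces": ["support/tickets"],
        "memoryRecordSchema": {"metadataSchema": [
            {"key": "priority", "type": "STRING", "extractionType": "LLM_INFERRED",
             "extractionConfig": {"llmExtractionConfig": {
                 "definition": "Ticket priority",
                 "validation": {"stringValidation": {"allowedValues": ["low", "high"]}}}}},
            {"key": "region", "type": "NUMBER", "extractionType": "STRICTLY_CONSISTENT",
             "extractionConfig": {"llmExtractionConfig": {
                 "validation": {"stringValidation": {"allowedValues": []}}}}},
        ]},
    }}]},
    "streamDeliveryResources": {"resources": [{"kinesis": {
        "dataStreamArn": "arn:aws:kinesis:us-east-1:111122223333:stream/EXAMPLE",
        "contentConfigurations": [{"type": "MEMORY_RECORDS", "level": "FULL_CONTENT"}]}}]},
}

if __name__ == "__main__":
    for finding in check_update_memory_args(SAMPLE):
        print(finding)
```
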
type clientToken:

string

param clientToken:

A client token used to keep track of idempotent requests. It can contain a session ID, which can be around 250 characters, combined with a unique AWS identifier.

This field is autopopulated if not provided.

type memoryId:

string

param memoryId:

[REQUIRED]

The unique identifier of the memory to update.

type description:

string

param description:

The updated description of the AgentCore Memory resource.

type eventExpiryDuration:

integer

param eventExpiryDuration:

The number of days after which memory events will expire, between 7 and 365 days.

type memoryExecutionRoleArn:

string

param memoryExecutionRoleArn:

The ARN of the IAM role that provides permissions for the AgentCore Memory resource.

type memoryStrategies:

dict

param memoryStrategies:

The memory strategies to add, modify, or delete.

  • addMemoryStrategies (list) --

    The list of memory strategies to add.

    • (dict) --

      Contains input information for creating a memory strategy.

      • semanticMemoryStrategy (dict) --

        Input for creating a semantic memory strategy.

        • name (string) -- [REQUIRED]

          The name of the semantic memory strategy.

        • description (string) --

          The description of the semantic memory strategy.

        • namespaces (list) --

          This is a legacy parameter; use namespaceTemplates instead. The namespaces associated with the semantic memory strategy.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates associated with the semantic memory strategy.

          • (string) --

        • memoryRecordSchema (dict) --

          Schema for metadata on memory records generated by a strategy.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM_INFERRED.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

      • summaryMemoryStrategy (dict) --

        Input for creating a summary memory strategy.

        • name (string) -- [REQUIRED]

          The name of the summary memory strategy.

        • description (string) --

          The description of the summary memory strategy.

        • namespaces (list) --

          This is a legacy parameter; use namespaceTemplates instead. The namespaces associated with the summary memory strategy.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates associated with the summary memory strategy.

          • (string) --

        • memoryRecordSchema (dict) --

          Schema for metadata fields on records generated by this strategy.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

      • userPreferenceMemoryStrategy (dict) --

        Input for creating a user preference memory strategy.

        • name (string) -- [REQUIRED]

          The name of the user preference memory strategy.

        • description (string) --

          The description of the user preference memory strategy.

        • namespaces (list) --

          This is a legacy parameter; use namespaceTemplates instead. The namespaces associated with the user preference memory strategy.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates associated with the user preference memory strategy.

          • (string) --

        • memoryRecordSchema (dict) --

          Schema for metadata fields on records generated by this strategy.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

      • customMemoryStrategy (dict) --

        Input for creating a custom memory strategy.

        • name (string) -- [REQUIRED]

          The name of the custom memory strategy.

        • description (string) --

          The description of the custom memory strategy.

        • namespaces (list) --

          This is a legacy parameter; use namespaceTemplates instead. The namespaces associated with the custom memory strategy.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates associated with the custom memory strategy.

          • (string) --

        • configuration (dict) --

          The configuration for the custom memory strategy.

          • semanticOverride (dict) --

            The semantic override configuration for a custom memory strategy.

            • extraction (dict) --

              The extraction configuration for a semantic override.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for semantic extraction.

              • modelId (string) -- [REQUIRED]

                The model ID to use for semantic extraction.

            • consolidation (dict) --

              The consolidation configuration for a semantic override.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for semantic consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for semantic consolidation.

          • summaryOverride (dict) --

            The summary override configuration for a custom memory strategy.

            • consolidation (dict) --

              The consolidation configuration for a summary override.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for summary consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for summary consolidation.

          • userPreferenceOverride (dict) --

            The user preference override configuration for a custom memory strategy.

            • extraction (dict) --

              The extraction configuration for a user preference override.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for user preference extraction.

              • modelId (string) -- [REQUIRED]

                The model ID to use for user preference extraction.

            • consolidation (dict) --

              The consolidation configuration for a user preference override.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for user preference consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for user preference consolidation.

          • episodicOverride (dict) --

            The episodic memory strategy override configuration for a custom memory strategy.

            • extraction (dict) --

              Contains configurations for overriding the extraction step of the episodic memory strategy.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the extraction step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the extraction step of the episodic memory strategy.

            • consolidation (dict) --

              Contains configurations for overriding the consolidation step of the episodic memory strategy.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the consolidation step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the consolidation step of the episodic memory strategy.

            • reflection (dict) --

              Contains configurations for overriding the reflection step of the episodic memory strategy.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the reflection step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the reflection step of the episodic memory strategy.

              • namespaces (list) --

                This is a legacy parameter; use namespaceTemplates instead. The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.

                • (string) --

              • namespaceTemplates (list) --

                The namespaceTemplates to use for episodic reflection. Can be less nested than the episodic namespaces.

                • (string) --

              • memoryRecordSchema (dict) --

                Schema for metadata fields on records generated by this reflection override.

                • metadataSchema (list) --

                  The metadata field definitions for this strategy.

                  • (dict) --

                    A metadata field definition within a strategy's schema.

                    • key (string) -- [REQUIRED]

                      The metadata field name. Must match an indexed key to be queryable via metadata filters.

                    • type (string) --

                      The MetadataValueType.

                    • extractionType (string) --

                      Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                    • extractionConfig (dict) --

                      Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                      • llmExtractionConfig (dict) --

                        Model-based extraction using a definition and instructions.

                        • llmExtractionInstruction (string) --

                          Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                        • definition (string) -- [REQUIRED]

                          Description of what this metadata field represents.

                        • validation (dict) --

                          Validation rules to constrain extracted values.

                          • stringValidation (dict) --

                            Validation for STRING fields.

                            • allowedValues (list) -- [REQUIRED]

                              Allowed values for this STRING field.

                              • (string) --

                          • stringListValidation (dict) --

                            Validation for STRINGLIST fields.

                            • allowedValues (list) --

                              Allowed values for items in this STRINGLIST field.

                              • (string) --

                            • maxItems (integer) --

                              Maximum number of items in the string list.

                          • numberValidation (dict) --

                            Validation for NUMBER fields.

                            • minValue (float) --

                              Minimum allowed value.

                            • maxValue (float) --

                              Maximum allowed value.

          • selfManagedConfiguration (dict) --

            The self-managed configuration for a custom memory strategy.

            • triggerConditions (list) --

              A list of conditions that trigger memory processing.

              • (dict) --

                Condition that triggers memory processing.

                • messageBasedTrigger (dict) --

                  Message-based trigger configuration.

                  • messageCount (integer) --

                    The number of messages that trigger memory processing.

                • tokenBasedTrigger (dict) --

                  Token-based trigger configuration.

                  • tokenCount (integer) --

                    Number of tokens that trigger memory processing.

                • timeBasedTrigger (dict) --

                  Time-based trigger configuration.

                  • idleSessionTimeout (integer) --

                    Idle session timeout (seconds) that triggers memory processing.

            • invocationConfiguration (dict) -- [REQUIRED]

              Configuration to invoke a self-managed memory processing pipeline with.

              • topicArn (string) -- [REQUIRED]

                The ARN of the SNS topic for job notifications.

              • payloadDeliveryBucketName (string) -- [REQUIRED]

                The S3 bucket name for event payload delivery.

            • historicalContextWindowSize (integer) --

              Number of historical messages to include in processing context.

        • memoryRecordSchema (dict) --

          Schema for metadata fields on records generated by this strategy.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

      • episodicMemoryStrategy (dict) --

        Input for creating an episodic memory strategy.

        • name (string) -- [REQUIRED]

          The name of the episodic memory strategy.

        • description (string) --

          The description of the episodic memory strategy.

        • namespaces (list) --

          This is a legacy parameter; use namespaceTemplates instead. The namespaces for which to create episodes.

          • (string) --

        • namespaceTemplates (list) --

          The namespaceTemplates for which to create episodes.

          • (string) --

        • reflectionConfiguration (dict) --

          The configuration for the reflections created with the episodic memory strategy.

          • namespaces (list) --

            This is a legacy parameter; use namespaceTemplates instead. The namespaces over which to create reflections. Can be less nested than episode namespaces.

            • (string) --

          • namespaceTemplates (list) --

            The namespaceTemplates over which to create reflections. Can be less nested than episode namespaces.

            • (string) --

          • memoryRecordSchema (dict) --

            Schema for metadata fields on records generated by reflections.

            • metadataSchema (list) --

              The metadata field definitions for this strategy.

              • (dict) --

                A metadata field definition within a strategy's schema.

                • key (string) -- [REQUIRED]

                  The metadata field name. Must match an indexed key to be queryable via metadata filters.

                • type (string) --

                  The MetadataValueType.

                • extractionType (string) --

                  Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                • extractionConfig (dict) --

                  Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                  • llmExtractionConfig (dict) --

                    Model-based extraction using a definition and instructions.

                    • llmExtractionInstruction (string) --

                      Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                    • definition (string) -- [REQUIRED]

                      Description of what this metadata field represents.

                    • validation (dict) --

                      Validation rules to constrain extracted values.

                      • stringValidation (dict) --

                        Validation for STRING fields.

                        • allowedValues (list) -- [REQUIRED]

                          Allowed values for this STRING field.

                          • (string) --

                      • stringListValidation (dict) --

                        Validation for STRINGLIST fields.

                        • allowedValues (list) --

                          Allowed values for items in this STRINGLIST field.

                          • (string) --

                        • maxItems (integer) --

                          Maximum number of items in the string list.

                      • numberValidation (dict) --

                        Validation for NUMBER fields.

                        • minValue (float) --

                          Minimum allowed value.

                        • maxValue (float) --

                          Maximum allowed value.

        • memoryRecordSchema (dict) --

          Schema for metadata fields on records generated by this strategy.

          • metadataSchema (list) --

            The metadata field definitions for this strategy.

            • (dict) --

              A metadata field definition within a strategy's schema.

              • key (string) -- [REQUIRED]

                The metadata field name. Must match an indexed key to be queryable via metadata filters.

              • type (string) --

                The MetadataValueType.

              • extractionType (string) --

                Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

              • extractionConfig (dict) --

                Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                • llmExtractionConfig (dict) --

                  Model-based extraction using a definition and instructions.

                  • llmExtractionInstruction (string) --

                    Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                  • definition (string) -- [REQUIRED]

                    Description of what this metadata field represents.

                  • validation (dict) --

                    Validation rules to constrain extracted values.

                    • stringValidation (dict) --

                      Validation for STRING fields.

                      • allowedValues (list) -- [REQUIRED]

                        Allowed values for this STRING field.

                        • (string) --

                    • stringListValidation (dict) --

                      Validation for STRINGLIST fields.

                      • allowedValues (list) --

                        Allowed values for items in this STRINGLIST field.

                        • (string) --

                      • maxItems (integer) --

                        Maximum number of items in the string list.

                    • numberValidation (dict) --

                      Validation for NUMBER fields.

                      • minValue (float) --

                        Minimum allowed value.

                      • maxValue (float) --

                        Maximum allowed value.

  • modifyMemoryStrategies (list) --

    The list of memory strategies to modify.

    • (dict) --

      Input for modifying a memory strategy.

      • memoryStrategyId (string) -- [REQUIRED]

        The unique identifier of the memory strategy to modify.

      • description (string) --

        The updated description of the memory strategy.

      • namespaces (list) --

        This is a legacy parameter; use namespaceTemplates instead. The updated namespaces for the memory strategy.

        • (string) --

      • namespaceTemplates (list) --

        The updated namespaceTemplates for the memory strategy.

        • (string) --

      • configuration (dict) --

        The updated configuration for the memory strategy.

        • extraction (dict) --

          The updated extraction configuration.

          • customExtractionConfiguration (dict) --

            The updated custom extraction configuration.

            • semanticExtractionOverride (dict) --

              The semantic extraction override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for semantic extraction.

              • modelId (string) -- [REQUIRED]

                The model ID to use for semantic extraction.

            • userPreferenceExtractionOverride (dict) --

              The user preference extraction override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for user preference extraction.

              • modelId (string) -- [REQUIRED]

                The model ID to use for user preference extraction.

            • episodicExtractionOverride (dict) --

              Configurations to override the extraction step of the episodic strategy.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the extraction step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the extraction step of the episodic memory strategy.

        • consolidation (dict) --

          The updated consolidation configuration.

          • customConsolidationConfiguration (dict) --

            The updated custom consolidation configuration.

            • semanticConsolidationOverride (dict) --

              The semantic consolidation override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for semantic consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for semantic consolidation.

            • summaryConsolidationOverride (dict) --

              The summary consolidation override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for summary consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for summary consolidation.

            • userPreferenceConsolidationOverride (dict) --

              The user preference consolidation override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for user preference consolidation.

              • modelId (string) -- [REQUIRED]

                The model ID to use for user preference consolidation.

            • episodicConsolidationOverride (dict) --

              Configurations to override the consolidation step of the episodic strategy.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the consolidation step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the consolidation step of the episodic memory strategy.

        • reflection (dict) --

          The updated reflection configuration.

          • episodicReflectionConfiguration (dict) --

            The updated episodic reflection configuration.

            • namespaces (list) --

              This is a legacy parameter; use namespaceTemplates instead. The namespaces over which to create reflections. Can be less nested than episode namespaces.

              • (string) --

            • namespaceTemplates (list) --

              The namespaceTemplates over which to create reflections. Can be less nested than episode namespaces.

              • (string) --

            • memoryRecordSchema (dict) --

              Schema for metadata fields on records generated by reflections.

              • metadataSchema (list) --

                The metadata field definitions for this strategy.

                • (dict) --

                  A metadata field definition within a strategy's schema.

                  • key (string) -- [REQUIRED]

                    The metadata field name. Must match an indexed key to be queryable via metadata filters.

                  • type (string) --

                    The MetadataValueType.

                  • extractionType (string) --

                    Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                  • extractionConfig (dict) --

                    Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                    • llmExtractionConfig (dict) --

                      Model-based extraction using a definition and instructions.

                      • llmExtractionInstruction (string) --

                        Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                      • definition (string) -- [REQUIRED]

                        Description of what this metadata field represents.

                      • validation (dict) --

                        Validation rules to constrain extracted values.

                        • stringValidation (dict) --

                          Validation for STRING fields.

                          • allowedValues (list) -- [REQUIRED]

                            Allowed values for this STRING field.

                            • (string) --

                        • stringListValidation (dict) --

                          Validation for STRINGLIST fields.

                          • allowedValues (list) --

                            Allowed values for items in this STRINGLIST field.

                            • (string) --

                          • maxItems (integer) --

                            Maximum number of items in the string list.

                        • numberValidation (dict) --

                          Validation for NUMBER fields.

                          • minValue (float) --

                            Minimum allowed value.

                          • maxValue (float) --

                            Maximum allowed value.

          • customReflectionConfiguration (dict) --

            The updated custom reflection configuration.

            • episodicReflectionOverride (dict) --

              The reflection override configuration input.

              • appendToPrompt (string) -- [REQUIRED]

                The text to append to the prompt for the reflection step of the episodic memory strategy.

              • modelId (string) -- [REQUIRED]

                The model ID to use for the reflection step of the episodic memory strategy.

              • namespaces (list) --

                This is a legacy parameter; use namespaceTemplates instead. The namespaces to use for episodic reflection. Can be less nested than the episodic namespaces.

                • (string) --

              • namespaceTemplates (list) --

                The namespaceTemplates to use for episodic reflection. Can be less nested than the episodic namespaces.

                • (string) --

              • memoryRecordSchema (dict) --

                Schema for metadata fields on records generated by this reflection override.

                • metadataSchema (list) --

                  The metadata field definitions for this strategy.

                  • (dict) --

                    A metadata field definition within a strategy's schema.

                    • key (string) -- [REQUIRED]

                      The metadata field name. Must match an indexed key to be queryable via metadata filters.

                    • type (string) --

                      The MetadataValueType.

                    • extractionType (string) --

                      Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                    • extractionConfig (dict) --

                      Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                      • llmExtractionConfig (dict) --

                        Model-based extraction using a definition and instructions.

                        • llmExtractionInstruction (string) --

                          Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                        • definition (string) -- [REQUIRED]

                          Description of what this metadata field represents.

                        • validation (dict) --

                          Validation rules to constrain extracted values.

                          • stringValidation (dict) --

                            Validation for STRING fields.

                            • allowedValues (list) -- [REQUIRED]

                              Allowed values for this STRING field.

                              • (string) --

                          • stringListValidation (dict) --

                            Validation for STRINGLIST fields.

                            • allowedValues (list) --

                              Allowed values for items in this STRINGLIST field.

                              • (string) --

                            • maxItems (integer) --

                              Maximum number of items in the string list.

                          • numberValidation (dict) --

                            Validation for NUMBER fields.

                            • minValue (float) --

                              Minimum allowed value.

                            • maxValue (float) --

                              Maximum allowed value.

        • selfManagedConfiguration (dict) --

          The updated self-managed configuration.

          • triggerConditions (list) --

            The updated list of conditions that trigger memory processing.

            • (dict) --

              Condition that triggers memory processing.

              • messageBasedTrigger (dict) --

                Message based trigger configuration.

                • messageCount (integer) --

                  The number of messages that trigger memory processing.

              • tokenBasedTrigger (dict) --

                Token based trigger configuration.

                • tokenCount (integer) --

                  Number of tokens that trigger memory processing.

              • timeBasedTrigger (dict) --

                Time based trigger configuration.

                • idleSessionTimeout (integer) --

                  Idle session timeout (seconds) that triggers memory processing.

          • invocationConfiguration (dict) --

            The updated configuration to invoke self-managed memory processing pipeline.

            • topicArn (string) --

              The updated ARN of the SNS topic for job notifications.

            • payloadDeliveryBucketName (string) --

              The updated S3 bucket name for event payload delivery.

          • historicalContextWindowSize (integer) --

            The updated number of historical messages to include in processing context.

      • memoryRecordSchema (dict) --

        Updated metadata schema for records generated by this strategy.

        • metadataSchema (list) --

          The metadata field definitions for this strategy.

          • (dict) --

            A metadata field definition within a strategy's schema.

            • key (string) -- [REQUIRED]

              The metadata field name. Must match an indexed key to be queryable via metadata filters.

            • type (string) --

              The MetadataValueType.

            • extractionType (string) --

              Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

            • extractionConfig (dict) --

              Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

              • llmExtractionConfig (dict) --

                Model-based extraction using a definition and instructions.

                • llmExtractionInstruction (string) --

                  Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                • definition (string) -- [REQUIRED]

                  Description of what this metadata field represents.

                • validation (dict) --

                  Validation rules to constrain extracted values.

                  • stringValidation (dict) --

                    Validation for STRING fields.

                    • allowedValues (list) -- [REQUIRED]

                      Allowed values for this STRING field.

                      • (string) --

                  • stringListValidation (dict) --

                    Validation for STRINGLIST fields.

                    • allowedValues (list) --

                      Allowed values for items in this STRINGLIST field.

                      • (string) --

                    • maxItems (integer) --

                      Maximum number of items in the string list.

                  • numberValidation (dict) --

                    Validation for NUMBER fields.

                    • minValue (float) --

                      Minimum allowed value.

                    • maxValue (float) --

                      Maximum allowed value.

  • deleteMemoryStrategies (list) --

    The list of memory strategies to delete.

    • (dict) --

      Input for deleting a memory strategy.

      • memoryStrategyId (string) -- [REQUIRED]

        The unique identifier of the memory strategy to delete.

type addIndexedKeys:

list

param addIndexedKeys:

Additional metadata keys to index. Previously indexed keys cannot be removed.

  • (dict) --

    A metadata key indexed for filtering.

    • key (string) -- [REQUIRED]

      The metadata key name to index.

    • type (string) -- [REQUIRED]

      The data type of the indexed key.

type streamDeliveryResources:

dict

param streamDeliveryResources:

Configuration for streaming memory record data to external resources.

  • resources (list) -- [REQUIRED]

    List of stream delivery resource configurations.

    • (dict) --

      Supported stream delivery resource types.

      • kinesis (dict) --

        Kinesis Data Stream configuration.

        • dataStreamArn (string) -- [REQUIRED]

          ARN of the Kinesis Data Stream.

        • contentConfigurations (list) -- [REQUIRED]

          Content configurations for stream delivery.

          • (dict) --

            Defines what content to stream and at what level of detail.

            • type (string) -- [REQUIRED]

              Type of content to stream.

            • level (string) --

              Level of detail for streamed content.

rtype:

dict

returns:

Response Syntax

{
    'memory': {
        'arn': 'string',
        'id': 'string',
        'name': 'string',
        'description': 'string',
        'encryptionKeyArn': 'string',
        'memoryExecutionRoleArn': 'string',
        'eventExpiryDuration': 123,
        'status': 'CREATING'|'ACTIVE'|'FAILED'|'DELETING'|'UPDATING',
        'failureReason': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'strategies': [
            {
                'strategyId': 'string',
                'name': 'string',
                'description': 'string',
                'configuration': {
                    'type': 'SEMANTIC_OVERRIDE'|'SUMMARY_OVERRIDE'|'USER_PREFERENCE_OVERRIDE'|'SELF_MANAGED'|'EPISODIC_OVERRIDE',
                    'extraction': {
                        'customExtractionConfiguration': {
                            'semanticExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicExtractionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'consolidation': {
                        'customConsolidationConfiguration': {
                            'semanticConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'summaryConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'userPreferenceConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            },
                            'episodicConsolidationOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string'
                            }
                        }
                    },
                    'reflection': {
                        'customReflectionConfiguration': {
                            'episodicReflectionOverride': {
                                'appendToPrompt': 'string',
                                'modelId': 'string',
                                'namespaces': [
                                    'string',
                                ],
                                'namespaceTemplates': [
                                    'string',
                                ],
                                'memoryRecordSchema': {
                                    'metadataSchema': [
                                        {
                                            'key': 'string',
                                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                            'extractionConfig': {
                                                'llmExtractionConfig': {
                                                    'llmExtractionInstruction': 'string',
                                                    'definition': 'string',
                                                    'validation': {
                                                        'stringValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ]
                                                        },
                                                        'stringListValidation': {
                                                            'allowedValues': [
                                                                'string',
                                                            ],
                                                            'maxItems': 123
                                                        },
                                                        'numberValidation': {
                                                            'minValue': 123.0,
                                                            'maxValue': 123.0
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                    ]
                                }
                            }
                        },
                        'episodicReflectionConfiguration': {
                            'namespaces': [
                                'string',
                            ],
                            'namespaceTemplates': [
                                'string',
                            ],
                            'memoryRecordSchema': {
                                'metadataSchema': [
                                    {
                                        'key': 'string',
                                        'type': 'STRING'|'STRINGLIST'|'NUMBER',
                                        'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                                        'extractionConfig': {
                                            'llmExtractionConfig': {
                                                'llmExtractionInstruction': 'string',
                                                'definition': 'string',
                                                'validation': {
                                                    'stringValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ]
                                                    },
                                                    'stringListValidation': {
                                                        'allowedValues': [
                                                            'string',
                                                        ],
                                                        'maxItems': 123
                                                    },
                                                    'numberValidation': {
                                                        'minValue': 123.0,
                                                        'maxValue': 123.0
                                                    }
                                                }
                                            }
                                        }
                                    },
                                ]
                            }
                        }
                    },
                    'selfManagedConfiguration': {
                        'triggerConditions': [
                            {
                                'messageBasedTrigger': {
                                    'messageCount': 123
                                },
                                'tokenBasedTrigger': {
                                    'tokenCount': 123
                                },
                                'timeBasedTrigger': {
                                    'idleSessionTimeout': 123
                                }
                            },
                        ],
                        'invocationConfiguration': {
                            'topicArn': 'string',
                            'payloadDeliveryBucketName': 'string'
                        },
                        'historicalContextWindowSize': 123
                    }
                },
                'type': 'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'CUSTOM'|'EPISODIC',
                'namespaces': [
                    'string',
                ],
                'namespaceTemplates': [
                    'string',
                ],
                'createdAt': datetime(2015, 1, 1),
                'updatedAt': datetime(2015, 1, 1),
                'status': 'CREATING'|'ACTIVE'|'DELETING'|'FAILED',
                'memoryRecordSchema': {
                    'metadataSchema': [
                        {
                            'key': 'string',
                            'type': 'STRING'|'STRINGLIST'|'NUMBER',
                            'extractionType': 'LLM_INFERRED'|'STRICTLY_CONSISTENT',
                            'extractionConfig': {
                                'llmExtractionConfig': {
                                    'llmExtractionInstruction': 'string',
                                    'definition': 'string',
                                    'validation': {
                                        'stringValidation': {
                                            'allowedValues': [
                                                'string',
                                            ]
                                        },
                                        'stringListValidation': {
                                            'allowedValues': [
                                                'string',
                                            ],
                                            'maxItems': 123
                                        },
                                        'numberValidation': {
                                            'minValue': 123.0,
                                            'maxValue': 123.0
                                        }
                                    }
                                }
                            }
                        },
                    ]
                }
            },
        ],
        'indexedKeys': [
            {
                'key': 'string',
                'type': 'STRING'|'STRINGLIST'|'NUMBER'
            },
        ],
        'streamDeliveryResources': {
            'resources': [
                {
                    'kinesis': {
                        'dataStreamArn': 'string',
                        'contentConfigurations': [
                            {
                                'type': 'MEMORY_RECORDS',
                                'level': 'METADATA_ONLY'|'FULL_CONTENT'
                            },
                        ]
                    }
                },
            ]
        },
        'managedByResourceArn': 'string'
    }
}
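The following is an added example, not part of the AWS documentation or boto3: it audits a `memory` dict shaped like the Response Syntax above, checking metadata schema fields against the constraints stated in the field descriptions and reporting where record content is streamed out. The sample data is constructed, and treating a missing `encryptionKeyArn` or a `FULL_CONTENT` stream as a finding is a policy assumption of this example.

```python
"""Added example: audit a `memory` dict shaped like the Response Syntax above."""

# Which validation block belongs to which metadata field type in the schema.
VALIDATION_FOR_TYPE = {
    "STRING": "stringValidation",
    "STRINGLIST": "stringListValidation",
    "NUMBER": "numberValidation",
}


def _schemas(strategy):
    """Yield (location, metadataSchema) for every place a strategy can carry a schema."""
    yield "strategy", strategy.get("memoryRecordSchema", {}).get("metadataSchema", [])
    reflection = strategy.get("configuration", {}).get("reflection", {})
    for name, node in (
        ("episodicReflectionOverride",
         reflection.get("customReflectionConfiguration", {}).get("episodicReflectionOverride", {})),
        ("episodicReflectionConfiguration",
         reflection.get("episodicReflectionConfiguration", {})),
    ):
        yield name, node.get("memoryRecordSchema", {}).get("metadataSchema", [])


def _check_field(field, indexed):
    """Return the issues found in one metadata field definition."""
    issues = []
    ftype = field.get("type")
    if field.get("key") not in indexed:
        issues.append("key is not indexed, so metadata filters cannot query it")
    llm = field.get("extractionType") == "LLM_INFERRED"
    if "extractionConfig" in field and not llm:
        issues.append("extractionConfig only applies when extractionType is LLM_INFERRED")
    validation = (field.get("extractionConfig", {})
                  .get("llmExtractionConfig", {})
                  .get("validation", {}))
    if llm and not validation:
        issues.append("LLM-inferred value has no validation rules")
    for kind in validation:
        if kind != VALIDATION_FOR_TYPE.get(ftype):
            issues.append(f"{kind} does not apply to a {ftype} field")
    num = validation.get("numberValidation", {})
    if "minValue" in num and "maxValue" in num and num["minValue"] > num["maxValue"]:
        issues.append("numberValidation minValue exceeds maxValue")
    return issues


def audit_memory(memory):
    """Return a list of human-readable findings for one memory resource."""
    findings = []
    if not memory.get("encryptionKeyArn"):  # policy assumption of this example
        findings.append("memory: no encryptionKeyArn reported")
    indexed = {entry["key"] for entry in memory.get("indexedKeys", [])}
    for strategy in memory.get("strategies", []):
        for where, schema in _schemas(strategy):
            for field in schema:
                for issue in _check_field(field, indexed):
                    findings.append(
                        f"{strategy.get('name')}/{where}/{field.get('key')}: {issue}")
    for resource in memory.get("streamDeliveryResources", {}).get("resources", []):
        kinesis = resource.get("kinesis", {})
        for cfg in kinesis.get("contentConfigurations", []):
            if cfg.get("level") == "FULL_CONTENT":  # policy assumption of this example
                findings.append(
                    f"stream {kinesis.get('dataStreamArn')}: delivers FULL_CONTENT records")
    return findings


# Constructed sample, not real output: account ID, ARN and names are placeholders.
SAMPLE_MEMORY = {
    "name": "support_memory",
    "indexedKeys": [{"key": "priority", "type": "STRING"}],
    "strategies": [{
        "name": "tickets",
        "memoryRecordSchema": {"metadataSchema": [
            {"key": "priority", "type": "STRING", "extractionType": "LLM_INFERRED",
             "extractionConfig": {"llmExtractionConfig": {
                 "definition": "Ticket priority",
                 "validation": {"stringValidation": {"allowedValues": ["low", "high"]}}}}},
            {"key": "score", "type": "NUMBER", "extractionType": "LLM_INFERRED",
             "extractionConfig": {"llmExtractionConfig": {
                 "definition": "Sentiment score",
                 "validation": {"numberValidation": {"minValue": 10.0, "maxValue": 1.0}}}}},
            {"key": "topic", "type": "STRING", "extractionType": "LLM_INFERRED",
             "extractionConfig": {"llmExtractionConfig": {"definition": "Main topic"}}},
        ]},
    }],
    "streamDeliveryResources": {"resources": [{"kinesis": {
        "dataStreamArn": "arn:aws:kinesis:us-east-1:111122223333:stream/example",
        "contentConfigurations": [{"type": "MEMORY_RECORDS", "level": "FULL_CONTENT"}],
    }}]},
}

if __name__ == "__main__":
    for finding in audit_memory(SAMPLE_MEMORY):
        print(finding)
```
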

Response Structure

  • (dict) --

    • memory (dict) --

      The updated AgentCore Memory resource details.

      • arn (string) --

        The Amazon Resource Name (ARN) of the memory.

      • id (string) --

        The unique identifier of the memory.

      • name (string) --

        The name of the memory.

      • description (string) --

        The description of the memory.

      • encryptionKeyArn (string) --

        The ARN of the KMS key used to encrypt the memory.

      • memoryExecutionRoleArn (string) --

        The ARN of the IAM role that provides permissions for the memory.

      • eventExpiryDuration (integer) --

        The number of days after which memory events will expire.

      • status (string) --

        The current status of the memory.

      • failureReason (string) --

        The reason for failure if the memory is in a failed state.

      • createdAt (datetime) --

        The timestamp when the memory was created.

      • updatedAt (datetime) --

        The timestamp when the memory was last updated.

      • strategies (list) --

        The list of memory strategies associated with this memory.

        • (dict) --

          Contains information about a memory strategy.

          • strategyId (string) --

            The unique identifier of the memory strategy.

          • name (string) --

            The name of the memory strategy.

          • description (string) --

            The description of the memory strategy.

          • configuration (dict) --

            The configuration of the memory strategy.

            • type (string) --

              The type of override for the strategy configuration.

            • extraction (dict) --

              The extraction configuration for the memory strategy.

              • customExtractionConfiguration (dict) --

                The custom extraction configuration.

                • semanticExtractionOverride (dict) --

                  The semantic extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic extraction.

                  • modelId (string) --

                    The model ID to use for semantic extraction.

                • userPreferenceExtractionOverride (dict) --

                  The user preference extraction override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference extraction.

                  • modelId (string) --

                    The model ID to use for user preference extraction.

                • episodicExtractionOverride (dict) --

                  The configurations to override the default extraction step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the extraction step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the extraction step of the episodic memory strategy.

            • consolidation (dict) --

              The consolidation configuration for the memory strategy.

              • customConsolidationConfiguration (dict) --

                The custom consolidation configuration.

                • semanticConsolidationOverride (dict) --

                  The semantic consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for semantic consolidation.

                  • modelId (string) --

                    The model ID to use for semantic consolidation.

                • summaryConsolidationOverride (dict) --

                  The summary consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for summary consolidation.

                  • modelId (string) --

                    The model ID to use for summary consolidation.

                • userPreferenceConsolidationOverride (dict) --

                  The user preference consolidation override configuration.

                  • appendToPrompt (string) --

                    The text to append to the prompt for user preference consolidation.

                  • modelId (string) --

                    The model ID to use for user preference consolidation.

                • episodicConsolidationOverride (dict) --

                  The configurations to override the default consolidation step for the episodic memory strategy.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the consolidation step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the consolidation step of the episodic memory strategy.

            • reflection (dict) --

              The reflection configuration for the memory strategy.

              • customReflectionConfiguration (dict) --

                The configuration for a custom reflection strategy.

                • episodicReflectionOverride (dict) --

                  The configuration for a reflection strategy to override the default one.

                  • appendToPrompt (string) --

                    The text appended to the prompt for the reflection step of the episodic memory strategy.

                  • modelId (string) --

                    The model ID used for the reflection step of the episodic memory strategy.

                  • namespaces (list) --

                    This is a legacy parameter. The namespaces over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • namespaceTemplates (list) --

                    The namespaceTemplates over which reflections were created. Can be less nested than the episodic namespaces.

                    • (string) --

                  • memoryRecordSchema (dict) --

                    Schema for metadata fields on records generated by this reflection override.

                    • metadataSchema (list) --

                      The metadata field definitions for this strategy.

                      • (dict) --

                        A metadata field definition within a strategy's schema.

                        • key (string) --

                          The metadata field name. Must match an indexed key to be queryable via metadata filters.

                        • type (string) --

                          The MetadataValueType.

                        • extractionType (string) --

                          Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                        • extractionConfig (dict) --

                          Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                          • llmExtractionConfig (dict) --

                            Model-based extraction using a definition and instructions.

                            • llmExtractionInstruction (string) --

                              Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                            • definition (string) --

                              Description of what this metadata field represents.

                            • validation (dict) --

                              Validation rules to constrain extracted values.

                              • stringValidation (dict) --

                                Validation for STRING fields.

                                • allowedValues (list) --

                                  Allowed values for this STRING field.

                                  • (string) --

                              • stringListValidation (dict) --

                                Validation for STRINGLIST fields.

                                • allowedValues (list) --

                                  Allowed values for items in this STRINGLIST field.

                                  • (string) --

                                • maxItems (integer) --

                                  Maximum number of items in the string list.

                              • numberValidation (dict) --

                                Validation for NUMBER fields.

                                • minValue (float) --

                                  Minimum allowed value.

                                • maxValue (float) --

                                  Maximum allowed value.

              • episodicReflectionConfiguration (dict) --

                The configuration for the episodic reflection strategy.

                • namespaces (list) --

                  This is a legacy parameter, use namespaceTemplates. The namespaces for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • namespaceTemplates (list) --

                  The namespaceTemplates for which to create reflections. Can be less nested than the episodic namespaces.

                  • (string) --

                • memoryRecordSchema (dict) --

                  Schema for metadata fields on records generated by reflections.

                  • metadataSchema (list) --

                    The metadata field definitions for this strategy.

                    • (dict) --

                      A metadata field definition within a strategy's schema.

                      • key (string) --

                        The metadata field name. Must match an indexed key to be queryable via metadata filters.

                      • type (string) --

                        The MetadataValueType.

                      • extractionType (string) --

                        Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                      • extractionConfig (dict) --

                        Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                        • llmExtractionConfig (dict) --

                          Model-based extraction using a definition and instructions.

                          • llmExtractionInstruction (string) --

                            Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                          • definition (string) --

                            Description of what this metadata field represents.

                          • validation (dict) --

                            Validation rules to constrain extracted values.

                            • stringValidation (dict) --

                              Validation for STRING fields.

                              • allowedValues (list) --

                                Allowed values for this STRING field.

                                • (string) --

                            • stringListValidation (dict) --

                              Validation for STRINGLIST fields.

                              • allowedValues (list) --

                                Allowed values for items in this STRINGLIST field.

                                • (string) --

                              • maxItems (integer) --

                                Maximum number of items in the string list.

                            • numberValidation (dict) --

                              Validation for NUMBER fields.

                              • minValue (float) --

                                Minimum allowed value.

                              • maxValue (float) --

                                Maximum allowed value.

            • selfManagedConfiguration (dict) --

              Self-managed configuration settings.

              • triggerConditions (list) --

                A list of conditions that trigger memory processing.

                • (dict) --

                  Condition that triggers memory processing.

                  • messageBasedTrigger (dict) --

                    Message based trigger configuration.

                    • messageCount (integer) --

                      The number of messages that trigger memory processing.

                  • tokenBasedTrigger (dict) --

                    Token based trigger configuration.

                    • tokenCount (integer) --

                      Number of tokens that trigger memory processing.

                  • timeBasedTrigger (dict) --

                    Time based trigger configuration.

                    • idleSessionTimeout (integer) --

                      Idle session timeout (seconds) that triggers memory processing.

              • invocationConfiguration (dict) --

                The configuration to use when invoking memory processing.

                • topicArn (string) --

                  The ARN of the SNS topic for job notifications.

                • payloadDeliveryBucketName (string) --

                  The S3 bucket name for event payload delivery.

              • historicalContextWindowSize (integer) --

                The number of historical messages to include in processing context.

          • type (string) --

            The type of the memory strategy.

          • namespaces (list) --

            This is a legacy parameter. The namespaces associated with the memory strategy.

            • (string) --

          • namespaceTemplates (list) --

            The namespaceTemplates associated with the memory strategy.

            • (string) --

          • createdAt (datetime) --

            The timestamp when the memory strategy was created.

          • updatedAt (datetime) --

            The timestamp when the memory strategy was last updated.

          • status (string) --

            The current status of the memory strategy.

          • memoryRecordSchema (dict) --

            Schema for metadata fields on records generated by this strategy.

            • metadataSchema (list) --

              The metadata field definitions for this strategy.

              • (dict) --

                A metadata field definition within a strategy's schema.

                • key (string) --

                  The metadata field name. Must match an indexed key to be queryable via metadata filters.

                • type (string) --

                  The MetadataValueType.

                • extractionType (string) --

                  Specifies whether the metadata value is extracted by the LLM or passed through deterministically from the event.

                • extractionConfig (dict) --

                  Configuration for extracting this metadata value from conversational content. Applicable only if extractionType is LLM inferred.

                  • llmExtractionConfig (dict) --

                    Model-based extraction using a definition and instructions.

                    • llmExtractionInstruction (string) --

                      Instructions for extraction. Supports built-in operators like LATEST_VALUE or custom natural-language instructions.

                    • definition (string) --

                      Description of what this metadata field represents.

                    • validation (dict) --

                      Validation rules to constrain extracted values.

                      • stringValidation (dict) --

                        Validation for STRING fields.

                        • allowedValues (list) --

                          Allowed values for this STRING field.

                          • (string) --

                      • stringListValidation (dict) --

                        Validation for STRINGLIST fields.

                        • allowedValues (list) --

                          Allowed values for items in this STRINGLIST field.

                          • (string) --

                        • maxItems (integer) --

                          Maximum number of items in the string list.

                      • numberValidation (dict) --

                        Validation for NUMBER fields.

                        • minValue (float) --

                          Minimum allowed value.

                        • maxValue (float) --

                          Maximum allowed value.

      • indexedKeys (list) --

        The indexed metadata keys for this memory. Only indexed keys can be used in metadata filters.

        • (dict) --

          A metadata key indexed for filtering.

          • key (string) --

            The metadata key name to index.

          • type (string) --

            The data type of the indexed key.

      • streamDeliveryResources (dict) --

        Configuration for streaming memory record data to external resources.

        • resources (list) --

          List of stream delivery resource configurations.

          • (dict) --

            Supported stream delivery resource types.

            • kinesis (dict) --

              Kinesis Data Stream configuration.

              • dataStreamArn (string) --

                ARN of the Kinesis Data Stream.

              • contentConfigurations (list) --

                Content configurations for stream delivery.

                • (dict) --

                  Defines what content to stream and at what level of detail.

                  • type (string) --

                    Type of content to stream.

                  • level (string) --

                    Level of detail for streamed content.

      • managedByResourceArn (string) --

        ARN of the resource managing this memory (e.g. a harness). When set, strategy modifications and deletion are only allowed through the managing resource.

UpdatePaymentManager (updated)
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Updates an existing payment manager. This operation uses PATCH semantics, so you only need to specify the fields you want to change.

See also: AWS API Documentation

Request Syntax

client.update_payment_manager(
    paymentManagerId='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    roleArn='string',
    clientToken='string'
)
type paymentManagerId:

string

param paymentManagerId:

[REQUIRED]

The unique identifier of the payment manager to update.

type description:

string

param description:

The updated description of the payment manager.

type authorizerType:

string

param authorizerType:

The updated authorizer type for the payment manager.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the payment manager.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation.

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type roleArn:

string

param roleArn:

The updated Amazon Resource Name (ARN) of the IAM role for the payment manager.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED'
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the updated payment manager.

    • paymentManagerId (string) --

      The unique identifier of the updated payment manager.

    • name (string) --

      The name of the updated payment manager.

    • authorizerType (string) --

      The type of authorizer for the updated payment manager.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the updated payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • lastUpdatedAt (datetime) --

      The timestamp when the payment manager was last updated.

    • status (string) --

      The current status of the updated payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.
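A pre-flight check for the customJWTAuthorizer block documented above, as an added Python example (not code from AWS or from this page). It flags fields the reference marks [REQUIRED], values outside the enumerations in the request syntax, and the documented fallback to the VPC default security group. The two checks tagged "local rule", the function names and the sample values are assumptions of this example.

```python
"""Pre-flight lint for a customJWTAuthorizer block (added example, not AWS code)."""
from urllib.parse import urlparse

VALUE_TYPES = {"STRING", "STRING_ARRAY"}
OPERATORS = {"EQUALS", "CONTAINS", "CONTAINS_ANY"}
IP_TYPES = {"IPV4", "IPV6"}


def _require(obj, keys, path, findings):
    """Flag every key the reference marks [REQUIRED] that is missing or empty."""
    for key in keys:
        if obj.get(key) in (None, "", [], {}):
            findings.append(f"{path}.{key}: required field missing")


def _check_enum(obj, key, allowed, path, findings):
    value = obj.get(key)
    if value is not None and value not in allowed:
        findings.append(f"{path}.{key}: {value!r} not in {sorted(allowed)}")


def _lint_private_endpoint(endpoint, path, findings):
    managed = endpoint.get("managedVpcResource")
    if managed is None:
        return
    mpath = f"{path}.managedVpcResource"
    _require(managed, ("vpcIdentifier", "subnetIds", "endpointIpAddressType"), mpath, findings)
    _check_enum(managed, "endpointIpAddressType", IP_TYPES, mpath, findings)
    if not managed.get("securityGroupIds"):
        # Stated in the reference: the default security group for the VPC is used.
        findings.append(f"{mpath}.securityGroupIds: unset, VPC default security group applies")


def lint_custom_jwt_authorizer(authorizer_configuration):
    """Return findings for the dict passed as authorizerConfiguration."""
    jwt = authorizer_configuration.get("customJWTAuthorizer")
    if not jwt:
        return ["customJWTAuthorizer: block missing"]
    findings, path = [], "customJWTAuthorizer"

    _require(jwt, ("discoveryUrl",), path, findings)
    url = jwt.get("discoveryUrl")
    if url and urlparse(url).scheme != "https":
        findings.append(f"{path}.discoveryUrl: not https (local rule)")

    for i, claim in enumerate(jwt.get("customClaims", [])):
        cpath = f"{path}.customClaims[{i}]"
        _require(claim, ("inboundTokenClaimName", "inboundTokenClaimValueType",
                         "authorizingClaimMatchValue"), cpath, findings)
        _check_enum(claim, "inboundTokenClaimValueType", VALUE_TYPES, cpath, findings)
        match = claim.get("authorizingClaimMatchValue")
        if match:
            mpath = f"{cpath}.authorizingClaimMatchValue"
            _require(match, ("claimMatchValue", "claimMatchOperator"), mpath, findings)
            _check_enum(match, "claimMatchOperator", OPERATORS, mpath, findings)

    _lint_private_endpoint(jwt.get("privateEndpoint") or {}, f"{path}.privateEndpoint", findings)
    for i, override in enumerate(jwt.get("privateEndpointOverrides", [])):
        opath = f"{path}.privateEndpointOverrides[{i}]"
        _require(override, ("domain", "privateEndpoint"), opath, findings)
        _lint_private_endpoint(override.get("privateEndpoint") or {},
                               f"{opath}.privateEndpoint", findings)

    workloads = jwt.get("allowedWorkloadConfiguration") or {}
    for i, env in enumerate(workloads.get("hostingEnvironments", [])):
        _require(env, ("arn",),
                 f"{path}.allowedWorkloadConfiguration.hostingEnvironments[{i}]", findings)

    narrowing = ("allowedAudience", "allowedClients", "allowedScopes",
                 "customClaims", "allowedWorkloadConfiguration")
    if not any(jwt.get(key) for key in narrowing):
        findings.append(f"{path}: no audience, client, scope, claim or workload "
                        "restriction configured (local rule)")
    return findings


# Constructed sample input; the issuer URL and VPC ID are placeholders.
WEAK_CONFIG = {"customJWTAuthorizer": {
    "discoveryUrl": "http://idp.example.com/.well-known/openid-configuration",
    "customClaims": [{
        "inboundTokenClaimName": "role",
        "inboundTokenClaimValueType": "STRING",
        "authorizingClaimMatchValue": {
            "claimMatchValue": {"matchValueString": "admin"},
            "claimMatchOperator": "STARTS_WITH"}}],
    "privateEndpointOverrides": [{
        "domain": "idp.example.com",
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE", "endpointIpAddressType": "IPV4"}}}],
}}

if __name__ == "__main__":
    for finding in lint_custom_jwt_authorizer(WEAK_CONFIG):
        print(finding)
```

Run the lint on the exact dict that will be passed as authorizerConfiguration and stop the deployment step on any finding that is not an accepted exception.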

UpdatePolicy (updated)
Changes (both)
{'definition': {'policy': {'statement': 'string'}},
 'enforcementMode': 'ACTIVE | LOG_ONLY'}

Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the GetPolicy operation to poll the status field to track completion.

See also: AWS API Documentation

Request Syntax

client.update_policy(
    policyEngineId='string',
    policyId='string',
    description={
        'optionalValue': 'string'
    },
    definition={
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    validationMode='FAIL_ON_ANY_FINDINGS'|'IGNORE_ALL_FINDINGS',
    enforcementMode='ACTIVE'|'LOG_ONLY'
)
type policyEngineId:

string

param policyEngineId:

[REQUIRED]

The identifier of the policy engine that manages the policy to be updated. This ensures the policy is updated within the correct policy engine context.

type policyId:

string

param policyId:

[REQUIRED]

The unique identifier of the policy to be updated. This must be a valid policy ID that exists within the specified policy engine.

type description:

dict

param description:

The new human-readable description for the policy. This optional field allows updating the policy's documentation while keeping the same policy logic.

  • optionalValue (string) --

    Represents an optional value that is used to update the human-readable description of the resource. If not specified, it will clear the current description of the resource.

type definition:

dict

param definition:

The new Cedar policy statement that defines the access control rules. This replaces the existing policy definition with new logic while maintaining the policy's identity.

  • cedar (dict) --

    The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

    • statement (string) -- [REQUIRED]

      The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

  • policyGeneration (dict) --

    The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

    • policyGenerationId (string) -- [REQUIRED]

      The unique identifier for this policy generation request.

    • policyGenerationAssetId (string) -- [REQUIRED]

      The unique identifier for this generated policy asset within the policy generation request.

  • policy (dict) --

    An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

    • statement (string) -- [REQUIRED]

      The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

type validationMode:

string

param validationMode:

The validation mode for the policy update. Determines how Cedar analyzer validation results are handled during policy updates. FAIL_ON_ANY_FINDINGS runs the Cedar analyzer and fails the update if validation issues are detected, ensuring the policy conforms to the Cedar schema and tool context. IGNORE_ALL_FINDINGS runs the Cedar analyzer but allows updates despite validation warnings. Use FAIL_ON_ANY_FINDINGS to ensure policy correctness during updates, especially when modifying policy logic or conditions.

type enforcementMode:

string

param enforcementMode:

The enforcement mode for the policy. Run this policy in LOG_ONLY mode to collect data on how it affects your application. Once you are satisfied with the data gathered, switch the policy to ACTIVE. If you omit this field, the policy's existing enforcement mode is unchanged.

rtype:

dict

returns:

Response Syntax

{
    'policyId': 'string',
    'name': 'string',
    'policyEngineId': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'policyArn': 'string',
    'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'enforcementMode': 'ACTIVE'|'LOG_ONLY',
    'definition': {
        'cedar': {
            'statement': 'string'
        },
        'policyGeneration': {
            'policyGenerationId': 'string',
            'policyGenerationAssetId': 'string'
        },
        'policy': {
            'statement': 'string'
        }
    },
    'description': 'string',
    'statusReasons': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • policyId (string) --

      The unique identifier of the updated policy.

    • name (string) --

      The name of the updated policy.

    • policyEngineId (string) --

      The identifier of the policy engine managing the updated policy.

    • createdAt (datetime) --

      The original creation timestamp of the policy.

    • updatedAt (datetime) --

      The timestamp when the policy was last updated.

    • policyArn (string) --

      The ARN of the updated policy.

    • status (string) --

      The current status of the updated policy.

    • enforcementMode (string) --

      The current enforcement mode of the updated policy.

    • definition (dict) --

      The updated Cedar policy statement.

      • cedar (dict) --

        The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.

        • statement (string) --

          The Cedar policy statement that defines the authorization logic. This statement follows Cedar syntax and specifies principals, actions, resources, and conditions that determine when access should be allowed or denied.

      • policyGeneration (dict) --

        The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.

        • policyGenerationId (string) --

          The unique identifier for this policy generation request.

        • policyGenerationAssetId (string) --

          The unique identifier for this generated policy asset within the policy generation request.

      • policy (dict) --

        An AgentCore policy statement that defines the access control rules. The statement can be a Cedar policy or a guardrails definition.

        • statement (string) --

          The body of the AgentCore policy statement. Contains the policy logic, which can be a Cedar policy or a guardrails definition.

    • description (string) --

      The updated description of the policy.

    • statusReasons (list) --

      Additional information about the update status.

      • (string) --
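The rollout that the enforcementMode and validationMode descriptions point to, as an added Python example (not code from AWS or from this page): stage a statement in LOG_ONLY with FAIL_ON_ANY_FINDINGS, poll GetPolicy until the asynchronous update settles, then promote the same reviewed statement to ACTIVE. The get_policy parameter names and response fields are assumed to mirror update_policy, and the helper names are hypothetical.

```python
"""Staged update of an AgentCore policy (added example, not AWS code)."""
import time


class PolicyUpdateFailed(RuntimeError):
    """The update did not settle in the expected state."""


def wait_until_settled(client, engine_id, policy_id, *, sleep=time.sleep,
                       interval=2.0, max_polls=30):
    """Poll GetPolicy until `status` leaves UPDATING and return that response.

    `status` is the resource lifecycle state. A status of ACTIVE only means the
    update finished; whether the policy is enforced is `enforcementMode`.
    """
    for _ in range(max_polls):
        # Assumption: get_policy takes the same two identifiers as update_policy.
        policy = client.get_policy(policyEngineId=engine_id, policyId=policy_id)
        status = policy["status"]
        if status == "ACTIVE":
            return policy
        if status != "UPDATING":
            reasons = "; ".join(policy.get("statusReasons", []))
            raise PolicyUpdateFailed(f"{policy_id} settled as {status}: {reasons}")
        sleep(interval)
    raise TimeoutError(f"{policy_id} still UPDATING after {max_polls} polls")


def apply_policy(client, engine_id, policy_id, statement, enforcement_mode, **poll_opts):
    """Send one Cedar statement in the given mode and block until it settles."""
    if enforcement_mode not in ("LOG_ONLY", "ACTIVE"):
        raise ValueError(f"unknown enforcementMode {enforcement_mode!r}")
    client.update_policy(
        policyEngineId=engine_id,
        policyId=policy_id,
        definition={"cedar": {"statement": statement}},
        # Fail the update on analyzer findings instead of ignoring them.
        validationMode="FAIL_ON_ANY_FINDINGS",
        enforcementMode=enforcement_mode,
    )
    policy = wait_until_settled(client, engine_id, policy_id, **poll_opts)
    # Assumption: GetPolicy returns the same fields as the UpdatePolicy response.
    if policy.get("enforcementMode") != enforcement_mode:
        raise PolicyUpdateFailed(
            f"{policy_id} reports enforcementMode {policy.get('enforcementMode')!r}, "
            f"expected {enforcement_mode!r}")
    return policy


def stage(client, engine_id, policy_id, statement, **poll_opts):
    """Step 1: run the new statement in LOG_ONLY to collect data."""
    return apply_policy(client, engine_id, policy_id, statement, "LOG_ONLY", **poll_opts)


def promote(client, engine_id, policy_id, reviewed_statement, **poll_opts):
    """Step 2: switch to ACTIVE, re-sending the statement that was reviewed so
    the enforced logic is the logic that was observed in LOG_ONLY."""
    return apply_policy(client, engine_id, policy_id, reviewed_statement, "ACTIVE", **poll_opts)


# Usage with a real client (needs AWS credentials; the IDs are placeholders):
#   import boto3
#   client = boto3.client("bedrock-agentcore-control")
#   stage(client, "<policy-engine-id>", "<policy-id>", reviewed_statement)
#   ... review the LOG_ONLY data ...
#   promote(client, "<policy-engine-id>", "<policy-id>", reviewed_statement)
```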

UpdateRegistry (updated)
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                                        'workloadIdentities': ['string']}}}}}
Response
{'authorizerConfiguration': {'customJWTAuthorizer': {'allowedWorkloadConfiguration': {'hostingEnvironments': [{'arn': 'string'}],
                                                                                      'workloadIdentities': ['string']}}}}

Updates an existing registry. This operation uses PATCH semantics, so you only need to specify the fields you want to change.

See also: AWS API Documentation

Request Syntax

client.update_registry(
    registryId='string',
    name='string',
    description={
        'optionalValue': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        }
    },
    approvalConfiguration={
        'optionalValue': {
            'autoApproval': True|False
        }
    }
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to update. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

type name:

string

param name:

The updated name of the registry.

type description:

dict

param description:

The updated description of the registry. To clear the description, include the UpdatedDescription wrapper with optionalValue not specified.

  • optionalValue (string) --

    Represents an optional value that is used to update the human-readable description of the resource. If not specified, it will clear the current description of the resource.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the registry. Changing the authorizer configuration can break existing consumers of the registry who are using the authorization type prior to the update.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation.

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

      • privateEndpointOverrides (list) --

        The private endpoint overrides for the custom JWT authorizer configuration.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

      • allowedWorkloadConfiguration (dict) --

        The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

        • hostingEnvironments (list) --

          The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • (dict) --

            A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • arn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the hosting environment.

        • workloadIdentities (list) --

          The list of workload identities that are allowed to invoke the target.

          • (string) --

type approvalConfiguration:

dict

param approvalConfiguration:

The updated approval configuration for registry records. The updated configuration only affects new records that move to PENDING_APPROVAL status after the change. Existing records already in PENDING_APPROVAL status are not affected.

  • optionalValue (dict) --

    The updated approval configuration value. Set to null to unset the approval configuration.

    • autoApproval (boolean) --

      Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.
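A pre-flight review of the request parameters above, as an added example (not part of the AWS documentation or SDK): it applies the optionalValue wrapper semantics and flags the security-relevant changes the parameter descriptions call out. The function names, finding codes, the HTTPS and unconstrained-JWT checks, and the sample requests are assumptions of this example; nothing is sent to AWS.

```python
def review_registry_update(kwargs):
    """Return (code, message) findings for security-relevant changes in the request."""
    findings = []
    # Wrapper rule from the parameter docs: key absent = no change,
    # wrapper without optionalValue = clear, wrapper with optionalValue = set.
    desc = kwargs.get("description")
    if desc is not None and desc.get("optionalValue") is None:
        findings.append(("DESCRIPTION_CLEARED", "description will be cleared"))

    if "authorizerConfiguration" in kwargs:
        findings.append(("AUTHZ_CHANGED", "can break existing registry consumers"))
        value = (kwargs["authorizerConfiguration"] or {}).get("optionalValue")
        if value is None:
            findings.append(("AUTHZ_CLEARED", "authorizer configuration will be cleared"))
        elif value.get("customJWTAuthorizer") is not None:
            findings += _review_jwt(value["customJWTAuthorizer"])

    if "approvalConfiguration" in kwargs:
        value = (kwargs["approvalConfiguration"] or {}).get("optionalValue")
        if value is None:
            findings.append(("APPROVAL_UNSET", "approval configuration will be unset"))
        elif value.get("autoApproval") is True:
            findings.append(("AUTO_APPROVAL_ON", "new records skip explicit approval"))
    return findings


def _review_jwt(jwt):
    out = []
    # Assumption of this example: token metadata should only be fetched over TLS.
    if not str(jwt.get("discoveryUrl", "")).lower().startswith("https://"):
        out.append(("DISCOVERY_NOT_HTTPS", "discoveryUrl is not an https:// URL"))
    # Assumption of this example: at least one token restriction should be set.
    restrictions = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
    if not any(jwt.get(key) for key in restrictions):
        out.append(("JWT_UNCONSTRAINED", "no audience, client, scope or claim restriction"))
    # Documented behaviour: a managed VPC resource without securityGroupIds
    # falls back to the default security group of the VPC.
    endpoints = [("privateEndpoint", jwt.get("privateEndpoint"))]
    endpoints += [(o.get("domain"), o.get("privateEndpoint"))
                  for o in jwt.get("privateEndpointOverrides") or []]
    for label, endpoint in endpoints:
        managed = (endpoint or {}).get("managedVpcResource")
        if managed is not None and not managed.get("securityGroupIds"):
            out.append(("DEFAULT_SECURITY_GROUP", f"{label}: VPC default security group will be used"))
    return out


def codes(kwargs):
    return [code for code, _ in review_registry_update(kwargs)]


# Constructed sample requests; every identifier below is a placeholder.
RISKY = {
    "registryId": "example-registry-id",
    "description": {},
    "authorizerConfiguration": {"optionalValue": {"customJWTAuthorizer": {
        "discoveryUrl": "http://idp.example.com/.well-known/openid-configuration",
        "privateEndpoint": {"managedVpcResource": {
            "vpcIdentifier": "vpc-EXAMPLE", "subnetIds": ["subnet-EXAMPLE"],
            "endpointIpAddressType": "IPV4"}}}}},
    "approvalConfiguration": {"optionalValue": {"autoApproval": True}},
}
SCOPED = {
    "registryId": "example-registry-id",
    "authorizerConfiguration": {"optionalValue": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        "allowedAudience": ["registry-consumers"]}}},
    "approvalConfiguration": {"optionalValue": {"autoApproval": False}},
}

if __name__ == "__main__":
    for name, request in (("RISKY", RISKY), ("SCOPED", SCOPED)):
        print(name, review_registry_update(request))
```

Run it against the keyword arguments before they are passed to the update call; AUTHZ_CHANGED is reported for any authorizer update because the page warns that such a change can break existing consumers.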

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the updated registry.

    • description (string) --

      The description of the updated registry.

    • registryId (string) --

      The unique identifier of the updated registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the updated registry.

    • authorizerType (string) --

      The type of authorizer used by the updated registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the updated registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation.

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to find a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see Route traffic through an intermediate domain.

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • approvalConfiguration (dict) --

      The approval configuration for the updated registry. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the updated registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status of the updated registry.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.