2026/05/04 - Amazon Bedrock AgentCore Control - 3 updated api methods
Changes Amazon Bedrock AgentCore gateways now support MCP Sessions and response streaming from MCP targets. Session timeouts can be set between 15 minutes and 8 hours, and response streaming enables forwarding stream events sent by MCP targets to gateway users.
{'protocolConfiguration': {'mcp': {'sessionConfiguration': {'sessionTimeoutInSeconds': 'integer'},
'streamingConfiguration': {'enableResponseStreaming': 'boolean'}}}}
Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.
If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.
See also: AWS API Documentation
Request Syntax
client.create_gateway(
name='string',
description='string',
clientToken='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC',
'sessionConfiguration': {
'sessionTimeoutInSeconds': 123
},
'streamingConfiguration': {
'enableResponseStreaming': True|False
}
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG',
tags={
'string': 'string'
}
)
string
[REQUIRED]
The name of the gateway. The name must be unique within your account.
string
The description of the gateway.
string
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
string
[REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.
string
The protocol type for the gateway.
dict
The configuration settings for the protocol specified in the protocolType parameter.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
sessionConfiguration (dict) --
The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.
sessionTimeoutInSeconds (integer) --
The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).
streamingConfiguration (dict) --
The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.
enableResponseStreaming (boolean) --
Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.
string
[REQUIRED]
The type of authorizer to use for the gateway.
CUSTOM_JWT - Authorize with a bearer token.
AWS_IAM - Authorize with your Amazon Web Services IAM credentials.
NONE - No authorization
dict
The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) -- [REQUIRED]
The domain to override with a private endpoint.
privateEndpoint (dict) -- [REQUIRED]
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
string
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
list
A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
dict
The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
string
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
dict
A map of key-value pairs to associate with the gateway as metadata tags.
(string) --
(string) --
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC',
'sessionConfiguration': {
'sessionTimeoutInSeconds': 123
},
'streamingConfiguration': {
'enableResponseStreaming': True|False
}
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the created gateway.
gatewayId (string) --
The unique identifier of the created gateway.
gatewayUrl (string) --
The URL endpoint for the created gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role associated with the gateway.
protocolType (string) --
The protocol type of the gateway.
protocolConfiguration (dict) --
The configuration settings for the protocol used by the gateway.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
sessionConfiguration (dict) --
The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.
sessionTimeoutInSeconds (integer) --
The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).
streamingConfiguration (dict) --
The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.
enableResponseStreaming (boolean) --
Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.
authorizerType (string) --
The type of authorizer used by the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the created gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
interceptorConfigurations (list) --
The list of interceptor configurations for the created gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) --
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the created gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the created gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
{'protocolConfiguration': {'mcp': {'sessionConfiguration': {'sessionTimeoutInSeconds': 'integer'},
'streamingConfiguration': {'enableResponseStreaming': 'boolean'}}}}
Retrieves information about a specific Gateway.
See also: AWS API Documentation
Request Syntax
client.get_gateway(
gatewayIdentifier='string'
)
string
[REQUIRED]
The identifier of the gateway to retrieve.
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC',
'sessionConfiguration': {
'sessionTimeoutInSeconds': 123
},
'streamingConfiguration': {
'enableResponseStreaming': True|False
}
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
gatewayId (string) --
The unique identifier of the gateway.
gatewayUrl (string) --
An endpoint for invoking gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The IAM role ARN that provides permissions for the gateway.
protocolType (string) --
Protocol applied to a gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
sessionConfiguration (dict) --
The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.
sessionTimeoutInSeconds (integer) --
The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).
streamingConfiguration (dict) --
The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.
enableResponseStreaming (boolean) --
Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.
authorizerType (string) --
Authorizer type for the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The interceptors configured on the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) --
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
{'protocolConfiguration': {'mcp': {'sessionConfiguration': {'sessionTimeoutInSeconds': 'integer'},
'streamingConfiguration': {'enableResponseStreaming': 'boolean'}}}}
Updates an existing gateway.
See also: AWS API Documentation
Request Syntax
client.update_gateway(
gatewayIdentifier='string',
name='string',
description='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC',
'sessionConfiguration': {
'sessionTimeoutInSeconds': 123
},
'streamingConfiguration': {
'enableResponseStreaming': True|False
}
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG'
)
string
[REQUIRED]
The identifier of the gateway to update.
string
[REQUIRED]
The name of the gateway. This name must be the same as the one when the gateway was created.
string
The updated description for the gateway.
string
[REQUIRED]
The updated IAM role ARN that provides permissions for the gateway.
string
The updated protocol type for the gateway.
dict
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
sessionConfiguration (dict) --
The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.
sessionTimeoutInSeconds (integer) --
The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).
streamingConfiguration (dict) --
The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.
enableResponseStreaming (boolean) --
Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.
string
[REQUIRED]
The updated authorizer type for the gateway.
dict
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) -- [REQUIRED]
The domain to override with a private endpoint.
privateEndpoint (dict) -- [REQUIRED]
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
string
The updated ARN of the KMS key used to encrypt the gateway.
list
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
dict
The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
string
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC',
'sessionConfiguration': {
'sessionTimeoutInSeconds': 123
},
'streamingConfiguration': {
'enableResponseStreaming': True|False
}
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the updated gateway.
gatewayId (string) --
The unique identifier of the updated gateway.
gatewayUrl (string) --
An endpoint for invoking the updated gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the updated gateway.
statusReasons (list) --
The reasons for the current status of the updated gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The updated description of the gateway.
roleArn (string) --
The updated IAM role ARN that provides permissions for the gateway.
protocolType (string) --
The updated protocol type for the gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
sessionConfiguration (dict) --
The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.
sessionTimeoutInSeconds (integer) --
The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).
streamingConfiguration (dict) --
The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.
enableResponseStreaming (boolean) --
Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.
authorizerType (string) --
The updated authorizer type for the gateway.
authorizerConfiguration (dict) --
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].
kmsKeyArn (string) --
The updated ARN of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the lambda function used for the interceptor.
arn (string) --
The arn of the lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The updated policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the updated gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.