2026/04/29 - Amazon Bedrock AgentCore Control - 12 new, 12 updated API methods
Changes: Adds batch evaluation for running evaluators against multiple agent sessions with server-side orchestration, AI-powered recommendations for optimizing system prompts and tool descriptions, and A/B testing with controlled traffic splitting and statistical significance reporting.
Retrieves detailed information about a specific gateway rule.
See also: AWS API Documentation
Request Syntax
client.get_gateway_rule(
gatewayIdentifier='string',
ruleId='string'
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway containing the rule.
ruleId (string) -- [REQUIRED]
The unique identifier of the rule to retrieve.
Return type: dict
Response Syntax
{
'ruleId': 'string',
'gatewayArn': 'string',
'priority': 123,
'conditions': [
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
'actions': [
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING',
'system': {
'managedBy': 'string'
},
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
Create response excludes updatedAt (redundant on create). Get/Update responses include it via their own output structures.
ruleId (string) --
The unique identifier of the gateway rule.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway that the rule belongs to.
priority (integer) --
The priority of the rule. Rules are evaluated in order of priority, with lower numbers evaluated first.
conditions (list) --
The conditions that must be met for the rule to apply.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) --
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) --
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) --
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) --
The actions to take when the rule conditions are met.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) --
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) --
The configuration bundle reference for this variant.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) --
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) --
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant.
targetName (string) --
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The description of the gateway rule.
createdAt (datetime) --
The timestamp when the rule was created.
status (string) --
The current status of the rule.
system (dict) --
System-managed metadata for rules created by automated processes.
managedBy (string) --
The identifier of the system or process that manages this rule.
updatedAt (datetime) --
The timestamp when the rule was last updated.
Creates a new configuration bundle resource. A configuration bundle stores versioned component configurations for agent evaluation workflows.
See also: AWS API Documentation
Request Syntax
client.create_configuration_bundle(
clientToken='string',
bundleName='string',
description='string',
components={
'string': {
'configuration': {...}|[...]|123|123.4|'string'|True|None
}
},
branchName='string',
commitMessage='string',
createdBy={
'name': 'string',
'arn': 'string'
},
tags={
'string': 'string'
}
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
bundleName (string) -- [REQUIRED]
The name for the configuration bundle. Names must be unique within your account.
description (string) --
The description for the configuration bundle.
components (dict) -- [REQUIRED]
A map of component identifiers to their configurations. Each component represents a configurable element within the bundle.
(string) --
(dict) --
The configuration for a component within a configuration bundle. The component type is inferred from the component identifier ARN.
configuration (document) -- [REQUIRED]
The configuration values as a flexible JSON document.
branchName (string) --
The branch name for version tracking. Defaults to mainline if not specified.
commitMessage (string) --
A commit message describing the initial version of the configuration bundle.
createdBy (dict) --
The source that created this version, including the source name and optional ARN.
name (string) -- [REQUIRED]
The name of the source (for example, user, optimization-job, or system).
arn (string) --
The Amazon Resource Name (ARN) of the source, if applicable (for example, a user ARN or optimization job ARN).
tags (dict) --
A map of tag keys and values to assign to the configuration bundle. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
(string) --
(string) --
Return type: dict
Response Syntax
{
'bundleArn': 'string',
'bundleId': 'string',
'versionId': 'string',
'createdAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
bundleArn (string) --
The Amazon Resource Name (ARN) of the created configuration bundle.
bundleId (string) --
The unique identifier of the created configuration bundle.
versionId (string) --
The initial version identifier of the configuration bundle.
createdAt (datetime) --
The timestamp when the configuration bundle was created.
Lists all configuration bundles in the account.
See also: AWS API Documentation
Request Syntax
client.list_configuration_bundles(
nextToken='string',
maxResults=123
)
nextToken (string) --
If the total number of results is greater than the maxResults value provided in the request, enter the token returned in the nextToken field in the response in this field to return the next batch of results.
maxResults (integer) --
The maximum number of results to return in the response. If the total number of results is greater than this value, use the token returned in the response in the nextToken field when making another request to return the next batch of results.
Return type: dict
Response Syntax
{
'bundles': [
{
'bundleArn': 'string',
'bundleId': 'string',
'bundleName': 'string',
'description': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
bundles (list) --
The list of configuration bundle summaries.
(dict) --
Summary information about a configuration bundle.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleId (string) --
The unique identifier of the configuration bundle.
bundleName (string) --
The name of the configuration bundle.
description (string) --
The description of the configuration bundle.
nextToken (string) --
If the total number of results is greater than the maxResults value provided in the request, use this token when making another request in the nextToken field to return the next batch of results.
Gets a specific version of a configuration bundle by its version identifier.
See also: AWS API Documentation
Request Syntax
client.get_configuration_bundle_version(
bundleId='string',
versionId='string'
)
bundleId (string) -- [REQUIRED]
The unique identifier of the configuration bundle.
versionId (string) -- [REQUIRED]
The version identifier of the configuration bundle version to retrieve.
Return type: dict
Response Syntax
{
'bundleArn': 'string',
'bundleId': 'string',
'bundleName': 'string',
'description': 'string',
'versionId': 'string',
'components': {
'string': {
'configuration': {...}|[...]|123|123.4|'string'|True|None
}
},
'lineageMetadata': {
'parentVersionIds': [
'string',
],
'branchName': 'string',
'createdBy': {
'name': 'string',
'arn': 'string'
},
'commitMessage': 'string'
},
'createdAt': datetime(2015, 1, 1),
'versionCreatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleId (string) --
The unique identifier of the configuration bundle.
bundleName (string) --
The name of the configuration bundle.
description (string) --
The description of the configuration bundle.
versionId (string) --
The version identifier of this configuration bundle version.
components (dict) --
A map of component identifiers to their configurations for this version.
(string) --
(dict) --
The configuration for a component within a configuration bundle. The component type is inferred from the component identifier ARN.
configuration (document) --
The configuration values as a flexible JSON document.
lineageMetadata (dict) --
The version lineage metadata, including parent versions, branch name, and creation source.
parentVersionIds (list) --
A list of parent version identifiers. Regular commits have 0-1 parents. Merge commits have 2 parents: the target branch parent and the source branch parent. The first parent represents the primary lineage.
(string) --
branchName (string) --
The branch name for this version. If not specified, inherits the parent's branch or defaults to mainline.
createdBy (dict) --
The source that created this version.
name (string) --
The name of the source (for example, user, optimization-job, or system).
arn (string) --
The Amazon Resource Name (ARN) of the source, if applicable (for example, a user ARN or optimization job ARN).
commitMessage (string) --
A commit message describing the changes in this version.
createdAt (datetime) --
The timestamp when the configuration bundle was created.
versionCreatedAt (datetime) --
The timestamp when this specific version was created.
Lists all versions of a configuration bundle, with optional filtering by branch name or creation source.
See also: AWS API Documentation
Request Syntax
client.list_configuration_bundle_versions(
bundleId='string',
nextToken='string',
maxResults=123,
filter={
'branchName': 'string',
'createdByName': 'string',
'latestPerBranch': True|False
}
)
bundleId (string) -- [REQUIRED]
The unique identifier of the configuration bundle to list versions for.
nextToken (string) --
If the total number of results is greater than the maxResults value provided in the request, enter the token returned in the nextToken field in the response in this field to return the next batch of results.
maxResults (integer) --
The maximum number of results to return in the response. If the total number of results is greater than this value, use the token returned in the response in the nextToken field when making another request to return the next batch of results.
filter (dict) --
An optional filter for listing versions, including branch name, creation source, and whether to return only the latest version per branch.
branchName (string) --
Filter by branch name.
createdByName (string) --
Filter by creation source name.
latestPerBranch (boolean) --
When true, returns only the latest version for each branch. When false or not specified, returns all versions. Can be combined with branchName to get the latest version for a specific branch.
Return type: dict
Response Syntax
{
'versions': [
{
'bundleArn': 'string',
'bundleId': 'string',
'versionId': 'string',
'lineageMetadata': {
'parentVersionIds': [
'string',
],
'branchName': 'string',
'createdBy': {
'name': 'string',
'arn': 'string'
},
'commitMessage': 'string'
},
'versionCreatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
versions (list) --
The list of configuration bundle version summaries.
(dict) --
Summary information about a configuration bundle version.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleId (string) --
The unique identifier of the configuration bundle.
versionId (string) --
The version identifier of this configuration bundle version.
lineageMetadata (dict) --
The version lineage metadata, including parent versions, branch name, and creation source.
parentVersionIds (list) --
A list of parent version identifiers. Regular commits have 0-1 parents. Merge commits have 2 parents: the target branch parent and the source branch parent. The first parent represents the primary lineage.
(string) --
branchName (string) --
The branch name for this version. If not specified, inherits the parent's branch or defaults to mainline.
createdBy (dict) --
The source that created this version.
name (string) --
The name of the source (for example, user, optimization-job, or system).
arn (string) --
The Amazon Resource Name (ARN) of the source, if applicable (for example, a user ARN or optimization job ARN).
commitMessage (string) --
A commit message describing the changes in this version.
versionCreatedAt (datetime) --
The timestamp when this version was created.
nextToken (string) --
If the total number of results is greater than the maxResults value provided in the request, use this token when making another request in the nextToken field to return the next batch of results.
Gets the latest version of a configuration bundle. By default, returns the latest version on the mainline branch. Use GetConfigurationBundleVersion to retrieve a specific historical version.
See also: AWS API Documentation
Request Syntax
client.get_configuration_bundle(
bundleId='string',
branchName='string'
)
bundleId (string) -- [REQUIRED]
The unique identifier of the configuration bundle to retrieve.
branchName (string) --
The branch name to get the latest version from. If not specified, returns the latest version on the mainline branch.
Return type: dict
Response Syntax
{
'bundleArn': 'string',
'bundleId': 'string',
'bundleName': 'string',
'description': 'string',
'versionId': 'string',
'components': {
'string': {
'configuration': {...}|[...]|123|123.4|'string'|True|None
}
},
'lineageMetadata': {
'parentVersionIds': [
'string',
],
'branchName': 'string',
'createdBy': {
'name': 'string',
'arn': 'string'
},
'commitMessage': 'string'
},
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleId (string) --
The unique identifier of the configuration bundle.
bundleName (string) --
The name of the configuration bundle.
description (string) --
The description of the configuration bundle.
versionId (string) --
The version identifier of this configuration bundle.
components (dict) --
A map of component identifiers to their configurations for this version.
(string) --
(dict) --
The configuration for a component within a configuration bundle. The component type is inferred from the component identifier ARN.
configuration (document) --
The configuration values as a flexible JSON document.
lineageMetadata (dict) --
The version lineage metadata, including parent versions, branch name, and creation source.
parentVersionIds (list) --
A list of parent version identifiers. Regular commits have 0-1 parents. Merge commits have 2 parents: the target branch parent and the source branch parent. The first parent represents the primary lineage.
(string) --
branchName (string) --
The branch name for this version. If not specified, inherits the parent's branch or defaults to mainline.
createdBy (dict) --
The source that created this version.
name (string) --
The name of the source (for example, user, optimization-job, or system).
arn (string) --
The Amazon Resource Name (ARN) of the source, if applicable (for example, a user ARN or optimization job ARN).
commitMessage (string) --
A commit message describing the changes in this version.
createdAt (datetime) --
The timestamp when the configuration bundle was created.
updatedAt (datetime) --
The timestamp when the configuration bundle was last updated.
Creates a rule for a gateway. Rules define conditions and actions that control how requests are routed and processed through the gateway, including principal-based access control and path-based routing.
See also: AWS API Documentation
Request Syntax
client.create_gateway_rule(
gatewayIdentifier='string',
clientToken='string',
priority=123,
conditions=[
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
actions=[
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
description='string'
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway to create a rule for.
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
priority (integer) -- [REQUIRED]
The priority of the rule. Rules are evaluated in order of priority, with lower numbers evaluated first. Must be between 1 and 1,000,000.
conditions (list) --
The conditions that must be met for the rule to apply. Conditions can match on principals (IAM ARNs) or request paths.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) -- [REQUIRED]
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) -- [REQUIRED]
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) -- [REQUIRED]
The actions to take when the rule conditions are met. Actions can route to a specific target or apply a configuration bundle override.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) -- [REQUIRED]
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) -- [REQUIRED]
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) -- [REQUIRED]
The name of this traffic split variant.
weight (integer) -- [REQUIRED]
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) -- [REQUIRED]
The configuration bundle reference for this variant.
bundleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) -- [REQUIRED]
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) -- [REQUIRED]
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) -- [REQUIRED]
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) -- [REQUIRED]
The name of this traffic split variant.
weight (integer) -- [REQUIRED]
The percentage of traffic to route to this variant.
targetName (string) -- [REQUIRED]
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The description of the gateway rule.
Return type: dict
Response Syntax
{
'ruleId': 'string',
'gatewayArn': 'string',
'priority': 123,
'conditions': [
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
'actions': [
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING',
'system': {
'managedBy': 'string'
}
}
Response Structure
(dict) --
ruleId (string) --
The unique identifier of the gateway rule.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway that the rule belongs to.
priority (integer) --
The priority of the rule. Rules are evaluated in order of priority, with lower numbers evaluated first.
conditions (list) --
The conditions that must be met for the rule to apply.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) --
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) --
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) --
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) --
The actions to take when the rule conditions are met.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) --
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) --
The configuration bundle reference for this variant.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) --
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) --
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant.
targetName (string) --
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The description of the gateway rule.
createdAt (datetime) --
The timestamp when the rule was created.
status (string) --
The current status of the rule.
system (dict) --
System-managed metadata for rules created by automated processes.
managedBy (string) --
The identifier of the system or process that manages this rule.
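The following is an added example, not part of the AWS documentation or SDK: an offline audit over rule dicts in the gateway rule response shape shown above. It flags wildcard ARNs paired with StringEquals, StringLike patterns that leave the account or principal name fully wild, weightedOverride weights that do not sum to 100, and rules sharing a priority. The sample rules, rule IDs, finding codes, and the "too broad" heuristic are constructed assumptions.

```python
from collections import Counter

WILDCARDS = ("*", "?")  # the wildcard characters the page lists for StringLike


def has_wildcard(value):
    return any(ch in value for ch in WILDCARDS)


def principal_findings(entry):
    """Check one matchPrincipals.anyOf entry; returns (code, detail) pairs."""
    iam = entry.get("iamPrincipal")
    if not iam:
        return []
    arn, op = iam.get("arn", ""), iam.get("operator")
    findings = []
    # StringEquals is an exact match, so '*' or '?' is taken literally and the
    # entry will not match the principals the author probably intended.
    if op == "StringEquals" and has_wildcard(arn):
        findings.append(("WILDCARD_WITH_STRINGEQUALS", arn))
    if op == "StringLike" and has_wildcard(arn):
        # arn:partition:service:region:account-id:resource
        parts = arn.split(":", 5)
        if len(parts) < 6:
            broad = True  # wildcard swallows whole ARN fields
        else:
            account, resource = parts[4], parts[5]
            name = resource.split("/", 1)[-1]
            # Heuristic (assumption): any account, or a name that is only wildcards.
            broad = has_wildcard(account) or not name.strip("*?/")
        if broad:
            findings.append(("BROAD_PRINCIPAL", arn))
    return findings


def weight_findings(action):
    """weightedOverride weights must sum to 100 per the field description."""
    override = action.get("configurationBundle", {}).get("weightedOverride")
    if not override:
        return []
    total = sum(e.get("weight", 0) for e in override.get("trafficSplit", []))
    return [] if total == 100 else [("WEIGHTS_NOT_100", str(total))]


def audit_rules(rules):
    """Return (ruleId, code, detail) findings, walking rules in evaluation order."""
    findings = []
    # The page says lower priority numbers are evaluated first but not how ties
    # are ordered, so shared priorities are reported for review (assumption).
    counts = Counter(r["priority"] for r in rules)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        rid = rule["ruleId"]
        if counts[rule["priority"]] > 1:
            findings.append((rid, "SHARED_PRIORITY", str(rule["priority"])))
        for cond in rule.get("conditions", []):
            for entry in cond.get("matchPrincipals", {}).get("anyOf", []):
                findings += [(rid, c, d) for c, d in principal_findings(entry)]
        for action in rule.get("actions", []):
            findings += [(rid, c, d) for c, d in weight_findings(action)]
    return findings


def split(name, weight):
    """Build one constructed trafficSplit entry with a placeholder bundle."""
    bundle = {"bundleArn": "<bundle-arn-placeholder>", "bundleVersion": "<version>"}
    return {"name": name, "weight": weight, "configurationBundle": bundle}


# Constructed sample data; in practice, pass the 'gatewayRules' list from
# list_gateway_rules. Account ID and names are illustrative only.
SAMPLE_RULES = [
    {"ruleId": "rule-c", "priority": 20,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:sts::111122223333:assumed-role/eval-runner/*",
         "operator": "StringLike"}}]}}],
     "actions": [{"configurationBundle": {"weightedOverride": {
         "trafficSplit": [split("control", 50), split("treatment", 50)]}}}]},
    {"ruleId": "rule-a", "priority": 10,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:iam::*:role/*", "operator": "StringLike"}}]}}],
     "actions": [{"routeToTarget": {"staticRoute": {"targetName": "target-1"}}}]},
    {"ruleId": "rule-b", "priority": 20,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:iam::111122223333:role/ci-*",
         "operator": "StringEquals"}}]}}],
     "actions": [{"configurationBundle": {"weightedOverride": {
         "trafficSplit": [split("control", 90), split("treatment", 20)]}}}]},
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```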
Deletes a gateway rule.
See also: AWS API Documentation
Request Syntax
client.delete_gateway_rule(
gatewayIdentifier='string',
ruleId='string'
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway containing the rule.
ruleId (string) -- [REQUIRED]
The unique identifier of the rule to delete.
Return type: dict
Response Syntax
{
'ruleId': 'string',
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING'
}
Response Structure
(dict) --
ruleId (string) --
The unique identifier of the deleted rule.
status (string) --
The status of the rule deletion operation.
Deletes a configuration bundle and all of its versions.
See also: AWS API Documentation
Request Syntax
client.delete_configuration_bundle(
bundleId='string'
)
bundleId (string) -- [REQUIRED]
The unique identifier of the configuration bundle to delete.
Return type: dict
Response Syntax
{
'bundleId': 'string',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED'
}
Response Structure
(dict) --
bundleId (string) --
The unique identifier of the deleted configuration bundle.
status (string) --
The status of the configuration bundle deletion operation.
Lists all rules for a gateway.
See also: AWS API Documentation
Request Syntax
client.list_gateway_rules(
gatewayIdentifier='string',
maxResults=123,
nextToken='string'
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway to list rules for.
maxResults (integer) --
The maximum number of results to return in the response. If the total number of results is greater than this value, use the token returned in the response in the nextToken field when making another request to return the next batch of results.
nextToken (string) --
The pagination token from a previous request.
Return type: dict
Response Syntax
{
'gatewayRules': [
{
'ruleId': 'string',
'gatewayArn': 'string',
'priority': 123,
'conditions': [
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
'actions': [
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING',
'system': {
'managedBy': 'string'
},
'updatedAt': datetime(2015, 1, 1)
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
gatewayRules (list) --
The list of gateway rules.
(dict) --
Detailed information about a gateway rule.
ruleId (string) --
The unique identifier of the gateway rule.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway that the rule belongs to.
priority (integer) --
The priority of the rule. Rules are evaluated in order of priority, with lower numbers evaluated first.
conditions (list) --
The conditions that must be met for the rule to apply.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) --
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) --
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) --
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) --
The actions to take when the rule conditions are met.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) --
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) --
The configuration bundle reference for this variant.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) --
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) --
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant.
targetName (string) --
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The description of the gateway rule.
createdAt (datetime) --
The timestamp when the rule was created.
status (string) --
The current status of the rule.
system (dict) --
System-managed metadata for rules created by automated processes.
managedBy (string) --
The identifier of the system or process that manages this rule.
updatedAt (datetime) --
The timestamp when the rule was last updated.
nextToken (string) --
The pagination token to use in a subsequent request.
Updates a configuration bundle by creating a new version with the specified changes. Each update creates a new version in the version history.
See also: AWS API Documentation
Request Syntax
client.update_configuration_bundle(
clientToken='string',
bundleId='string',
bundleName='string',
description='string',
components={
'string': {
'configuration': {...}|[...]|123|123.4|'string'|True|None
}
},
parentVersionIds=[
'string',
],
branchName='string',
commitMessage='string',
createdBy={
'name': 'string',
'arn': 'string'
}
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
bundleId (string) -- [REQUIRED]
The unique identifier of the configuration bundle to update.
bundleName (string) --
The updated name for the configuration bundle.
description (string) --
The updated description for the configuration bundle.
components (dict) --
The updated component configurations. Creates a new version of the bundle.
(string) --
(dict) --
The configuration for a component within a configuration bundle. The component type is inferred from the component identifier ARN.
configuration (:ref:`document<document>`) -- [REQUIRED]
The configuration values as a flexible JSON document.
parentVersionIds (list) --
A list of parent version identifiers for lineage tracking. Regular commits have a single parent. Merge commits have two parents: the target branch parent and the source branch parent. If the branch already exists, the first parent must be the latest version on that branch.
(string) --
branchName (string) --
The branch name for this version. If not specified, inherits the parent's branch or defaults to mainline.
commitMessage (string) --
A commit message describing the changes in this version.
createdBy (dict) --
The source that created this version, including the source name and optional ARN.
name (string) -- [REQUIRED]
The name of the source (for example, user, optimization-job, or system).
arn (string) --
The Amazon Resource Name (ARN) of the source, if applicable (for example, a user ARN or optimization job ARN).
dict
Response Syntax
{
'bundleArn': 'string',
'bundleId': 'string',
'versionId': 'string',
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
bundleArn (string) --
The Amazon Resource Name (ARN) of the updated configuration bundle.
bundleId (string) --
The unique identifier of the updated configuration bundle.
versionId (string) --
The new version identifier created by this update.
updatedAt (datetime) --
The timestamp when the configuration bundle was updated.
Updates a gateway rule's priority, conditions, actions, or description.
See also: AWS API Documentation
Request Syntax
client.update_gateway_rule(
gatewayIdentifier='string',
ruleId='string',
priority=123,
conditions=[
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
actions=[
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
description='string'
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway containing the rule.
ruleId (string) -- [REQUIRED]
The unique identifier of the rule to update.
priority (integer) --
The updated priority of the rule.
conditions (list) --
The updated conditions for the rule.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) -- [REQUIRED]
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) -- [REQUIRED]
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) --
The updated actions for the rule.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) -- [REQUIRED]
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) -- [REQUIRED]
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) -- [REQUIRED]
The name of this traffic split variant.
weight (integer) -- [REQUIRED]
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) -- [REQUIRED]
The configuration bundle reference for this variant.
bundleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) -- [REQUIRED]
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) -- [REQUIRED]
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) -- [REQUIRED]
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) -- [REQUIRED]
The name of this traffic split variant.
weight (integer) -- [REQUIRED]
The percentage of traffic to route to this variant.
targetName (string) -- [REQUIRED]
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The updated description of the rule.
dict
Response Syntax
{
'ruleId': 'string',
'gatewayArn': 'string',
'priority': 123,
'conditions': [
{
'matchPrincipals': {
'anyOf': [
{
'iamPrincipal': {
'arn': 'string',
'operator': 'StringEquals'|'StringLike'
}
},
]
},
'matchPaths': {
'anyOf': [
'string',
]
}
},
],
'actions': [
{
'configurationBundle': {
'staticOverride': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'weightedOverride': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'configurationBundle': {
'bundleArn': 'string',
'bundleVersion': 'string'
},
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
},
'routeToTarget': {
'staticRoute': {
'targetName': 'string'
},
'weightedRoute': {
'trafficSplit': [
{
'name': 'string',
'weight': 123,
'targetName': 'string',
'description': 'string',
'metadata': {
'string': 'string'
}
},
]
}
}
},
],
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'CREATING'|'ACTIVE'|'UPDATING'|'DELETING',
'system': {
'managedBy': 'string'
},
'updatedAt': datetime(2015, 1, 1)
}
Response Structure
(dict) --
Create response excludes updatedAt (redundant on create). Get/Update responses include it via their own output structures.
ruleId (string) --
The unique identifier of the gateway rule.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway that the rule belongs to.
priority (integer) --
The priority of the rule. Rules are evaluated in order of priority, with lower numbers evaluated first.
conditions (list) --
The conditions that must be met for the rule to apply.
(dict) --
A condition that determines when a gateway rule applies. Conditions can match on principals or request paths.
matchPrincipals (dict) --
A condition that matches on the identity of the caller making the request.
anyOf (list) --
A list of principal entries. The condition is met if any of the entries match the caller's identity.
(dict) --
Union for principal matching. Currently supports IAM principal ARN glob matching. Extensible for future principal types (e.g., OAuth client ID).
iamPrincipal (dict) --
An IAM principal to match against, specified by ARN.
arn (string) --
The Amazon Resource Name (ARN) of the IAM principal. Supports user, role, and assumed-role ARNs. Wildcards can be used with the StringLike operator.
operator (string) --
The match operator. StringEquals requires an exact match. StringLike supports wildcard patterns using * and ?.
matchPaths (dict) --
A condition that matches on the request path.
anyOf (list) --
A list of path patterns. The condition is met if the request path matches any of the patterns.
(string) --
actions (list) --
The actions to take when the rule conditions are met.
(dict) --
An action to take when a gateway rule's conditions are met.
configurationBundle (dict) --
An action that applies a configuration bundle override to the request.
staticOverride (dict) --
A static configuration bundle override that applies a single bundle version to all matching requests.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle to apply.
bundleVersion (string) --
The version of the configuration bundle to apply.
weightedOverride (dict) --
A weighted configuration bundle override that splits traffic between multiple bundle versions based on configured weights.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between configuration bundle versions.
(dict) --
An entry in a traffic split configuration, defining a named variant with a weight and configuration bundle reference.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant. Weights across all entries must sum to 100.
configurationBundle (dict) --
The configuration bundle reference for this variant.
bundleArn (string) --
The Amazon Resource Name (ARN) of the configuration bundle.
bundleVersion (string) --
The version of the configuration bundle.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
routeToTarget (dict) --
An action that routes the request to a specific target.
staticRoute (dict) --
A static route that sends all matching requests to a single target.
targetName (string) --
The name of the target to route requests to.
weightedRoute (dict) --
A weighted route that splits traffic between multiple targets.
trafficSplit (list) --
The traffic split entries defining how traffic is distributed between targets.
(dict) --
An entry in a target traffic split configuration.
name (string) --
The name of this traffic split variant.
weight (integer) --
The percentage of traffic to route to this variant.
targetName (string) --
The name of the target to route traffic to.
description (string) --
The description of this traffic split variant.
metadata (dict) --
Key-value metadata associated with this traffic split variant.
(string) --
(string) --
description (string) --
The description of the gateway rule.
createdAt (datetime) --
The timestamp when the rule was created.
status (string) --
The current status of the rule.
system (dict) --
System-managed metadata for rules created by automated processes.
managedBy (string) --
The identifier of the system or process that manages this rule.
updatedAt (datetime) --
The timestamp when the rule was last updated.
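The conditions and actions structures above are the same in list_gateway_rules output and update_gateway_rule input, so one offline check serves both. The following is an added example, not code from the AWS documentation: it flags StringLike principal patterns that are not pinned to an account, wildcards used with StringEquals, rules with no principal condition, and traffic splits whose weights do not sum to 100. The sample rules, rule IDs, ARNs, path pattern and bundle placeholders are constructed; treating a missing operator as StringEquals and applying the sum-to-100 check to weightedRoute are assumptions.

```python
import re

def like_to_regex(pattern):
    """Compile a StringLike pattern: '*' is any run of characters, '?' is
    exactly one, and every other character is matched literally."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.DOTALL)

def principal_matches(entry, caller_arn):
    """Apply one matchPrincipals.anyOf entry to a caller ARN."""
    iam = entry["iamPrincipal"]
    if iam.get("operator") == "StringLike":
        return like_to_regex(iam["arn"]).fullmatch(caller_arn) is not None
    # StringEquals is an exact match; a missing operator is treated the same
    # way here, which is an assumption of this example.
    return iam["arn"] == caller_arn

def audit_rule(rule):
    """Return a list of finding strings for one gateway rule dict."""
    findings = []
    conditions = rule.get("conditions", [])
    if not any("matchPrincipals" in c for c in conditions):
        findings.append("no matchPrincipals: rule is not restricted by caller identity")
    for cond in conditions:
        for entry in cond.get("matchPrincipals", {}).get("anyOf", []):
            iam = entry.get("iamPrincipal", {})
            arn, op = iam.get("arn", ""), iam.get("operator")
            wild = "*" in arn or "?" in arn
            if op == "StringLike" and wild:
                # arn:partition:service:region:account-id:resource
                fields = arn.split(":", 5)
                if len(fields) < 6 or any(w in fields[4] for w in "*?"):
                    findings.append("StringLike pattern %r is not pinned to one account" % arn)
            elif op == "StringEquals" and wild:
                findings.append("StringEquals compares %r literally; wildcards never expand" % arn)
    split_locations = (("configurationBundle", "weightedOverride"),
                       ("routeToTarget", "weightedRoute"))
    for action in rule.get("actions", []):
        for kind, split_key in split_locations:
            split = action.get(kind, {}).get(split_key, {}).get("trafficSplit")
            if split is None:
                continue
            total = sum(variant["weight"] for variant in split)
            # The reference states the sum-to-100 rule for weightedOverride;
            # applying it to weightedRoute as well is this example's assumption.
            if total != 100:
                findings.append("%s weights sum to %d, not 100" % (split_key, total))
    return findings

def audit_rules(rules):
    """Audit rules in evaluation order (lower priority number first)."""
    report = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        for finding in audit_rule(rule):
            report.append((rule["priority"], rule["ruleId"], finding))
    return report

# Constructed sample in the shape of the 'gatewayRules' list; no value is real.
BUNDLE = {"bundleArn": "EXAMPLE-BUNDLE-ARN", "bundleVersion": "EXAMPLE-VERSION"}
SAMPLE_RULES = [
    {"ruleId": "rule-a", "priority": 10,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:iam::111122223333:role/agent-*", "operator": "StringLike"}}]}}],
     "actions": [{"configurationBundle": {"weightedOverride": {"trafficSplit": [
         {"name": "control", "weight": 90, "configurationBundle": BUNDLE},
         {"name": "treatment", "weight": 10, "configurationBundle": BUNDLE}]}}}]},
    {"ruleId": "rule-b", "priority": 5,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:iam::*:role/*", "operator": "StringLike"}}]}}],
     "actions": [{"routeToTarget": {"weightedRoute": {"trafficSplit": [
         {"name": "blue", "weight": 60, "targetName": "target-blue"},
         {"name": "green", "weight": 30, "targetName": "target-green"}]}}}]},
    {"ruleId": "rule-c", "priority": 20,
     "conditions": [{"matchPaths": {"anyOf": ["/tools/*"]}}],
     "actions": [{"routeToTarget": {"staticRoute": {"targetName": "target-blue"}}}]},
    {"ruleId": "rule-d", "priority": 30,
     "conditions": [{"matchPrincipals": {"anyOf": [{"iamPrincipal": {
         "arn": "arn:aws:iam::111122223333:role/*", "operator": "StringEquals"}}]}}],
     "actions": [{"routeToTarget": {"staticRoute": {"targetName": "target-green"}}}]},
]

if __name__ == "__main__":
    for priority, rule_id, finding in audit_rules(SAMPLE_RULES):
        print(priority, rule_id, finding)
```

Because rule-b has the lowest priority number it is evaluated first, so its account-wide wildcard is the finding to resolve before the narrower rules behind it matter.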
{'kmsKeyArn': 'string'}
Creates a custom evaluator for agent quality assessment. Custom evaluators can use either LLM-as-a-Judge configurations with user-defined prompts, rating scales, and model settings, or code-based configurations with customer-managed Lambda functions to evaluate agent performance at tool call, trace, or session levels.
See also: AWS API Documentation
Request Syntax
client.create_evaluator(
clientToken='string',
evaluatorName='string',
description='string',
evaluatorConfig={
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
},
'codeBased': {
'lambdaConfig': {
'lambdaArn': 'string',
'lambdaTimeoutInSeconds': 123
}
}
},
level='TOOL_CALL'|'TRACE'|'SESSION',
kmsKeyArn='string',
tags={
'string': 'string'
}
)
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
evaluatorName (string) -- [REQUIRED]
The name of the evaluator. Must be unique within your account.
description (string) --
The description of the evaluator that explains its purpose and evaluation criteria.
evaluatorConfig (dict) -- [REQUIRED]
The configuration for the evaluator. Specify either LLM-as-a-Judge settings with instructions, rating scale, and model configuration, or code-based settings with a customer-managed Lambda function.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) -- [REQUIRED]
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) -- [REQUIRED]
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this numerical rating represents and when it should be used.
value (float) -- [REQUIRED]
The numerical value for this rating scale option.
label (string) -- [REQUIRED]
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this categorical rating represents and when it should be used.
label (string) -- [REQUIRED]
The label or name of this categorical rating option.
modelConfig (dict) -- [REQUIRED]
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) -- [REQUIRED]
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (:ref:`document<document>`) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
codeBased (dict) --
Configuration for a code-based evaluator that uses a customer-managed Lambda function to programmatically assess agent performance.
lambdaConfig (dict) --
The Lambda function configuration for code-based evaluation.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function that implements the evaluation logic.
lambdaTimeoutInSeconds (integer) --
The timeout in seconds for the Lambda function invocation. Defaults to 60. Must be between 1 and 300.
level (string) -- [REQUIRED]
The evaluation level that determines the scope of evaluation. Valid values are TOOL_CALL for individual tool invocations, TRACE for single request-response interactions, or SESSION for entire conversation sessions.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of a customer managed KMS key to use for encrypting sensitive evaluator data, including instructions and rating scale. If you don't specify a KMS key, the evaluator data is encrypted with an Amazon Web Services owned key. Only symmetric encryption KMS keys are supported. For more information, see Encryption at rest for AgentCore Evaluations.
tags (dict) --
A map of tag keys and values to assign to an AgentCore Evaluator. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.
(string) --
(string) --
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'createdAt': datetime(2015, 1, 1),
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the created evaluator.
evaluatorId (string) --
The unique identifier of the created evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
status (string) --
The status of the evaluator creation operation.
{'authorizerType': {'AUTHENTICATE_ONLY'}}
Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.
If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.
See also: AWS API Documentation
Request Syntax
client.create_gateway(
name='string',
description='string',
clientToken='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG',
tags={
'string': 'string'
}
)
name (string) -- [REQUIRED]
The name of the gateway. The name must be unique within your account.
description (string) --
The description of the gateway.
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
roleArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.
protocolType (string) --
The protocol type for the gateway.
protocolConfiguration (dict) --
The configuration settings for the protocol specified in the protocolType parameter.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) -- [REQUIRED]
The type of authorizer to use for the gateway.
CUSTOM_JWT - Authorize with a bearer token.
AWS_IAM - Authorize with your Amazon Web Services IAM credentials.
NONE - No authorization.
authorizerConfiguration (dict) --
The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) -- [REQUIRED]
The domain to override with a private endpoint.
privateEndpoint (dict) -- [REQUIRED]
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
interceptorConfigurations (list) --
A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
tags (dict) --
A map of key-value pairs to associate with the gateway as metadata tags.
(string) --
(string) --
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the created gateway.
gatewayId (string) --
The unique identifier of the created gateway.
gatewayUrl (string) --
The URL endpoint for the created gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The Amazon Resource Name (ARN) of the IAM role associated with the gateway.
protocolType (string) --
The protocol type of the gateway.
protocolConfiguration (dict) --
The configuration settings for the protocol used by the gateway.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
The type of authorizer used by the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the created gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.
interceptorConfigurations (list) --
The list of interceptor configurations for the created gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) --
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the created gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the created gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
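The fields above with a security consequence (default security group fallback, LOG_ONLY policy mode, DEBUG exception level, header pass-through to interceptors) can be checked offline against a gateway description. This is an added example, not AWS code: the finding codes, the sample dict and its placeholder ARNs and IDs are constructed here, and reading `authorizerType` of `NONE` as "no inbound authorizer" is an assumption based on the value's name.

```python
# Added example: offline review of a create_gateway / get_gateway style response.
# Finding codes are this example's own names, not part of the AWS API.


def managed_vpc_blocks(gw):
    """Yield (location, managedVpcResource) for each JWT-authorizer private endpoint."""
    jwt = gw.get("authorizerConfiguration", {}).get("customJWTAuthorizer", {})
    endpoints = [("privateEndpoint", jwt.get("privateEndpoint", {}))]
    for override in jwt.get("privateEndpointOverrides", []):
        where = f"privateEndpointOverrides[{override.get('domain')}]"
        endpoints.append((where, override.get("privateEndpoint", {})))
    for where, endpoint in endpoints:
        if "managedVpcResource" in endpoint:
            yield where, endpoint["managedVpcResource"]


def audit_gateway(gw):
    """Return a list of (code, detail) findings for one gateway description."""
    findings = []

    if gw.get("authorizerType") == "NONE":
        findings.append(("AUTH_NONE", "authorizerType is NONE"))

    # Omitting securityGroupIds falls back to the VPC's default security group.
    for where, vpc in managed_vpc_blocks(gw):
        if not vpc.get("securityGroupIds"):
            findings.append(("DEFAULT_SG", f"{where}: default VPC security group in use"))

    engine = gw.get("policyEngineConfiguration")
    if not engine:
        findings.append(("NO_POLICY_ENGINE", "no policy engine associated"))
    elif engine.get("mode") == "LOG_ONLY":
        # LOG_ONLY records allow/deny traces but does not enforce the decision.
        findings.append(("POLICY_LOG_ONLY", "policy decisions are traced, not enforced"))

    if gw.get("exceptionLevel") == "DEBUG":
        findings.append(("DEBUG_ERRORS", "granular exception messages are returned to callers"))

    for i, cfg in enumerate(gw.get("interceptorConfigurations", [])):
        if cfg.get("inputConfiguration", {}).get("passRequestHeaders"):
            arn = cfg.get("interceptor", {}).get("lambda", {}).get("arn")
            findings.append(("HEADERS_TO_INTERCEPTOR",
                             f"interceptorConfigurations[{i}] passes request headers to {arn}"))
    return findings


# Constructed sample; every ARN, ID and domain is a placeholder.
SAMPLE_GATEWAY = {
    "name": "example-gateway",
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedAudience": ["example-audience"],
            "privateEndpoint": {
                "managedVpcResource": {
                    "vpcIdentifier": "vpc-EXAMPLE",
                    "subnetIds": ["subnet-EXAMPLE"],
                    "endpointIpAddressType": "IPV4",
                }
            },
            "privateEndpointOverrides": [{
                "domain": "keys.idp.example.com",
                "privateEndpoint": {
                    "managedVpcResource": {
                        "vpcIdentifier": "vpc-EXAMPLE",
                        "subnetIds": ["subnet-EXAMPLE"],
                        "endpointIpAddressType": "IPV4",
                        "securityGroupIds": ["sg-EXAMPLE"],
                    }
                },
            }],
        }
    },
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "arn:aws:lambda:REGION:ACCOUNT:function:EXAMPLE"}},
        "interceptionPoints": ["REQUEST"],
        "inputConfiguration": {"passRequestHeaders": True},
    }],
    "policyEngineConfiguration": {"arn": "POLICY-ENGINE-ARN-PLACEHOLDER", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

if __name__ == "__main__":
    for code, detail in audit_gateway(SAMPLE_GATEWAY):
        print(f"{code}: {detail}")
```

Feed it the dict returned by the gateway create or get call; which findings block a deployment is a local policy decision.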
{'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}
Response {'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'protocolType': 'MCP | HTTP',
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}
Creates a target for a gateway. A target defines an endpoint that the gateway can connect to.
See also: AWS API Documentation
Request Syntax
client.create_gateway_target(
gatewayIdentifier='string',
name='string',
description='string',
clientToken='string',
targetConfiguration={
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
credentialProviderConfigurations=[
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
metadataConfiguration={
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
privateEndpoint={
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
)
gatewayIdentifier (string) -- [REQUIRED]
The identifier of the gateway to create a target for.
name (string) -- [REQUIRED]
The name of the gateway target. The name must be unique within the gateway.
description (string) --
The description of the gateway target.
clientToken (string) --
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
targetConfiguration (dict) -- [REQUIRED]
The configuration settings for the target, including endpoint information and schema definitions.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) -- [REQUIRED]
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) -- [REQUIRED]
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) -- [REQUIRED]
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) -- [REQUIRED]
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) -- [REQUIRED]
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) -- [REQUIRED]
The ID of the API Gateway REST API.
stage (string) -- [REQUIRED]
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) -- [REQUIRED]
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) -- [REQUIRED]
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) -- [REQUIRED]
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) -- [REQUIRED]
The HTTP method to expose for the specified path.
toolFilters (list) -- [REQUIRED]
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) -- [REQUIRED]
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) -- [REQUIRED]
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
credentialProviderConfigurations (list) --
The credential provider configurations for the target. These configurations specify how the gateway authenticates with the target endpoint.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) -- [REQUIRED]
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) -- [REQUIRED]
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) -- [REQUIRED]
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
metadataConfiguration (dict) --
Optional configuration for HTTP header and query parameter propagation to and from the gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
privateEndpoint (dict) --
The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
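A pre-flight lint of `create_gateway_target` keyword arguments, covering the `mcpToolSchema` grant-type constraint, wildcard `toolFilters`, API key placement and request-header propagation described above. This is an added example, not AWS code: the finding codes, the credential-header list and both sample requests (with placeholder ARNs and IDs) are constructed here, and treating a filter path ending in `/*` as broad exposure is this example's review policy.

```python
# Added example: offline lint of create_gateway_target keyword arguments.
# Finding codes and the header list below are this example's own choices.

WRITE_METHODS = {"DELETE", "PATCH", "POST", "PUT"}
CREDENTIAL_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}


def lint_target_request(req):
    """Return a list of (code, detail) findings for one target request."""
    findings = []
    mcp = req.get("targetConfiguration", {}).get("mcp", {})
    providers = [c.get("credentialProvider", {})
                 for c in req.get("credentialProviderConfigurations", [])]

    # mcpToolSchema is supported only with an authorization code grant.
    if "mcpToolSchema" in mcp.get("mcpServer", {}):
        grants = {p.get("oauthCredentialProvider", {}).get("grantType") for p in providers}
        if "AUTHORIZATION_CODE" not in grants:
            findings.append(("MCP_SCHEMA_NEEDS_AUTH_CODE",
                             "mcpToolSchema set without an AUTHORIZATION_CODE OAuth provider"))

    # A wildcard filterPath exposes every path under it for the listed methods.
    tool_cfg = mcp.get("apiGateway", {}).get("apiGatewayToolConfiguration", {})
    for flt in tool_cfg.get("toolFilters", []):
        writes = sorted(WRITE_METHODS & set(flt.get("methods", [])))
        if flt.get("filterPath", "").endswith("/*") and writes:
            findings.append(("WILDCARD_WRITE_FILTER",
                             f"{flt['filterPath']} exposes {', '.join(writes)} as tools"))

    # An API key sent as a query parameter becomes part of the request URL.
    for p in providers:
        key_cfg = p.get("apiKeyCredentialProvider", {})
        if key_cfg.get("credentialLocation") == "QUERY_PARAMETER":
            findings.append(("API_KEY_IN_QUERY",
                             f"API key sent as query parameter {key_cfg.get('credentialParameterName')}"))

    # Headers on this list are forwarded from the client request to the target.
    allowed = req.get("metadataConfiguration", {}).get("allowedRequestHeaders", [])
    forwarded = sorted(h for h in allowed if h.lower() in CREDENTIAL_HEADERS)
    if forwarded:
        findings.append(("CREDENTIAL_HEADER_PROPAGATED",
                         f"client headers forwarded to target: {', '.join(forwarded)}"))
    return findings


# Constructed samples; every ARN, ID and URL is a placeholder.
SAMPLE_API_GATEWAY_TARGET = {
    "gatewayIdentifier": "GATEWAY-ID-PLACEHOLDER",
    "name": "pets-api",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "REST-API-ID-PLACEHOLDER",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
            {"filterPath": "/health", "methods": ["GET"]},
        ]},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "PROVIDER-ARN-PLACEHOLDER",
            "credentialParameterName": "api_key",
            "credentialLocation": "QUERY_PARAMETER",
        }},
    }],
    "metadataConfiguration": {"allowedRequestHeaders": ["Authorization", "X-Trace-Id"]},
}

SAMPLE_MCP_SERVER_TARGET = {
    "gatewayIdentifier": "GATEWAY-ID-PLACEHOLDER",
    "name": "remote-mcp",
    "targetConfiguration": {"mcp": {"mcpServer": {
        "endpoint": "https://mcp.example.com/mcp",
        "mcpToolSchema": {"inlinePayload": "{}"},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "OAUTH",
        "credentialProvider": {"oauthCredentialProvider": {
            "providerArn": "PROVIDER-ARN-PLACEHOLDER",
            "scopes": ["tools.read"],
            "grantType": "CLIENT_CREDENTIALS",
        }},
    }],
}

if __name__ == "__main__":
    for sample in (SAMPLE_API_GATEWAY_TARGET, SAMPLE_MCP_SERVER_TARGET):
        for code, detail in lint_target_request(sample):
            print(f"{sample['name']}: {code}: {detail}")
```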
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1),
'metadataConfiguration': {
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointManagedResources': [
{
'domain': 'string',
'resourceGatewayArn': 'string',
'resourceAssociationArn': 'string'
},
],
'authorizationData': {
'oauth2': {
'authorizationUrl': 'string',
'userId': 'string'
}
},
'protocolType': 'MCP'|'HTTP'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the created target.
createdAt (datetime) --
The timestamp when the target was created.
updatedAt (datetime) --
The timestamp when the target was last updated.
status (string) --
The current status of the target.
statusReasons (list) --
The reasons for the current status of the target.
(string) --
name (string) --
The name of the target.
description (string) --
The description of the target.
targetConfiguration (dict) --
The configuration settings for the target.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
credentialProviderConfigurations (list) --
The credential provider configurations for the target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) --
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
lastSynchronizedAt (datetime) --
The last synchronization of the target.
metadataConfiguration (dict) --
The metadata configuration that was applied to the created gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
privateEndpoint (dict) --
The private endpoint configuration for the gateway target.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointManagedResources (list) --
The managed resources created by the gateway for private endpoint connectivity.
(dict) --
Details of a resource created and managed by the gateway for private endpoint connectivity.
domain (string) --
The domain associated with this managed resource.
resourceGatewayArn (string) --
The ARN of the VPC Lattice resource gateway created in your account.
resourceAssociationArn (string) --
The ARN of the service network resource association.
authorizationData (dict) --
OAuth2 authorization data for the created gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.
oauth2 (dict) --
OAuth2 authorization data for the gateway target.
authorizationUrl (string) --
The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.
userId (string) --
The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
protocolType (string) --
The protocol type of the created gateway target.
{'includedData': 'ALL_DATA | METADATA_ONLY'}
Response {'kmsKeyArn': 'string'}
Retrieves detailed information about an evaluator, including its configuration, status, and metadata. Works with both built-in and custom evaluators.
See also: AWS API Documentation
Request Syntax
client.get_evaluator(
evaluatorId='string',
includedData='ALL_DATA'|'METADATA_ONLY'
)
string
[REQUIRED]
The unique identifier of the evaluator to retrieve. Can be a built-in evaluator ID (e.g., Builtin.Helpfulness) or a custom evaluator ID.
string
Controls which data is returned in the response. ALL_DATA (default) returns the full evaluator including decrypted instructions and rating scale. For evaluators encrypted with a customer managed KMS key, this requires kms:Decrypt permission on the key. METADATA_ONLY returns evaluator metadata and model configuration without instructions or rating scale, and does not require any KMS permissions.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'evaluatorName': 'string',
'description': 'string',
'evaluatorConfig': {
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
},
'codeBased': {
'lambdaConfig': {
'lambdaArn': 'string',
'lambdaTimeoutInSeconds': 123
}
}
},
'level': 'TOOL_CALL'|'TRACE'|'SESSION',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'lockedForModification': True|False,
'kmsKeyArn': 'string'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the evaluator.
evaluatorId (string) --
The unique identifier of the evaluator.
evaluatorName (string) --
The name of the evaluator.
description (string) --
The description of the evaluator.
evaluatorConfig (dict) --
The configuration of the evaluator, including LLM-as-a-Judge or code-based settings.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) --
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) --
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) --
The description that explains what this numerical rating represents and when it should be used.
value (float) --
The numerical value for this rating scale option.
label (string) --
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) --
The description that explains what this categorical rating represents and when it should be used.
label (string) --
The label or name of this categorical rating option.
modelConfig (dict) --
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) --
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (document) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
codeBased (dict) --
Configuration for a code-based evaluator that uses a customer-managed Lambda function to programmatically assess agent performance.
lambdaConfig (dict) --
The Lambda function configuration for code-based evaluation.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function that implements the evaluation logic.
lambdaTimeoutInSeconds (integer) --
The timeout in seconds for the Lambda function invocation. Defaults to 60. Must be between 1 and 300.
level (string) --
The evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
status (string) --
The current status of the evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
lockedForModification (boolean) --
Whether the evaluator is locked for modification due to being referenced by active online evaluation configurations.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the customer managed KMS key used to encrypt the evaluator's sensitive data. This field is only present for evaluators encrypted with a customer managed key.
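The includedData behaviour described above, as an added example that is not part of the AWS documentation: an inventory routine that always requests METADATA_ONLY, so the role running it needs no kms:Decrypt permission and never receives evaluator instructions. StubControlClient, the sample records, the PermissionError it raises and every ARN and ID are constructed for the example; a real boto3 client raises its own error type.

```python
import copy

# Constructed sample records shaped like get_evaluator responses (not real resources).
SAMPLE_EVALUATORS = {
    "example-judge": {
        "evaluatorId": "example-judge",
        "evaluatorConfig": {"llmAsAJudge": {
            "instructions": "constructed secret rubric",
            "ratingScale": {"categorical": [{"definition": "ok", "label": "PASS"}]},
            "modelConfig": {"bedrockEvaluatorModelConfig": {"modelId": "example.model-id"}},
        }},
        "level": "TRACE",
        "lockedForModification": True,
        "kmsKeyArn": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    "example-lambda-check": {
        "evaluatorId": "example-lambda-check",
        "evaluatorConfig": {"codeBased": {"lambdaConfig": {
            "lambdaArn": "arn:aws:lambda:us-east-1:111122223333:function:example-eval",
            "lambdaTimeoutInSeconds": 60,
        }}},
        "level": "SESSION",
        "lockedForModification": False,
    },
}


class StubControlClient:
    """Offline stand-in for the control client; models a caller WITHOUT kms:Decrypt."""

    def __init__(self, evaluators):
        self._evaluators = evaluators

    def get_evaluator(self, evaluatorId, includedData="ALL_DATA"):
        record = copy.deepcopy(self._evaluators[evaluatorId])
        if includedData == "METADATA_ONLY":
            # Metadata and model configuration only: no instructions, no rating scale.
            judge = record.get("evaluatorConfig", {}).get("llmAsAJudge", {})
            judge.pop("instructions", None)
            judge.pop("ratingScale", None)
            return record
        if record.get("kmsKeyArn"):
            # ALL_DATA on a customer-managed-key evaluator needs kms:Decrypt.
            raise PermissionError("kms:Decrypt is required for ALL_DATA")
        return record


def inventory_evaluator(client, evaluator_id):
    """Summarise one evaluator using only METADATA_ONLY."""
    resp = client.get_evaluator(evaluatorId=evaluator_id, includedData="METADATA_ONLY")
    config = resp.get("evaluatorConfig", {})
    judge = config.get("llmAsAJudge", {})
    # Fail closed if sensitive fields unexpectedly come back in a metadata call.
    leaked = [key for key in ("instructions", "ratingScale") if judge.get(key)]
    if leaked:
        raise ValueError(f"METADATA_ONLY response contained {leaked}")
    code = config.get("codeBased", {}).get("lambdaConfig", {})
    model = judge.get("modelConfig", {}).get("bedrockEvaluatorModelConfig", {})
    return {
        "evaluatorId": resp.get("evaluatorId"),
        "kind": "codeBased" if "codeBased" in config else "llmAsAJudge",
        "level": resp.get("level"),
        "modelId": model.get("modelId"),
        "lambdaArn": code.get("lambdaArn"),
        "kmsKeyArn": resp.get("kmsKeyArn"),  # present only for customer managed keys
        "lockedForModification": resp.get("lockedForModification", False),
    }


def inventory_all(client, evaluator_ids):
    """Inventory several evaluators, sorted by ID for stable reports."""
    return [inventory_evaluator(client, eid) for eid in sorted(evaluator_ids)]


if __name__ == "__main__":
    for row in inventory_all(StubControlClient(SAMPLE_EVALUATORS), SAMPLE_EVALUATORS):
        print(row)
```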
{'authorizerType': {'AUTHENTICATE_ONLY'}}
Retrieves information about a specific Gateway.
See also: AWS API Documentation
Request Syntax
client.get_gateway(
gatewayIdentifier='string'
)
string
[REQUIRED]
The identifier of the gateway to retrieve.
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
gatewayId (string) --
The unique identifier of the gateway.
gatewayUrl (string) --
An endpoint for invoking the gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the gateway.
statusReasons (list) --
The reasons for the current status of the gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The description of the gateway.
roleArn (string) --
The IAM role ARN that provides permissions for the gateway.
protocolType (string) --
Protocol applied to a gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
Authorizer type for the gateway.
authorizerConfiguration (dict) --
The authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The interceptors configured on the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) --
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
{'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'protocolType': 'MCP | HTTP',
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}
Retrieves information about a specific gateway target.
See also: AWS API Documentation
Request Syntax
client.get_gateway_target(
gatewayIdentifier='string',
targetId='string'
)
string
[REQUIRED]
The identifier of the gateway that contains the target.
string
[REQUIRED]
The unique identifier of the target to retrieve.
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1),
'metadataConfiguration': {
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointManagedResources': [
{
'domain': 'string',
'resourceGatewayArn': 'string',
'resourceAssociationArn': 'string'
},
],
'authorizationData': {
'oauth2': {
'authorizationUrl': 'string',
'userId': 'string'
}
},
'protocolType': 'MCP'|'HTTP'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the gateway target.
createdAt (datetime) --
The timestamp when the gateway target was created.
updatedAt (datetime) --
The timestamp when the gateway target was last updated.
status (string) --
The current status of the gateway target.
statusReasons (list) --
The reasons for the current status of the gateway target.
(string) --
name (string) --
The name of the gateway target.
description (string) --
The description of the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
credentialProviderConfigurations (list) --
The credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) --
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
lastSynchronizedAt (datetime) --
The timestamp of the last synchronization of the target.
metadataConfiguration (dict) --
The metadata configuration for HTTP header and query parameter propagation for the retrieved gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
privateEndpoint (dict) --
The private endpoint configuration for the gateway target.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointManagedResources (list) --
The managed resources created by the gateway for private endpoint connectivity.
(dict) --
Details of a resource created and managed by the gateway for private endpoint connectivity.
domain (string) --
The domain associated with this managed resource.
resourceGatewayArn (string) --
The ARN of the VPC Lattice resource gateway created in your account.
resourceAssociationArn (string) --
The ARN of the service network resource association.
authorizationData (dict) --
OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.
oauth2 (dict) --
OAuth2 authorization data for the gateway target.
authorizationUrl (string) --
The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.
userId (string) --
The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
protocolType (string) --
The protocol type of the gateway target.
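A configuration review over the response fields described above, as an added example that is not part of the AWS reference. It works offline on constructed response dicts; the finding codes, the `SENSITIVE_HEADERS` list, the function name and all ARNs and IDs in the samples are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Assumption: header names treated as credential-bearing (not part of the API reference).
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def audit_gateway_target(target):
    """Return sorted finding codes for one get_gateway_target response dict."""
    findings = set()

    for cfg in target.get("credentialProviderConfigurations", []):
        provider = cfg.get("credentialProvider", {})
        api_key = provider.get("apiKeyCredentialProvider", {})
        # An API key placed in the query string ends up in URLs, and URLs get logged.
        if (cfg.get("credentialProviderType") == "API_KEY"
                and api_key.get("credentialLocation") == "QUERY_PARAMETER"):
            findings.add("api-key-in-query-parameter")
        oauth = provider.get("oauthCredentialProvider", {})
        return_url = oauth.get("defaultReturnUrl")
        # The browser is redirected here after the authorization code is obtained.
        if oauth.get("grantType") == "AUTHORIZATION_CODE" and return_url:
            if urlparse(return_url).scheme.lower() != "https":
                findings.add("oauth-return-url-not-https")

    metadata = target.get("metadataConfiguration", {})
    for name in metadata.get("allowedRequestHeaders", []):
        if name.lower() in SENSITIVE_HEADERS:
            findings.add("propagates-header:" + name.lower())

    # Without securityGroupIds the VPC's default security group is used.
    managed = target.get("privateEndpoint", {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.add("managed-vpc-uses-default-security-group")

    api_gw = target.get("targetConfiguration", {}).get("mcp", {}).get("apiGateway", {})
    tool_cfg = api_gw.get("apiGatewayToolConfiguration", {})
    for flt in tool_cfg.get("toolFilters", []):
        path = flt.get("filterPath", "")
        # A wildcard path plus state-changing methods exposes every matching operation.
        if path.endswith("/*") and MUTATING_METHODS & set(flt.get("methods", [])):
            findings.add("wildcard-filter-exposes-mutating-methods:" + path)

    return sorted(findings)


# Constructed sample responses (placeholder ARNs and IDs, trimmed to the audited fields).
SAMPLE_API_KEY_TARGET = {
    "targetId": "TARGETAAA1",
    "name": "pets-api",
    "status": "READY",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "abc123example",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
            {"filterPath": "/health", "methods": ["GET"]},
        ]},
    }}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "arn:aws:EXAMPLE:placeholder-api-key-provider",
            "credentialParameterName": "api_key",
            "credentialLocation": "QUERY_PARAMETER",
        }},
    }],
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id", "Authorization"]},
    "protocolType": "MCP",
}

SAMPLE_OAUTH_TARGET = {
    "targetId": "TARGETBBB2",
    "name": "internal-mcp",
    "status": "READY",
    "targetConfiguration": {"mcp": {"mcpServer": {"endpoint": "https://mcp.internal.example/mcp"}}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "OAUTH",
        "credentialProvider": {"oauthCredentialProvider": {
            "providerArn": "arn:aws:EXAMPLE:placeholder-oauth-provider",
            "scopes": ["read"],
            "grantType": "AUTHORIZATION_CODE",
            "defaultReturnUrl": "http://app.example/callback",
        }},
    }],
    "privateEndpoint": {"managedVpcResource": {
        "vpcIdentifier": "vpc-EXAMPLE",
        "subnetIds": ["subnet-EXAMPLE"],
        "endpointIpAddressType": "IPV4",
    }},
    "protocolType": "MCP",
}

if __name__ == "__main__":
    for sample in (SAMPLE_API_KEY_TARGET, SAMPLE_OAUTH_TARGET):
        print(sample["name"], audit_gateway_target(sample))
```

In practice the function would be fed the dict returned by `client.get_gateway_target(gatewayIdentifier=..., targetId=...)` for each target in a gateway.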
{'evaluators': {'kmsKeyArn': 'string'}}
Lists all available evaluators, including both built-in evaluators provided by the service and custom evaluators created by the user.
See also: AWS API Documentation
Request Syntax
client.list_evaluators(
nextToken='string',
maxResults=123
)
string
The pagination token from a previous request to retrieve the next page of results.
integer
The maximum number of evaluators to return in a single response.
dict
Response Syntax
{
'evaluators': [
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'evaluatorName': 'string',
'description': 'string',
'evaluatorType': 'Builtin'|'Custom'|'CustomCode',
'level': 'TOOL_CALL'|'TRACE'|'SESSION',
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'lockedForModification': True|False,
'kmsKeyArn': 'string'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
evaluators (list) --
The list of evaluator summaries containing basic information about each evaluator.
(dict) --
The summary information about an evaluator, including basic metadata and status information.
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the evaluator.
evaluatorId (string) --
The unique identifier of the evaluator.
evaluatorName (string) --
The name of the evaluator.
description (string) --
The description of the evaluator.
evaluatorType (string) --
The type of evaluator, indicating whether it is a built-in evaluator provided by the service or a custom evaluator created by the user.
level (string) --
The evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
status (string) --
The current status of the evaluator.
createdAt (datetime) --
The timestamp when the evaluator was created.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
lockedForModification (boolean) --
Whether the evaluator is locked for modification due to being referenced by active online evaluation configurations.
kmsKeyArn (string) --
The Amazon Resource Name (ARN) of the customer managed KMS key used to encrypt the evaluator's sensitive data. This field is only present for evaluators encrypted with a customer managed key.
nextToken (string) --
The pagination token to use in a subsequent request to retrieve the next page of results.
{'items': {'authorizerType': {'AUTHENTICATE_ONLY'}}}
Lists all gateways in the account.
See also: AWS API Documentation
Request Syntax
client.list_gateways(
maxResults=123,
nextToken='string'
)
integer
The maximum number of results to return in the response. If the total number of results is greater than this value, use the token returned in the response in the nextToken field when making another request to return the next batch of results.
string
If the total number of results is greater than the maxResults value provided in the request, enter the token returned in the nextToken field in the response in this field to return the next batch of results.
dict
Response Syntax
{
'items': [
{
'gatewayId': 'string',
'name': 'string',
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'description': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'protocolType': 'MCP'
},
],
'nextToken': 'string'
}
Response Structure
(dict) --
items (list) --
The list of gateway summaries.
(dict) --
Contains summary information about a gateway.
gatewayId (string) --
The unique identifier of the gateway.
name (string) --
The name of the gateway.
status (string) --
The current status of the gateway.
description (string) --
The description of the gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
authorizerType (string) --
The type of authorizer used by the gateway.
protocolType (string) --
The protocol type used by the gateway.
nextToken (string) --
If the total number of results is greater than the maxResults value provided in the request, use this token when making another request in the nextToken field to return the next batch of results.
{'targets': {'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'protocolType': 'MCP | HTTP',
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}}
Synchronizes the gateway targets by fetching the latest tool definitions from the target endpoints.
You cannot synchronize a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before synchronizing.
You cannot synchronize a target that has a static tool schema (mcpToolSchema) configured. Remove the static schema through an UpdateGatewayTarget call to enable dynamic tool synchronization.
See also: AWS API Documentation
Request Syntax
client.synchronize_gateway_targets(
gatewayIdentifier='string',
targetIdList=[
'string',
]
)
string
[REQUIRED]
The gateway identifier.
list
[REQUIRED]
The target ID list.
(string) --
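A pre-flight check for the two synchronization restrictions stated above, as an added example that is not part of the AWS reference. It takes full target records shaped like get_gateway_target responses and only passes eligible IDs to `synchronize_gateway_targets`; the helper names, reason strings and sample records are assumptions made for illustration.

```python
PENDING_AUTH_STATUSES = {
    "CREATE_PENDING_AUTH",
    "UPDATE_PENDING_AUTH",
    "SYNCHRONIZE_PENDING_AUTH",
}


def sync_blocker(target):
    """Return a dict describing why a target cannot be synchronized, or None."""
    if target.get("status") in PENDING_AUTH_STATUSES:
        oauth2 = target.get("authorizationData", {}).get("oauth2", {})
        # authorizationUrl is where the user completes the pending authorization.
        return {"reason": "pending-authorization",
                "authorizationUrl": oauth2.get("authorizationUrl")}
    mcp_server = target.get("targetConfiguration", {}).get("mcp", {}).get("mcpServer", {})
    if mcp_server.get("mcpToolSchema"):
        # A static schema has to be removed through UpdateGatewayTarget first.
        return {"reason": "static-mcpToolSchema", "authorizationUrl": None}
    return None


def plan_synchronization(targets):
    """Split targets into IDs usable as targetIdList and a map of blocked IDs."""
    syncable, blocked = [], {}
    for target in targets:
        blocker = sync_blocker(target)
        if blocker is None:
            syncable.append(target["targetId"])
        else:
            blocked[target["targetId"]] = blocker
    return syncable, blocked


def synchronize_ready_targets(client, gateway_identifier, targets):
    """Synchronize eligible targets only; return (response or None, blocked map)."""
    syncable, blocked = plan_synchronization(targets)
    response = None
    if syncable:  # targetIdList is required, so skip the call when nothing qualifies
        response = client.synchronize_gateway_targets(
            gatewayIdentifier=gateway_identifier,
            targetIdList=syncable,
        )
    return response, blocked


# Constructed records (placeholder IDs and URLs, trimmed to the fields that matter here).
SAMPLE_TARGETS = [
    {"targetId": "TARGETREADY1", "status": "READY",
     "targetConfiguration": {"mcp": {"mcpServer": {
         "endpoint": "https://mcp.example/mcp", "listingMode": "DYNAMIC"}}}},
    {"targetId": "TARGETPEND2", "status": "SYNCHRONIZE_PENDING_AUTH",
     "targetConfiguration": {"mcp": {"mcpServer": {"endpoint": "https://mcp2.example/mcp"}}},
     "authorizationData": {"oauth2": {
         "authorizationUrl": "https://auth.example/authorize?session=constructed",
         "userId": "constructed-user"}}},
    {"targetId": "TARGETSTATIC3", "status": "READY",
     "targetConfiguration": {"mcp": {"mcpServer": {
         "endpoint": "https://mcp3.example/mcp",
         "mcpToolSchema": {"inlinePayload": "{\"tools\": []}"}}}}},
    {"targetId": "TARGETLAMBDA4", "status": "READY",
     "targetConfiguration": {"mcp": {"lambda": {
         "lambdaArn": "arn:aws:EXAMPLE:placeholder-function"}}}},
]

if __name__ == "__main__":
    ready, skipped = plan_synchronization(SAMPLE_TARGETS)
    print("synchronize:", ready)
    for target_id, info in skipped.items():
        print("skip:", target_id, info)
```

The blocked map gives an operator the `authorizationUrl` to finish a pending authorization, or names the static schema that must be removed, before the target is retried.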
dict
Response Syntax
{
'targets': [
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1),
'metadataConfiguration': {
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointManagedResources': [
{
'domain': 'string',
'resourceGatewayArn': 'string',
'resourceAssociationArn': 'string'
},
],
'authorizationData': {
'oauth2': {
'authorizationUrl': 'string',
'userId': 'string'
}
},
'protocolType': 'MCP'|'HTTP'
},
]
}
Response Structure
(dict) --
targets (list) --
The gateway targets for synchronization.
(dict) --
The gateway target.
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway target.
targetId (string) --
The target ID.
createdAt (datetime) --
The date and time at which the target was created.
updatedAt (datetime) --
The date and time at which the target was updated.
status (string) --
The status of the gateway target.
statusReasons (list) --
The status reasons for the target status.
(string) --
name (string) --
The name of the gateway target.
description (string) --
The description for the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization is disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
credentialProviderConfigurations (list) --
The provider configurations.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) --
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
lastSynchronizedAt (datetime) --
The last synchronization time.
metadataConfiguration (dict) --
The metadata configuration for HTTP header and query parameter propagation to and from this gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointManagedResources (list) --
A list of managed resources created by the gateway for private endpoint connectivity. These resources are created in your account when you use a managed VPC Lattice resource configuration.
(dict) --
Details of a resource created and managed by the gateway for private endpoint connectivity.
domain (string) --
The domain associated with this managed resource.
resourceGatewayArn (string) --
The ARN of the VPC Lattice resource gateway created in your account.
resourceAssociationArn (string) --
The ARN of the service network resource association.
authorizationData (dict) --
OAuth2 authorization data for the gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.
oauth2 (dict) --
OAuth2 authorization data for the gateway target.
authorizationUrl (string) --
The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.
userId (string) --
The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
protocolType (string) --
The protocol type of the gateway target.
{'kmsKeyArn': 'string'}
Updates a custom evaluator's configuration, description, or evaluation level. Built-in evaluators cannot be updated. The evaluator must not be locked for modification.
See also: AWS API Documentation
Request Syntax
client.update_evaluator(
clientToken='string',
evaluatorId='string',
description='string',
evaluatorConfig={
'llmAsAJudge': {
'instructions': 'string',
'ratingScale': {
'numerical': [
{
'definition': 'string',
'value': 123.0,
'label': 'string'
},
],
'categorical': [
{
'definition': 'string',
'label': 'string'
},
]
},
'modelConfig': {
'bedrockEvaluatorModelConfig': {
'modelId': 'string',
'inferenceConfig': {
'maxTokens': 123,
'temperature': ...,
'topP': ...,
'stopSequences': [
'string',
]
},
'additionalModelRequestFields': {...}|[...]|123|123.4|'string'|True|None
}
}
},
'codeBased': {
'lambdaConfig': {
'lambdaArn': 'string',
'lambdaTimeoutInSeconds': 123
}
}
},
level='TOOL_CALL'|'TRACE'|'SESSION',
kmsKeyArn='string'
)
string
A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.
This field is autopopulated if not provided.
string
[REQUIRED]
The unique identifier of the evaluator to update.
string
The updated description of the evaluator.
dict
The updated configuration for the evaluator. Specify either LLM-as-a-Judge settings with instructions, rating scale, and model configuration, or code-based settings with a customer-managed Lambda function.
llmAsAJudge (dict) --
The LLM-as-a-Judge configuration that uses a language model to evaluate agent performance based on custom instructions and rating scales.
instructions (string) -- [REQUIRED]
The evaluation instructions that guide the language model in assessing agent performance, including criteria and evaluation guidelines.
ratingScale (dict) -- [REQUIRED]
The rating scale that defines how the evaluator should score agent performance, either numerical or categorical.
numerical (list) --
The numerical rating scale with defined score values and descriptions for quantitative evaluation.
(dict) --
The definition of a numerical rating scale option that provides a numeric value with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this numerical rating represents and when it should be used.
value (float) -- [REQUIRED]
The numerical value for this rating scale option.
label (string) -- [REQUIRED]
The label or name that describes this numerical rating option.
categorical (list) --
The categorical rating scale with named categories and definitions for qualitative evaluation.
(dict) --
The definition of a categorical rating scale option that provides a named category with its description for evaluation scoring.
definition (string) -- [REQUIRED]
The description that explains what this categorical rating represents and when it should be used.
label (string) -- [REQUIRED]
The label or name of this categorical rating option.
modelConfig (dict) -- [REQUIRED]
The model configuration that specifies which foundation model to use and how to configure it for evaluation.
bedrockEvaluatorModelConfig (dict) --
The Amazon Bedrock model configuration for evaluation.
modelId (string) -- [REQUIRED]
The identifier of the Amazon Bedrock model to use for evaluation. Must be a supported foundation model available in your region.
inferenceConfig (dict) --
The inference configuration parameters that control model behavior during evaluation, including temperature, token limits, and sampling settings.
maxTokens (integer) --
The maximum number of tokens to generate in the model response during evaluation.
temperature (float) --
The temperature value that controls randomness in the model's responses. Lower values produce more deterministic outputs.
topP (float) --
The top-p sampling parameter that controls the diversity of the model's responses by limiting the cumulative probability of token choices.
stopSequences (list) --
The list of sequences that will cause the model to stop generating tokens when encountered.
(string) --
additionalModelRequestFields (:ref:`document<document>`) --
Additional model-specific request fields to customize model behavior beyond the standard inference configuration.
codeBased (dict) --
Configuration for a code-based evaluator that uses a customer-managed Lambda function to programmatically assess agent performance.
lambdaConfig (dict) --
The Lambda function configuration for code-based evaluation.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function that implements the evaluation logic.
lambdaTimeoutInSeconds (integer) --
The timeout in seconds for the Lambda function invocation. Defaults to 60. Must be between 1 and 300.
string
The updated evaluation level (TOOL_CALL, TRACE, or SESSION) that determines the scope of evaluation.
string
The Amazon Resource Name (ARN) of a customer managed KMS key to use for encrypting sensitive evaluator data. Specify a new key ARN to rotate the encryption key, or specify a key ARN to add encryption to an evaluator that was previously created without one. When you rotate to a new key, the service decrypts the existing data with the old key and re-encrypts it with the new key. Only symmetric encryption KMS keys are supported. For more information, see Encryption at rest for AgentCore Evaluations.
dict
Response Syntax
{
'evaluatorArn': 'string',
'evaluatorId': 'string',
'updatedAt': datetime(2015, 1, 1),
'status': 'ACTIVE'|'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'DELETING'
}
Response Structure
(dict) --
evaluatorArn (string) --
The Amazon Resource Name (ARN) of the updated evaluator.
evaluatorId (string) --
The unique identifier of the updated evaluator.
updatedAt (datetime) --
The timestamp when the evaluator was last updated.
status (string) --
The status of the evaluator update operation.
{'authorizerType': {'AUTHENTICATE_ONLY'}}
Updates an existing gateway.
See also: AWS API Documentation
Request Syntax
client.update_gateway(
gatewayIdentifier='string',
name='string',
description='string',
roleArn='string',
protocolType='MCP',
protocolConfiguration={
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
authorizerConfiguration={
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
kmsKeyArn='string',
interceptorConfigurations=[
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
policyEngineConfiguration={
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
exceptionLevel='DEBUG'
)
string
[REQUIRED]
The identifier of the gateway to update.
string
[REQUIRED]
The name of the gateway. This name must be the same as the one when the gateway was created.
string
The updated description for the gateway.
string
[REQUIRED]
The updated IAM role ARN that provides permissions for the gateway.
string
The updated protocol type for the gateway.
dict
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
string
[REQUIRED]
The updated authorizer type for the gateway.
dict
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) -- [REQUIRED]
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) -- [REQUIRED]
The name of the custom claim field to check.
inboundTokenClaimValueType (string) -- [REQUIRED]
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) -- [REQUIRED]
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) -- [REQUIRED]
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) -- [REQUIRED]
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) -- [REQUIRED]
The domain to override with a private endpoint.
privateEndpoint (dict) -- [REQUIRED]
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
string
The updated ARN of the KMS key used to encrypt the gateway.
list
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) -- [REQUIRED]
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) -- [REQUIRED]
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) -- [REQUIRED]
The supported points of interception. This field specifies at which points during the gateway invocation the interceptor is invoked.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) -- [REQUIRED]
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
dict
The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.
arn (string) -- [REQUIRED]
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) -- [REQUIRED]
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
string
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
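An added example, not part of the AWS reference: a read-only check over a dict shaped like the update_gateway response documented on this page, flagging the settings the parameter descriptions above mark as permissive (LOG_ONLY policy mode, DEBUG exception level, request headers passed to an interceptor, a NONE or unconstrained authorizer). The function name audit_gateway, the sample dicts, the placeholder ARNs and the choice of which settings to flag are assumptions of this example.

```python
"""Audit a gateway description for permissive settings (added example)."""
from urllib.parse import urlparse


def audit_gateway(gw: dict) -> list[tuple[str, str]]:
    """Return (field, finding) pairs for a dict shaped like the update_gateway response."""
    findings = []

    # Inbound authorization: NONE, or a JWT authorizer with no constraint at all.
    auth_type = gw.get("authorizerType")
    if auth_type == "NONE":
        findings.append(("authorizerType", "no inbound authorizer is configured"))
    elif auth_type == "CUSTOM_JWT":
        jwt = (gw.get("authorizerConfiguration") or {}).get("customJWTAuthorizer") or {}
        if urlparse(jwt.get("discoveryUrl", "")).scheme != "https":
            findings.append(("discoveryUrl", "discovery URL is not https"))
        constraints = ("allowedAudience", "allowedClients", "allowedScopes", "customClaims")
        if not any(jwt.get(key) for key in constraints):
            findings.append(("customJWTAuthorizer",
                             "no audience, client, scope or custom-claim constraint is set"))
    # Other authorizer types (AWS_IAM, AUTHENTICATE_ONLY) are not assessed here.

    # Policy engine: LOG_ONLY evaluates and traces but does not enforce.
    policy = gw.get("policyEngineConfiguration")
    if not policy:
        findings.append(("policyEngineConfiguration", "no policy engine is attached"))
    elif policy.get("mode") == "LOG_ONLY":
        findings.append(("policyEngineConfiguration.mode",
                         "LOG_ONLY traces decisions but does not enforce them"))

    # DEBUG returns granular exception messages; omitted means generic errors.
    if gw.get("exceptionLevel") == "DEBUG":
        findings.append(("exceptionLevel",
                         "granular exception messages are returned to callers"))

    # Interceptors that receive the caller's request headers deserve a review
    # of what the Lambda function logs or forwards.
    for index, item in enumerate(gw.get("interceptorConfigurations") or []):
        if (item.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((item.get("interceptor") or {}).get("lambda") or {}).get("arn", "<unknown>")
            findings.append((f"interceptorConfigurations[{index}]",
                             f"request headers are passed to {arn}"))

    return findings


# Constructed sample data; every ARN and URL below is a placeholder.
WEAK_GATEWAY = {
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
        }
    },
    "policyEngineConfiguration": {"arn": "EXAMPLE-POLICY-ENGINE-ARN", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {
                "arn": "arn:aws:lambda:us-east-1:111122223333:function:example-interceptor"}},
            "interceptionPoints": ["REQUEST"],
            "inputConfiguration": {"passRequestHeaders": True},
        }
    ],
}

HARDENED_GATEWAY = {
    "authorizerType": "CUSTOM_JWT",
    "authorizerConfiguration": {
        "customJWTAuthorizer": {
            "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
            "allowedAudience": ["example-audience"],
        }
    },
    "policyEngineConfiguration": {"arn": "EXAMPLE-POLICY-ENGINE-ARN", "mode": "ENFORCE"},
    "interceptorConfigurations": [
        {
            "interceptor": {"lambda": {
                "arn": "arn:aws:lambda:us-east-1:111122223333:function:example-interceptor"}},
            "interceptionPoints": ["REQUEST"],
            "inputConfiguration": {"passRequestHeaders": False},
        }
    ],
}

if __name__ == "__main__":
    for field, finding in audit_gateway(WEAK_GATEWAY):
        print(f"{field}: {finding}")
```

The same function can be run over the dict returned by a live call, since it only reads keys shown in the response syntax.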
dict
Response Syntax
{
'gatewayArn': 'string',
'gatewayId': 'string',
'gatewayUrl': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'roleArn': 'string',
'protocolType': 'MCP',
'protocolConfiguration': {
'mcp': {
'supportedVersions': [
'string',
],
'instructions': 'string',
'searchType': 'SEMANTIC'
}
},
'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
'authorizerConfiguration': {
'customJWTAuthorizer': {
'discoveryUrl': 'string',
'allowedAudience': [
'string',
],
'allowedClients': [
'string',
],
'allowedScopes': [
'string',
],
'customClaims': [
{
'inboundTokenClaimName': 'string',
'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
'authorizingClaimMatchValue': {
'claimMatchValue': {
'matchValueString': 'string',
'matchValueStringList': [
'string',
]
},
'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
}
},
],
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointOverrides': [
{
'domain': 'string',
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
},
]
}
},
'kmsKeyArn': 'string',
'interceptorConfigurations': [
{
'interceptor': {
'lambda': {
'arn': 'string'
}
},
'interceptionPoints': [
'REQUEST'|'RESPONSE',
],
'inputConfiguration': {
'passRequestHeaders': True|False
}
},
],
'policyEngineConfiguration': {
'arn': 'string',
'mode': 'LOG_ONLY'|'ENFORCE'
},
'workloadIdentityDetails': {
'workloadIdentityArn': 'string'
},
'exceptionLevel': 'DEBUG'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the updated gateway.
gatewayId (string) --
The unique identifier of the updated gateway.
gatewayUrl (string) --
An endpoint for invoking the updated gateway.
createdAt (datetime) --
The timestamp when the gateway was created.
updatedAt (datetime) --
The timestamp when the gateway was last updated.
status (string) --
The current status of the updated gateway.
statusReasons (list) --
The reasons for the current status of the updated gateway.
(string) --
name (string) --
The name of the gateway.
description (string) --
The updated description of the gateway.
roleArn (string) --
The updated IAM role ARN that provides permissions for the gateway.
protocolType (string) --
The updated protocol type for the gateway.
protocolConfiguration (dict) --
The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.
mcp (dict) --
The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.
supportedVersions (list) --
The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.
(string) --
instructions (string) --
The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.
searchType (string) --
The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.
authorizerType (string) --
The updated authorizer type for the gateway.
authorizerConfiguration (dict) --
The updated authorizer configuration for the gateway.
customJWTAuthorizer (dict) --
The inbound JWT-based authorization, specifying how incoming requests should be authenticated.
discoveryUrl (string) --
This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.
allowedAudience (list) --
Represents individual audience values that are validated in the incoming JWT token validation process.
(string) --
allowedClients (list) --
Represents individual client IDs that are validated in the incoming JWT token validation process.
(string) --
allowedScopes (list) --
An array of scopes that are allowed to access the token.
(string) --
customClaims (list) --
An array of objects that define a custom claim validation name, value, and operation.
(dict) --
Defines the name of a custom claim field and rules for finding matches to authenticate its value.
inboundTokenClaimName (string) --
The name of the custom claim field to check.
inboundTokenClaimValueType (string) --
The data type of the claim value to check for.
Use STRING if you want to find an exact match to a string you define.
Use STRING_ARRAY if you want to find a match to at least one value in an array you define.
authorizingClaimMatchValue (dict) --
Defines the value or values to match for and the relationship of the match.
claimMatchValue (dict) --
The value or values to match for.
matchValueString (string) --
The string value to match for.
matchValueStringList (list) --
An array of strings to check for a match.
(string) --
claimMatchOperator (string) --
Defines the relationship between the claim field value and the value or values you're matching for.
privateEndpoint (dict) --
The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointOverrides (list) --
A list of private endpoint overrides for the JWT authorizer. Each override maps a specific domain to a private endpoint, enabling secure connectivity through VPC Lattice resource configurations.
(dict) --
A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.
domain (string) --
The domain to override with a private endpoint.
privateEndpoint (dict) --
The private endpoint configuration for the specified domain.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
kmsKeyArn (string) --
The updated ARN of the KMS key used to encrypt the gateway.
interceptorConfigurations (list) --
The updated interceptor configurations for the gateway.
(dict) --
The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.
interceptor (dict) --
The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.
lambda (dict) --
The details of the Lambda function used for the interceptor.
arn (string) --
The ARN of the Lambda function to be invoked for the interceptor.
interceptionPoints (list) --
The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor.
(string) --
inputConfiguration (dict) --
The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed.
passRequestHeaders (boolean) --
Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.
policyEngineConfiguration (dict) --
The updated policy engine configuration for the gateway.
arn (string) --
The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.
mode (string) --
The enforcement mode for the policy engine. Valid values include:
LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.
ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.
workloadIdentityDetails (dict) --
The workload identity details for the updated gateway.
workloadIdentityArn (string) --
The ARN associated with the workload identity.
exceptionLevel (string) --
The level of detail in error messages returned when invoking the gateway.
If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.
If the value is omitted, a generic error message is returned to the end user.
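The fields described above that most affect a gateway's security posture (policy engine mode, exceptionLevel, interceptor header passing, JWT authorizer restrictions) can be checked mechanically. The following is an added example, not part of the AWS documentation: it audits a dict shaped like the response above, and the sample gateways, ARNs and URLs in it are constructed placeholders.

```python
def audit_gateway(gw):
    """Return (field path, message) pairs for settings worth a security review.

    `gw` is a dict shaped like the update_gateway response documented above.
    """
    findings = []

    # LOG_ONLY evaluates Cedar policies and records traces but never denies a call.
    engine = gw.get("policyEngineConfiguration")
    if engine is None:
        findings.append(("policyEngineConfiguration",
                         "no policy engine is attached to the gateway"))
    elif engine.get("mode") == "LOG_ONLY":
        findings.append(("policyEngineConfiguration.mode",
                         "LOG_ONLY: decisions are traced but not enforced"))

    # DEBUG returns granular exception messages instead of a generic error.
    if gw.get("exceptionLevel") == "DEBUG":
        findings.append(("exceptionLevel",
                         "DEBUG: granular exception messages are returned to callers"))

    # Interceptors that receive request headers see whatever the client sent.
    for i, cfg in enumerate(gw.get("interceptorConfigurations") or []):
        if (cfg.get("inputConfiguration") or {}).get("passRequestHeaders"):
            arn = ((cfg.get("interceptor") or {}).get("lambda") or {}).get("arn", "?")
            points = "/".join(cfg.get("interceptionPoints") or [])
            findings.append((
                f"interceptorConfigurations[{i}].inputConfiguration.passRequestHeaders",
                f"request headers are passed to {arn} at {points}"))

    # A JWT authorizer with only a discoveryUrl restricts no audience, client,
    # scope or custom claim.
    jwt = (gw.get("authorizerConfiguration") or {}).get("customJWTAuthorizer")
    if jwt is not None:
        restrictions = ("allowedAudience", "allowedClients",
                        "allowedScopes", "customClaims")
        if not any(jwt.get(key) for key in restrictions):
            findings.append(("authorizerConfiguration.customJWTAuthorizer",
                             "no audience, client, scope or custom-claim restriction is set"))
    return findings


# Constructed sample: a gateway left in its test configuration.
WEAK_GATEWAY = {
    "name": "example-gateway",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.test/.well-known/openid-configuration"}},
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "<interceptor-lambda-arn>"}},
        "interceptionPoints": ["REQUEST"],
        "inputConfiguration": {"passRequestHeaders": True}}],
    "policyEngineConfiguration": {"arn": "<policy-engine-arn>", "mode": "LOG_ONLY"},
    "exceptionLevel": "DEBUG",
}

# Constructed sample: the same gateway after hardening.
HARDENED_GATEWAY = {
    "name": "example-gateway",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryUrl": "https://idp.example.test/.well-known/openid-configuration",
        "allowedAudience": ["example-audience"]}},
    "interceptorConfigurations": [{
        "interceptor": {"lambda": {"arn": "<interceptor-lambda-arn>"}},
        "interceptionPoints": ["REQUEST"],
        "inputConfiguration": {"passRequestHeaders": False}}],
    "policyEngineConfiguration": {"arn": "<policy-engine-arn>", "mode": "ENFORCE"},
}

if __name__ == "__main__":
    for path, message in audit_gateway(WEAK_GATEWAY):
        print(f"{path}: {message}")
```

In practice the input would be the dict returned by the control-plane client for each gateway in the account.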
{'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}
Response {'credentialProviderConfigurations': {'credentialProviderType': {'CALLER_IAM_CREDENTIALS',
'JWT_PASSTHROUGH'}},
'protocolType': 'MCP | HTTP',
'targetConfiguration': {'http': {'agentcoreRuntime': {'arn': 'string',
'qualifier': 'string'}}}}
Updates an existing gateway target.
You cannot update a target that is in a pending authorization state (CREATE_PENDING_AUTH, UPDATE_PENDING_AUTH, or SYNCHRONIZE_PENDING_AUTH). Wait for the authorization to complete or fail before updating the target.
See also: AWS API Documentation
Request Syntax
client.update_gateway_target(
gatewayIdentifier='string',
targetId='string',
name='string',
description='string',
targetConfiguration={
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
credentialProviderConfigurations=[
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
metadataConfiguration={
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
privateEndpoint={
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
}
)
string
[REQUIRED]
The unique identifier of the gateway associated with the target.
string
[REQUIRED]
The unique identifier of the gateway target to update.
string
[REQUIRED]
The updated name for the gateway target.
string
The updated description for the gateway target.
dict
[REQUIRED]
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) -- [REQUIRED]
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) -- [REQUIRED]
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) -- [REQUIRED]
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) -- [REQUIRED]
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) -- [REQUIRED]
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) -- [REQUIRED]
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization will be disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) -- [REQUIRED]
The ID of the API Gateway REST API.
stage (string) -- [REQUIRED]
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) -- [REQUIRED]
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) -- [REQUIRED]
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) -- [REQUIRED]
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) -- [REQUIRED]
The HTTP method to expose for the specified path.
toolFilters (list) -- [REQUIRED]
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) -- [REQUIRED]
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) -- [REQUIRED]
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
list
The updated credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) -- [REQUIRED]
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) -- [REQUIRED]
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) -- [REQUIRED]
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) -- [REQUIRED]
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
dict
Configuration for HTTP header and query parameter propagation to the gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
dict
The private endpoint configuration for the gateway target. Use this to connect the gateway to private resources in your VPC.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) -- [REQUIRED]
The ID of the VPC that contains your private resource.
subnetIds (list) -- [REQUIRED]
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) -- [REQUIRED]
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
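A pre-flight review of an update_gateway_target call can enforce the constraints stated above (no update while authorization is pending, mcpToolSchema only with an authorization code grant) and flag choices that widen exposure. The following is an added example, not part of the AWS documentation: the function name, the finding levels, the list of sensitive headers and all sample values are assumptions made for illustration.

```python
PENDING_AUTH = {"CREATE_PENDING_AUTH", "UPDATE_PENDING_AUTH", "SYNCHRONIZE_PENDING_AUTH"}
WRITE_METHODS = {"DELETE", "PATCH", "PUT", "POST"}
# Assumption: headers this reviewer treats as credential-bearing; adjust to local policy.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def preflight_update_target(current_status, kwargs):
    """Return (level, field path, message) findings for an update_gateway_target call.

    BLOCK  = the documentation says the request cannot or should not be sent as is.
    REVIEW = allowed, but a reviewer should confirm the exposure is intended.
    """
    out = []
    if current_status in PENDING_AUTH:
        out.append(("BLOCK", "status",
                    f"target is in {current_status}; wait for authorization to complete or fail"))

    grant_types = set()
    for i, cfg in enumerate(kwargs.get("credentialProviderConfigurations") or []):
        provider = cfg.get("credentialProvider") or {}
        api_key = provider.get("apiKeyCredentialProvider") or {}
        if api_key.get("credentialLocation") == "QUERY_PARAMETER":
            out.append(("REVIEW",
                        f"credentialProviderConfigurations[{i}].credentialProvider"
                        ".apiKeyCredentialProvider.credentialLocation",
                        "API key is placed in the URL query string; HEADER keeps it out of URLs"))
        oauth = provider.get("oauthCredentialProvider")
        if oauth:
            grant_types.add(oauth.get("grantType"))

    mcp = (kwargs.get("targetConfiguration") or {}).get("mcp") or {}
    server = mcp.get("mcpServer") or {}
    if "mcpToolSchema" in server and "AUTHORIZATION_CODE" not in grant_types:
        out.append(("BLOCK", "targetConfiguration.mcp.mcpServer.mcpToolSchema",
                    "mcpToolSchema is supported only with an authorization code grant type"))

    tool_cfg = (mcp.get("apiGateway") or {}).get("apiGatewayToolConfiguration") or {}
    for i, flt in enumerate(tool_cfg.get("toolFilters") or []):
        writes = sorted(WRITE_METHODS & set(flt.get("methods") or []))
        path = flt.get("filterPath", "")
        if path.endswith("/*") and writes:
            out.append(("REVIEW",
                        "targetConfiguration.mcp.apiGateway.apiGatewayToolConfiguration"
                        f".toolFilters[{i}]",
                        f"wildcard {path} exposes {', '.join(writes)} operations as tools"))

    meta = kwargs.get("metadataConfiguration") or {}
    for header in meta.get("allowedRequestHeaders") or []:
        if header.lower() in SENSITIVE_HEADERS:
            out.append(("REVIEW", "metadataConfiguration.allowedRequestHeaders",
                        f"client header {header!r} is propagated to the target"))
    return out


# Constructed sample request; identifiers and ARNs are placeholders.
SAMPLE_KWARGS = {
    "gatewayIdentifier": "<gateway-id>",
    "targetId": "<target-id>",
    "name": "pets-api",
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "<rest-api-id>",
        "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE", "POST"]},
            {"filterPath": "/health", "methods": ["GET"]},
        ]}}}},
    "credentialProviderConfigurations": [{
        "credentialProviderType": "API_KEY",
        "credentialProvider": {"apiKeyCredentialProvider": {
            "providerArn": "<api-key-provider-arn>",
            "credentialParameterName": "api_key",
            "credentialLocation": "QUERY_PARAMETER"}}}],
    "metadataConfiguration": {"allowedRequestHeaders": ["Authorization", "X-Request-Id"]},
}

if __name__ == "__main__":
    for level, path, message in preflight_update_target("UPDATE_PENDING_AUTH", SAMPLE_KWARGS):
        print(f"[{level}] {path}: {message}")
```

Pass the target's current status as read from the service, and send the request only when no BLOCK finding is returned.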
dict
Response Syntax
{
'gatewayArn': 'string',
'targetId': 'string',
'createdAt': datetime(2015, 1, 1),
'updatedAt': datetime(2015, 1, 1),
'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED'|'SYNCHRONIZING'|'SYNCHRONIZE_UNSUCCESSFUL'|'CREATE_PENDING_AUTH'|'UPDATE_PENDING_AUTH'|'SYNCHRONIZE_PENDING_AUTH',
'statusReasons': [
'string',
],
'name': 'string',
'description': 'string',
'targetConfiguration': {
'mcp': {
'openApiSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'smithyModel': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'lambda': {
'lambdaArn': 'string',
'toolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': [
{
'name': 'string',
'description': 'string',
'inputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
},
'outputSchema': {
'type': 'string'|'number'|'object'|'array'|'boolean'|'integer',
'properties': {
'string': {'... recursive ...'}
},
'required': [
'string',
],
'items': {'... recursive ...'},
'description': 'string'
}
},
]
}
},
'mcpServer': {
'endpoint': 'string',
'mcpToolSchema': {
's3': {
'uri': 'string',
'bucketOwnerAccountId': 'string'
},
'inlinePayload': 'string'
},
'listingMode': 'DEFAULT'|'DYNAMIC',
'resourcePriority': 123
},
'apiGateway': {
'restApiId': 'string',
'stage': 'string',
'apiGatewayToolConfiguration': {
'toolOverrides': [
{
'name': 'string',
'description': 'string',
'path': 'string',
'method': 'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST'
},
],
'toolFilters': [
{
'filterPath': 'string',
'methods': [
'GET'|'DELETE'|'HEAD'|'OPTIONS'|'PATCH'|'PUT'|'POST',
]
},
]
}
}
},
'http': {
'agentcoreRuntime': {
'arn': 'string',
'qualifier': 'string'
}
}
},
'credentialProviderConfigurations': [
{
'credentialProviderType': 'GATEWAY_IAM_ROLE'|'OAUTH'|'API_KEY'|'CALLER_IAM_CREDENTIALS'|'JWT_PASSTHROUGH',
'credentialProvider': {
'oauthCredentialProvider': {
'providerArn': 'string',
'scopes': [
'string',
],
'customParameters': {
'string': 'string'
},
'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE',
'defaultReturnUrl': 'string'
},
'apiKeyCredentialProvider': {
'providerArn': 'string',
'credentialParameterName': 'string',
'credentialPrefix': 'string',
'credentialLocation': 'HEADER'|'QUERY_PARAMETER'
},
'iamCredentialProvider': {
'service': 'string',
'region': 'string'
}
}
},
],
'lastSynchronizedAt': datetime(2015, 1, 1),
'metadataConfiguration': {
'allowedRequestHeaders': [
'string',
],
'allowedQueryParameters': [
'string',
],
'allowedResponseHeaders': [
'string',
]
},
'privateEndpoint': {
'selfManagedLatticeResource': {
'resourceConfigurationIdentifier': 'string'
},
'managedVpcResource': {
'vpcIdentifier': 'string',
'subnetIds': [
'string',
],
'endpointIpAddressType': 'IPV4'|'IPV6',
'securityGroupIds': [
'string',
],
'tags': {
'string': 'string'
},
'routingDomain': 'string'
}
},
'privateEndpointManagedResources': [
{
'domain': 'string',
'resourceGatewayArn': 'string',
'resourceAssociationArn': 'string'
},
],
'authorizationData': {
'oauth2': {
'authorizationUrl': 'string',
'userId': 'string'
}
},
'protocolType': 'MCP'|'HTTP'
}
Response Structure
(dict) --
gatewayArn (string) --
The Amazon Resource Name (ARN) of the gateway.
targetId (string) --
The unique identifier of the updated gateway target.
createdAt (datetime) --
The timestamp when the gateway target was created.
updatedAt (datetime) --
The timestamp when the gateway target was last updated.
status (string) --
The current status of the updated gateway target.
statusReasons (list) --
The reasons for the current status of the updated gateway target.
(string) --
name (string) --
The updated name of the gateway target.
description (string) --
The updated description of the gateway target.
targetConfiguration (dict) --
The configuration for a gateway target. This structure defines how the gateway connects to and interacts with the target endpoint.
mcp (dict) --
The Model Context Protocol (MCP) configuration for the target. This configuration defines how the gateway uses MCP to communicate with the target.
openApiSchema (dict) --
The OpenAPI schema for the Model Context Protocol target. This schema defines the API structure of the target.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
smithyModel (dict) --
The Smithy model for the Model Context Protocol target. This model defines the API structure of the target using the Smithy specification.
s3 (dict) --
The Amazon S3 configuration for a gateway. This structure defines how the gateway accesses files in Amazon S3.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the API schema definition.
lambda (dict) --
The Lambda configuration for the Model Context Protocol target. This configuration defines how the gateway uses a Lambda function to communicate with the target.
lambdaArn (string) --
The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to communicate with the target.
toolSchema (dict) --
The tool schema for the Lambda function. This schema defines the structure of the tools that the Lambda function provides.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (list) --
The inline payload of the tool schema. This payload contains the schema definition directly in the request.
(dict) --
A tool definition for a gateway target. This structure defines a tool that the target exposes through the Model Context Protocol.
name (string) --
The name of the tool. This name identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. This description provides information about the purpose and usage of the tool.
inputSchema (dict) --
The input schema for the tool. This schema defines the structure of the input that the tool accepts.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
outputSchema (dict) --
The output schema for the tool. This schema defines the structure of the output that the tool produces.
type (string) --
The type of the schema definition. This field specifies the data type of the schema.
properties (dict) --
The properties of the schema definition. These properties define the fields in the schema.
(string) --
(dict) --
A schema definition for a gateway target. This structure defines the structure of the API that the target exposes.
required (list) --
The required fields in the schema definition. These fields must be provided when using the schema.
(string) --
items (dict) --
The items in the schema definition. This field is used for array types to define the structure of the array elements.
description (string) --
The description of the schema definition. This description provides information about the purpose and usage of the schema.
mcpServer (dict) --
The MCP server specified as the gateway target.
endpoint (string) --
The endpoint for the MCP server target configuration.
mcpToolSchema (dict) --
The tool schema configuration for the MCP server target. Supported only when the credential provider is configured with an authorization code grant type. Dynamic tool discovery/synchronization is disabled when the target is configured with mcpToolSchema.
s3 (dict) --
The Amazon S3 location of the tool schema. This location contains the schema definition file.
uri (string) --
The URI of the Amazon S3 object. This URI specifies the location of the object in Amazon S3.
bucketOwnerAccountId (string) --
The account ID of the Amazon S3 bucket owner. This ID is used for cross-account access to the bucket.
inlinePayload (string) --
The inline payload containing the MCP tool schema definition.
listingMode (string) --
The listing mode for the MCP server target configuration. MCP resources for default targets are cached at the control plane for faster access. MCP resources for dynamic targets will be dynamically retrieved when listing tools.
resourcePriority (integer) --
Priority for resolving MCP server targets with shared resource URIs. Lower values take precedence. Defaults to 1000 when not set.
apiGateway (dict) --
The configuration for an Amazon API Gateway target.
restApiId (string) --
The ID of the API Gateway REST API.
stage (string) --
The ID of the stage of the REST API to add as a target.
apiGatewayToolConfiguration (dict) --
The configuration for defining REST API tool filters and overrides for the gateway target.
toolOverrides (list) --
A list of explicit tool definitions with optional custom names and descriptions.
(dict) --
Settings to override configurations for a tool.
name (string) --
The name of the tool. Identifies the tool in the Model Context Protocol.
description (string) --
The description of the tool. Provides information about the purpose and usage of the tool. If not provided, uses the description from the API's OpenAPI specification.
path (string) --
Resource path in the REST API (e.g., /pets). Must explicitly match an existing path in the REST API.
method (string) --
The HTTP method to expose for the specified path.
toolFilters (list) --
A list of path and method patterns to expose as tools using metadata from the REST API's OpenAPI specification.
(dict) --
Specifies which operations from an API Gateway REST API are exposed as tools. Tool names and descriptions are derived from the operationId and description fields in the API's exported OpenAPI specification.
filterPath (string) --
Resource path to match in the REST API. Supports exact paths (for example, /pets) or wildcard paths (for example, /pets/* to match all paths under /pets). Must match existing paths in the REST API.
methods (list) --
The methods to filter for.
(string) --
http (dict) --
The HTTP target configuration. Use this to route gateway requests to an HTTP-based endpoint such as an AgentCore Runtime.
agentcoreRuntime (dict) --
The AgentCore Runtime target configuration for HTTP-based communication with an agent runtime.
arn (string) --
The Amazon Resource Name (ARN) of the AgentCore Runtime to route requests to.
qualifier (string) --
The qualifier for the agent runtime, used to target a specific endpoint version. If not specified, the default endpoint is used.
credentialProviderConfigurations (list) --
The updated credential provider configurations for the gateway target.
(dict) --
The configuration for a credential provider. This structure defines how the gateway authenticates with the target endpoint.
credentialProviderType (string) --
The type of credential provider. This field specifies which authentication method the gateway uses.
credentialProvider (dict) --
The credential provider. This field contains the specific configuration for the credential provider type.
oauthCredentialProvider (dict) --
The OAuth credential provider. This provider uses OAuth authentication to access the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.
scopes (list) --
The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.
(string) --
customParameters (dict) --
The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.
(string) --
(string) --
grantType (string) --
Specifies the kind of credentials to use for authorization:
CLIENT_CREDENTIALS - Authorization with a client ID and secret.
AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.
defaultReturnUrl (string) --
The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.
apiKeyCredentialProvider (dict) --
The API key credential provider. This provider uses an API key to authenticate with the target endpoint.
providerArn (string) --
The Amazon Resource Name (ARN) of the API key credential provider. This ARN identifies the provider in Amazon Web Services.
credentialParameterName (string) --
The name of the credential parameter for the API key. This parameter name is used when sending the API key to the target endpoint.
credentialPrefix (string) --
The prefix for the API key credential. This prefix is added to the API key when sending it to the target endpoint.
credentialLocation (string) --
The location of the API key credential. This field specifies where in the request the API key should be placed.
iamCredentialProvider (dict) --
The IAM credential provider. This provider uses IAM authentication with SigV4 signing to access the target endpoint.
service (string) --
The target Amazon Web Services service name used for SigV4 signing. This value identifies the service that the gateway authenticates with when making requests to the target endpoint.
region (string) --
The Amazon Web Services Region used for SigV4 signing. If not specified, defaults to the gateway's Region.
lastSynchronizedAt (datetime) --
The date and time at which the targets were last synchronized.
metadataConfiguration (dict) --
The metadata configuration that was applied to the gateway target.
allowedRequestHeaders (list) --
A list of HTTP headers that are allowed to be propagated from incoming client requests to the target.
(string) --
allowedQueryParameters (list) --
A list of URL query parameters that are allowed to be propagated from the incoming gateway URL to the target.
(string) --
allowedResponseHeaders (list) --
A list of HTTP headers that are allowed to be propagated from the target response back to the client.
(string) --
privateEndpoint (dict) --
The private endpoint configuration for the gateway target.
selfManagedLatticeResource (dict) --
Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.
resourceConfigurationIdentifier (string) --
The ARN or ID of the VPC Lattice resource configuration.
managedVpcResource (dict) --
Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.
vpcIdentifier (string) --
The ID of the VPC that contains your private resource.
subnetIds (list) --
The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.
(string) --
endpointIpAddressType (string) --
The IP address type for the resource configuration endpoint.
securityGroupIds (list) --
The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.
(string) --
tags (dict) --
Tags to apply to the managed VPC Lattice resource gateway.
(string) --
(string) --
routingDomain (string) --
An intermediate publicly resolvable domain used as the VPC Lattice resource configuration endpoint. Required when your private endpoint uses a domain that is not publicly resolvable.
privateEndpointManagedResources (list) --
The managed resources created by the gateway for private endpoint connectivity.
(dict) --
Details of a resource created and managed by the gateway for private endpoint connectivity.
domain (string) --
The domain associated with this managed resource.
resourceGatewayArn (string) --
The ARN of the VPC Lattice resource gateway created in your account.
resourceAssociationArn (string) --
The ARN of the service network resource association.
authorizationData (dict) --
OAuth2 authorization data for the updated gateway target. This data is returned when a target is configured with a credential provider with authorization code grant type and requires user federation.
oauth2 (dict) --
OAuth2 authorization data for the gateway target.
authorizationUrl (string) --
The URL to initiate the authorization process. This URL is provided when the OAuth2 access token requires user authorization.
userId (string) --
The user identifier associated with the OAuth2 authorization session that is defined by AgentCore Gateway.
protocolType (string) --
The protocol type of the updated gateway target.
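A review check over the security-relevant fields of this response, as an added example that is not part of the AWS documentation: it flags credential-bearing headers in the propagation allow-lists, a managed VPC resource left on the default security group, wildcard `toolFilters`, and the shared-credential OAuth grant. The `SENSITIVE_HEADERS` list, the severity labels, the sample values and the `targetConfiguration.mcp` nesting in the sample are assumptions; the lookup of `toolFilters` is recursive so it does not depend on that nesting.

```python
# Assumed review list of headers that usually carry credentials (not from the API docs).
SENSITIVE_HEADERS = {"authorization", "cookie", "proxy-authorization", "x-api-key"}

def find_key(node, key):
    """Yield every value stored under `key` at any depth of a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def review_target(resp):
    """Return (severity, message) findings for one gateway target response dict."""
    findings = []
    meta = resp.get("metadataConfiguration") or {}
    for field in ("allowedRequestHeaders", "allowedResponseHeaders"):
        for h in meta.get(field, []):
            if h.lower() in SENSITIVE_HEADERS:
                findings.append(("high", f"{field} propagates credential-bearing header {h!r}"))
    managed = (resp.get("privateEndpoint") or {}).get("managedVpcResource")
    if managed is not None and not managed.get("securityGroupIds"):
        findings.append(("medium", "no securityGroupIds: the VPC default security group is used"))
    for filters in find_key(resp, "toolFilters"):
        for f in filters:
            if "*" in f.get("filterPath", ""):
                findings.append(("medium", f"wildcard filterPath {f['filterPath']!r} "
                                           f"exposes methods {f.get('methods', [])}"))
    for cfg in resp.get("credentialProviderConfigurations", []):
        oauth = (cfg.get("credentialProvider") or {}).get("oauthCredentialProvider")
        if oauth and oauth.get("grantType") == "CLIENT_CREDENTIALS":
            findings.append(("info", "CLIENT_CREDENTIALS: one client ID and secret, no per-user token"))
    return findings

# Constructed sample response; identifiers are placeholders, nesting under "mcp" is assumed.
SAMPLE = {
    "targetConfiguration": {"mcp": {"apiGateway": {
        "restApiId": "EXAMPLE", "stage": "prod",
        "apiGatewayToolConfiguration": {"toolFilters": [
            {"filterPath": "/pets/*", "methods": ["GET", "DELETE"]},
            {"filterPath": "/health", "methods": ["GET"]}]}}}},
    "credentialProviderConfigurations": [{"credentialProvider": {"oauthCredentialProvider": {
        "providerArn": "arn:aws:EXAMPLE", "scopes": ["read"], "grantType": "CLIENT_CREDENTIALS"}}}],
    "metadataConfiguration": {"allowedRequestHeaders": ["X-Request-Id", "Authorization"],
                              "allowedResponseHeaders": ["Content-Type"]},
    "privateEndpoint": {"managedVpcResource": {"vpcIdentifier": "vpc-EXAMPLE",
                                               "subnetIds": ["subnet-EXAMPLE"]}},
}
```

Run `review_target` on the dict returned by the update or get call for each target and treat any `high` finding as a reason to trim the allow-list before the target goes live.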