Amazon Bedrock AgentCore Control

2026/07/08 - Amazon Bedrock AgentCore Control - 16 updated api methods

Changes  AgentCore Gateway now supports mapping allowed scopes to separate advertised scopes on the inbound authorizer.

CreateAgentRuntime (updated) Link ¶
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Creates an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.create_agent_runtime(
    agentRuntimeName='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    clientToken='string',
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ],
    tags={
        'string': 'string'
    }
)
type agentRuntimeName:

string

param agentRuntimeName:

[REQUIRED]

The name of the AgentCore Runtime.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

    • requireServiceS3Endpoint (boolean) --

      Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

      Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

      Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

      This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type description:

string

param description:

The description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

Configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The life cycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The filesystem configurations to mount into the AgentCore Runtime. Use filesystem configurations to provide persistent storage to your AgentCore Runtime sessions.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • s3FilesAccessPoint (dict) --

      Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the S3 Files access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • efsAccessPoint (dict) --

      Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the EFS access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type tags:

dict

param tags:

A map of tag keys and values to assign to the agent runtime. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • status (string) --

      The current status of the AgentCore Runtime.

CreateGateway (updated) Link ¶
Changes (both)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Creates a gateway for Amazon Bedrock Agent. A gateway serves as an integration point between your agent and external services.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_gateway(
    name='string',
    description='string',
    clientToken='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    kmsKeyArn='string',
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the gateway. The name must be unique within your account.

type description:

string

param description:

The description of the gateway.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that provides permissions for the gateway to access Amazon Web Services services.

type protocolType:

string

param protocolType:

The protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration settings for the protocol specified in the protocolType parameter.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • sessionConfiguration (dict) --

      The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

      • sessionTimeoutInSeconds (integer) --

        The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

    • streamingConfiguration (dict) --

      The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

      • enableResponseStreaming (boolean) --

        Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the gateway.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

  • NONE - No authorization

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the gateway. Required if authorizerType is CUSTOM_JWT.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type kmsKeyArn:

string

param kmsKeyArn:

The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

type interceptorConfigurations:

list

param interceptorConfigurations:

A list of configuration settings for a gateway interceptor. Gateway interceptors allow custom code to be invoked during gateway invocations.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The arn of the lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

      • payloadFilter (dict) --

        The filter that determines which parts of the request or response payload are passed as input to the interceptor.

        • exclude (list) -- [REQUIRED]

          The list of selectors that identify payload fields to exclude from the interceptor input.

          • (dict) --

            A selector that identifies a payload field to exclude from the interceptor input.

            • field (string) --

              The field to exclude from the interceptor input.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type tags:

dict

param tags:

A map of key-value pairs to associate with the gateway as metadata tags.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the created gateway.

    • gatewayId (string) --

      The unique identifier of the created gateway.

    • gatewayUrl (string) --

      The URL endpoint for the created gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the gateway.

    • protocolType (string) --

      The protocol type of the gateway.

    • protocolConfiguration (dict) --

      The configuration settings for the protocol used by the gateway.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      The type of authorizer used by the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the created gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated with the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The list of interceptor configurations for the created gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the lambda function used for the interceptor.

            • arn (string) --

              The arn of the lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the created gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the created gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.

CreateHarness (updated) Link ¶
Changes (request, response)
Request
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}

Operation to create a harness.

See also: AWS API Documentation

Request Syntax

client.create_harness(
    harnessName='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ],
                    'requireServiceS3Endpoint': True|False
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    },
                    's3FilesAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    },
                    'efsAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'converse_stream'|'responses'|'chat_completions',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'chat_completions'|'responses',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        },
        'liteLlmModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'apiBase': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {}
                        ,
                        'none': {}
                        ,
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string',
            's3': {
                'uri': 'string'
            },
            'git': {
                'url': 'string',
                'path': 'string',
                'auth': {
                    'credentialArn': 'string',
                    'username': 'string'
                }
            },
            'awsSkills': {
                'paths': [
                    'string',
                ]
            }
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'agentCoreMemoryConfiguration': {
            'arn': 'string',
            'actorId': 'string',
            'messagesCount': 123,
            'retrievalConfig': {
                'string': {
                    'topK': 123,
                    'relevanceScore': ...,
                    'strategyId': 'string'
                }
            }
        },
        'managedMemoryConfiguration': {
            'arn': 'string',
            'strategies': [
                'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
            ],
            'eventExpiryDuration': 123,
            'encryptionKeyArn': 'string'
        },
        'disabled': {}

    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123,
    tags={
        'string': 'string'
    }
)
type harnessName:

string

param harnessName:

[REQUIRED]

The name of the harness. Must start with a letter and contain only alphanumeric characters and underscores.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

[REQUIRED]

The ARN of the IAM role that the harness assumes when running. This role must have permissions for the services the agent needs to access, such as Amazon Bedrock for model invocation.

type environment:

dict

param environment:

The compute environment configuration for the harness, including network and lifecycle settings.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness, such as a custom container image containing additional dependencies.

  • containerConfiguration (dict) --

    Representation of a container configuration.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Represents inbound authorization configuration options used to authenticate incoming requests.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type model:

dict

param model:

The model configuration for the harness. Supports Amazon Bedrock, OpenAI, and Google Gemini model providers.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the Bedrock provider.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the OpenAI provider.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

  • liteLlmModelConfig (dict) --

    The LiteLLM model configuration for connecting to third-party model providers.

    • modelId (string) -- [REQUIRED]

      The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

    • apiKeyArn (string) --

      The ARN of the API key in AgentCore Identity for authenticating with the model provider.

    • apiBase (string) --

      The base URL for the model provider's API endpoint.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior and instructions.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent, such as remote MCP servers, AgentCore Gateway, AgentCore Browser, Code Interpreter, or inline functions.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Custom headers to include when connecting to the remote MCP server.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            Use OAuth credentials for outbound authentication to the gateway.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (:ref:`document<document>`) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. Skills are bundles of files that the agent can pull into its context on demand.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

    • s3 (dict) --

      An S3 source containing the skill.

      • uri (string) -- [REQUIRED]

        The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

    • git (dict) --

      A git repository containing the skill.

      • url (string) -- [REQUIRED]

        The HTTPS URL of the git repository.

      • path (string) --

        Subdirectory within the repository containing the skill.

      • auth (dict) --

        Authentication configuration for private repositories.

        • credentialArn (string) -- [REQUIRED]

          The ARN of the credential in AgentCore Identity containing the password or personal access token.

        • username (string) --

          Username for authentication. Defaults to 'oauth2' if not specified.

    • awsSkills (dict) --

      AWS Skills baked into the harness's underlying Runtime.

      • paths (list) --

        Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

        • (string) --

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. Supports glob patterns such as * for all tools, @builtin for all built-in tools, or @serverName/toolName for specific MCP server tools.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration for persisting conversation context across sessions.

  • agentCoreMemoryConfiguration (dict) --

    The AgentCore Memory configuration.

    • arn (string) -- [REQUIRED]

      The ARN of the AgentCore Memory resource.

    • actorId (string) --

      The actor ID for memory operations.

    • messagesCount (integer) --

      The number of messages to retrieve from memory.

    • retrievalConfig (dict) --

      The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

      • (string) --

        • (dict) --

          Configuration for memory retrieval within a namespace.

          • topK (integer) --

            The maximum number of memory entries to retrieve.

          • relevanceScore (float) --

            The minimum relevance score for retrieved memories.

          • strategyId (string) --

            The ID of the retrieval strategy to use.

  • managedMemoryConfiguration (dict) --

    Harness creates and manages a memory resource in the customer's account.

    • arn (string) --

      The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

    • strategies (list) --

      Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

      • (string) --

    • eventExpiryDuration (integer) --

      Event retention in days. Defaults to 30.

    • encryptionKeyArn (string) --

      Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

  • disabled (dict) --

    Explicitly opt out of memory.

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context when it exceeds model limits.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation.

type maxTokens:

integer

param maxTokens:

The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation.

type tags:

dict

param tags:

Tags to apply to the harness resource.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was created.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • advertisedScopeMapping (dict) --

            A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

            • (string) --

              • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

CreatePaymentManager (updated) Link ¶
Changes (both)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Creates a new payment manager in your Amazon Web Services account. A payment manager serves as the top-level resource for managing payment processing capabilities, including payment connectors that integrate with supported payment providers.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_payment_manager(
    name='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    roleArn='string',
    clientToken='string',
    tags={
        'string': 'string'
    }
)
type name:

string

param name:

[REQUIRED]

The name of the payment manager.

type description:

string

param description:

A description of the payment manager.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The type of authorizer to use for the payment manager.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the payment manager.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the IAM role that the payment manager assumes to access resources on your behalf.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type tags:

dict

param tags:

A map of tag keys and values to assign to the payment manager.

  • (string) --

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'createdAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the created payment manager.

    • paymentManagerId (string) --

      The unique identifier of the created payment manager.

    • name (string) --

      The name of the created payment manager.

    • authorizerType (string) --

      The type of authorizer for the created payment manager.

    • authorizerConfiguration (dict) --

      Represents inbound authorization configuration options used to authenticate incoming requests.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the created payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • createdAt (datetime) --

      The timestamp when the payment manager was created.

    • status (string) --

      The current status of the payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.

    • tags (dict) --

      The tags associated with the created payment manager.

      • (string) --

        • (string) --

CreateRegistry (updated) Link ¶
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Creates a new registry in your Amazon Web Services account. A registry serves as a centralized catalog for organizing and managing registry records, including MCP servers, A2A agents, agent skills, and custom resource types.

If you specify CUSTOM_JWT as the authorizerType, you must provide an authorizerConfiguration.

See also: AWS API Documentation

Request Syntax

client.create_registry(
    name='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    clientToken='string',
    approvalConfiguration={
        'autoApproval': True|False
    }
)
type name:

string

param name:

[REQUIRED]

The name of the registry. The name must be unique within your account and can contain alphanumeric characters and underscores.

type description:

string

param description:

A description of the registry.

type authorizerType:

string

param authorizerType:

The type of authorizer to use for the registry. This controls the authorization method for the Search and Invoke APIs used by consumers, and does not affect the standard CRUDL APIs for registry and registry record management used by administrators.

  • CUSTOM_JWT - Authorize with a bearer token.

  • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The authorizer configuration for the registry. Required if authorizerType is CUSTOM_JWT. For details, see the AuthorizerConfiguration data type.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

type approvalConfiguration:

dict

param approvalConfiguration:

The approval configuration for registry records. Controls whether records require explicit approval before becoming active. See the ApprovalConfiguration data type for supported configuration options.

  • autoApproval (boolean) --

    Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

rtype:

dict

returns:

Response Syntax

{
    'registryArn': 'string'
}

Response Structure

  • (dict) --

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the created registry.

DeleteHarness (updated) Link ¶
Changes (response)
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}

Operation to delete a Harness.

See also: AWS API Documentation

Request Syntax

client.delete_harness(
    harnessId='string',
    clientToken='string',
    deleteManagedMemory=True|False
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to delete.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type deleteManagedMemory:

boolean

param deleteManagedMemory:

Whether to delete the managed memory on harness deletion. Default: true. If false, the memory is disassociated and becomes a regular customer-owned resource.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness that was deleted.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • advertisedScopeMapping (dict) --

            A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

            • (string) --

              • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

GetAgentRuntime (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Gets an Amazon Bedrock AgentCore Runtime.

See also: AWS API Documentation

Request Syntax

client.get_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeVersion='string'
)
type agentRuntimeId:

string

param agentRuntimeId:

[REQUIRED]

The unique identifier of the AgentCore Runtime to retrieve.

type agentRuntimeVersion:

string

param agentRuntimeVersion:

The version of the AgentCore Runtime to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeName': 'string',
    'agentRuntimeId': 'string',
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'roleArn': 'string',
    'networkConfiguration': {
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING',
    'lifecycleConfiguration': {
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    'failureReason': 'string',
    'description': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeArtifact': {
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    'protocolConfiguration': {
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    'environmentVariables': {
        'string': 'string'
    },
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'requestHeaderConfiguration': {
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    'metadataConfiguration': {
        'requireMMDSV2': True|False
    },
    'filesystemConfigurations': [
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ]
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the AgentCore Runtime.

    • agentRuntimeName (string) --

      The name of the AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the AgentCore Runtime.

    • agentRuntimeVersion (string) --

      The version of the AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the AgentCore Runtime.

    • networkConfiguration (dict) --

      The network configuration for the AgentCore Runtime.

      • networkMode (string) --

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) --

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) --

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • status (string) --

      The current status of the AgentCore Runtime.

    • lifecycleConfiguration (dict) --

      The life cycle configuration for the AgentCore Runtime.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • failureReason (string) --

      The reason for failure if the AgentCore Runtime is in a failed state.

    • description (string) --

      The description of the AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeArtifact (dict) --

      The artifact of the AgentCore Runtime.

      • containerConfiguration (dict) --

        The container configuration for the agent artifact.

        • containerUri (string) --

          The ECR URI of the container.

      • codeConfiguration (dict) --

        The code configuration for the agent runtime artifact, including the source code location and execution settings.

        • code (dict) --

          The source code location and configuration details.

          • s3 (dict) --

            The Amazon Amazon S3 object that contains the source code for the agent runtime.

            • bucket (string) --

              The name of the Amazon S3 bucket. This bucket contains the stored data.

            • prefix (string) --

              The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

            • versionId (string) --

              The version ID of the Amazon Amazon S3 object. If not specified, the latest version of the object is used.

        • runtime (string) --

          The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

        • entryPoint (list) --

          The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

          • (string) --

    • protocolConfiguration (dict) --

      The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

      • serverProtocol (string) --

        The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

    • environmentVariables (dict) --

      Environment variables set in the AgentCore Runtime environment.

      • (string) --

        • (string) --

    • authorizerConfiguration (dict) --

      The authorizer configuration for the AgentCore Runtime.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • requestHeaderConfiguration (dict) --

      Configuration for HTTP request headers that will be passed through to the runtime.

      • requestHeaderAllowlist (list) --

        A list of HTTP request headers that are allowed to be passed through to the runtime.

        • (string) --

    • metadataConfiguration (dict) --

      Configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

      • requireMMDSV2 (boolean) --

        Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

    • filesystemConfigurations (list) --

      The filesystem configurations mounted into the AgentCore Runtime.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) --

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) --

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) --

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) --

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) --

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

GetGateway (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Retrieves information about a specific Gateway.

See also: AWS API Documentation

Request Syntax

client.get_gateway(
    gatewayIdentifier='string'
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the gateway.

    • gatewayId (string) --

      The unique identifier of the gateway.

    • gatewayUrl (string) --

      An endpoint for invoking gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the gateway.

    • statusReasons (list) --

      The reasons for the current status of the gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The description of the gateway.

    • roleArn (string) --

      The IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      Protocol applied to a gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      Authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The Amazon Resource Name (ARN) of the KMS key used to encrypt the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The interceptors configured on the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the lambda function used for the interceptor.

            • arn (string) --

              The arn of the lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.

GetHarness (updated) Link ¶
Changes (response)
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}

Operation to get a single harness.

See also: AWS API Documentation

Request Syntax

client.get_harness(
    harnessId='string',
    harnessVersion='string'
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to retrieve.

type harnessVersion:

string

param harnessVersion:

Specific version of the harness to retrieve. If omitted, returns the current Harness configuration, including its status.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The harness resource.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • advertisedScopeMapping (dict) --

            A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

            • (string) --

              • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

GetPaymentManager (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Retrieves information about a specific payment manager.

See also: AWS API Documentation

Request Syntax

client.get_payment_manager(
    paymentManagerId='string'
)
type paymentManagerId:

string

param paymentManagerId:

[REQUIRED]

The unique identifier of the payment manager to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'description': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED',
    'tags': {
        'string': 'string'
    }
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the payment manager.

    • paymentManagerId (string) --

      The unique identifier of the payment manager.

    • name (string) --

      The name of the payment manager.

    • description (string) --

      The description of the payment manager.

    • authorizerType (string) --

      The type of authorizer used by the payment manager.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      Represents inbound authorization configuration options used to authenticate incoming requests.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • createdAt (datetime) --

      The timestamp when the payment manager was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the payment manager was last updated.

    • status (string) --

      The current status of the payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.

    • tags (dict) --

      The tags associated with the payment manager.

      • (string) --

        • (string) --

GetRegistry (updated) Link ¶
Changes (response)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Retrieves information about a specific registry.

See also: AWS API Documentation

Request Syntax

client.get_registry(
    registryId='string'
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to retrieve. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the registry.

    • description (string) --

      The description of the registry.

    • registryId (string) --

      The unique identifier of the registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the registry.

    • authorizerType (string) --

      The type of authorizer used by the registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • approvalConfiguration (dict) --

      The approval configuration for registry records. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status, typically set when the status is a failure state.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.

UpdateAgentRuntime (updated) Link ¶
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Updates an existing Amazon Secure Agent.

See also: AWS API Documentation

Request Syntax

client.update_agent_runtime(
    agentRuntimeId='string',
    agentRuntimeArtifact={
        'containerConfiguration': {
            'containerUri': 'string'
        },
        'codeConfiguration': {
            'code': {
                's3': {
                    'bucket': 'string',
                    'prefix': 'string',
                    'versionId': 'string'
                }
            },
            'runtime': 'PYTHON_3_10'|'PYTHON_3_11'|'PYTHON_3_12'|'PYTHON_3_13'|'PYTHON_3_14'|'NODE_22',
            'entryPoint': [
                'string',
            ]
        }
    },
    roleArn='string',
    networkConfiguration={
        'networkMode': 'PUBLIC'|'VPC',
        'networkModeConfig': {
            'securityGroups': [
                'string',
            ],
            'subnets': [
                'string',
            ],
            'requireServiceS3Endpoint': True|False
        }
    },
    description='string',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    requestHeaderConfiguration={
        'requestHeaderAllowlist': [
            'string',
        ]
    },
    protocolConfiguration={
        'serverProtocol': 'MCP'|'HTTP'|'A2A'|'AGUI'
    },
    lifecycleConfiguration={
        'idleRuntimeSessionTimeout': 123,
        'maxLifetime': 123
    },
    metadataConfiguration={
        'requireMMDSV2': True|False
    },
    environmentVariables={
        'string': 'string'
    },
    filesystemConfigurations=[
        {
            'sessionStorage': {
                'mountPath': 'string'
            },
            's3FilesAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            },
            'efsAccessPoint': {
                'accessPointArn': 'string',
                'mountPath': 'string'
            }
        },
    ],
    clientToken='string'
)
type agentRuntimeId:

string

param agentRuntimeId:

[REQUIRED]

The unique identifier of the AgentCore Runtime to update.

type agentRuntimeArtifact:

dict

param agentRuntimeArtifact:

[REQUIRED]

The updated artifact of the AgentCore Runtime.

  • containerConfiguration (dict) --

    The container configuration for the agent artifact.

    • containerUri (string) -- [REQUIRED]

      The ECR URI of the container.

  • codeConfiguration (dict) --

    The code configuration for the agent runtime artifact, including the source code location and execution settings.

    • code (dict) -- [REQUIRED]

      The source code location and configuration details.

      • s3 (dict) --

        The Amazon Amazon S3 object that contains the source code for the agent runtime.

        • bucket (string) -- [REQUIRED]

          The name of the Amazon S3 bucket. This bucket contains the stored data.

        • prefix (string) -- [REQUIRED]

          The prefix for objects in the Amazon S3 bucket. This prefix is added to the object keys to organize the data.

        • versionId (string) --

          The version ID of the Amazon Amazon S3 object. If not specified, the latest version of the object is used.

    • runtime (string) -- [REQUIRED]

      The runtime environment for executing the agent code. Specify the programming language and version to use for the agent runtime. For valid values, see the list of supported runtimes.

    • entryPoint (list) -- [REQUIRED]

      The entry point for the code execution, specifying the function or method that should be invoked when the code runs.

      • (string) --

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the AgentCore Runtime.

type networkConfiguration:

dict

param networkConfiguration:

[REQUIRED]

The updated network configuration for the AgentCore Runtime.

  • networkMode (string) -- [REQUIRED]

    The network mode for the AgentCore Runtime.

  • networkModeConfig (dict) --

    The network mode configuration for the AgentCore Runtime.

    • securityGroups (list) -- [REQUIRED]

      The security groups associated with the VPC configuration.

      • (string) --

    • subnets (list) -- [REQUIRED]

      The subnets associated with the VPC configuration.

      • (string) --

    • requireServiceS3Endpoint (boolean) --

      Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

      Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

      Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

      This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

type description:

string

param description:

The updated description of the AgentCore Runtime.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the AgentCore Runtime.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type requestHeaderConfiguration:

dict

param requestHeaderConfiguration:

The updated configuration for HTTP request headers that will be passed through to the runtime.

  • requestHeaderAllowlist (list) --

    A list of HTTP request headers that are allowed to be passed through to the runtime.

    • (string) --

type protocolConfiguration:

dict

param protocolConfiguration:

The protocol configuration for an agent runtime. This structure defines how the agent runtime communicates with clients.

  • serverProtocol (string) -- [REQUIRED]

    The server protocol for the agent runtime. This field specifies which protocol the agent runtime uses to communicate with clients.

type lifecycleConfiguration:

dict

param lifecycleConfiguration:

The updated life cycle configuration for the AgentCore Runtime.

  • idleRuntimeSessionTimeout (integer) --

    Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

  • maxLifetime (integer) --

    Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

type metadataConfiguration:

dict

param metadataConfiguration:

The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.

  • requireMMDSV2 (boolean) -- [REQUIRED]

    Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to true, the runtime microVM will only accept MMDSv2 requests.

type environmentVariables:

dict

param environmentVariables:

Updated environment variables to set in the AgentCore Runtime environment.

  • (string) --

    • (string) --

type filesystemConfigurations:

list

param filesystemConfigurations:

The updated filesystem configurations to mount into the AgentCore Runtime.

  • (dict) --

    Configuration for a filesystem that can be mounted into the AgentCore Runtime.

    • sessionStorage (dict) --

      Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

      • mountPath (string) -- [REQUIRED]

        The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • s3FilesAccessPoint (dict) --

      Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the S3 Files access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

    • efsAccessPoint (dict) --

      Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

      • accessPointArn (string) -- [REQUIRED]

        The ARN of the EFS access point to mount into the AgentCore Runtime.

      • mountPath (string) -- [REQUIRED]

        The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'agentRuntimeArn': 'string',
    'agentRuntimeId': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'agentRuntimeVersion': 'string',
    'createdAt': datetime(2015, 1, 1),
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'
}

Response Structure

  • (dict) --

    • agentRuntimeArn (string) --

      The Amazon Resource Name (ARN) of the updated AgentCore Runtime.

    • agentRuntimeId (string) --

      The unique identifier of the updated AgentCore Runtime.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated AgentCore Runtime.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • agentRuntimeVersion (string) --

      The version of the updated AgentCore Runtime.

    • createdAt (datetime) --

      The timestamp when the AgentCore Runtime was created.

    • lastUpdatedAt (datetime) --

      The timestamp when the AgentCore Runtime was last updated.

    • status (string) --

      The current status of the updated AgentCore Runtime.

UpdateGateway (updated) Link ¶
Changes (both)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Updates an existing gateway.

See also: AWS API Documentation

Request Syntax

client.update_gateway(
    gatewayIdentifier='string',
    name='string',
    description='string',
    roleArn='string',
    protocolType='MCP',
    protocolConfiguration={
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    authorizerType='CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    kmsKeyArn='string',
    customTransformConfiguration={
        'lambda': {
            'arn': 'string'
        }
    },
    interceptorConfigurations=[
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    policyEngineConfiguration={
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    exceptionLevel='DEBUG',
    wafConfiguration={
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
)
type gatewayIdentifier:

string

param gatewayIdentifier:

[REQUIRED]

The identifier of the gateway to update.

type name:

string

param name:

[REQUIRED]

The name of the gateway. This name must be the same as the one when the gateway was created.

type description:

string

param description:

The updated description for the gateway.

type roleArn:

string

param roleArn:

[REQUIRED]

The updated IAM role ARN that provides permissions for the gateway.

type protocolType:

string

param protocolType:

The updated protocol type for the gateway.

type protocolConfiguration:

dict

param protocolConfiguration:

The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

  • mcp (dict) --

    The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

    • supportedVersions (list) --

      The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

      • (string) --

    • instructions (string) --

      The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

    • searchType (string) --

      The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

    • sessionConfiguration (dict) --

      The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

      • sessionTimeoutInSeconds (integer) --

        The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

    • streamingConfiguration (dict) --

      The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

      • enableResponseStreaming (boolean) --

        Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

type authorizerType:

string

param authorizerType:

[REQUIRED]

The updated authorizer type for the gateway.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the gateway.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type kmsKeyArn:

string

param kmsKeyArn:

The updated ARN of the KMS key used to encrypt the gateway.

type customTransformConfiguration:

dict

param customTransformConfiguration:

The updated custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

  • lambda (dict) --

    The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

    • arn (string) --

      The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

type interceptorConfigurations:

list

param interceptorConfigurations:

The updated interceptor configurations for the gateway.

  • (dict) --

    The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

    • interceptor (dict) -- [REQUIRED]

      The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

      • lambda (dict) --

        The details of the lambda function used for the interceptor.

        • arn (string) -- [REQUIRED]

          The arn of the lambda function to be invoked for the interceptor.

    • interceptionPoints (list) -- [REQUIRED]

      The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

      • (string) --

    • inputConfiguration (dict) --

      The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

      • passRequestHeaders (boolean) -- [REQUIRED]

        Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

      • payloadFilter (dict) --

        The filter that determines which parts of the request or response payload are passed as input to the interceptor.

        • exclude (list) -- [REQUIRED]

          The list of selectors that identify payload fields to exclude from the interceptor input.

          • (dict) --

            A selector that identifies a payload field to exclude from the interceptor input.

            • field (string) --

              The field to exclude from the interceptor input.

type policyEngineConfiguration:

dict

param policyEngineConfiguration:

The updated policy engine configuration for the gateway. A policy engine is a collection of policies that evaluates and authorizes agent tool calls. When associated with a gateway, the policy engine intercepts all agent requests and determines whether to allow or deny each action based on the defined policies.

  • arn (string) -- [REQUIRED]

    The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

  • mode (string) -- [REQUIRED]

    The enforcement mode for the policy engine. Valid values include:

    • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

    • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

type exceptionLevel:

string

param exceptionLevel:

The level of detail in error messages returned when invoking the gateway.

  • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

  • If the value is omitted, a generic error message is returned to the end user.

type wafConfiguration:

dict

param wafConfiguration:

The updated Amazon Web Services WAF configuration for the gateway.

  • failureMode (string) --

    The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

    • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

    • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.

rtype:

dict

returns:

Response Syntax

{
    'gatewayArn': 'string',
    'gatewayId': 'string',
    'gatewayUrl': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'UPDATE_UNSUCCESSFUL'|'DELETING'|'READY'|'FAILED',
    'statusReasons': [
        'string',
    ],
    'name': 'string',
    'description': 'string',
    'roleArn': 'string',
    'protocolType': 'MCP',
    'protocolConfiguration': {
        'mcp': {
            'supportedVersions': [
                'string',
            ],
            'instructions': 'string',
            'searchType': 'SEMANTIC',
            'sessionConfiguration': {
                'sessionTimeoutInSeconds': 123
            },
            'streamingConfiguration': {
                'enableResponseStreaming': True|False
            }
        }
    },
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM'|'NONE'|'AUTHENTICATE_ONLY',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'kmsKeyArn': 'string',
    'customTransformConfiguration': {
        'lambda': {
            'arn': 'string'
        }
    },
    'interceptorConfigurations': [
        {
            'interceptor': {
                'lambda': {
                    'arn': 'string'
                }
            },
            'interceptionPoints': [
                'REQUEST'|'RESPONSE',
            ],
            'inputConfiguration': {
                'passRequestHeaders': True|False,
                'payloadFilter': {
                    'exclude': [
                        {
                            'field': 'RESPONSE_BODY'
                        },
                    ]
                }
            }
        },
    ],
    'policyEngineConfiguration': {
        'arn': 'string',
        'mode': 'LOG_ONLY'|'ENFORCE'
    },
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'exceptionLevel': 'DEBUG',
    'webAclArn': 'string',
    'wafConfiguration': {
        'failureMode': 'FAIL_CLOSE'|'FAIL_OPEN'
    }
}

Response Structure

  • (dict) --

    • gatewayArn (string) --

      The Amazon Resource Name (ARN) of the updated gateway.

    • gatewayId (string) --

      The unique identifier of the updated gateway.

    • gatewayUrl (string) --

      An endpoint for invoking the updated gateway.

    • createdAt (datetime) --

      The timestamp when the gateway was created.

    • updatedAt (datetime) --

      The timestamp when the gateway was last updated.

    • status (string) --

      The current status of the updated gateway.

    • statusReasons (list) --

      The reasons for the current status of the updated gateway.

      • (string) --

    • name (string) --

      The name of the gateway.

    • description (string) --

      The updated description of the gateway.

    • roleArn (string) --

      The updated IAM role ARN that provides permissions for the gateway.

    • protocolType (string) --

      The updated protocol type for the gateway.

    • protocolConfiguration (dict) --

      The configuration for a gateway protocol. This structure defines how the gateway communicates with external services.

      • mcp (dict) --

        The configuration for the Model Context Protocol (MCP). This protocol enables communication between Amazon Bedrock Agent and external tools.

        • supportedVersions (list) --

          The supported versions of the Model Context Protocol. This field specifies which versions of the protocol the gateway can use.

          • (string) --

        • instructions (string) --

          The instructions for using the Model Context Protocol gateway. These instructions provide guidance on how to interact with the gateway.

        • searchType (string) --

          The search type for the Model Context Protocol gateway. This field specifies how the gateway handles search operations.

        • sessionConfiguration (dict) --

          The session configuration for the MCP gateway. This configuration controls session behavior, including session timeout settings.

          • sessionTimeoutInSeconds (integer) --

            The session timeout in seconds. After this timeout, the session expires and subsequent requests to this session will receive an error. The minimum value is 900 seconds (15 minutes), the maximum value is 28800 seconds (8 hours), and the default value is 3600 seconds (1 hour).

        • streamingConfiguration (dict) --

          The streaming configuration for the MCP gateway. This configuration controls whether response streaming is enabled for the gateway.

          • enableResponseStreaming (boolean) --

            Indicates whether response streaming is enabled for the gateway. When set to true, the gateway streams responses from targets back to the client.

    • authorizerType (string) --

      The updated authorizer type for the gateway.

    • authorizerConfiguration (dict) --

      The updated authorizer configuration for the gateway.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • kmsKeyArn (string) --

      The updated ARN of the KMS key used to encrypt the gateway.

    • customTransformConfiguration (dict) --

      The custom transformation configuration for the gateway. This configuration defines how the gateway transforms requests and responses.

      • lambda (dict) --

        The Lambda configuration for custom transformations. This configuration defines how the gateway uses a Lambda function to transform data.

        • arn (string) --

          The Amazon Resource Name (ARN) of the Lambda function. This function is invoked by the gateway to transform data.

    • interceptorConfigurations (list) --

      The updated interceptor configurations for the gateway.

      • (dict) --

        The configuration for an interceptor on a gateway. This structure defines settings for an interceptor that will be invoked during the invocation of the gateway.

        • interceptor (dict) --

          The infrastructure settings of an interceptor configuration. This structure defines how the interceptor can be invoked.

          • lambda (dict) --

            The details of the lambda function used for the interceptor.

            • arn (string) --

              The arn of the lambda function to be invoked for the interceptor.

        • interceptionPoints (list) --

          The supported points of interception. This field specifies which points during the gateway invocation to invoke the interceptor

          • (string) --

        • inputConfiguration (dict) --

          The configuration for the input of the interceptor. This field specifies how the input to the interceptor is constructed

          • passRequestHeaders (boolean) --

            Indicates whether to pass request headers as input into the interceptor. When set to true, request headers will be passed.

          • payloadFilter (dict) --

            The filter that determines which parts of the request or response payload are passed as input to the interceptor.

            • exclude (list) --

              The list of selectors that identify payload fields to exclude from the interceptor input.

              • (dict) --

                A selector that identifies a payload field to exclude from the interceptor input.

                • field (string) --

                  The field to exclude from the interceptor input.

    • policyEngineConfiguration (dict) --

      The updated policy engine configuration for the gateway.

      • arn (string) --

        The ARN of the policy engine. The policy engine contains Cedar policies that define fine-grained authorization rules specifying who can perform what actions on which resources as agents interact through the gateway.

      • mode (string) --

        The enforcement mode for the policy engine. Valid values include:

        • LOG_ONLY - The policy engine evaluates each action against your policies and adds traces on whether tool calls would be allowed or denied, but does not enforce the decision. Use this mode to test and validate policies before enabling enforcement.

        • ENFORCE - The policy engine evaluates actions against your policies and enforces decisions by allowing or denying agent operations. Test and validate policies in LOG_ONLY mode before enabling enforcement to avoid unintended denials or adversely affecting production traffic.

    • workloadIdentityDetails (dict) --

      The workload identity details for the updated gateway.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • exceptionLevel (string) --

      The level of detail in error messages returned when invoking the gateway.

      • If the value is DEBUG, granular exception messages are returned to help a user debug the gateway.

      • If the value is omitted, a generic error message is returned to the end user.

    • webAclArn (string) --

      The Amazon Resource Name (ARN) of the Amazon Web Services WAF web ACL associated with the gateway.

    • wafConfiguration (dict) --

      The Amazon Web Services WAF configuration for the gateway.

      • failureMode (string) --

        The failure mode that determines how the gateway handles requests when Amazon Web Services WAF is unreachable or times out. Valid values include:

        • FAIL_CLOSE - The gateway blocks requests when Amazon Web Services WAF cannot be evaluated.

        • FAIL_OPEN - The gateway allows requests when Amazon Web Services WAF cannot be evaluated.

UpdateHarness (updated) Link ¶
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}
Response
{'harness': {'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}

Operation to update a harness.

See also: AWS API Documentation

Request Syntax

client.update_harness(
    harnessId='string',
    clientToken='string',
    executionRoleArn='string',
    environment={
        'agentCoreRuntimeEnvironment': {
            'lifecycleConfiguration': {
                'idleRuntimeSessionTimeout': 123,
                'maxLifetime': 123
            },
            'networkConfiguration': {
                'networkMode': 'PUBLIC'|'VPC',
                'networkModeConfig': {
                    'securityGroups': [
                        'string',
                    ],
                    'subnets': [
                        'string',
                    ],
                    'requireServiceS3Endpoint': True|False
                }
            },
            'filesystemConfigurations': [
                {
                    'sessionStorage': {
                        'mountPath': 'string'
                    },
                    's3FilesAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    },
                    'efsAccessPoint': {
                        'accessPointArn': 'string',
                        'mountPath': 'string'
                    }
                },
            ]
        }
    },
    environmentArtifact={
        'optionalValue': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        }
    },
    environmentVariables={
        'string': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        }
    },
    model={
        'bedrockModelConfig': {
            'modelId': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'converse_stream'|'responses'|'chat_completions',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'openAiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'apiFormat': 'chat_completions'|'responses',
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        },
        'geminiModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'topK': 123
        },
        'liteLlmModelConfig': {
            'modelId': 'string',
            'apiKeyArn': 'string',
            'apiBase': 'string',
            'maxTokens': 123,
            'temperature': ...,
            'topP': ...,
            'additionalParams': {...}|[...]|123|123.4|'string'|True|None
        }
    },
    systemPrompt=[
        {
            'text': 'string'
        },
    ],
    tools=[
        {
            'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
            'name': 'string',
            'config': {
                'remoteMcp': {
                    'url': 'string',
                    'headers': {
                        'string': 'string'
                    }
                },
                'agentCoreBrowser': {
                    'browserArn': 'string'
                },
                'agentCoreGateway': {
                    'gatewayArn': 'string',
                    'outboundAuth': {
                        'awsIam': {}
                        ,
                        'none': {}
                        ,
                        'oauth': {
                            'providerArn': 'string',
                            'scopes': [
                                'string',
                            ],
                            'customParameters': {
                                'string': 'string'
                            },
                            'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                            'defaultReturnUrl': 'string'
                        }
                    }
                },
                'inlineFunction': {
                    'description': 'string',
                    'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                },
                'agentCoreCodeInterpreter': {
                    'codeInterpreterArn': 'string'
                }
            }
        },
    ],
    skills=[
        {
            'path': 'string',
            's3': {
                'uri': 'string'
            },
            'git': {
                'url': 'string',
                'path': 'string',
                'auth': {
                    'credentialArn': 'string',
                    'username': 'string'
                }
            },
            'awsSkills': {
                'paths': [
                    'string',
                ]
            }
        },
    ],
    allowedTools=[
        'string',
    ],
    memory={
        'optionalValue': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}

        }
    },
    truncation={
        'strategy': 'sliding_window'|'summarization'|'none',
        'config': {
            'slidingWindow': {
                'messagesCount': 123
            },
            'summarization': {
                'summaryRatio': ...,
                'preserveRecentMessages': 123,
                'summarizationSystemPrompt': 'string'
            }
        }
    },
    maxIterations=123,
    maxTokens=123,
    timeoutSeconds=123
)
type harnessId:

string

param harnessId:

[REQUIRED]

The ID of the harness to update.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure idempotency of the request.

This field is autopopulated if not provided.

type executionRoleArn:

string

param executionRoleArn:

The ARN of the IAM role that the harness assumes when running. If not specified, the existing value is retained.

type environment:

dict

param environment:

The compute environment configuration for the harness. If not specified, the existing value is retained.

  • agentCoreRuntimeEnvironment (dict) --

    The AgentCore Runtime environment configuration.

    • lifecycleConfiguration (dict) --

      LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

      • idleRuntimeSessionTimeout (integer) --

        Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

      • maxLifetime (integer) --

        Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

    • networkConfiguration (dict) --

      SecurityConfig for the Agent.

      • networkMode (string) -- [REQUIRED]

        The network mode for the AgentCore Runtime.

      • networkModeConfig (dict) --

        The network mode configuration for the AgentCore Runtime.

        • securityGroups (list) -- [REQUIRED]

          The security groups associated with the VPC configuration.

          • (string) --

        • subnets (list) -- [REQUIRED]

          The subnets associated with the VPC configuration.

          • (string) --

        • requireServiceS3Endpoint (boolean) --

          Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

          Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

          Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

          This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

    • filesystemConfigurations (list) --

      The filesystem configurations for the runtime environment.

      • (dict) --

        Configuration for a filesystem that can be mounted into the AgentCore Runtime.

        • sessionStorage (dict) --

          Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

          • mountPath (string) -- [REQUIRED]

            The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • s3FilesAccessPoint (dict) --

          Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the S3 Files access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

        • efsAccessPoint (dict) --

          Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

          • accessPointArn (string) -- [REQUIRED]

            The ARN of the EFS access point to mount into the AgentCore Runtime.

          • mountPath (string) -- [REQUIRED]

            The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

type environmentArtifact:

dict

param environmentArtifact:

The environment artifact for the harness. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated environment artifact value, or null to clear the existing configuration.

    • containerConfiguration (dict) --

      Representation of a container configuration.

      • containerUri (string) -- [REQUIRED]

        The ECR URI of the container.

type environmentVariables:

dict

param environmentVariables:

Environment variables to set in the harness runtime environment. If specified, this replaces all existing environment variables. If not specified, the existing value is retained.

  • (string) --

    • (string) --

type authorizerConfiguration:

dict

param authorizerConfiguration:

Wrapper for updating an optional AuthorizerConfiguration field with PATCH semantics. When present in an update request, the authorizer configuration is replaced with optionalValue. When absent, the authorizer configuration is left unchanged. To unset, include the wrapper with optionalValue not specified.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • advertisedScopeMapping (dict) --

        A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

        • (string) --

          • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

      • privateEndpointOverrides (list) --

        The private endpoint overrides for the custom JWT authorizer configuration.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

      • allowedWorkloadConfiguration (dict) --

        The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

        • hostingEnvironments (list) --

          The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • (dict) --

            A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • arn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the hosting environment.

        • workloadIdentities (list) --

          The list of workload identities that are allowed to invoke the target.

          • (string) --

type model:

dict

param model:

The model configuration for the harness. If not specified, the existing value is retained.

  • bedrockModelConfig (dict) --

    Configuration for an Amazon Bedrock model.

    • modelId (string) -- [REQUIRED]

      The Bedrock model ID.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the Bedrock provider.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

  • openAiModelConfig (dict) --

    Configuration for an OpenAI model.

    • modelId (string) -- [REQUIRED]

      The OpenAI model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your OpenAI API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • apiFormat (string) --

      The API format to use when calling the OpenAI provider.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

  • geminiModelConfig (dict) --

    Configuration for a Google Gemini model.

    • modelId (string) -- [REQUIRED]

      The Gemini model ID.

    • apiKeyArn (string) -- [REQUIRED]

      The ARN of your Gemini API key on AgentCore Identity.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per model call.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • topK (integer) --

      The topK set when calling the model.

  • liteLlmModelConfig (dict) --

    The LiteLLM model configuration for connecting to third-party model providers.

    • modelId (string) -- [REQUIRED]

      The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

    • apiKeyArn (string) --

      The ARN of the API key in AgentCore Identity for authenticating with the model provider.

    • apiBase (string) --

      The base URL for the model provider's API endpoint.

    • maxTokens (integer) --

      The maximum number of tokens to allow in the generated response per iteration.

    • temperature (float) --

      The temperature to set when calling the model.

    • topP (float) --

      The topP set when calling the model.

    • additionalParams (:ref:`document<document>`) --

      Provider-specific parameters passed through to the model provider unchanged.

type systemPrompt:

list

param systemPrompt:

The system prompt that defines the agent's behavior. If not specified, the existing value is retained.

  • (dict) --

    A content block in the system prompt.

    • text (string) --

      The text content of the system prompt block.

type tools:

list

param tools:

The tools available to the agent. If specified, this replaces all existing tools. If not specified, the existing value is retained.

  • (dict) --

    A tool available to the agent loop.

    • type (string) -- [REQUIRED]

      The type of tool.

    • name (string) --

      Unique name for the tool. If not provided, a name will be inferred or generated.

    • config (dict) --

      Tool-specific configuration.

      • remoteMcp (dict) --

        Configuration for remote MCP server.

        • url (string) -- [REQUIRED]

          URL of the MCP endpoint.

        • headers (dict) --

          Custom headers to include when connecting to the remote MCP server.

          • (string) --

            The key of an HTTP header.

            • (string) --

              The value of an HTTP header.

      • agentCoreBrowser (dict) --

        Configuration for AgentCore Browser.

        • browserArn (string) --

          If not populated, the built-in Browser ARN is used.

      • agentCoreGateway (dict) --

        Configuration for AgentCore Gateway.

        • gatewayArn (string) -- [REQUIRED]

          The ARN of the desired AgentCore Gateway.

        • outboundAuth (dict) --

          How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

          • awsIam (dict) --

            SigV4-sign requests using the agent's execution role.

          • none (dict) --

            No authentication.

          • oauth (dict) --

            Use OAuth credentials for outbound authentication to the gateway.

            • providerArn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

            • scopes (list) -- [REQUIRED]

              The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

              • (string) --

            • customParameters (dict) --

              The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

              • (string) --

                • (string) --

            • grantType (string) --

              Specifies the kind of credentials to use for authorization:

              • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

              • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

              • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

            • defaultReturnUrl (string) --

              The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

      • inlineFunction (dict) --

        Configuration for an inline function tool.

        • description (string) -- [REQUIRED]

          Description of what the tool does, provided to the model.

        • inputSchema (:ref:`document<document>`) -- [REQUIRED]

          JSON Schema describing the tool's input parameters.

      • agentCoreCodeInterpreter (dict) --

        Configuration for AgentCore Code Interpreter.

        • codeInterpreterArn (string) --

          If not populated, the built-in Code Interpreter ARN is used.

type skills:

list

param skills:

The skills available to the agent. If specified, this replaces all existing skills. If not specified, the existing value is retained.

  • (dict) --

    A skill available to the agent.

    • path (string) --

      The filesystem path to the skill definition.

    • s3 (dict) --

      An S3 source containing the skill.

      • uri (string) -- [REQUIRED]

        The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

    • git (dict) --

      A git repository containing the skill.

      • url (string) -- [REQUIRED]

        The HTTPS URL of the git repository.

      • path (string) --

        Subdirectory within the repository containing the skill.

      • auth (dict) --

        Authentication configuration for private repositories.

        • credentialArn (string) -- [REQUIRED]

          The ARN of the credential in AgentCore Identity containing the password or personal access token.

        • username (string) --

          Username for authentication. Defaults to 'oauth2' if not specified.

    • awsSkills (dict) --

      AWS Skills baked into the harness's underlying Runtime.

      • paths (list) --

        Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

        • (string) --

type allowedTools:

list

param allowedTools:

The tools that the agent is allowed to use. If specified, this replaces all existing allowed tools. If not specified, the existing value is retained.

  • (string) --

type memory:

dict

param memory:

The AgentCore Memory configuration. Use the optionalValue wrapper to set a new value, or set it to null to clear the existing configuration.

  • optionalValue (dict) --

    The updated memory configuration value, or null to clear the existing configuration.

    • agentCoreMemoryConfiguration (dict) --

      The AgentCore Memory configuration.

      • arn (string) -- [REQUIRED]

        The ARN of the AgentCore Memory resource.

      • actorId (string) --

        The actor ID for memory operations.

      • messagesCount (integer) --

        The number of messages to retrieve from memory.

      • retrievalConfig (dict) --

        The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

        • (string) --

          • (dict) --

            Configuration for memory retrieval within a namespace.

            • topK (integer) --

              The maximum number of memory entries to retrieve.

            • relevanceScore (float) --

              The minimum relevance score for retrieved memories.

            • strategyId (string) --

              The ID of the retrieval strategy to use.

    • managedMemoryConfiguration (dict) --

      Harness creates and manages a memory resource in the customer's account.

      • arn (string) --

        The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

      • strategies (list) --

        Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

        • (string) --

      • eventExpiryDuration (integer) --

        Event retention in days. Defaults to 30.

      • encryptionKeyArn (string) --

        Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

    • disabled (dict) --

      Explicitly opt out of memory.

type truncation:

dict

param truncation:

The truncation configuration for managing conversation context. If not specified, the existing value is retained.

  • strategy (string) -- [REQUIRED]

    The truncation strategy to use.

  • config (dict) --

    The strategy-specific configuration.

    • slidingWindow (dict) --

      Configuration for sliding window truncation.

      • messagesCount (integer) --

        The number of recent messages to retain in the context window.

    • summarization (dict) --

      Configuration for summarization-based truncation.

      • summaryRatio (float) --

        The ratio of content to summarize.

      • preserveRecentMessages (integer) --

        The number of recent messages to preserve without summarization.

      • summarizationSystemPrompt (string) --

        The system prompt used for generating summaries.

type maxIterations:

integer

param maxIterations:

The maximum number of iterations the agent loop can execute per invocation. If not specified, the existing value is retained.

type maxTokens:

integer

param maxTokens:

The maximum total number of output tokens the agent can generate across all model calls within a single invocation. If not specified, the existing value is retained.

type timeoutSeconds:

integer

param timeoutSeconds:

The maximum duration in seconds for the agent loop execution per invocation. If not specified, the existing value is retained.

rtype:

dict

returns:

Response Syntax

{
    'harness': {
        'harnessId': 'string',
        'harnessName': 'string',
        'arn': 'string',
        'status': 'CREATING'|'CREATE_FAILED'|'UPDATING'|'UPDATE_FAILED'|'READY'|'DELETING'|'DELETE_FAILED',
        'harnessVersion': 'string',
        'executionRoleArn': 'string',
        'createdAt': datetime(2015, 1, 1),
        'updatedAt': datetime(2015, 1, 1),
        'model': {
            'bedrockModelConfig': {
                'modelId': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'converse_stream'|'responses'|'chat_completions',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'openAiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'apiFormat': 'chat_completions'|'responses',
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            },
            'geminiModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'topK': 123
            },
            'liteLlmModelConfig': {
                'modelId': 'string',
                'apiKeyArn': 'string',
                'apiBase': 'string',
                'maxTokens': 123,
                'temperature': ...,
                'topP': ...,
                'additionalParams': {...}|[...]|123|123.4|'string'|True|None
            }
        },
        'systemPrompt': [
            {
                'text': 'string'
            },
        ],
        'tools': [
            {
                'type': 'remote_mcp'|'agentcore_browser'|'agentcore_gateway'|'inline_function'|'agentcore_code_interpreter',
                'name': 'string',
                'config': {
                    'remoteMcp': {
                        'url': 'string',
                        'headers': {
                            'string': 'string'
                        }
                    },
                    'agentCoreBrowser': {
                        'browserArn': 'string'
                    },
                    'agentCoreGateway': {
                        'gatewayArn': 'string',
                        'outboundAuth': {
                            'awsIam': {},
                            'none': {},
                            'oauth': {
                                'providerArn': 'string',
                                'scopes': [
                                    'string',
                                ],
                                'customParameters': {
                                    'string': 'string'
                                },
                                'grantType': 'CLIENT_CREDENTIALS'|'AUTHORIZATION_CODE'|'TOKEN_EXCHANGE',
                                'defaultReturnUrl': 'string'
                            }
                        }
                    },
                    'inlineFunction': {
                        'description': 'string',
                        'inputSchema': {...}|[...]|123|123.4|'string'|True|None
                    },
                    'agentCoreCodeInterpreter': {
                        'codeInterpreterArn': 'string'
                    }
                }
            },
        ],
        'skills': [
            {
                'path': 'string',
                's3': {
                    'uri': 'string'
                },
                'git': {
                    'url': 'string',
                    'path': 'string',
                    'auth': {
                        'credentialArn': 'string',
                        'username': 'string'
                    }
                },
                'awsSkills': {
                    'paths': [
                        'string',
                    ]
                }
            },
        ],
        'allowedTools': [
            'string',
        ],
        'truncation': {
            'strategy': 'sliding_window'|'summarization'|'none',
            'config': {
                'slidingWindow': {
                    'messagesCount': 123
                },
                'summarization': {
                    'summaryRatio': ...,
                    'preserveRecentMessages': 123,
                    'summarizationSystemPrompt': 'string'
                }
            }
        },
        'environment': {
            'agentCoreRuntimeEnvironment': {
                'agentRuntimeArn': 'string',
                'agentRuntimeName': 'string',
                'agentRuntimeId': 'string',
                'lifecycleConfiguration': {
                    'idleRuntimeSessionTimeout': 123,
                    'maxLifetime': 123
                },
                'networkConfiguration': {
                    'networkMode': 'PUBLIC'|'VPC',
                    'networkModeConfig': {
                        'securityGroups': [
                            'string',
                        ],
                        'subnets': [
                            'string',
                        ],
                        'requireServiceS3Endpoint': True|False
                    }
                },
                'filesystemConfigurations': [
                    {
                        'sessionStorage': {
                            'mountPath': 'string'
                        },
                        's3FilesAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        },
                        'efsAccessPoint': {
                            'accessPointArn': 'string',
                            'mountPath': 'string'
                        }
                    },
                ]
            }
        },
        'environmentArtifact': {
            'containerConfiguration': {
                'containerUri': 'string'
            }
        },
        'environmentVariables': {
            'string': 'string'
        },
        'authorizerConfiguration': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        },
        'memory': {
            'agentCoreMemoryConfiguration': {
                'arn': 'string',
                'actorId': 'string',
                'messagesCount': 123,
                'retrievalConfig': {
                    'string': {
                        'topK': 123,
                        'relevanceScore': ...,
                        'strategyId': 'string'
                    }
                }
            },
            'managedMemoryConfiguration': {
                'arn': 'string',
                'strategies': [
                    'SEMANTIC'|'SUMMARIZATION'|'USER_PREFERENCE'|'EPISODIC',
                ],
                'eventExpiryDuration': 123,
                'encryptionKeyArn': 'string'
            },
            'disabled': {}
        },
        'maxIterations': 123,
        'maxTokens': 123,
        'timeoutSeconds': 123,
        'failureReason': 'string'
    }
}

Response Structure

  • (dict) --

    • harness (dict) --

      The updated harness.

      • harnessId (string) --

        The ID of the harness.

      • harnessName (string) --

        The name of the harness.

      • arn (string) --

        The ARN of the harness.

      • status (string) --

        The status of the harness.

      • harnessVersion (string) --

        The version of the harness. Incremented on every successful UpdateHarness.

      • executionRoleArn (string) --

        IAM role the harness assumes when running.

      • createdAt (datetime) --

        The createdAt time of the harness.

      • updatedAt (datetime) --

        The updatedAt time of the harness.

      • model (dict) --

        The configuration of the default model used by the Harness.

        • bedrockModelConfig (dict) --

          Configuration for an Amazon Bedrock model.

          • modelId (string) --

            The Bedrock model ID.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the Bedrock provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • openAiModelConfig (dict) --

          Configuration for an OpenAI model.

          • modelId (string) --

            The OpenAI model ID.

          • apiKeyArn (string) --

            The ARN of your OpenAI API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • apiFormat (string) --

            The API format to use when calling the OpenAI provider.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

        • geminiModelConfig (dict) --

          Configuration for a Google Gemini model.

          • modelId (string) --

            The Gemini model ID.

          • apiKeyArn (string) --

            The ARN of your Gemini API key on AgentCore Identity.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per model call.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • topK (integer) --

            The topK set when calling the model.

        • liteLlmModelConfig (dict) --

          The LiteLLM model configuration for connecting to third-party model providers.

          • modelId (string) --

            The LiteLLM model identifier (e.g., "anthropic/claude-3-sonnet").

          • apiKeyArn (string) --

            The ARN of the API key in AgentCore Identity for authenticating with the model provider.

          • apiBase (string) --

            The base URL for the model provider's API endpoint.

          • maxTokens (integer) --

            The maximum number of tokens to allow in the generated response per iteration.

          • temperature (float) --

            The temperature to set when calling the model.

          • topP (float) --

            The topP set when calling the model.

          • additionalParams (:ref:`document<document>`) --

            Provider-specific parameters passed through to the model provider unchanged.

      • systemPrompt (list) --

        The system prompt of the harness.

        • (dict) --

          A content block in the system prompt.

          • text (string) --

            The text content of the system prompt block.

      • tools (list) --

        The tools of the harness.

        • (dict) --

          A tool available to the agent loop.

          • type (string) --

            The type of tool.

          • name (string) --

            Unique name for the tool. If not provided, a name will be inferred or generated.

          • config (dict) --

            Tool-specific configuration.

            • remoteMcp (dict) --

              Configuration for remote MCP server.

              • url (string) --

                URL of the MCP endpoint.

              • headers (dict) --

                Custom headers to include when connecting to the remote MCP server.

                • (string) --

                  The key of an HTTP header.

                  • (string) --

                    The value of an HTTP header.

            • agentCoreBrowser (dict) --

              Configuration for AgentCore Browser.

              • browserArn (string) --

                If not populated, the built-in Browser ARN is used.

            • agentCoreGateway (dict) --

              Configuration for AgentCore Gateway.

              • gatewayArn (string) --

                The ARN of the desired AgentCore Gateway.

              • outboundAuth (dict) --

                How harness authenticates to this Gateway. Defaults to AWS_IAM (SigV4) if omitted.

                • awsIam (dict) --

                  SigV4-sign requests using the agent's execution role.

                • none (dict) --

                  No authentication.

                • oauth (dict) --

                  Use OAuth credentials for outbound authentication to the gateway.

                  • providerArn (string) --

                    The Amazon Resource Name (ARN) of the OAuth credential provider. This ARN identifies the provider in Amazon Web Services.

                  • scopes (list) --

                    The OAuth scopes for the credential provider. These scopes define the level of access requested from the OAuth provider.

                    • (string) --

                  • customParameters (dict) --

                    The custom parameters for the OAuth credential provider. These parameters provide additional configuration for the OAuth authentication process.

                    • (string) --

                      • (string) --

                  • grantType (string) --

                    Specifies the kind of credentials to use for authorization:

                    • CLIENT_CREDENTIALS - Authorization with a client ID and secret.

                    • AUTHORIZATION_CODE - Authorization with a token that is specific to an individual end user.

                    • TOKEN_EXCHANGE - Authorization using on-behalf-of token exchange. An inbound user token is exchanged for a downstream access token scoped to the target audience.

                  • defaultReturnUrl (string) --

                    The URL where the end user's browser is redirected after obtaining the authorization code. Generally points to the customer's application.

            • inlineFunction (dict) --

              Configuration for an inline function tool.

              • description (string) --

                Description of what the tool does, provided to the model.

              • inputSchema (:ref:`document<document>`) --

                JSON Schema describing the tool's input parameters.

            • agentCoreCodeInterpreter (dict) --

              Configuration for AgentCore Code Interpreter.

              • codeInterpreterArn (string) --

                If not populated, the built-in Code Interpreter ARN is used.

      • skills (list) --

        The skills of the harness.

        • (dict) --

          A skill available to the agent.

          • path (string) --

            The filesystem path to the skill definition.

          • s3 (dict) --

            An S3 source containing the skill.

            • uri (string) --

              The S3 URI pointing to the skill directory (e.g., s3://bucket/skills/my-skill/).

          • git (dict) --

            A git repository containing the skill.

            • url (string) --

              The HTTPS URL of the git repository.

            • path (string) --

              Subdirectory within the repository containing the skill.

            • auth (dict) --

              Authentication configuration for private repositories.

              • credentialArn (string) --

                The ARN of the credential in AgentCore Identity containing the password or personal access token.

              • username (string) --

                Username for authentication. Defaults to 'oauth2' if not specified.

          • awsSkills (dict) --

            AWS Skills baked into the harness's underlying Runtime.

            • paths (list) --

              Optionally filter allowed skills with glob syntax, e.g., ['core-skills/*'].

              • (string) --

      • allowedTools (list) --

        The allowed tools of the harness. All tools are allowed by default.

        • (string) --

      • truncation (dict) --

        Configuration for truncating model context.

        • strategy (string) --

          The truncation strategy to use.

        • config (dict) --

          The strategy-specific configuration.

          • slidingWindow (dict) --

            Configuration for sliding window truncation.

            • messagesCount (integer) --

              The number of recent messages to retain in the context window.

          • summarization (dict) --

            Configuration for summarization-based truncation.

            • summaryRatio (float) --

              The ratio of content to summarize.

            • preserveRecentMessages (integer) --

              The number of recent messages to preserve without summarization.

            • summarizationSystemPrompt (string) --

              The system prompt used for generating summaries.

      • environment (dict) --

        The compute environment on which the Harness runs.

        • agentCoreRuntimeEnvironment (dict) --

          The AgentCore Runtime environment configuration.

          • agentRuntimeArn (string) --

            The ARN of the underlying AgentCore Runtime.

          • agentRuntimeName (string) --

            The name of the underlying AgentCore Runtime.

          • agentRuntimeId (string) --

            The ID of the underlying AgentCore Runtime.

          • lifecycleConfiguration (dict) --

            LifecycleConfiguration lets you manage the lifecycle of runtime sessions and resources in AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.

            • idleRuntimeSessionTimeout (integer) --

              Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will be automatically terminated. Default: 900 seconds (15 minutes).

            • maxLifetime (integer) --

              Maximum lifetime for the instance in seconds. Once reached, instances will be automatically terminated and replaced. Default: 28800 seconds (8 hours).

          • networkConfiguration (dict) --

            SecurityConfig for the Agent.

            • networkMode (string) --

              The network mode for the AgentCore Runtime.

            • networkModeConfig (dict) --

              The network mode configuration for the AgentCore Runtime.

              • securityGroups (list) --

                The security groups associated with the VPC configuration.

                • (string) --

              • subnets (list) --

                The subnets associated with the VPC configuration.

                • (string) --

              • requireServiceS3Endpoint (boolean) --

                Controls whether a service-managed Amazon S3 gateway endpoint is provisioned in the VPC network topology for the agent runtime. This gateway is used by Amazon Bedrock AgentCore Runtime to download code and container images during agent startup.

                Starting May 5, 2026, Amazon Bedrock AgentCore Runtime is gradually rolling out a change to how network isolation is configured for VPC mode agents. Agent runtimes created on or after this rollout will no longer include the service-managed Amazon S3 gateway. Instead, all network access, including to Amazon S3, is governed exclusively by your VPC configuration. This field cannot be set on agent runtimes created after the rollout. Passing this field in an UpdateAgentRuntime request for these agent runtimes returns a ValidationException.

                Agent runtimes created before the rollout are not affected and continue to operate with the service-managed Amazon S3 gateway. To enforce full VPC network isolation on these existing agent runtimes, set this field to false via the UpdateAgentRuntime API. Before opting out, ensure your VPC provides the Amazon S3 access required for agent startup. If this field is not specified or is set to true, the service-managed Amazon S3 gateway remains provisioned.

                This field is only supported in the UpdateAgentRuntime API for pre-rollout agent runtimes. Passing this field in a CreateAgentRuntime request returns a ValidationException.

          • filesystemConfigurations (list) --

            The filesystem configurations for the runtime environment.

            • (dict) --

              Configuration for a filesystem that can be mounted into the AgentCore Runtime.

              • sessionStorage (dict) --

                Configuration for session storage. Session storage provides persistent storage that is preserved across AgentCore Runtime session invocations.

                • mountPath (string) --

                  The mount path for the session storage filesystem inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • s3FilesAccessPoint (dict) --

                Configuration for an Amazon S3 Files access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the S3 Files access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the S3 Files access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

              • efsAccessPoint (dict) --

                Configuration for an Amazon EFS access point to mount into the AgentCore Runtime.

                • accessPointArn (string) --

                  The ARN of the EFS access point to mount into the AgentCore Runtime.

                • mountPath (string) --

                  The mount path for the EFS access point inside the AgentCore Runtime. The path must be under /mnt with exactly one subdirectory level (for example, /mnt/data).

      • environmentArtifact (dict) --

        The environment artifact (e.g., container) in which the Harness operates.

        • containerConfiguration (dict) --

          Representation of a container configuration.

          • containerUri (string) --

            The ECR URI of the container.

      • environmentVariables (dict) --

        Environment variables exposed in the environment in which the harness operates.

        • (string) --

          • (string) --

      • authorizerConfiguration (dict) --

        Represents inbound authorization configuration options used to authenticate incoming requests.

        • customJWTAuthorizer (dict) --

          The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

          • discoveryUrl (string) --

            This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

          • allowedAudience (list) --

            Represents individual audience values that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedClients (list) --

            Represents individual client IDs that are validated in the incoming JWT token validation process.

            • (string) --

          • allowedScopes (list) --

            An array of scopes that are allowed to access the token.

            • (string) --

          • advertisedScopeMapping (dict) --

            A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

            • (string) --

              • (string) --

          • customClaims (list) --

            An array of objects that define a custom claim validation name, value, and operation

            • (dict) --

              Defines the name of a custom claim field and rules for finding matches to authenticate its value.

              • inboundTokenClaimName (string) --

                The name of the custom claim field to check.

              • inboundTokenClaimValueType (string) --

                The data type of the claim value to check for.

                • Use STRING if you want to find an exact match to a string you define.

                • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

              • authorizingClaimMatchValue (dict) --

                Defines the value or values to match for and the relationship of the match.

                • claimMatchValue (dict) --

                  The value or values to match for.

                  • matchValueString (string) --

                    The string value to match for.

                  • matchValueStringList (list) --

                    An array of strings to check for a match.

                    • (string) --

                • claimMatchOperator (string) --

                  Defines the relationship between the claim field value and the value or values you're matching for.

          • privateEndpoint (dict) --

            The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) --

                The ID of the VPC that contains your private resource.

              • subnetIds (list) --

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) --

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • privateEndpointOverrides (list) --

            The private endpoint overrides for the custom JWT authorizer configuration.

            • (dict) --

              A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

              • domain (string) --

                The domain to override with a private endpoint.

              • privateEndpoint (dict) --

                The private endpoint configuration for the specified domain.

                • selfManagedLatticeResource (dict) --

                  Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                  • resourceConfigurationIdentifier (string) --

                    The ARN or ID of the VPC Lattice resource configuration.

                • managedVpcResource (dict) --

                  Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                  • vpcIdentifier (string) --

                    The ID of the VPC that contains your private resource.

                  • subnetIds (list) --

                    The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                    • (string) --

                  • endpointIpAddressType (string) --

                    The IP address type for the resource configuration endpoint.

                  • securityGroupIds (list) --

                    The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                    • (string) --

                  • tags (dict) --

                    Tags to apply to the managed VPC Lattice resource gateway.

                    • (string) --

                      • (string) --

                  • routingDomain (string) --

                    An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

          • allowedWorkloadConfiguration (dict) --

            The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

            • hostingEnvironments (list) --

              The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • (dict) --

                A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

                • arn (string) --

                  The Amazon Resource Name (ARN) of the hosting environment.

            • workloadIdentities (list) --

              The list of workload identities that are allowed to invoke the target.

              • (string) --

      • memory (dict) --

        AgentCore Memory instance configuration for short and long term memory.

        • agentCoreMemoryConfiguration (dict) --

          The AgentCore Memory configuration.

          • arn (string) --

            The ARN of the AgentCore Memory resource.

          • actorId (string) --

            The actor ID for memory operations.

          • messagesCount (integer) --

            The number of messages to retrieve from memory.

          • retrievalConfig (dict) --

            The retrieval configuration for long-term memory, mapping namespace path templates to retrieval settings.

            • (string) --

              • (dict) --

                Configuration for memory retrieval within a namespace.

                • topK (integer) --

                  The maximum number of memory entries to retrieve.

                • relevanceScore (float) --

                  The minimum relevance score for retrieved memories.

                • strategyId (string) --

                  The ID of the retrieval strategy to use.

        • managedMemoryConfiguration (dict) --

          Harness creates and manages a memory resource in the customer's account.

          • arn (string) --

            The ARN of the managed AgentCore Memory resource. Read-only on Get, ignored on Create/Update input.

          • strategies (list) --

            Strategy types to enable. Defaults to [SEMANTIC, SUMMARIZATION].

            • (string) --

          • eventExpiryDuration (integer) --

            Event retention in days. Defaults to 30.

          • encryptionKeyArn (string) --

            Customer-managed KMS key. Defaults to AWS-owned key. Not updatable after creation.

        • disabled (dict) --

          Explicitly opt out of memory.

      • maxIterations (integer) --

        The maximum number of iterations in the agent loop allowed before exiting per invocation.

      • maxTokens (integer) --

        The maximum total number of output tokens the agent can generate across all model calls within a single invocation.

      • timeoutSeconds (integer) --

        The maximum duration per invocation.

      • failureReason (string) --

        Reason why create or update operations fail.

UpdatePaymentManager (updated) Link ¶
Changes (request)
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Updates an existing payment manager. This operation uses PATCH semantics, so you only need to specify the fields you want to change.

See also: AWS API Documentation

Request Syntax

client.update_payment_manager(
    paymentManagerId='string',
    description='string',
    authorizerType='CUSTOM_JWT'|'AWS_IAM',
    authorizerConfiguration={
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    roleArn='string',
    clientToken='string'
)
type paymentManagerId:

string

param paymentManagerId:

[REQUIRED]

The unique identifier of the payment manager to update.

type description:

string

param description:

The updated description of the payment manager.

type authorizerType:

string

param authorizerType:

The updated authorizer type for the payment manager.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the payment manager.

  • customJWTAuthorizer (dict) --

    The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

    • discoveryUrl (string) -- [REQUIRED]

      This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

    • allowedAudience (list) --

      Represents individual audience values that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedClients (list) --

      Represents individual client IDs that are validated in the incoming JWT token validation process.

      • (string) --

    • allowedScopes (list) --

      An array of scopes that are allowed to access the token.

      • (string) --

    • advertisedScopeMapping (dict) --

      A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

      • (string) --

        • (string) --

    • customClaims (list) --

      An array of objects that define a custom claim validation name, value, and operation

      • (dict) --

        Defines the name of a custom claim field and rules for finding matches to authenticate its value.

        • inboundTokenClaimName (string) -- [REQUIRED]

          The name of the custom claim field to check.

        • inboundTokenClaimValueType (string) -- [REQUIRED]

          The data type of the claim value to check for.

          • Use STRING if you want to find an exact match to a string you define.

          • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

        • authorizingClaimMatchValue (dict) -- [REQUIRED]

          Defines the value or values to match for and the relationship of the match.

          • claimMatchValue (dict) -- [REQUIRED]

            The value or values to match for.

            • matchValueString (string) --

              The string value to match for.

            • matchValueStringList (list) --

              An array of strings to check for a match.

              • (string) --

          • claimMatchOperator (string) -- [REQUIRED]

            Defines the relationship between the claim field value and the value or values you're matching for.

    • privateEndpoint (dict) --

      The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

      • selfManagedLatticeResource (dict) --

        Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

        • resourceConfigurationIdentifier (string) --

          The ARN or ID of the VPC Lattice resource configuration.

      • managedVpcResource (dict) --

        Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

        • vpcIdentifier (string) -- [REQUIRED]

          The ID of the VPC that contains your private resource.

        • subnetIds (list) -- [REQUIRED]

          The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

          • (string) --

        • endpointIpAddressType (string) -- [REQUIRED]

          The IP address type for the resource configuration endpoint.

        • securityGroupIds (list) --

          The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

          • (string) --

        • tags (dict) --

          Tags to apply to the managed VPC Lattice resource gateway.

          • (string) --

            • (string) --

        • routingDomain (string) --

          An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • privateEndpointOverrides (list) --

      The private endpoint overrides for the custom JWT authorizer configuration.

      • (dict) --

        A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

        • domain (string) -- [REQUIRED]

          The domain to override with a private endpoint.

        • privateEndpoint (dict) -- [REQUIRED]

          The private endpoint configuration for the specified domain.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) -- [REQUIRED]

              The ID of the VPC that contains your private resource.

            • subnetIds (list) -- [REQUIRED]

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) -- [REQUIRED]

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

    • allowedWorkloadConfiguration (dict) --

      The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

      • hostingEnvironments (list) --

        The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

        • (dict) --

          A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • arn (string) -- [REQUIRED]

            The Amazon Resource Name (ARN) of the hosting environment.

      • workloadIdentities (list) --

        The list of workload identities that are allowed to invoke the target.

        • (string) --

type roleArn:

string

param roleArn:

The updated Amazon Resource Name (ARN) of the IAM role for the payment manager.

type clientToken:

string

param clientToken:

A unique, case-sensitive identifier to ensure that the API request completes no more than one time. If you don't specify this field, a value is randomly generated for you. If this token matches a previous request, the service ignores the request, but doesn't return an error. For more information, see Ensuring idempotency.

This field is autopopulated if not provided.

rtype:

dict

returns:

Response Syntax

{
    'paymentManagerArn': 'string',
    'paymentManagerId': 'string',
    'name': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'roleArn': 'string',
    'workloadIdentityDetails': {
        'workloadIdentityArn': 'string'
    },
    'lastUpdatedAt': datetime(2015, 1, 1),
    'status': 'CREATING'|'UPDATING'|'DELETING'|'READY'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETE_FAILED'
}

Response Structure

  • (dict) --

    • paymentManagerArn (string) --

      The Amazon Resource Name (ARN) of the updated payment manager.

    • paymentManagerId (string) --

      The unique identifier of the updated payment manager.

    • name (string) --

      The name of the updated payment manager.

    • authorizerType (string) --

      The type of authorizer for the updated payment manager.

    • roleArn (string) --

      The Amazon Resource Name (ARN) of the IAM role associated with the updated payment manager.

    • workloadIdentityDetails (dict) --

      The information about the workload identity.

      • workloadIdentityArn (string) --

        The ARN associated with the workload identity.

    • lastUpdatedAt (datetime) --

      The timestamp when the payment manager was last updated.

    • status (string) --

      The current status of the updated payment manager. Possible values include CREATING, READY, UPDATING, DELETING, CREATE_FAILED, UPDATE_FAILED, and DELETE_FAILED.

UpdateRegistry (updated) Link ¶
Changes (request, response)
Request
{'authorizerConfiguration': {'optionalValue': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}}
Response
{'authorizerConfiguration': {'customJWTAuthorizer': {'advertisedScopeMapping': {'string': 'string'}}}}

Updates an existing registry. This operation uses PATCH semantics, so you only need to specify the fields you want to change.

See also: AWS API Documentation

Request Syntax

client.update_registry(
    registryId='string',
    name='string',
    description={
        'optionalValue': 'string'
    },
    authorizerConfiguration={
        'optionalValue': {
            'customJWTAuthorizer': {
                'discoveryUrl': 'string',
                'allowedAudience': [
                    'string',
                ],
                'allowedClients': [
                    'string',
                ],
                'allowedScopes': [
                    'string',
                ],
                'advertisedScopeMapping': {
                    'string': 'string'
                },
                'customClaims': [
                    {
                        'inboundTokenClaimName': 'string',
                        'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                        'authorizingClaimMatchValue': {
                            'claimMatchValue': {
                                'matchValueString': 'string',
                                'matchValueStringList': [
                                    'string',
                                ]
                            },
                            'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                        }
                    },
                ],
                'privateEndpoint': {
                    'selfManagedLatticeResource': {
                        'resourceConfigurationIdentifier': 'string'
                    },
                    'managedVpcResource': {
                        'vpcIdentifier': 'string',
                        'subnetIds': [
                            'string',
                        ],
                        'endpointIpAddressType': 'IPV4'|'IPV6',
                        'securityGroupIds': [
                            'string',
                        ],
                        'tags': {
                            'string': 'string'
                        },
                        'routingDomain': 'string'
                    }
                },
                'privateEndpointOverrides': [
                    {
                        'domain': 'string',
                        'privateEndpoint': {
                            'selfManagedLatticeResource': {
                                'resourceConfigurationIdentifier': 'string'
                            },
                            'managedVpcResource': {
                                'vpcIdentifier': 'string',
                                'subnetIds': [
                                    'string',
                                ],
                                'endpointIpAddressType': 'IPV4'|'IPV6',
                                'securityGroupIds': [
                                    'string',
                                ],
                                'tags': {
                                    'string': 'string'
                                },
                                'routingDomain': 'string'
                            }
                        }
                    },
                ],
                'allowedWorkloadConfiguration': {
                    'hostingEnvironments': [
                        {
                            'arn': 'string'
                        },
                    ],
                    'workloadIdentities': [
                        'string',
                    ]
                }
            }
        }
    },
    approvalConfiguration={
        'optionalValue': {
            'autoApproval': True|False
        }
    }
)
type registryId:

string

param registryId:

[REQUIRED]

The identifier of the registry to update. You can specify either the Amazon Resource Name (ARN) or the ID of the registry.

type name:

string

param name:

The updated name of the registry.

type description:

dict

param description:

The updated description of the registry. To clear the description, include the UpdatedDescription wrapper with optionalValue not specified.

  • optionalValue (string) --

    Represents an optional value that is used to update the human-readable description of the resource. If not specified, it will clear the current description of the resource.

type authorizerConfiguration:

dict

param authorizerConfiguration:

The updated authorizer configuration for the registry. Changing the authorizer configuration can break existing consumers of the registry who are using the authorization type prior to the update.

  • optionalValue (dict) --

    The updated authorizer configuration value. If not specified, it will clear the current authorizer configuration of the resource.

    • customJWTAuthorizer (dict) --

      The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

      • discoveryUrl (string) -- [REQUIRED]

        This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

      • allowedAudience (list) --

        Represents individual audience values that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedClients (list) --

        Represents individual client IDs that are validated in the incoming JWT token validation process.

        • (string) --

      • allowedScopes (list) --

        An array of scopes that are allowed to access the token.

        • (string) --

      • advertisedScopeMapping (dict) --

        A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

        • (string) --

          • (string) --

      • customClaims (list) --

        An array of objects that define a custom claim validation name, value, and operation

        • (dict) --

          Defines the name of a custom claim field and rules for finding matches to authenticate its value.

          • inboundTokenClaimName (string) -- [REQUIRED]

            The name of the custom claim field to check.

          • inboundTokenClaimValueType (string) -- [REQUIRED]

            The data type of the claim value to check for.

            • Use STRING if you want to find an exact match to a string you define.

            • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

          • authorizingClaimMatchValue (dict) -- [REQUIRED]

            Defines the value or values to match for and the relationship of the match.

            • claimMatchValue (dict) -- [REQUIRED]

              The value or values to match for.

              • matchValueString (string) --

                The string value to match for.

              • matchValueStringList (list) --

                An array of strings to check for a match.

                • (string) --

            • claimMatchOperator (string) -- [REQUIRED]

              Defines the relationship between the claim field value and the value or values you're matching for.

      • privateEndpoint (dict) --

        The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

        • selfManagedLatticeResource (dict) --

          Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

          • resourceConfigurationIdentifier (string) --

            The ARN or ID of the VPC Lattice resource configuration.

        • managedVpcResource (dict) --

          Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

          • vpcIdentifier (string) -- [REQUIRED]

            The ID of the VPC that contains your private resource.

          • subnetIds (list) -- [REQUIRED]

            The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

            • (string) --

          • endpointIpAddressType (string) -- [REQUIRED]

            The IP address type for the resource configuration endpoint.

          • securityGroupIds (list) --

            The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

            • (string) --

          • tags (dict) --

            Tags to apply to the managed VPC Lattice resource gateway.

            • (string) --

              • (string) --

          • routingDomain (string) --

            An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

      • privateEndpointOverrides (list) --

        The private endpoint overrides for the custom JWT authorizer configuration.

        • (dict) --

          A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

          • domain (string) -- [REQUIRED]

            The domain to override with a private endpoint.

          • privateEndpoint (dict) -- [REQUIRED]

            The private endpoint configuration for the specified domain.

            • selfManagedLatticeResource (dict) --

              Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

              • resourceConfigurationIdentifier (string) --

                The ARN or ID of the VPC Lattice resource configuration.

            • managedVpcResource (dict) --

              Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

              • vpcIdentifier (string) -- [REQUIRED]

                The ID of the VPC that contains your private resource.

              • subnetIds (list) -- [REQUIRED]

                The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                • (string) --

              • endpointIpAddressType (string) -- [REQUIRED]

                The IP address type for the resource configuration endpoint.

              • securityGroupIds (list) --

                The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                • (string) --

              • tags (dict) --

                Tags to apply to the managed VPC Lattice resource gateway.

                • (string) --

                  • (string) --

              • routingDomain (string) --

                An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

      • allowedWorkloadConfiguration (dict) --

        The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

        • hostingEnvironments (list) --

          The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

          • (dict) --

            A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • arn (string) -- [REQUIRED]

              The Amazon Resource Name (ARN) of the hosting environment.

        • workloadIdentities (list) --

          The list of workload identities that are allowed to invoke the target.

          • (string) --

type approvalConfiguration:

dict

param approvalConfiguration:

The updated approval configuration for registry records. The updated configuration only affects new records that move to PENDING_APPROVAL status after the change. Existing records already in PENDING_APPROVAL status are not affected.

  • optionalValue (dict) --

    The updated approval configuration value. Set to null to unset the approval configuration.

    • autoApproval (boolean) --

      Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

rtype:

dict

returns:

Response Syntax

{
    'name': 'string',
    'description': 'string',
    'registryId': 'string',
    'registryArn': 'string',
    'authorizerType': 'CUSTOM_JWT'|'AWS_IAM',
    'authorizerConfiguration': {
        'customJWTAuthorizer': {
            'discoveryUrl': 'string',
            'allowedAudience': [
                'string',
            ],
            'allowedClients': [
                'string',
            ],
            'allowedScopes': [
                'string',
            ],
            'advertisedScopeMapping': {
                'string': 'string'
            },
            'customClaims': [
                {
                    'inboundTokenClaimName': 'string',
                    'inboundTokenClaimValueType': 'STRING'|'STRING_ARRAY',
                    'authorizingClaimMatchValue': {
                        'claimMatchValue': {
                            'matchValueString': 'string',
                            'matchValueStringList': [
                                'string',
                            ]
                        },
                        'claimMatchOperator': 'EQUALS'|'CONTAINS'|'CONTAINS_ANY'
                    }
                },
            ],
            'privateEndpoint': {
                'selfManagedLatticeResource': {
                    'resourceConfigurationIdentifier': 'string'
                },
                'managedVpcResource': {
                    'vpcIdentifier': 'string',
                    'subnetIds': [
                        'string',
                    ],
                    'endpointIpAddressType': 'IPV4'|'IPV6',
                    'securityGroupIds': [
                        'string',
                    ],
                    'tags': {
                        'string': 'string'
                    },
                    'routingDomain': 'string'
                }
            },
            'privateEndpointOverrides': [
                {
                    'domain': 'string',
                    'privateEndpoint': {
                        'selfManagedLatticeResource': {
                            'resourceConfigurationIdentifier': 'string'
                        },
                        'managedVpcResource': {
                            'vpcIdentifier': 'string',
                            'subnetIds': [
                                'string',
                            ],
                            'endpointIpAddressType': 'IPV4'|'IPV6',
                            'securityGroupIds': [
                                'string',
                            ],
                            'tags': {
                                'string': 'string'
                            },
                            'routingDomain': 'string'
                        }
                    }
                },
            ],
            'allowedWorkloadConfiguration': {
                'hostingEnvironments': [
                    {
                        'arn': 'string'
                    },
                ],
                'workloadIdentities': [
                    'string',
                ]
            }
        }
    },
    'approvalConfiguration': {
        'autoApproval': True|False
    },
    'status': 'CREATING'|'READY'|'UPDATING'|'CREATE_FAILED'|'UPDATE_FAILED'|'DELETING'|'DELETE_FAILED',
    'statusReason': 'string',
    'createdAt': datetime(2015, 1, 1),
    'updatedAt': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • name (string) --

      The name of the updated registry.

    • description (string) --

      The description of the updated registry.

    • registryId (string) --

      The unique identifier of the updated registry.

    • registryArn (string) --

      The Amazon Resource Name (ARN) of the updated registry.

    • authorizerType (string) --

      The type of authorizer used by the updated registry. This controls the authorization method for the Search and Invoke APIs used by consumers.

      • CUSTOM_JWT - Authorize with a bearer token.

      • AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

    • authorizerConfiguration (dict) --

      The authorizer configuration for the updated registry. For details, see the AuthorizerConfiguration data type.

      • customJWTAuthorizer (dict) --

        The inbound JWT-based authorization, specifying how incoming requests should be authenticated.

        • discoveryUrl (string) --

          This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

        • allowedAudience (list) --

          Represents individual audience values that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedClients (list) --

          Represents individual client IDs that are validated in the incoming JWT token validation process.

          • (string) --

        • allowedScopes (list) --

          An array of scopes that are allowed to access the token.

          • (string) --

        • advertisedScopeMapping (dict) --

          A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

          • (string) --

            • (string) --

        • customClaims (list) --

          An array of objects that define a custom claim validation name, value, and operation

          • (dict) --

            Defines the name of a custom claim field and rules for finding matches to authenticate its value.

            • inboundTokenClaimName (string) --

              The name of the custom claim field to check.

            • inboundTokenClaimValueType (string) --

              The data type of the claim value to check for.

              • Use STRING if you want to find an exact match to a string you define.

              • Use STRING_ARRAY if you want to fnd a match to at least one value in an array you define.

            • authorizingClaimMatchValue (dict) --

              Defines the value or values to match for and the relationship of the match.

              • claimMatchValue (dict) --

                The value or values to match for.

                • matchValueString (string) --

                  The string value to match for.

                • matchValueStringList (list) --

                  An array of strings to check for a match.

                  • (string) --

              • claimMatchOperator (string) --

                Defines the relationship between the claim field value and the value or values you're matching for.

        • privateEndpoint (dict) --

          The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

          • selfManagedLatticeResource (dict) --

            Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

            • resourceConfigurationIdentifier (string) --

              The ARN or ID of the VPC Lattice resource configuration.

          • managedVpcResource (dict) --

            Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

            • vpcIdentifier (string) --

              The ID of the VPC that contains your private resource.

            • subnetIds (list) --

              The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

              • (string) --

            • endpointIpAddressType (string) --

              The IP address type for the resource configuration endpoint.

            • securityGroupIds (list) --

              The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

              • (string) --

            • tags (dict) --

              Tags to apply to the managed VPC Lattice resource gateway.

              • (string) --

                • (string) --

            • routingDomain (string) --

              An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • privateEndpointOverrides (list) --

          The private endpoint overrides for the custom JWT authorizer configuration.

          • (dict) --

            A mapping of a specific domain to a private endpoint for secure connectivity through a VPC Lattice resource configuration.

            • domain (string) --

              The domain to override with a private endpoint.

            • privateEndpoint (dict) --

              The private endpoint configuration for the specified domain.

              • selfManagedLatticeResource (dict) --

                Configuration for connecting to a private resource using a self-managed VPC Lattice resource configuration.

                • resourceConfigurationIdentifier (string) --

                  The ARN or ID of the VPC Lattice resource configuration.

              • managedVpcResource (dict) --

                Configuration for connecting to a private resource using a managed VPC Lattice resource. The gateway creates and manages the VPC Lattice resources on your behalf.

                • vpcIdentifier (string) --

                  The ID of the VPC that contains your private resource.

                • subnetIds (list) --

                  The subnet IDs within the VPC where the VPC Lattice resource gateway is placed.

                  • (string) --

                • endpointIpAddressType (string) --

                  The IP address type for the resource configuration endpoint.

                • securityGroupIds (list) --

                  The security group IDs to associate with the VPC Lattice resource gateway. If not specified, the default security group for the VPC is used.

                  • (string) --

                • tags (dict) --

                  Tags to apply to the managed VPC Lattice resource gateway.

                  • (string) --

                    • (string) --

                • routingDomain (string) --

                  An intermediate domain to use as the resource configuration endpoint instead of the actual target domain. Use this when you want to route traffic through an intermediate component such as a VPC endpoint or internal load balancer. For more information, see xref:lattice-vpc-egress-routing-domain[Route traffic through an intermediate domain].

        • allowedWorkloadConfiguration (dict) --

          The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

          • hostingEnvironments (list) --

            The list of hosting environments whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

            • (dict) --

              A hosting environment whose workloads are allowed to invoke the target. At launch, the only supported hosting environment is AgentCore Gateway.

              • arn (string) --

                The Amazon Resource Name (ARN) of the hosting environment.

          • workloadIdentities (list) --

            The list of workload identities that are allowed to invoke the target.

            • (string) --

    • approvalConfiguration (dict) --

      The approval configuration for the updated registry. For details, see the ApprovalConfiguration data type.

      • autoApproval (boolean) --

        Whether registry records are auto-approved. When set to true, records are automatically approved upon creation. When set to false (the default), records require explicit approval for security purposes.

    • status (string) --

      The current status of the updated registry. Possible values include CREATING, READY, UPDATING, CREATE_FAILED, UPDATE_FAILED, DELETING, and DELETE_FAILED.

    • statusReason (string) --

      The reason for the current status of the updated registry.

    • createdAt (datetime) --

      The timestamp when the registry was created.

    • updatedAt (datetime) --

      The timestamp when the registry was last updated.