Gateway

bedrockagentcorecontrol.services.k8s.aws/v1alpha1

| Type | Link |
| --- | --- |
| GoDoc | bedrockagentcorecontrol-controller/apis/v1alpha1#Gateway |

Metadata

| Property | Value |
| --- | --- |
| Scope | Namespaced |
| Kind | Gateway |
| ListKind | GatewayList |
| Plural | gateways |
| Singular | gateway |

Spec

authorizerConfiguration: 
  customJWTAuthorizer: 
    allowedAudience:
    - string
    allowedClients:
    - string
    allowedScopes:
    - string
    customClaims:
      authorizingClaimMatchValue: 
        claimMatchOperator: string
        claimMatchValue: 
          matchValueString: string
          matchValueStringList:
          - string
      inboundTokenClaimName: string
      inboundTokenClaimValueType: string
    discoveryURL: string
authorizerType: string
description: string
exceptionLevel: string
interceptorConfigurations:
  inputConfiguration: 
    passRequestHeaders: boolean
  interceptionPoints:
  - string
  interceptor: 
    lambda: 
      arn: string
kmsKeyARN: string
kmsKeyRef: 
  from: 
    name: string
    namespace: string
name: string
policyEngineConfiguration: 
  arn: string
  mode: string
protocolConfiguration: 
  mcp: 
    instructions: string
    searchType: string
    supportedVersions:
    - string
protocolType: string
roleARN: string
roleRef: 
  from: 
    name: string
    namespace: string
tags: {}
Field / Description
authorizerConfiguration
Optional
object
The authorizer configuration for the gateway. Required if authorizerType
is CUSTOM_JWT.
authorizerConfiguration.customJWTAuthorizer
Optional
object
Configuration for inbound JWT-based authorization, specifying how incoming
requests should be authenticated.
authorizerConfiguration.customJWTAuthorizer.allowedAudience
Optional
array
authorizerConfiguration.customJWTAuthorizer.allowedAudience.[]
Required
string
authorizerConfiguration.customJWTAuthorizer.allowedClients.[]
Required
string
authorizerConfiguration.customJWTAuthorizer.allowedScopes.[]
Required
string
authorizerConfiguration.customJWTAuthorizer.customClaims.[]
Required
object
Defines the name of a custom claim field and rules for finding matches to
authenticate its value.
authorizerConfiguration.customJWTAuthorizer.customClaims.[].authorizingClaimMatchValue.claimMatchOperator
Optional
string
authorizerConfiguration.customJWTAuthorizer.customClaims.[].authorizingClaimMatchValue.claimMatchValue
Optional
object
The value or values to match for.

* Include a matchValueString with the EQUALS operator to specify a string
that matches the claim field value.

* Include a matchValueArray to specify an array of string values. You
can use the following operators: Use CONTAINS to yield a match if the
claim field value is in the array. Use CONTAINS_ANY to yield a match if
the claim field value contains any of the strings in the array.
authorizerConfiguration.customJWTAuthorizer.customClaims.[].authorizingClaimMatchValue.claimMatchValue.matchValueString
Optional
string
authorizerConfiguration.customJWTAuthorizer.customClaims.[].authorizingClaimMatchValue.claimMatchValue.matchValueStringList
Optional
array
authorizerConfiguration.customJWTAuthorizer.customClaims.[].authorizingClaimMatchValue.claimMatchValue.matchValueStringList.[]
Required
string
authorizerConfiguration.customJWTAuthorizer.customClaims.[].inboundTokenClaimValueType
Optional
string
authorizerConfiguration.customJWTAuthorizer.discoveryURL
Optional
string
authorizerType
Required
string
The type of authorizer to use for the gateway.

* CUSTOM_JWT - Authorize with a bearer token.

* AWS_IAM - Authorize with your Amazon Web Services IAM credentials.

* NONE - No authorization.
description
Optional
string
The description of the gateway.
exceptionLevel
Optional
string
The level of detail in error messages returned when invoking the gateway.

* If the value is DEBUG, granular exception messages are returned to help
a user debug the gateway.

* If the value is omitted, a generic error message is returned to the
end user.
interceptorConfigurations
Optional
array
A list of configuration settings for a gateway interceptor. Gateway interceptors
allow custom code to be invoked during gateway invocations.
interceptorConfigurations.[]
Required
object
The configuration for an interceptor on a gateway. This structure defines
settings for an interceptor that will be invoked during the invocation of
the gateway.
interceptorConfigurations.[].inputConfiguration.passRequestHeaders
Optional
boolean
interceptorConfigurations.[].interceptionPoints
Optional
array
interceptorConfigurations.[].interceptionPoints.[]
Required
string
interceptorConfigurations.[].interceptor.lambda
Optional
object
The Lambda configuration for the interceptor.
interceptorConfigurations.[].interceptor.lambda.arn
Optional
string
kmsKeyARN
Optional
string
The Amazon Resource Name (ARN) of the KMS key used to encrypt data associated
with the gateway.

Regex Pattern: `^arn:aws(
kmsKeyRef
Optional
object
AWSResourceReferenceWrapper provides a wrapper around the *AWSResourceReference
type to provide a more user-friendly syntax for references using the ‘from’ field.
Ex:
APIIDRef:
  from:
    name: my-api
kmsKeyRef.from
Optional
object
AWSResourceReference provides all the values necessary to reference another
k8s resource for finding the identifier (Id/ARN/Name).
kmsKeyRef.from.name
Optional
string
kmsKeyRef.from.namespace
Optional
string
name
Required
string
The name of the gateway. The name must be unique within your account.

Regex Pattern: ^([0-9a-zA-Z][-]?){1,100}$
policyEngineConfiguration
Optional
object
The policy engine configuration for the gateway. A policy engine is a collection
of policies that evaluates and authorizes agent tool calls. When associated
with a gateway, the policy engine intercepts all agent requests and determines
whether to allow or deny each action based on the defined policies.
policyEngineConfiguration.arn
Optional
string
policyEngineConfiguration.mode
Optional
string
protocolConfiguration
Optional
object
The configuration settings for the protocol specified in the protocolType
parameter.
protocolConfiguration.mcp
Optional
object
The configuration for a Model Context Protocol (MCP) gateway. This structure
defines how the gateway implements the MCP protocol.
protocolConfiguration.mcp.instructions
Optional
string
protocolConfiguration.mcp.searchType
Optional
string
protocolConfiguration.mcp.supportedVersions
Optional
array
protocolConfiguration.mcp.supportedVersions.[]
Required
string
roleARN
Optional
string
The Amazon Resource Name (ARN) of the IAM role that provides permissions
for the gateway to access Amazon Web Services services.

Regex Pattern: ^arn:aws(-[^:]+)?:iam::([0-9]{12})?:role/.+$
roleRef
Optional
object
AWSResourceReferenceWrapper provides a wrapper around the *AWSResourceReference
type to provide a more user-friendly syntax for references using the ‘from’ field.
Ex:
APIIDRef:
  from:
    name: my-api
roleRef.from
Optional
object
AWSResourceReference provides all the values necessary to reference another
k8s resource for finding the identifier (Id/ARN/Name).
roleRef.from.name
Optional
string
roleRef.from.namespace
Optional
string
tags
Optional
object
A map of key-value pairs to associate with the gateway as metadata tags.
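
A pre-apply check for the constraints documented in the Spec fields above, as an added example (not part of the original page or the ACK project): it validates the `name` and `roleARN` patterns, requires an authorizerConfiguration for CUSTOM_JWT, and flags `authorizerType: NONE` and `exceptionLevel: DEBUG`. The function name `lint_gateway_spec`, the severity labels and the sample specs are hypothetical, and the code assumes the array operand described as matchValueArray is the schema's `matchValueStringList` field.

```python
import re

# Patterns and enum values are from this page. Assumption: array operand = matchValueStringList.
NAME_RE = re.compile(r"^([0-9a-zA-Z][-]?){1,100}$")
ROLE_ARN_RE = re.compile(r"^arn:aws(-[^:]+)?:iam::([0-9]{12})?:role/.+$")
AUTHORIZER_TYPES = {"CUSTOM_JWT", "AWS_IAM", "NONE"}
OPERAND_FOR = {"EQUALS": "matchValueString", "CONTAINS": "matchValueStringList",
               "CONTAINS_ANY": "matchValueStringList"}

def lint_gateway_spec(spec):
    """Return (severity, message) findings for a Gateway spec given as a dict."""
    findings = []
    if not NAME_RE.fullmatch(spec.get("name") or ""):
        findings.append(("error", "name does not match the documented pattern"))
    if "roleARN" in spec and not ROLE_ARN_RE.fullmatch(spec["roleARN"] or ""):
        findings.append(("error", "roleARN does not match the documented pattern"))
    atype = spec.get("authorizerType")
    jwt = (spec.get("authorizerConfiguration") or {}).get("customJWTAuthorizer") or {}
    if atype not in AUTHORIZER_TYPES:
        findings.append(("error", f"authorizerType {atype!r} is not a documented value"))
    elif atype == "NONE":
        findings.append(("warn", "authorizerType NONE: no authorization on the gateway"))
    elif atype == "CUSTOM_JWT" and not jwt:
        findings.append(("error", "authorizerType CUSTOM_JWT requires authorizerConfiguration"))
    if spec.get("exceptionLevel") == "DEBUG":
        findings.append(("warn", "exceptionLevel DEBUG returns granular errors to callers"))
    # Each custom claim must pair its operator with the operand that operator uses.
    for claim in jwt.get("customClaims") or []:
        match = claim.get("authorizingClaimMatchValue") or {}
        op = match.get("claimMatchOperator")
        want = OPERAND_FOR.get(op)
        if want is None or want not in (match.get("claimMatchValue") or {}):
            findings.append(("error", f"claim {claim.get('inboundTokenClaimName')!r}: "
                             f"operator {op!r} has no matching operand"))
    return findings

# Constructed sample specs (not from the page); the ARNs and URL are placeholders.
WEAK = {"name": "dev--gateway", "authorizerType": "NONE", "exceptionLevel": "DEBUG",
        "roleARN": "arn:aws:iam::12345:role/gw"}
HARDENED = {"name": "prod-gateway", "authorizerType": "CUSTOM_JWT",
    "roleARN": "arn:aws:iam::111122223333:role/example-gateway-role",
    "authorizerConfiguration": {"customJWTAuthorizer": {
        "discoveryURL": "https://idp.example.com/.well-known/openid-configuration",
        "customClaims": [{"inboundTokenClaimName": "groups", "authorizingClaimMatchValue": {
            "claimMatchOperator": "CONTAINS_ANY",
            "claimMatchValue": {"matchValueStringList": ["gateway-users"]}}}]}}}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_gateway_spec(spec))
```

The dict passed in is the `spec` section of a Gateway manifest after YAML parsing, so the check can run in CI before the manifest reaches the cluster.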

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  partition: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createdAt: string
gatewayID: string
gatewayURL: string
status: string
statusReasons:
- string
updatedAt: string
workloadIdentityDetails: 
  workloadIdentityARN: string
Field / Description
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership, and the
constructed ARN for the resource.
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.partition
Optional
string
Partition is the AWS partition in which the resource exists or will exist.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRs managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition.
createdAt
Optional
string
The timestamp when the gateway was created.
gatewayID
Optional
string
The unique identifier of the created gateway.

Regex Pattern: ^([0-9a-z][-]?){1,100}-[0-9a-z]{10}$
gatewayURL
Optional
string
The URL endpoint for the created gateway.
status
Optional
string
The current status of the gateway.
statusReasons
Optional
array
The reasons for the current status of the gateway.
statusReasons.[]
Required
string
workloadIdentityDetails
Optional
object
The workload identity details for the created gateway.
workloadIdentityDetails.workloadIdentityARN
Optional
string