14 changes: 14 additions & 0 deletions packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md
Expand Up @@ -1265,6 +1265,20 @@ const lambdaRole = new iam.Role(this, "LambdaRole", {
gateway.grantInvoke(lambdaRole);
```

**No Authorization** – Creates a gateway with no inbound authorization. This is useful for building public MCP servers,
or when you want to skip gateway-level authentication and enforce tool execution-level authentication using Gateway Interceptors.

```typescript fixture=default
const gateway = new agentcore.Gateway(this, "MyGateway", {
gatewayName: "my-gateway",
authorizerConfiguration: agentcore.GatewayAuthorizer.withNoAuth(),
});
```

> **Note:** Do not use No Authorization gateways for testing or development purposes. No Authorization gateways should only be used for production gateways that you intend to make public after you have implemented all the security best practices.

For more information, see [No Authorization](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-inbound-auth.html#gateway-inbound-auth-none).

**Cognito with M2M (Machine-to-Machine) Authentication (Default)** – When no authorizer is specified, the construct automatically creates a Cognito User Pool configured for OAuth 2.0 client credentials flow. This enables machine-to-machine authentication suitable for AI agents and service-to-service communication.

For more information, see [Setting up Amazon Cognito for Gateway inbound authorization](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity-idp-cognito.html).
Expand Up @@ -14,6 +14,8 @@ export enum GatewayAuthorizerType {
CUSTOM_JWT = 'CUSTOM_JWT',
/** AWS IAM authorizer type */
AWS_IAM = 'AWS_IAM',
/** No authorization type */
NONE = 'NONE',
}

/**
Expand Down Expand Up @@ -132,6 +134,24 @@ export class IamAuthorizer implements IGatewayAuthorizerConfig {
}
}

/******************************************************************************
* No Authorization
*****************************************************************************/

/**
* No authorization configuration implementation
*/
export class NoAuthAuthorizer implements IGatewayAuthorizerConfig {
public readonly authorizerType = GatewayAuthorizerType.NONE;

/**
* @internal
*/
_render(): any {
return undefined;
}
}

/******************************************************************************
* Factory
*****************************************************************************/
Expand Down Expand Up @@ -203,4 +223,12 @@ export abstract class GatewayAuthorizer {
customClaims: props.customClaims,
});
}

/**
* No authorization
* @returns IGatewayAuthorizerConfig configured for no authorization
*/
public static withNoAuth(): IGatewayAuthorizerConfig {
return new NoAuthAuthorizer();
}
}
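Review bot: The JSDoc on `withNoAuth()` (and on `NoAuthAuthorizer` in the hunk above, starting at the `No Authorization` banner) says only "No authorization", while the README change in this PR carries the operative caveat: such a gateway accepts unauthenticated inbound requests and is meant only for intentionally public MCP servers, or for setups where authentication is enforced by Gateway Interceptors at tool-execution level. A reader reaching this factory through IDE hover text will never see the README note, so I would put the caveat on the factory itself: `Disables inbound authorization on the gateway. Any client can reach the gateway and its tools; use only for intentionally public MCP servers, or enforce authentication at tool-execution level (e.g. Gateway Interceptors). See the README "No Authorization" section.` The `_render()` that returns `undefined` appears to rely on the Gateway construct dropping `AuthorizerConfiguration` for an undefined value (the added test asserts `Match.absent()`), so a one-line comment naming that dependency would help, e.g. `// NONE carries no configuration payload; the Gateway construct omits AuthorizerConfiguration when this is undefined.` The enclosing class `GatewayAuthorizer` begins outside the hunk.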
Expand Up @@ -1099,6 +1099,19 @@ describe('Authorizer Configuration Tests', () => {
expect(authorizer.authorizerType).toBe('CUSTOM_JWT');
});

test('Should create Gateway with No Auth authorizer', () => {
new Gateway(stack, 'TestGateway', {
gatewayName: 'test-gateway',
authorizerConfiguration: GatewayAuthorizer.withNoAuth(),
});

const template = Template.fromStack(stack);
template.hasResourceProperties('AWS::BedrockAgentCore::Gateway', {
AuthorizerType: 'NONE',
AuthorizerConfiguration: Match.absent(),
});
});

test('Should create custom JWT authorizer with only allowedScopes', () => {
const authorizer = GatewayAuthorizer.usingCustomJwt({
discoveryUrl: 'https://auth.example.com/.well-known/openid-configuration',
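Review bot: The new test checks only the synthesized template, whereas the sibling test immediately above it also asserts on the authorizer object itself (`expect(authorizer.authorizerType).toBe('CUSTOM_JWT')`); for symmetry, and to pin the enum value the template assertion depends on, add `expect(GatewayAuthorizer.withNoAuth().authorizerType).toBe('NONE');` before constructing the gateway. The `Match.absent()` assertion on `AuthorizerConfiguration` is the valuable part of this test and should stay, since it is what proves the NONE type is emitted without a configuration block. The enclosing `describe` block starts outside the hunk.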
@@ -0,0 +1,279 @@
{
"Resources": {
"NoAuthGatewayServiceRole73E92F41": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "bedrock-agentcore.amazonaws.com"
}
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:SourceAccount": {
"Ref": "AWS::AccountId"
}
},
"ArnLike": {
"aws:SourceArn": {
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":bedrock-agentcore:",
{
"Ref": "AWS::Region"
},
":",
{
"Ref": "AWS::AccountId"
},
":gateway/integ-test-no-auth-gateway*"
]
]
}
}
},
"Effect": "Allow",
"Principal": {
"Service": "bedrock-agentcore.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"Description": "Service role for Bedrock AgentCore Gateway integ-test-no-auth-gateway"
}
},
"NoAuthGatewayServiceRoleDefaultPolicy21867BE2": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "lambda:InvokeFunction",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"TestFunction22AD90FC",
"Arn"
]
},
{
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"TestFunction22AD90FC",
"Arn"
]
},
":*"
]
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "NoAuthGatewayServiceRoleDefaultPolicy21867BE2",
"Roles": [
{
"Ref": "NoAuthGatewayServiceRole73E92F41"
}
]
}
},
"NoAuthGateway34D8B21F": {
"Type": "AWS::BedrockAgentCore::Gateway",
"Properties": {
"AuthorizerType": "NONE",
"Description": "Integration test gateway with No Auth authorizer",
"Name": "integ-test-no-auth-gateway",
"ProtocolConfiguration": {
"Mcp": {
"Instructions": "Default gateway to connect to external MCP tools",
"SearchType": "SEMANTIC",
"SupportedVersions": [
"2025-03-26"
]
}
},
"ProtocolType": "MCP",
"RoleArn": {
"Fn::GetAtt": [
"NoAuthGatewayServiceRole73E92F41",
"Arn"
]
}
}
},
"NoAuthGatewayLambdaTarget244BAC7C": {
"Type": "AWS::BedrockAgentCore::GatewayTarget",
"Properties": {
"CredentialProviderConfigurations": [
{
"CredentialProviderType": "GATEWAY_IAM_ROLE"
}
],
"Description": "Lambda target for No Auth gateway",
"GatewayIdentifier": {
"Fn::GetAtt": [
"NoAuthGateway34D8B21F",
"GatewayIdentifier"
]
},
"Name": "lambda-public-target",
"TargetConfiguration": {
"Mcp": {
"Lambda": {
"LambdaArn": {
"Fn::GetAtt": [
"TestFunction22AD90FC",
"Arn"
]
},
"ToolSchema": {
"InlinePayload": [
{
"Description": "A public tool that can be discovered without authentication",
"InputSchema": {
"Properties": {
"query": {
"Description": "Query parameter",
"Type": "string"
}
},
"Required": [
"query"
],
"Type": "object"
},
"Name": "public_tool"
}
]
}
}
}
}
}
},
"TestFunctionServiceRole6ABD93C7": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition"
},
":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
]
}
]
}
},
"TestFunction22AD90FC": {
"Type": "AWS::Lambda::Function",
"Properties": {
"Code": {
"ZipFile": "\n exports.handler = async (event) => {\n console.log('Received event:', JSON.stringify(event));\n return {\n statusCode: 200,\n body: JSON.stringify({\n message: 'Hello from Lambda!',\n input: event,\n }),\n };\n };\n "
},
"Description": "Lambda function for No Auth Gateway integration test",
"FunctionName": "integ-test-no-auth-gateway-lambda",
"Handler": "index.handler",
"Role": {
"Fn::GetAtt": [
"TestFunctionServiceRole6ABD93C7",
"Arn"
]
},
"Runtime": "nodejs22.x"
},
"DependsOn": [
"TestFunctionServiceRole6ABD93C7"
]
},
"TestFunctionLogGroupE7744A08": {
"Type": "AWS::Logs::LogGroup",
"Properties": {
"LogGroupName": {
"Fn::Join": [
"",
[
"/aws/lambda/",
{
"Ref": "TestFunction22AD90FC"
}
]
]
},
"RetentionInDays": 731
},
"UpdateReplacePolicy": "Retain",
"DeletionPolicy": "Retain"
}
},
"Parameters": {
"BootstrapVersion": {
"Type": "AWS::SSM::Parameter::Value<String>",
"Default": "/cdk-bootstrap/hnb659fds/version",
"Description": "Version of the CDK Bootstrap resources in this environment, automatically retrieved from SSM Parameter Store. [cdk:skip]"
}
},
"Rules": {
"CheckBootstrapVersion": {
"Assertions": [
{
"Assert": {
"Fn::Not": [
{
"Fn::Contains": [
[
"1",
"2",
"3",
"4",
"5"
],
{
"Ref": "BootstrapVersion"
}
]
}
]
},
"AssertDescription": "CDK bootstrap stack version 6 required. Please run 'cdk bootstrap' with a recent version of the CDK CLI."
}
]
}
}
}