/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance * with the License. A copy of the License is located at * * http://www.apache.org/licenses/LICENSE-2.0 * * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions * and limitations under the License. */ import type { Construct } from 'constructs'; import type { ApiKeyCredentialProviderReference, IApiKeyCredentialProviderRef } from '../../../aws-bedrockagentcore'; import * as iam from '../../../aws-iam'; import type { IResource, ResourceProps, SecretValue } from '../../../core'; import { Resource } from '../../../core'; /****************************************************************************** * Interface *****************************************************************************/ /** * An API key credential provider registered in AgentCore Token Vault. */ export interface IApiKeyCredentialProvider extends IResource, iam.IGrantable, IApiKeyCredentialProviderRef { /** * The ARN of this credential provider. * @attribute */ readonly credentialProviderArn: string; /** * The ARN of the Secrets Manager secret that stores the API key after the resource is created. * * May be undefined for resources imported without this attribute. * * @attribute */ readonly apiKeySecretArn?: string; /** * Timestamp when the credential provider was created. * @attribute */ readonly createdTime?: string; /** * Timestamp when the credential provider was last updated. * @attribute */ readonly lastUpdatedTime?: string; /** * Grants IAM actions to the IAM principal. */ grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; /** * Grant `GetApiKeyCredentialProvider` and `ListApiKeyCredentialProviders`, scoped to this * provider and parent resources required by the Bedrock AgentCore authorization model. */ grantRead(grantee: iam.IGrantable): iam.Grant; /** * Grant control plane permissions to manage this provider. */ grantAdmin(grantee: iam.IGrantable): iam.Grant; /** * Grant permission to retrieve API key material for outbound calls (`GetResourceApiKey`). */ grantUse(grantee: iam.IGrantable): iam.Grant; /** * Grant read, admin, and credential retrieval permissions. */ grantFullAccess(grantee: iam.IGrantable): iam.Grant; /** * ARNs for use with gateway targets (`GatewayCredentialProvider.fromApiKeyIdentity` or `fromApiKeyIdentityArn`). */ bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding; } /** * Provider and secret ARNs for wiring a Token Vault API key identity into a gateway target. */ export interface GatewayApiKeyIdentityBinding { /** * API key credential provider ARN. */ readonly providerArn: string; /** * Secrets Manager secret ARN for the API key material. */ readonly secretArn: string; } /** * Properties for a new {@link ApiKeyCredentialProvider} (Token Vault resource). */ export interface ApiKeyCredentialProviderProps { /** * Name of the credential provider. * * @default a name generated by CDK */ readonly apiKeyCredentialProviderName?: string; /** * The API key value. * * **NOTE:** The API key will be included in the CloudFormation template as part of synthesis. * The service stores the key in Secrets Manager after creation, but the value is visible * in the template and deployment history. Use `SecretValue.unsafePlainText()` to explicitly * acknowledge plaintext, or pass a reference from another construct to avoid embedding the * literal value. * * If omitted, you can supply the key through another mechanism supported by the service. * * @default - no key in template (provider may still be created depending on service behavior) */ readonly apiKey?: SecretValue; /** * Tags for this credential provider. * * @default - no tags */ readonly tags?: { [key: string]: string; }; } /** * Attributes for importing an existing API key credential provider. */ export interface ApiKeyCredentialProviderAttributes { /** * ARN of the credential provider. */ readonly credentialProviderArn: string; /** * ARN of the Secrets Manager secret for the API key, if known. * * @default - not set; required for {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} on imported providers */ readonly apiKeySecretArn?: string; /** * Resource creation time. * * @default - not set */ readonly createdTime?: string; /** * Resource last-updated time. * * @default - not set */ readonly lastUpdatedTime?: string; } /****************************************************************************** * Abstract base *****************************************************************************/ declare abstract class ApiKeyCredentialProviderBase extends Resource implements IApiKeyCredentialProvider { abstract readonly credentialProviderArn: string; abstract readonly apiKeySecretArn?: string; abstract readonly createdTime?: string; abstract readonly lastUpdatedTime?: string; readonly grantPrincipal: iam.IPrincipal; get apiKeyCredentialProviderRef(): ApiKeyCredentialProviderReference; constructor(scope: Construct, id: string, props?: ResourceProps); /** * [disable-awslint:no-grants] */ grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; /** * [disable-awslint:no-grants] */ grantRead(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantAdmin(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantUse(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantFullAccess(grantee: iam.IGrantable): iam.Grant; abstract bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding; } /****************************************************************************** * Class *****************************************************************************/ /** * L2 construct for `AWS::BedrockAgentCore::ApiKeyCredentialProvider`. * * Use this to register an API key identity in AgentCore Token Vault. To attach the identity to a * gateway target, use {@link GatewayCredentialProvider.fromApiKeyIdentity} with this construct, or * {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} with {@link GatewayCredentialProvider.fromApiKeyIdentityArn}. * * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-bedrockagentcore-apikeycredentialprovider.html * @resource AWS::BedrockAgentCore::ApiKeyCredentialProvider */ export declare class ApiKeyCredentialProvider extends ApiKeyCredentialProviderBase { /** Uniquely identifies this class. */ static readonly PROPERTY_INJECTION_ID: string; /** * Import an existing API key credential provider. */ static fromApiKeyCredentialProviderAttributes(scope: Construct, id: string, attrs: ApiKeyCredentialProviderAttributes): IApiKeyCredentialProvider; readonly credentialProviderArn: string; /** * The name of this API key credential provider. * @attribute */ readonly apiKeyCredentialProviderName: string; readonly createdTime?: string; readonly lastUpdatedTime?: string; private _apiKeySecretArn?; private readonly __resource; get apiKeySecretArn(): string | undefined; constructor(scope: Construct, id: string, props?: ApiKeyCredentialProviderProps); /** * ARNs for {@link GatewayCredentialProvider.fromApiKeyIdentity} / {@link GatewayCredentialProvider.fromApiKeyIdentityArn}. */ bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding; } export {};