/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance * with the License. A copy of the License is located at * * http://www.apache.org/licenses/LICENSE-2.0 * * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions * and limitations under the License. */ import type { Construct } from 'constructs'; import type { IWorkloadIdentityRef, WorkloadIdentityReference } from '../../../aws-bedrockagentcore'; import * as iam from '../../../aws-iam'; import type { IResource, ResourceProps } from '../../../core'; import { Resource } from '../../../core'; /****************************************************************************** * Interface *****************************************************************************/ /** * A workload identity for Amazon Bedrock AgentCore. * * Represents the stable identity of an agent within an account's agent identity directory. * It ties together IAM roles, OAuth2 flows, API keys, and workload access tokens * for consistent authentication across environments. * * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/understanding-agent-identities.html */ export interface IWorkloadIdentity extends IResource, iam.IGrantable, IWorkloadIdentityRef { /** * The ARN of this workload identity. * @attribute */ readonly workloadIdentityArn: string; /** * The name of this workload identity. * @attribute */ readonly workloadIdentityName: string; /** * Timestamp when the workload identity was created. * @attribute */ readonly createdTime?: string; /** * Timestamp when the workload identity was last updated. * @attribute */ readonly lastUpdatedTime?: string; /** * Grants IAM actions on this workload identity, scoped to its ARN and the parent resources * required by the Bedrock AgentCore authorization model. */ grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; /** * Grant `GetWorkloadIdentity` and `ListWorkloadIdentities`, scoped to this identity * and parent resources required by the Bedrock AgentCore authorization model. */ grantRead(grantee: iam.IGrantable): iam.Grant; /** * Grant control plane permissions to manage this workload identity. */ grantAdmin(grantee: iam.IGrantable): iam.Grant; /** * Grant data plane permissions to mint workload access tokens * (`GetWorkloadAccessToken`, `GetWorkloadAccessTokenForJWT`, `GetWorkloadAccessTokenForUserId`). */ grantUse(grantee: iam.IGrantable): iam.Grant; /** * Grant read, list, admin, and use permissions. */ grantFullAccess(grantee: iam.IGrantable): iam.Grant; } /** * Properties for a new {@link WorkloadIdentity}. */ export interface WorkloadIdentityProps { /** * Name of the workload identity. * * @default - a name generated by CDK */ readonly workloadIdentityName?: string; /** * Allowed OAuth2 return URLs for resources associated with this workload identity. * * @default - no return URLs */ readonly allowedResourceOauth2ReturnUrls?: string[]; /** * Tags for this workload identity. * * @default - no tags */ readonly tags?: { [key: string]: string; }; } /** * Attributes for importing an existing workload identity. */ export interface WorkloadIdentityAttributes { /** * ARN of the workload identity. */ readonly workloadIdentityArn: string; /** * Name of the workload identity. */ readonly workloadIdentityName: string; /** * Resource creation time. * * @default - not set */ readonly createdTime?: string; /** * Resource last-updated time. * * @default - not set */ readonly lastUpdatedTime?: string; } /****************************************************************************** * Abstract base *****************************************************************************/ declare abstract class WorkloadIdentityBase extends Resource implements IWorkloadIdentity { abstract readonly workloadIdentityArn: string; abstract readonly workloadIdentityName: string; abstract readonly createdTime?: string; abstract readonly lastUpdatedTime?: string; readonly grantPrincipal: iam.IPrincipal; get workloadIdentityRef(): WorkloadIdentityReference; constructor(scope: Construct, id: string, props?: ResourceProps); /** * [disable-awslint:no-grants] */ grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant; /** * [disable-awslint:no-grants] */ grantRead(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantAdmin(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantUse(grantee: iam.IGrantable): iam.Grant; /** * [disable-awslint:no-grants] */ grantFullAccess(grantee: iam.IGrantable): iam.Grant; } /****************************************************************************** * Class *****************************************************************************/ /** * L2 construct for `AWS::BedrockAgentCore::WorkloadIdentity`. * * A workload identity is the stable identity of an agent in an AWS account. It ties together * IAM roles, OAuth2 flows, API keys, and workload access tokens for consistent authentication * across environments. * * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-bedrockagentcore-workloadidentity.html * @resource AWS::BedrockAgentCore::WorkloadIdentity */ export declare class WorkloadIdentity extends WorkloadIdentityBase { /** Uniquely identifies this class. */ static readonly PROPERTY_INJECTION_ID: string; /** * Import an existing workload identity. */ static fromWorkloadIdentityAttributes(scope: Construct, id: string, attrs: WorkloadIdentityAttributes): IWorkloadIdentity; readonly workloadIdentityArn: string; readonly workloadIdentityName: string; private _createdTime?; private _lastUpdatedTime?; private readonly _resource; get createdTime(): string | undefined; get lastUpdatedTime(): string | undefined; constructor(scope: Construct, id: string, props?: WorkloadIdentityProps); } export {};