Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the export slots (same order as the original chained assignment).
exports.ApiKeyCredentialLocationType = void 0;
exports.ApiKeyCredentialLocation = void 0;
exports.ApiKeyCredentialProviderConfiguration = void 0;

// Lazy loaders: each one requires its module on the first call and then
// rebinds itself to a thunk that returns the already-loaded module.
let jsiiDeprecationWarnings = () => {
  const loaded = require("../../../../.warnings.jsii.js");
  jsiiDeprecationWarnings = () => loaded;
  return loaded;
};

const JSII_RTTI_SYMBOL_1 = Symbol.for("jsii.rtti");

let credential_provider_1 = () => {
  const loaded = require("./credential-provider");
  credential_provider_1 = () => loaded;
  return loaded;
};

let aws_iam_1 = () => {
  const loaded = require("../../../../aws-iam");
  aws_iam_1 = () => loaded;
  return loaded;
};

let core_1 = () => {
  const loaded = require("../../../../core");
  core_1 = () => loaded;
  return loaded;
};

let perms_1 = () => {
  const loaded = require("../perms");
  perms_1 = () => loaded;
  return loaded;
};

/**
 * Where the API key is placed on the outbound request: in a request header
 * or in a URL query parameter.
 */
const ApiKeyCredentialLocationType = {
  HEADER: "HEADER",
  QUERY_PARAMETER: "QUERY_PARAMETER",
};
exports.ApiKeyCredentialLocationType = ApiKeyCredentialLocationType;

/**
 * Describes how an API key credential is attached to a request: the location
 * type, the header / query-parameter name, and an optional value prefix.
 * Instances are created through the static factories below.
 */
class ApiKeyCredentialLocation {
  static [JSII_RTTI_SYMBOL_1] = {
    fqn: "aws-cdk-lib.aws_bedrockagentcore.ApiKeyCredentialLocation",
    version: "2.257.0",
  };

  /**
   * Place the API key in a request header.
   *
   * @param config optional overrides; `credentialParameterName` defaults to
   *   "Authorization" and `credentialPrefix` defaults to "Bearer ".
   * @returns a location of type HEADER
   * @throws whatever the jsii validator throws for `config`
   */
  static header(config) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_bedrockagentcore_ApiKeyAdditionalConfiguration(config);
    } catch (error) {
      // Outside JSII_DEBUG mode, trim the stack of a DeprecationError so it
      // starts at the caller of this factory; the error is always rethrown.
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.header);
      }
      throw error;
    }
    const parameterName = config?.credentialParameterName ?? "Authorization";
    const prefix = config?.credentialPrefix ?? "Bearer ";
    return new ApiKeyCredentialLocation(ApiKeyCredentialLocationType.HEADER, parameterName, prefix);
  }

  /**
   * Place the API key in a URL query parameter.
   *
   * Security note: a key carried in the query string is part of the request
   * URL, and URLs are commonly recorded by access logs and intermediaries.
   * Prefer `header()` when the target API accepts the key in a header.
   *
   * @param config optional overrides; `credentialParameterName` defaults to
   *   "api_key"; `credentialPrefix` has no default and stays undefined when
   *   not supplied.
   * @returns a location of type QUERY_PARAMETER
   * @throws whatever the jsii validator throws for `config`
   */
  static queryParameter(config) {
    try {
      jsiiDeprecationWarnings().aws_cdk_lib_aws_bedrockagentcore_ApiKeyAdditionalConfiguration(config);
    } catch (error) {
      // Same stack-trimming rule as in header().
      if (process.env.JSII_DEBUG !== "1" && error.name === "DeprecationError") {
        Error.captureStackTrace(error, this.queryParameter);
      }
      throw error;
    }
    const parameterName = config?.credentialParameterName ?? "api_key";
    return new ApiKeyCredentialLocation(
      ApiKeyCredentialLocationType.QUERY_PARAMETER,
      parameterName,
      config?.credentialPrefix,
    );
  }

  // Field order is kept as in the original; it fixes own-property order.
  credentialParameterName;
  credentialPrefix;
  credentialLocationType;

  /**
   * @param credentialLocationType one of ApiKeyCredentialLocationType
   * @param credentialParameterName header or query-parameter name
   * @param credentialPrefix string placed before the key value (may be undefined)
   */
  constructor(credentialLocationType, credentialParameterName, credentialPrefix) {
    this.credentialLocationType = credentialLocationType;
    this.credentialParameterName = credentialParameterName;
    this.credentialPrefix = credentialPrefix;
  }
}
exports.ApiKeyCredentialLocation = ApiKeyCredentialLocation;

/**
 * Credential provider configuration of type API_KEY: it holds the provider
 * ARN, the ARN of the secret, and where the key goes on the request, and it
 * knows which IAM grants a gateway role needs in order to use them.
 */
class ApiKeyCredentialProviderConfiguration {
  credentialProviderType = credential_provider_1().CredentialProviderType.API_KEY;
  providerArn;
  secretArn;
  credentialLocation;

  /**
   * @param configuration object with `providerArn`, `secretArn` and an
   *   optional `credentialLocation` (defaults to
   *   `ApiKeyCredentialLocation.header()`).
   */
  constructor(configuration) {
    this.providerArn = configuration.providerArn;
    this.secretArn = configuration.secretArn;
    this.credentialLocation = configuration.credentialLocation ?? ApiKeyCredentialLocation.header();
  }

  /**
   * Adds three grants to `gateway.role` and returns them combined:
   * workload-identity actions, API-key actions, and Secrets Manager actions.
   * The action lists come from `../perms` and are not visible in this file.
   *
   * Least-privilege notes for reviewers:
   * - The workload-identity resource is `<directory>/workload-identity/<gatewayName>-*`.
   *   NOTE(review): a trailing wildcard like this also matches identities of
   *   any other gateway whose name begins with `<gatewayName>-`; confirm the
   *   naming scheme rules that out.
   * - When `secretArn` is an unresolved token, the secrets grant is NOT scoped
   *   to one secret: it covers every secret whose name starts with
   *   `bedrock-agentcore-identity!`, and a synth-time warning is attached to
   *   the gateway. Pass a literal secret ARN to get a single-secret grant.
   *
   * @param gateway construct exposing `role` and `gatewayName`
   * @returns the combined grant
   */
  grantNeededPermissionsToRole(gateway) {
    const owningStack = core_1().Stack.of(gateway);

    const identityDirectoryArn = owningStack.formatArn({
      service: "bedrock-agentcore",
      resource: "workload-identity-directory",
      resourceName: "default",
      arnFormat: core_1().ArnFormat.SLASH_RESOURCE_NAME,
    });
    const gatewayIdentitiesArn = `${identityDirectoryArn}/workload-identity/${gateway.gatewayName}-*`;
    const vaultArn = owningStack.formatArn({
      service: "bedrock-agentcore",
      resource: "token-vault",
      resourceName: "default",
      arnFormat: core_1().ArnFormat.SLASH_RESOURCE_NAME,
    });

    // Statement order on the role is kept: identity, API key, then secrets.
    const identityGrant = aws_iam_1().Grant.addToPrincipal({
      grantee: gateway.role,
      actions: [...perms_1().GATEWAY_WORKLOAD_IDENTITY_PERMS],
      resourceArns: [identityDirectoryArn, gatewayIdentitiesArn],
    });
    const keyGrant = aws_iam_1().Grant.addToPrincipal({
      grantee: gateway.role,
      actions: [...perms_1().GATEWAY_API_KEY_PERMS],
      resourceArns: [vaultArn, this.providerArn, identityDirectoryArn, gatewayIdentitiesArn],
    });

    let secretTargets;
    if (core_1().Token.isUnresolved(this.secretArn)) {
      // The concrete ARN is not known at synth time, so fall back to a
      // name-prefix wildcard and make the broader scope visible as a warning.
      core_1().Annotations.of(gateway).addWarningV2(
        "aws-cdk-lib.aws-bedrockagentcore:wildcardSecretArnGrant",
        "The secret ARN is an unresolved token. Granting access using a wildcard prefix (bedrock-agentcore-identity!*). To scope the grant to a specific secret, supply a literal secret ARN via fromApiKeyIdentityArn.",
      );
      secretTargets = [
        owningStack.formatArn({
          service: "secretsmanager",
          resource: "secret",
          resourceName: "bedrock-agentcore-identity!*",
          arnFormat: core_1().ArnFormat.COLON_RESOURCE_NAME,
        }),
      ];
    } else {
      secretTargets = [this.secretArn];
    }

    const secretsGrant = aws_iam_1().Grant.addToPrincipal({
      grantee: gateway.role,
      actions: [...perms_1().GATEWAY_SECRETS_PERMS],
      resourceArns: secretTargets,
    });

    return identityGrant.combine(keyGrant).combine(secretsGrant);
  }

  /**
   * Builds the plain-object form of this configuration. The result carries
   * the provider ARN and the credential location settings; `secretArn` is
   * not part of it.
   *
   * @returns object with `credentialProviderType` and `credentialProvider`
   */
  _render() {
    const apiKeyCredentialProvider = {
      providerArn: this.providerArn,
      credentialLocation: this.credentialLocation.credentialLocationType,
      credentialParameterName: this.credentialLocation.credentialParameterName,
      credentialPrefix: this.credentialLocation.credentialPrefix,
    };
    return {
      credentialProviderType: this.credentialProviderType,
      credentialProvider: { apiKeyCredentialProvider },
    };
  }
}
exports.ApiKeyCredentialProviderConfiguration = ApiKeyCredentialProviderConfiguration;