Object.defineProperty(exports, "__esModule", { value: true });
exports.OAuthCredentialProviderConfiguration = void 0;

/**
 * Wraps a module loader so the underlying `require` runs on first use only
 * and the loaded module is reused on every later call.
 * @param {() => any} load - thunk that performs the actual `require`
 * @returns {() => any} accessor returning the (cached) module
 */
function lazyModule(load) {
  let loaded = false;
  let cached;
  return () => {
    if (!loaded) {
      cached = load();
      loaded = true;
    }
    return cached;
  };
}

// Upstream modules are pulled in lazily, on first access.
const credentialProvider = lazyModule(() => require("./credential-provider"));
const awsIam = lazyModule(() => require("../../../../aws-iam"));
const core = lazyModule(() => require("../../../../core"));
const perms = lazyModule(() => require("../perms"));

/**
 * Gateway credential-provider configuration backed by an OAuth credential
 * provider (`CredentialProviderType.OAUTH`).
 */
class OAuthCredentialProviderConfiguration {
  credentialProviderType = credentialProvider().CredentialProviderType.OAUTH;
  providerArn;
  secretArn;
  scopes;
  customParameters;

  /**
   * @param {object} configuration
   * @param {string} configuration.providerArn - ARN of the OAuth credential provider
   * @param {string} configuration.secretArn - ARN of the secret the gateway role is granted
   *   access to (may be an unresolved token; see grantNeededPermissionsToRole)
   * @param {string[] | undefined} configuration.scopes - OAuth scopes forwarded in _render
   * @param {object | undefined} configuration.customParameters - extra provider parameters forwarded in _render
   */
  constructor(configuration) {
    const { providerArn, secretArn, scopes, customParameters } = configuration;
    this.providerArn = providerArn;
    this.secretArn = secretArn;
    this.scopes = scopes;
    this.customParameters = customParameters;
  }

  /**
   * Grants the gateway's role the IAM permissions this provider needs:
   * workload-identity permissions on the default workload-identity directory and
   * the gateway's identity prefix, OAuth / complete-auth permissions on the token
   * vault, the provider ARN and those identity ARNs, and read access to the
   * configured secret.
   *
   * When `secretArn` is still an unresolved token it cannot be narrowed at synth
   * time, so the secret grant falls back to the `bedrock-agentcore-identity!*`
   * name prefix and a warning annotation is recorded on the gateway.
   *
   * @param {object} gateway - construct exposing `role` (the grantee) and `gatewayName`
   * @returns {import("../../../../aws-iam").Grant} the four grants combined into one
   */
  grantNeededPermissionsToRole(gateway) {
    const coreLib = core();
    const stack = coreLib.Stack.of(gateway);

    // Resource ARNs in the bedrock-agentcore namespace use the slash resource-name format.
    const agentcoreArn = (resource, resourceName) =>
      stack.formatArn({
        service: "bedrock-agentcore",
        resource,
        resourceName,
        arnFormat: coreLib.ArnFormat.SLASH_RESOURCE_NAME,
      });

    const directoryArn = agentcoreArn("workload-identity-directory", "default");
    // Identities created for this gateway share the `<gatewayName>-` prefix.
    const identityWildcardArn = `${directoryArn}/workload-identity/${gateway.gatewayName}-*`;
    const tokenVaultArn = agentcoreArn("token-vault", "default");

    const identityArns = [directoryArn, identityWildcardArn];
    const credentialAndIdentityArns = [tokenVaultArn, this.providerArn, directoryArn, identityWildcardArn];

    // `actions` is a thunk so the permissions module is only loaded when the grant is built.
    const grantToRole = (actions, resourceArns) =>
      awsIam().Grant.addToPrincipal({
        grantee: gateway.role,
        actions: [...actions()],
        resourceArns,
      });

    const workloadIdentityGrant = grantToRole(
      () => perms().GATEWAY_WORKLOAD_IDENTITY_OAUTH_PERMS,
      identityArns,
    );
    const completeAuthGrant = grantToRole(
      () => perms().GATEWAY_OAUTH_COMPLETE_AUTH_PERMS,
      credentialAndIdentityArns,
    );
    const oauthGrant = grantToRole(() => perms().GATEWAY_OAUTH_PERMS, credentialAndIdentityArns);

    let secretResourceArns;
    if (coreLib.Token.isUnresolved(this.secretArn)) {
      // A token cannot be matched to a literal ARN here, so widen to the name
      // prefix and surface the loss of scoping to the user.
      coreLib.Annotations.of(gateway).addWarningV2(
        "aws-cdk-lib.aws-bedrockagentcore:wildcardSecretArnGrant",
        "The secret ARN is an unresolved token. Granting access using a wildcard prefix (bedrock-agentcore-identity!*). To scope the grant to a specific secret, supply a literal secret ARN via fromOauthIdentityArn.",
      );
      secretResourceArns = [
        stack.formatArn({
          service: "secretsmanager",
          resource: "secret",
          resourceName: "bedrock-agentcore-identity!*",
          arnFormat: coreLib.ArnFormat.COLON_RESOURCE_NAME,
        }),
      ];
    } else {
      secretResourceArns = [this.secretArn];
    }

    const secretGrant = grantToRole(() => perms().GATEWAY_SECRETS_PERMS, secretResourceArns);

    // Fold the remaining grants onto the first one, in creation order.
    return [completeAuthGrant, oauthGrant, secretGrant].reduce(
      (combined, grant) => combined.combine(grant),
      workloadIdentityGrant,
    );
  }

  /**
   * Returns the plain-object form of this configuration
   * (`credentialProviderType` plus the nested `oauthCredentialProvider` block).
   * Note that `secretArn` is deliberately not part of the rendered output.
   * @returns {object}
   */
  _render() {
    const { providerArn, scopes, customParameters } = this;
    return {
      credentialProviderType: this.credentialProviderType,
      credentialProvider: {
        oauthCredentialProvider: { providerArn, scopes, customParameters },
      },
    };
  }
}

exports.OAuthCredentialProviderConfiguration = OAuthCredentialProviderConfiguration;