/**
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
* with the License. A copy of the License is located at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
* OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
* and limitations under the License.
*/
import type { Construct } from 'constructs';
import type { ApiKeyCredentialProviderReference, IApiKeyCredentialProviderRef } from '../../../aws-bedrockagentcore';
import * as iam from '../../../aws-iam';
import type { IResource, ResourceProps, SecretValue } from '../../../core';
import { Resource } from '../../../core';
/******************************************************************************
* Interface
*****************************************************************************/
/**
* An API key credential provider registered in AgentCore Token Vault.
*/
/**
 * An API key credential provider registered in AgentCore Token Vault.
 *
 * The grant helpers are tiered on purpose: `grantRead` and `grantAdmin` cover the control plane
 * (provider metadata and lifecycle), while `grantUse` hands out the API key material itself and
 * `grantFullAccess` is the union of all three. Pick the narrowest helper that fits the caller —
 * a runtime role that only calls out with the key needs `grantUse`, not `grantFullAccess`.
 */
export interface IApiKeyCredentialProvider extends IResource, iam.IGrantable, IApiKeyCredentialProviderRef {
  /**
   * The ARN of this credential provider.
   * @attribute
   */
  readonly credentialProviderArn: string;
  /**
   * The ARN of the Secrets Manager secret that stores the API key after the resource is created.
   *
   * May be undefined for resources imported without this attribute. Code that needs the secret ARN
   * (for example {@link bindForGatewayApiKeyTarget}) should check for `undefined` instead of
   * assuming an imported provider carries it.
   *
   * @attribute
   */
  readonly apiKeySecretArn?: string;
  /**
   * Timestamp when the credential provider was created.
   * @attribute
   */
  readonly createdTime?: string;
  /**
   * Timestamp when the credential provider was last updated.
   * @attribute
   */
  readonly lastUpdatedTime?: string;
  /**
   * Grants IAM actions to the IAM principal.
   *
   * Escape hatch for actions the typed helpers below do not cover. `actions` are passed through as
   * given — nothing in this declaration constrains them to real `bedrock-agentcore` actions or to
   * being narrower than the helpers — so prefer `grantRead`/`grantAdmin`/`grantUse` where they
   * suffice. Resource scoping presumably matches the helpers; confirm in the implementation.
   */
  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
  /**
   * Grant `GetApiKeyCredentialProvider` and `ListApiKeyCredentialProviders`, scoped to this
   * provider and parent resources required by the Bedrock AgentCore authorization model.
   *
   * Metadata-level read. Retrieval of the key value itself is a separate action — see `grantUse`.
   */
  grantRead(grantee: iam.IGrantable): iam.Grant;
  /**
   * Grant control plane permissions to manage this provider.
   *
   * The exact action list lives in the implementation, not in this declaration. Treat it as a
   * lifecycle/management grant for deployment or admin identities; it is not needed by a runtime
   * that only consumes the key.
   */
  grantAdmin(grantee: iam.IGrantable): iam.Grant;
  /**
   * Grant permission to retrieve API key material for outbound calls (`GetResourceApiKey`).
   *
   * This is the sensitive grant: the grantee can read the API key value. Give it only to the
   * identity that actually makes the outbound call (agent runtime, gateway target role), never to
   * human or CI principals as a convenience.
   */
  grantUse(grantee: iam.IGrantable): iam.Grant;
  /**
   * Grant read, admin, and credential retrieval permissions.
   *
   * Union of `grantRead`, `grantAdmin` and `grantUse`; because it includes `grantUse` it exposes
   * key material. Reserve for admin automation or break-glass roles and prefer the individual
   * helpers for least privilege.
   */
  grantFullAccess(grantee: iam.IGrantable): iam.Grant;
  /**
   * ARNs for use with gateway targets (`GatewayCredentialProvider.fromApiKeyIdentity` or `fromApiKeyIdentityArn`).
   *
   * Returns the provider ARN and the Secrets Manager secret ARN. On an imported provider the secret
   * ARN must have been supplied at import time (see `ApiKeyCredentialProviderAttributes.apiKeySecretArn`).
   */
  bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding;
}
/**
* Provider and secret ARNs for wiring a Token Vault API key identity into a gateway target.
*/
/**
 * Provider and secret ARNs for wiring a Token Vault API key identity into a gateway target.
 *
 * This is a plain pair of ARNs: it carries no key value and grants no permissions by itself. The
 * consumer of the binding presumably needs its own read access to the referenced secret — that
 * has to be granted separately.
 */
export interface GatewayApiKeyIdentityBinding {
  /**
   * API key credential provider ARN.
   */
  readonly providerArn: string;
  /**
   * Secrets Manager secret ARN for the API key material.
   *
   * Points at the service-managed secret; the key itself is never part of this binding.
   */
  readonly secretArn: string;
}
/**
* Properties for a new {@link ApiKeyCredentialProvider} (Token Vault resource).
*/
/**
 * Properties for a new {@link ApiKeyCredentialProvider} (Token Vault resource).
 */
export interface ApiKeyCredentialProviderProps {
  /**
   * Name of the credential provider.
   *
   * @default a name generated by CDK
   */
  readonly apiKeyCredentialProviderName?: string;
  /**
   * The API key value.
   *
   * **NOTE:** The API key will be included in the CloudFormation template as part of synthesis.
   * The service stores the key in Secrets Manager after creation, but the value is visible
   * in the template and deployment history. Use `SecretValue.unsafePlainText()` to explicitly
   * acknowledge plaintext, or pass a reference from another construct to avoid embedding the
   * literal value.
   *
   * Practical consequences of a plaintext literal:
   * - It lands in the synthesized template (`cdk.out`), in the stack template stored by
   *   CloudFormation, and in anything that prints the template (`cdk diff`, CI logs). Anyone who
   *   can read the template can read the key, and rotating the key later does not remove those
   *   copies.
   * - Treat `cdk.out` and template artifacts as secret-bearing in that case: keep them out of
   *   version control and shared build caches.
   * - A deploy-time reference (e.g. a `SecretValue` sourced from Secrets Manager or an SSM
   *   SecureString parameter) is the safer choice; such references are generally resolved by
   *   CloudFormation at deploy time rather than embedded as a literal — verify this for the
   *   reference type you use.
   *
   * If omitted, you can supply the key through another mechanism supported by the service.
   *
   * @default - no key in template (provider may still be created depending on service behavior)
   */
  readonly apiKey?: SecretValue;
  /**
   * Tags for this credential provider.
   *
   * Tags are metadata, not secrets: they are readable by any principal with tag-read access to
   * the resource. Do not put key material or other sensitive values in tag keys or values.
   *
   * @default - no tags
   */
  readonly tags?: {
    [key: string]: string;
  };
}
/**
* Attributes for importing an existing API key credential provider.
*/
/**
 * Attributes for importing an existing API key credential provider.
 *
 * Nothing here verifies that the ARNs exist or that the secret actually belongs to the provider;
 * as far as this declaration shows, the values are used as given to scope the grant helpers and to
 * build the gateway binding. Source them from something you control (stack outputs, parameters),
 * not from untrusted input.
 */
export interface ApiKeyCredentialProviderAttributes {
  /**
   * ARN of the credential provider.
   */
  readonly credentialProviderArn: string;
  /**
   * ARN of the Secrets Manager secret for the API key, if known.
   *
   * @default - not set; required for {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} on imported providers
   */
  readonly apiKeySecretArn?: string;
  /**
   * Resource creation time.
   *
   * @default - not set
   */
  readonly createdTime?: string;
  /**
   * Resource last-updated time.
   *
   * @default - not set
   */
  readonly lastUpdatedTime?: string;
}
/******************************************************************************
* Abstract base
*****************************************************************************/
/**
 * Shared base for the L2 construct and for imported providers.
 *
 * Subclasses supply the ARNs and timestamps; the grant helpers declared here are the common
 * implementation of {@link IApiKeyCredentialProvider}. The IAM statements they produce are built
 * in the implementation, not visible in this declaration.
 */
declare abstract class ApiKeyCredentialProviderBase extends Resource implements IApiKeyCredentialProvider {
  abstract readonly credentialProviderArn: string;
  abstract readonly apiKeySecretArn?: string;
  abstract readonly createdTime?: string;
  abstract readonly lastUpdatedTime?: string;
  /**
   * Principal used when this provider is itself passed somewhere as an `iam.IGrantable`.
   *
   * NOTE(review): which principal this resolves to is not visible here — confirm in the
   * implementation before relying on it.
   */
  readonly grantPrincipal: iam.IPrincipal;
  /** Reference handle used for cross-construct wiring inside the `aws-bedrockagentcore` module. */
  get apiKeyCredentialProviderRef(): ApiKeyCredentialProviderReference;
  constructor(scope: Construct, id: string, props?: ResourceProps);
  /**
   * Escape hatch: grant arbitrary actions to `grantee`. Nothing in this declaration validates
   * the action names; prefer the typed helpers below.
   *
   * [disable-awslint:no-grants]
   */
  grant(grantee: iam.IGrantable, ...actions: string[]): iam.Grant;
  /**
   * Read-only metadata access (see the interface doc for the exact actions).
   *
   * [disable-awslint:no-grants]
   */
  grantRead(grantee: iam.IGrantable): iam.Grant;
  /**
   * Control-plane/lifecycle access; not needed by runtimes that only consume the key.
   *
   * [disable-awslint:no-grants]
   */
  grantAdmin(grantee: iam.IGrantable): iam.Grant;
  /**
   * Key-material retrieval (`GetResourceApiKey`) — the sensitive grant; scope it to the identity
   * that makes the outbound call.
   *
   * [disable-awslint:no-grants]
   */
  grantUse(grantee: iam.IGrantable): iam.Grant;
  /**
   * Read + admin + use. Includes key-material retrieval; avoid for least-privilege runtime roles.
   *
   * [disable-awslint:no-grants]
   */
  grantFullAccess(grantee: iam.IGrantable): iam.Grant;
  abstract bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding;
}
/******************************************************************************
* Class
*****************************************************************************/
/**
* L2 construct for `AWS::BedrockAgentCore::ApiKeyCredentialProvider`.
*
* Use this to register an API key identity in AgentCore Token Vault. To attach the identity to a
* gateway target, use {@link GatewayCredentialProvider.fromApiKeyIdentity} with this construct, or
* {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} with {@link GatewayCredentialProvider.fromApiKeyIdentityArn}.
*
* @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-bedrockagentcore-apikeycredentialprovider.html
* @resource AWS::BedrockAgentCore::ApiKeyCredentialProvider
*/
/**
 * L2 construct for `AWS::BedrockAgentCore::ApiKeyCredentialProvider`.
 *
 * Use this to register an API key identity in AgentCore Token Vault. To attach the identity to a
 * gateway target, use {@link GatewayCredentialProvider.fromApiKeyIdentity} with this construct, or
 * {@link ApiKeyCredentialProvider.bindForGatewayApiKeyTarget} with {@link GatewayCredentialProvider.fromApiKeyIdentityArn}.
 *
 * Security notes:
 * - A key passed via `props.apiKey` is embedded in the CloudFormation template; see
 *   {@link ApiKeyCredentialProviderProps.apiKey} for how to avoid a plaintext literal.
 * - `grantUse` and `grantFullAccess` expose the key material to the grantee; scope them to the
 *   runtime identity that makes the outbound call.
 *
 * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-bedrockagentcore-apikeycredentialprovider.html
 * @resource AWS::BedrockAgentCore::ApiKeyCredentialProvider
 */
export declare class ApiKeyCredentialProvider extends ApiKeyCredentialProviderBase {
  /** Uniquely identifies this class (used for CDK property injection). */
  static readonly PROPERTY_INJECTION_ID: string;
  /**
   * Import an existing API key credential provider.
   *
   * The import can issue grants and bindings but does not own or modify the underlying resource.
   * Supply `attrs.apiKeySecretArn` if you intend to call `bindForGatewayApiKeyTarget` on the
   * result; it is required there.
   */
  static fromApiKeyCredentialProviderAttributes(scope: Construct, id: string, attrs: ApiKeyCredentialProviderAttributes): IApiKeyCredentialProvider;
  readonly credentialProviderArn: string;
  /**
   * The name of this API key credential provider.
   * @attribute
   */
  readonly apiKeyCredentialProviderName: string;
  readonly createdTime?: string;
  readonly lastUpdatedTime?: string;
  /** Backing field for {@link apiKeySecretArn}; populated by the implementation (not visible here). */
  private _apiKeySecretArn?;
  /** Underlying L1 resource — presumably the `Cfn*` counterpart; type not visible in this declaration. */
  private readonly __resource;
  /**
   * Secrets Manager ARN of the service-managed secret holding the key.
   *
   * Declared as possibly `undefined` even on the L2 construct; this declaration does not show when
   * it is unset, so guard for `undefined` rather than assuming it is always populated.
   */
  get apiKeySecretArn(): string | undefined;
  /**
   * @param scope parent construct
   * @param id construct id
   * @param props see {@link ApiKeyCredentialProviderProps}; when omitted no `apiKey` is embedded
   *   in the template
   */
  constructor(scope: Construct, id: string, props?: ApiKeyCredentialProviderProps);
  /**
   * ARNs for {@link GatewayCredentialProvider.fromApiKeyIdentity} / {@link GatewayCredentialProvider.fromApiKeyIdentityArn}.
   *
   * Returns only ARNs (provider and secret), never the key value.
   */
  bindForGatewayApiKeyTarget(): GatewayApiKeyIdentityBinding;
}
// Marks this declaration file as an ES module so the `export declare` symbols above are module-scoped.
export {};