/**
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance
 * with the License. A copy of the License is located at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * or in the 'license' file accompanying this file. This file is distributed on an 'AS IS' BASIS, WITHOUT WARRANTIES
 * OR CONDITIONS OF ANY KIND, express or implied. See the License for the specific language governing permissions
 * and limitations under the License.
 */
/**
 * Secrets Manager actions to read credential material stored for Token Vault providers.
 *
 * Outbound gateway targets apply the same actions on the secret ARN; principals that call
 * `GetResourceApiKey` / `GetResourceOauth2Token` (or that mirror gateway behavior) typically need both
 * `bedrock-agentcore` data-plane actions and read access to the backing secret.
 *
 * `secretsmanager:GetSecretValue` returns the stored credential itself, so a policy statement built
 * from these actions should be scoped to the ARN of the backing secret rather than to `*`; the
 * resource scoping is the caller's responsibility, this constant only names the actions.
 *
 * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.html
 */
export declare const TOKEN_VAULT_CREDENTIAL_SECRET_READ_PERMS: readonly ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"];
/**
 * Secrets Manager actions to write credential material for Token Vault providers.
 *
 * Create and Update control plane operations (e.g. CreateApiKeyCredentialProvider,
 * UpdateApiKeyCredentialProvider) store/update the credential in Secrets Manager,
 * requiring PutSecretValue on the backing secret.
 *
 * Read access is deliberately not included here; combine with
 * `TOKEN_VAULT_CREDENTIAL_SECRET_READ_PERMS` only for principals that must do both.
 */
export declare const TOKEN_VAULT_CREDENTIAL_SECRET_WRITE_PERMS: readonly ["secretsmanager:PutSecretValue"];
/**
 * IAM actions for AgentCore API key credential providers (Token Vault).
 *
 * Each member is a plain list of `bedrock-agentcore` action names; the resource ARNs the actions
 * apply to are supplied by whichever grant helper consumes the list.
 *
 * NOTE(review): the members are declared as mutable `string[]`, unlike the `readonly` tuple
 * constants above, so the shared arrays can be mutated by any consumer at runtime — confirm the
 * implementation freezes them or hands out copies.
 *
 * @see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html
 */
export declare class ApiKeyCredentialProviderIdentityPerms {
    /**
     * Read a single API key credential provider definition.
     */
    static readonly READ_PERMS: string[];
    /**
     * List API key credential providers (resource-scoped per IAM service authorization reference).
     */
    static readonly LIST_PERMS: string[];
    /**
     * Control plane permissions to create, read, update, and delete this provider.
     */
    static readonly ADMIN_PERMS: string[];
    /**
     * Data plane permissions to retrieve the API key material for outbound calls.
     *
     * Principals granted these actions can obtain the credential itself; pair them with
     * `TOKEN_VAULT_CREDENTIAL_SECRET_READ_PERMS` on the backing secret only where the
     * caller actually needs the secret (see that constant's documentation).
     */
    static readonly USE_PERMS: string[];
    /**
     * All API key credential provider actions used by the L2 grant helpers.
     *
     * Presumably the union of the control-plane and data-plane lists above (confirm against the
     * implementation); prefer `ADMIN_PERMS` or `USE_PERMS` when a principal needs only one side.
     */
    static readonly FULL_ACCESS_PERMS: string[];
    // Namespace-only class: holds constants, never instantiated.
    private constructor();
}
/**
 * IAM actions for AgentCore OAuth2 credential providers (Token Vault).
 *
 * Same shape as `ApiKeyCredentialProviderIdentityPerms`; the same note about mutable `string[]`
 * members applies.
 *
 * @see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html
 */
export declare class OAuth2CredentialProviderIdentityPerms {
    /**
     * Read a single OAuth2 credential provider definition.
     */
    static readonly READ_PERMS: string[];
    /**
     * List OAuth2 credential providers (resource-scoped per IAM service authorization reference).
     */
    static readonly LIST_PERMS: string[];
    /**
     * Control plane permissions to create, read, update, and delete this provider.
     */
    static readonly ADMIN_PERMS: string[];
    /**
     * Data plane permissions to complete OAuth flows and retrieve tokens for outbound calls.
     *
     * Principals granted these actions receive bearer tokens for the configured provider;
     * scope the grant to the specific provider ARN rather than granting it account-wide.
     */
    static readonly USE_PERMS: string[];
    /**
     * All OAuth2 credential provider actions used by the L2 grant helpers.
     *
     * Presumably the union of the control-plane and data-plane lists above (confirm against the
     * implementation); prefer `ADMIN_PERMS` or `USE_PERMS` when a principal needs only one side.
     */
    static readonly FULL_ACCESS_PERMS: string[];
    // Namespace-only class: holds constants, never instantiated.
    private constructor();
}
/**
 * IAM actions for AgentCore workload identities.
 *
 * Same shape as the credential provider permission classes above; the same note about mutable
 * `string[]` members applies.
 *
 * @see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html
 */
export declare class WorkloadIdentityPerms {
    /**
     * Read a single workload identity.
     */
    static readonly READ_PERMS: string[];
    /**
     * List workload identities (resource-scoped per IAM service authorization reference).
     */
    static readonly LIST_PERMS: string[];
    /**
     * Control plane permissions to create, read, update, and delete this workload identity.
     */
    static readonly ADMIN_PERMS: string[];
    /**
     * Data plane permissions to mint workload access tokens.
     *
     * These actions require both the workload identity ARN and the
     * workload-identity-directory ARN as resource scope.
     *
     * A statement carrying these actions with only one of the two ARNs (or with `*`) either fails
     * at call time or grants token minting for every identity in the directory; supply both ARNs.
     *
     * @see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html
     */
    static readonly USE_PERMS: string[];
    /**
     * All workload identity actions used by the L2 grant helpers.
     *
     * Presumably the union of the control-plane and data-plane lists above (confirm against the
     * implementation); prefer `ADMIN_PERMS` or `USE_PERMS` when a principal needs only one side.
     */
    static readonly FULL_ACCESS_PERMS: string[];
    // Namespace-only class: holds constants, never instantiated.
    private constructor();
}