feat(bedrock-agentcore-alpha): add support for custom claims and scopes to runtime/gateway authorizers #36810
Conversation
github-actions
bot
added
the
valued-contributor
|
|
||||||||||||||
|
|
||||||||||||||
aws-cdk-automation
added
pr/needs-further-review
alvazjor
changed the title
| private readonly value: string | string[], | ||
| ) { | ||
| // Validate that value matches the valueType | ||
| if (valueType === CustomClaimValueType.STRING && typeof value !== 'string') { |
There was a problem hiding this comment.
Since value is an open string(s), lets do an initial validation to check if it is a token
| /** | ||
| * Custom claim match operator for Gateway JWT authorizers. | ||
| */ | ||
| export enum GatewayCustomClaimOperator { |
There was a problem hiding this comment.
To avoid this duplication of enums, I think is ok to have a single type called CustomClaimValueType and CustomClaimOperator and reuse both on the gatways and runtime. Just dont include that shared file in the index.ts so it wont be exposed as part of the public api
There was a problem hiding this comment.
That is fine for ClaimValueType, but the operator needs to be exposed since users can provide it, for instance:
agentcore.GatewayCustomClaim.withStringArrayValue('roles', ['admin'], agentcore.GatewayCustomClaimOperator.CONTAINS)
Should I re-export it from runtime and gateway ? Something like:
export { CustomClaimOperator as RuntimeCustomClaimOperator } from '../../common/types';
and under common/types:
/**
* Custom claim match operator.
* Shared by Runtime and Gateway custom claim implementations.
* @internal
*/
export enum CustomClaimOperator {
/** Equals operator - used for STRING type claims */
EQUALS = 'EQUALS',
/** Contains operator - used for STRING_ARRAY type claims. Checks if the claim array contains a specific string value. */
CONTAINS = 'CONTAINS',
/** ContainsAny operator - used for STRING_ARRAY type claims. Checks if the claim array contains any of the provided string values. */
CONTAINS_ANY = 'CONTAINS_ANY',
}
There was a problem hiding this comment.
What I dont like is the duplication part, so would it be a problem if we just keep a generic one? are we expecting them to differ at some point or do we have some knowledge at this time of some condition that justifies having an exact copy just with diff enum names?
There was a problem hiding this comment.
No, we can keep a generic one ! I will just need to export it publicly. So if I export the common/types file above, does that work ?
There was a problem hiding this comment.
btw, I think tthe re-export part will also be ok and will work, I just want to avoid potential JSII problems by doing that, but it seems safe, based on the initial research I did
There was a problem hiding this comment.
No, we can keep a generic one ! I will just need to export it publicly. So if I export the common/types file above, does that work ?
Yep, that works
There was a problem hiding this comment.
ok thanks ! I'll do the changes, that will also remove the re-export
aws-cdk-automation
removed
the
pr/needs-community-review
mergify
bot
dismissed
alvazjor’s stale review
Pull request has been modified.
aws-cdk-automation
added
the
pr/needs-community-review
3 participants
Issue # (if applicable)
Add support for allowed audience to runtime and gateway JWT authorizers
see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/inbound-jwt-authorizer.html, as well as https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-runtime-customjwtauthorizerconfiguration.html and https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-gateway-customjwtauthorizerconfiguration.html
Reason for this change
Coverage of missing features
Description of changes
Add missing properties to existing code
Describe any new or updated permissions being added
No changes in perms
Description of how you validated changes
Added unit tests
Updated an integ test
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license