Describe the feature
We want to deploy this pattern via CDK:
Consumer → Gateway (CUSTOM_JWT, Cognito OIDC) → HTTP Target → AgentCore Runtime
The boto3 API supports this (confirmed working, botocore 1.43+):
control.create_gateway_target(
gatewayIdentifier=gateway_id,
name="my-agent",
targetConfiguration={
"http": {"agentcoreRuntime": {"arn": "<runtime-arn>", "qualifier": "DEFAULT"}}
},
credentialProviderConfigurations=[
{"credentialProviderType": "JWT_PASSTHROUGH"}
],
)
We cannot find a way to achieve this with the CDK L2 (aws_cdk.aws_bedrockagentcore):
-
No add_http_target() / GatewayTarget.for_http()
- Only Lambda, MCP Server, OpenAPI, Smithy, API Gateway targets exist
-
No GatewayCredentialProvider.from_jwt_passthrough()
- Only from_iam_role(), from_oauth_identity(), from_api_key_identity() exist
-
Gateway L2 always emits ProtocolType: MCP, which causes:
"HTTP target configuration is not supported for gateways with MCP protocol type"
- Per docs (gateway-create-api.html): "If you omit this field, the gateway
can have both MCP and HTTP targets"
Similarly the CloudFormation L1 (AWS::BedrockAgentCore::GatewayTarget) rejects:
- "Http" in TargetConfigurationProperty (only "Mcp" accepted)
- "JWT_PASSTHROUGH" in CredentialProviderType enum
Is there a supported CDK/CloudFormation path for this use case that we're
missing? If not, please consider adding:
- gateway.add_http_target() for targetConfiguration.http.agentcoreRuntime
- GatewayCredentialProvider.from_jwt_passthrough()
- Option to omit ProtocolType (so gateway accepts both MCP + HTTP targets)
- CFN schema update: Http target type, JWT_PASSTHROUGH enum value
Use Case
To support IaC via CDK.
The AWS Console and botocre library supports this features.
Attaching a spike test script that shows how we can achieve this using botocre sdk.
spike_gateway_jwt_redacted.py
Proposed Solution
No response
Other Information
No response
Acknowledgements
AWS CDK Library version (aws-cdk-lib)
2.257.0
AWS CDK CLI version
2.1115.0
Environment details (OS name and version, etc.)
Mac
Describe the feature
We want to deploy this pattern via CDK:
Consumer → Gateway (CUSTOM_JWT, Cognito OIDC) → HTTP Target → AgentCore Runtime
The boto3 API supports this (confirmed working, botocore 1.43+):
We cannot find a way to achieve this with the CDK L2 (aws_cdk.aws_bedrockagentcore):
No add_http_target() / GatewayTarget.for_http()
No GatewayCredentialProvider.from_jwt_passthrough()
Gateway L2 always emits ProtocolType: MCP, which causes:
"HTTP target configuration is not supported for gateways with MCP protocol type"
can have both MCP and HTTP targets"
Similarly the CloudFormation L1 (AWS::BedrockAgentCore::GatewayTarget) rejects:
Is there a supported CDK/CloudFormation path for this use case that we're
missing? If not, please consider adding:
Use Case
To support IaC via CDK.
The AWS Console and botocre library supports this features.
Attaching a spike test script that shows how we can achieve this using botocre sdk.
spike_gateway_jwt_redacted.py
Proposed Solution
No response
Other Information
No response
Acknowledgements
AWS CDK Library version (aws-cdk-lib)
2.257.0
AWS CDK CLI version
2.1115.0
Environment details (OS name and version, etc.)
Mac