aws-cdk.aws-bedrock-agentcore-alpha 2.224.0a0__py3-none-any.whl → 2.229.1a0__py3-none-any.whl

{aws_cdk_aws_bedrock_agentcore_alpha-2.224.0a0.dist-info → aws_cdk_aws_bedrock_agentcore_alpha-2.229.1a0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: aws-cdk.aws-bedrock-agentcore-alpha
-Version: 2.224.0a0
+Version: 2.229.1a0
 Summary: The CDK Construct Library for Amazon Bedrock
 Home-page: https://github.com/aws/aws-cdk
 Author: Amazon Web Services
@@ -22,8 +22,8 @@ Requires-Python: ~=3.9
 Description-Content-Type: text/markdown
 License-File: LICENSE
 License-File: NOTICE
-Requires-Dist: aws-cdk-lib <3.0.0,>=2.224.0
-Requires-Dist: aws-cdk.aws-bedrock-alpha ==2.224.0.a0
+Requires-Dist: aws-cdk-lib <3.0.0,>=2.229.1
+Requires-Dist: aws-cdk.aws-bedrock-alpha ==2.229.1.a0
 Requires-Dist: constructs <11.0.0,>=10.0.0
 Requires-Dist: jsii <2.0.0,>=1.119.0
 Requires-Dist: publication >=0.0.3
@@ -53,6 +53,8 @@ Requires-Dist: typeguard <4.3.0,>=2.13.3
 
 This construct library facilitates the deployment of Bedrock AgentCore primitives, enabling you to create sophisticated AI applications that can interact with your systems and data sources.
 
+> **Note:** Users need to ensure their CDK deployment role has the `iam:CreateServiceLinkedRole` permission for AgentCore service-linked roles.
+
 ## Table of contents
 
 * [AgentCore Runtime](#agentcore-runtime)
@@ -78,12 +80,104 @@ This construct library facilitates the deployment of Bedrock AgentCore primitive
   * [Code Interpreter Network Modes](#code-interpreter-network-modes)
   * [Basic Code Interpreter Creation](#basic-code-interpreter-creation)
   * [Code Interpreter IAM permissions](#code-interpreter-iam-permissions)
+* [Gateway](#gateway)
+
+  * [Gateway Properties](#gateway-properties)
+  * [Basic Gateway Creation](#basic-gateway-creation)
+  * [Protocol configuration](#protocol-configuration)
+  * [Inbound authorization](#inbound-authorization)
+  * [Gateway with KMS Encryption](#gateway-with-kms-encryption)
+  * [Gateway with Custom Execution Role](#gateway-with-custom-execution-role)
+  * [Gateway IAM Permissions](#gateway-iam-permissions)
+* [Gateway Target](#gateway-target)
+
+  * [Gateway Target Properties](#gateway-target-properties)
+  * [Targets types](#targets-types)
+  * [Outbound auth](#outbound-auth)
+  * [Api schema](#api-schema-for-openapi-and-smithy-target)
+  * [Basic Gateway Target Creation](#basic-gateway-target-creation)
+
+    * [Using addTarget methods (Recommended)](#using-addtarget-methods-recommended)
+    * [Using static factory methods](#using-static-factory-methods)
+  * [Lambda Target with Tool Schema](#tools-schema-for-lambda-target)
+  * [Smithy Model Target with OAuth](#api-schema-for-openapi-and-smithy-target)
+  * [Gateway Target IAM Permissions](#gateway-target-iam-permissions)
 * [Memory](#memory)
 
   * [Memory properties](#memory-properties)
   * [Basic Memory Creation](#basic-memory-creation)
   * [LTM Memory Extraction Stategies](#ltm-memory-extraction-stategies)
   * [Memory Strategy Methods](#memory-strategy-methods)
+* [Amazon Bedrock AgentCore Construct Library](#amazon-bedrock-agentcore-construct-library)
+
+  * [Table of contents](#table-of-contents)
+  * [AgentCore Runtime](#agentcore-runtime)
+
+    * [Runtime Endpoints](#runtime-endpoints)
+    * [AgentCore Runtime Properties](#agentcore-runtime-properties)
+    * [Runtime Endpoint Properties](#runtime-endpoint-properties)
+    * [Creating a Runtime](#creating-a-runtime)
+
+      * [Option 1: Use an existing image in ECR](#option-1-use-an-existing-image-in-ecr)
+      * [Option 2: Use a local asset](#option-2-use-a-local-asset)
+      * [Option 3: Use direct code deployment](#option-3-use-direct-code-deployment)
+    * [Granting Permissions to Invoke Bedrock Models or Inference Profiles](#granting-permissions-to-invoke-bedrock-models-or-inference-profiles)
+    * [Runtime Versioning](#runtime-versioning)
+
+      * [Managing Endpoints and Versions](#managing-endpoints-and-versions)
+
+        * [Step 1: Initial Deployment](#step-1-initial-deployment)
+        * [Step 2: Creating Custom Endpoints](#step-2-creating-custom-endpoints)
+        * [Step 3: Runtime Update Deployment](#step-3-runtime-update-deployment)
+        * [Step 4: Testing with Staging Endpoints](#step-4-testing-with-staging-endpoints)
+        * [Step 5: Promoting to Production](#step-5-promoting-to-production)
+    * [Creating Standalone Runtime Endpoints](#creating-standalone-runtime-endpoints)
+
+      * [Example: Creating an endpoint for an existing runtime](#example-creating-an-endpoint-for-an-existing-runtime)
+    * [Runtime Authentication Configuration](#runtime-authentication-configuration)
+
+      * [IAM Authentication (Default)](#iam-authentication-default)
+      * [Cognito Authentication](#cognito-authentication)
+      * [JWT Authentication](#jwt-authentication)
+      * [OAuth Authentication](#oauth-authentication)
+      * [Using a Custom IAM Role](#using-a-custom-iam-role)
+    * [Runtime Network Configuration](#runtime-network-configuration)
+
+      * [Public Network Mode (Default)](#public-network-mode-default)
+      * [VPC Network Mode](#vpc-network-mode)
+      * [Managing Security Groups with VPC Configuration](#managing-security-groups-with-vpc-configuration)
+  * [Browser](#browser)
+
+    * [Browser Network modes](#browser-network-modes)
+    * [Browser Properties](#browser-properties)
+    * [Basic Browser Creation](#basic-browser-creation)
+    * [Browser with Tags](#browser-with-tags)
+    * [Browser with VPC](#browser-with-vpc)
+    * [Browser with Recording Configuration](#browser-with-recording-configuration)
+    * [Browser with Custom Execution Role](#browser-with-custom-execution-role)
+    * [Browser with S3 Recording and Permissions](#browser-with-s3-recording-and-permissions)
+    * [Browser IAM Permissions](#browser-iam-permissions)
+  * [Code Interpreter](#code-interpreter)
+
+    * [Code Interpreter Network Modes](#code-interpreter-network-modes)
+    * [Code Interpreter Properties](#code-interpreter-properties)
+    * [Basic Code Interpreter Creation](#basic-code-interpreter-creation)
+    * [Code Interpreter with VPC](#code-interpreter-with-vpc)
+    * [Code Interpreter with Sandbox Network Mode](#code-interpreter-with-sandbox-network-mode)
+    * [Code Interpreter with Custom Execution Role](#code-interpreter-with-custom-execution-role)
+    * [Code Interpreter IAM Permissions](#code-interpreter-iam-permissions)
+    * [Code interpreter with tags](#code-interpreter-with-tags)
+  * [Memory](#memory)
+
+    * [Memory Properties](#memory-properties)
+    * [Basic Memory Creation](#basic-memory-creation)
+    * [LTM Memory Extraction Stategies](#ltm-memory-extraction-stategies)
+    * [Memory with Built-in Strategies](#memory-with-built-in-strategies)
+    * [Memory with custom Strategies](#memory-with-custom-strategies)
+
+      * [Memory with Custom Execution Role](#memory-with-custom-execution-role)
+    * [Memory with self-managed Strategies](#memory-with-self-managed-strategies)
+    * [Memory Strategy Methods](#memory-strategy-methods)
 
 ## AgentCore Runtime
 
@@ -119,6 +213,8 @@ to production by simply updating the endpoint to point to the newer version.
 | `authorizerConfiguration` | `RuntimeAuthorizerConfiguration` | No | Authorizer configuration for the agent runtime. Use `RuntimeAuthorizerConfiguration` static methods to create configurations for IAM, Cognito, JWT, or OAuth authentication |
 | `environmentVariables` | `{ [key: string]: string }` | No | Environment variables for the agent runtime. Maximum 50 environment variables |
 | `tags` | `{ [key: string]: string }` | No | Tags for the agent runtime. A list of key:value pairs of tags to apply to this Runtime resource |
+| `lifecycleConfiguration` | LifecycleConfiguration | No | The life cycle configuration for the AgentCore Runtime. Defaults to 900 seconds (15 minutes) for idle, 28800 seconds (8 hours) for max life time |
+| `requestHeaderConfiguration` | RequestHeaderConfiguration | No | Configuration for HTTP request headers that will be passed through to the runtime. Defaults to no configuration |
 
 ### Runtime Endpoint Properties
 
@@ -151,28 +247,11 @@ runtime = agentcore.Runtime(self, "MyAgentRuntime",
 )
 ```
 
-To grant the runtime permission to invoke a Bedrock model or inference profile:
-
-```python
-# Note: This example uses @aws-cdk/aws-bedrock-alpha which must be installed separately
-# runtime: agentcore.Runtime
-
-
-# Create a cross-region inference profile for Claude 3.7 Sonnet
-inference_profile = bedrock.CrossRegionInferenceProfile.from_config(
-    geo_region=bedrock.CrossRegionInferenceProfileRegion.US,
-    model=bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_7_SONNET_V1_0
-)
-
-# Grant the runtime permission to invoke the inference profile
-inference_profile.grant_invoke(runtime)
-```
-
 #### Option 2: Use a local asset
 
 Reference a local directory containing a Dockerfile.
 Images are built from a local Docker context directory (with a Dockerfile), uploaded to Amazon Elastic Container Registry (ECR)
-by the CDK toolkit,and can be naturally referenced in your CDK app .
+by the CDK toolkit,and can be naturally referenced in your CDK app.
 
 ```python
 agent_runtime_artifact = agentcore.AgentRuntimeArtifact.from_asset(
@@ -184,6 +263,61 @@ runtime = agentcore.Runtime(self, "MyAgentRuntime",
 )
 ```
 
+#### Option 3: Use direct code deployment
+
+With the container deployment method, developers create a Dockerfile, build ARM-compatible containers, manage ECR repositories, and upload containers for code changes. This works well where container DevOps pipelines have already been established to automate deployments.
+
+However, customers looking for fully managed deployments can benefit from direct code deployment, which can significantly improve developer time and productivity. Direct code deployment provides a secure and scalable path forward for rapid prototyping agent capabilities to deploying production workloads at scale.
+
+With direct code deployment, developers create a zip archive of code and dependencies, upload to Amazon S3, and configure the bucket in the agent configuration. A ZIP archive containing Linux arm64 dependencies needs to be uploaded to S3 as a pre-requisite to Create Agent Runtime.
+
+For more information, please refer to the [documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-get-started-code-deploy.html).
+
+```python
+# S3 bucket containing the agent core
+code_bucket = s3.Bucket(self, "AgentCode",
+    bucket_name="my-code-bucket",
+    removal_policy=RemovalPolicy.DESTROY
+)
+
+# the bucket above needs to contain the agent code
+
+agent_runtime_artifact = agentcore.AgentRuntimeArtifact.from_s3(s3.Location(
+    bucket_name=code_bucket.bucket_name,
+    object_key="deployment_package.zip"
+), agentcore.AgentCoreRuntime.PYTHON_3_12, ["opentelemetry-instrument", "main.py"])
+
+runtime_instance = agentcore.Runtime(self, "MyAgentRuntime",
+    runtime_name="myAgent",
+    agent_runtime_artifact=agent_runtime_artifact
+)
+```
+
+### Granting Permissions to Invoke Bedrock Models or Inference Profiles
+
+To grant the runtime permissions to invoke Bedrock models or inference profiles:
+
+```python
+# Note: This example uses @aws-cdk/aws-bedrock-alpha which must be installed separately
+# runtime: agentcore.Runtime
+
+
+# Define the Bedrock Foundation Model
+model = bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_7_SONNET_V1_0
+
+# Grant the runtime permissions to invoke the model
+model.grant_invoke(runtime)
+
+# Create a cross-region inference profile for Claude 3.7 Sonnet
+inference_profile = bedrock.CrossRegionInferenceProfile.from_config(
+    geo_region=bedrock.CrossRegionInferenceProfileRegion.US,
+    model=bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_7_SONNET_V1_0
+)
+
+# Grant the runtime permissions to invoke the inference profile
+inference_profile.grant_invoke(runtime)
+```
+
 ### Runtime Versioning
 
 Amazon Bedrock AgentCore automatically manages runtime versioning to ensure safe deployments and rollback capabilities.
@@ -479,6 +613,58 @@ runtime.connections.allow_to(database_security_group, ec2.Port.tcp(5432), "Allow
 runtime.connections.allow_to_any_ipv4(ec2.Port.tcp(443), "Allow HTTPS outbound")
 ```
 
+### Other configuration
+
+#### Lifecycle configuration
+
+The LifecycleConfiguration input parameter to CreateAgentRuntime lets you manage the lifecycle of runtime sessions and resources in Amazon Bedrock AgentCore Runtime. This configuration helps optimize resource utilization by automatically cleaning up idle sessions and preventing long-running instances from consuming resources indefinitely.
+
+You can configure:
+
+* idleRuntimeSessionTimeout: Timeout in seconds for idle runtime sessions. When a session remains idle for this duration, it will trigger termination. Termination can last up to 15 seconds due to logging and other process completion. Default: 900 seconds (15 minutes)
+* maxLifetime: Maximum lifetime for the instance in seconds. Once reached, instances will initialize termination. Termination can last up to 15 seconds due to logging and other process completion. Default: 28800 seconds (8 hours)
+
+For additional information, please refer to the [documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-lifecycle-settings.html).
+
+```python
+repository = ecr.Repository(self, "TestRepository",
+    repository_name="test-agent-runtime"
+)
+
+agent_runtime_artifact = agentcore.AgentRuntimeArtifact.from_ecr_repository(repository, "v1.0.0")
+
+agentcore.Runtime(self, "test-runtime",
+    runtime_name="test_runtime",
+    agent_runtime_artifact=agent_runtime_artifact,
+    lifecycle_configuration=agentcore.LifecycleConfiguration(
+        idle_runtime_session_timeout=Duration.minutes(10),
+        max_lifetime=Duration.hours(4)
+    )
+)
+```
+
+#### Request header configuration
+
+Custom headers let you pass contextual information from your application directly to your agent code without cluttering the main request payload. This includes authentication tokens like JWT (JSON Web Tokens, which contain user identity and authorization claims) through the Authorization header, allowing your agent to make decisions based on who is calling it. You can also pass custom metadata like user preferences, session identifiers, or trace context using headers prefixed with X-Amzn-Bedrock-AgentCore-Runtime-Custom-, giving your agent access to up to 20 pieces of runtime context that travel alongside each request. This information can be also used in downstream systems like AgentCore Memory that you can namespace based on those characteristics like user_id or aud in claims like line of business.
+
+For additional information, please refer to the [documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-header-allowlist.html).
+
+```python
+repository = ecr.Repository(self, "TestRepository",
+    repository_name="test-agent-runtime"
+)
+
+agent_runtime_artifact = agentcore.AgentRuntimeArtifact.from_ecr_repository(repository, "v1.0.0")
+
+agentcore.Runtime(self, "test-runtime",
+    runtime_name="test_runtime",
+    agent_runtime_artifact=agent_runtime_artifact,
+    request_header_configuration=agentcore.RequestHeaderConfiguration(
+        allowlisted_headers=["X-Amzn-Bedrock-AgentCore-Runtime-Custom-H1"]
+    )
+)
+```
+
 ## Browser
 
 The Amazon Bedrock AgentCore Browser provides a secure, cloud-based browser that enables AI agents to interact with websites. It includes security features such as session isolation, built-in observability through live viewing, CloudTrail logging, and session replay capabilities.
@@ -518,6 +704,7 @@ For more information on VPC connectivity for Amazon Bedrock AgentCore Browser, p
 | `recordingConfig` | `RecordingConfig` | No | Recording configuration for browser. Defaults to no recording |
 | `executionRole` | `iam.IRole` | No | The IAM role that provides permissions for the browser to access AWS services. A new role will be created if not provided |
 | `tags` | `{ [key: string]: string }` | No | Tags to apply to the browser resource |
+| `browserSigning` | BrowserSigning | No | Browser signing configuration. Defaults to DISABLED |
 
 ### Basic Browser Creation
 
@@ -641,6 +828,21 @@ browser = agentcore.BrowserCustom(self, "MyBrowser",
 )
 ```
 
+### Browser with Browser signing
+
+AI agents need to browse the web on your behalf. When your agent visits a website to gather information, complete a form, or verify data, it encounters the same defenses designed to stop unwanted bots: CAPTCHAs, rate limits, and outright blocks.
+
+Amazon Bedrock AgentCore Browser supports Web Bot Auth. Web Bot Auth is a draft IETF protocol that gives agents verifiable cryptographic identities. When you enable Web Bot Auth in AgentCore Browser, the service issues cryptographic credentials that websites can verify. The agent presents these credentials with every request. The WAF may now additionally check the signature, confirm it matches a trusted directory, and allow the request through if verified bots are allowed by the domain owner and other WAF checks are clear.
+
+To enable the browser to sign requests using the Web Bot Auth protocol, create a browser tool with the browserSigning configuration:
+
+```python
+browser = agentcore.BrowserCustom(self, "test-browser",
+    browser_custom_name="test_browser",
+    browser_signing=agentcore.BrowserSigning.ENABLED
+)
+```
+
 ### Browser IAM Permissions
 
 The Browser construct provides convenient methods for granting IAM permissions:
@@ -822,6 +1024,761 @@ code_interpreter = agentcore.CodeInterpreterCustom(self, "MyCodeInterpreter",
 )
 ```
 
+## Gateway
+
+The Gateway construct provides a way to create Amazon Bedrock Agent Core Gateways, which serve as integration points between agents and external services.
+
+### Gateway Properties
+
+| Name | Type | Required | Description |
+|------|------|----------|-------------|
+| `gatewayName` | `string` | Yes | The name of the gateway. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen). Maximum 100 characters |
+| `description` | `string` | No | Optional description for the gateway. Maximum 200 characters |
+| `protocolConfiguration` | `IGatewayProtocolConfig` | No | The protocol configuration for the gateway. Defaults to MCP protocol |
+| `authorizerConfiguration` | `IGatewayAuthorizerConfig` | No | The authorizer configuration for the gateway. Defaults to Cognito |
+| `exceptionLevel` | `GatewayExceptionLevel` | No | The verbosity of exception messages. Use DEBUG mode to see granular exception messages |
+| `kmsKey` | `kms.IKey` | No | The AWS KMS key used to encrypt data associated with the gateway |
+| `role` | `iam.IRole` | No | The IAM role that provides permissions for the gateway to access AWS services. A new role will be created if not provided |
+| `tags` | `{ [key: string]: string }` | No | Tags for the gateway. A list of key:value pairs of tags to apply to this Gateway resource |
+
+### Basic Gateway Creation
+
+The protocol configuration defaults to MCP and the inbound auth configuration uses Cognito (it is automatically created on your behalf).
+
+```python
+# Create a basic gateway with default MCP protocol and Cognito authorizer
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+```
+
+### Protocol configuration
+
+Currently MCP is the only protocol available. To configure it, use the `protocol` property with `McpProtocolConfiguration`:
+
+* Instructions: Guidance for how to use the gateway with your tools
+* Semantic search: Smart tool discovery that finds the right tools without typical limits. It improves accuracy by finding relevant tools based on context
+* Supported versions: Which MCP protocol versions the gateway can use
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway",
+    protocol_configuration=agentcore.McpProtocolConfiguration(
+        instructions="Use this gateway to connect to external MCP tools",
+        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
+        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
+    )
+)
+```
+
+### Inbound authorization
+
+Before you create your gateway, you must set up inbound authorization. Inbound authorization validates users who attempt to access targets through
+your AgentCore gateway. By default, if not provided, the construct will create and configure Cognito as the default identity provider
+(inbound Auth setup). AgentCore supports the following types of inbound authorization:
+
+**JSON Web Token (JWT)** – A secure and compact token used for authorization. After creating the JWT, you specify it as the authorization
+configuration when you create the gateway. You can create a JWT with any of the identity providers at Provider setup and configuration.
+
+You can configure a custom authorization provider using the `inboundAuthorizer` property with `GatewayAuthorizer.usingCustomJwt()`.
+You need to specify an OAuth discovery server and client IDs/audiences when you create the gateway. You can specify the following:
+
+* Discovery Url — String that must match the pattern ^.+/.well-known/openid-configuration$ for OpenID Connect discovery URLs
+* At least one of the below options depending on the chosen identity provider.
+* Allowed audiences — List of allowed audiences for JWT tokens
+* Allowed clients — List of allowed client identifiers
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway",
+    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
+        discovery_url="https://auth.example.com/.well-known/openid-configuration",
+        allowed_audience=["my-app"],
+        allowed_clients=["my-client-id"]
+    )
+)
+```
+
+**IAM** – Authorizes through the credentials of the AWS IAM identity trying to access the gateway.
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway",
+    authorizer_configuration=agentcore.GatewayAuthorizer.using_aws_iam()
+)
+
+# Grant access to a Lambda function's role
+lambda_role = iam.Role(self, "LambdaRole",
+    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
+)
+
+# The Lambda needs permission to invoke the gateway
+gateway.grant_invoke(lambda_role)
+```
+
+### Gateway with KMS Encryption
+
+You can provide a KMS key, and configure the authorizer as well as the protocol configuration.
+
+```python
+# Create a KMS key for encryption
+encryption_key = kms.Key(self, "GatewayEncryptionKey",
+    enable_key_rotation=True,
+    description="KMS key for gateway encryption"
+)
+
+# Create gateway with KMS encryption
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-encrypted-gateway",
+    description="Gateway with KMS encryption",
+    protocol_configuration=agentcore.McpProtocolConfiguration(
+        instructions="Use this gateway to connect to external MCP tools",
+        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
+        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
+    ),
+    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
+        discovery_url="https://auth.example.com/.well-known/openid-configuration",
+        allowed_audience=["my-app"],
+        allowed_clients=["my-client-id"]
+    ),
+    kms_key=encryption_key,
+    exception_level=agentcore.GatewayExceptionLevel.DEBUG
+)
+```
+
+### Gateway with Custom Execution Role
+
+```python
+# Create a custom execution role
+execution_role = iam.Role(self, "GatewayExecutionRole",
+    assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
+    managed_policies=[
+        iam.ManagedPolicy.from_aws_managed_policy_name("AmazonBedrockAgentCoreGatewayExecutionRolePolicy")
+    ]
+)
+
+# Create gateway with custom execution role
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway",
+    description="Gateway with custom execution role",
+    protocol_configuration=agentcore.McpProtocolConfiguration(
+        instructions="Use this gateway to connect to external MCP tools",
+        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
+        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
+    ),
+    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
+        discovery_url="https://auth.example.com/.well-known/openid-configuration",
+        allowed_audience=["my-app"],
+        allowed_clients=["my-client-id"]
+    ),
+    role=execution_role
+)
+```
+
+### Gateway IAM Permissions
+
+The Gateway construct provides convenient methods for granting IAM permissions:
+
+```python
+# Create a gateway
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway",
+    description="Gateway for external service integration",
+    protocol_configuration=agentcore.McpProtocolConfiguration(
+        instructions="Use this gateway to connect to external MCP tools",
+        search_type=agentcore.McpGatewaySearchType.SEMANTIC,
+        supported_versions=[agentcore.MCPProtocolVersion.MCP_2025_03_26]
+    ),
+    authorizer_configuration=agentcore.GatewayAuthorizer.using_custom_jwt(
+        discovery_url="https://auth.example.com/.well-known/openid-configuration",
+        allowed_audience=["my-app"],
+        allowed_clients=["my-client-id"]
+    )
+)
+
+# Create a role that needs access to the gateway
+user_role = iam.Role(self, "UserRole",
+    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
+)
+
+# Grant read permissions (Get and List actions)
+gateway.grant_read(user_role)
+
+# Grant manage permissions (Create, Update, Delete actions)
+gateway.grant_manage(user_role)
+
+# Grant specific custom permissions
+gateway.grant(user_role, "bedrock-agentcore:GetGateway")
+```
+
+## Gateway Target
+
+After Creating gateways, you can add targets which define the tools that your gateway will host. Gateway supports multiple target
+types including Lambda functions and API specifications (either OpenAPI schemas or Smithy models). Gateway allows you to attach multiple
+targets to a Gateway and you can change the targets / tools attached to a gateway at any point. Each target can have its own
+credential provider attached enabling you to securely access targets whether they need IAM, API Key, or OAuth credentials.
+
+### Gateway Target Properties
+
+| Name | Type | Required | Description |
+|------|------|----------|-------------|
+| `gatewayTargetName` | `string` | Yes | The name of the gateway target. Valid characters are a-z, A-Z, 0-9, _ (underscore) and - (hyphen) |
+| `description` | `string` | No | Optional description for the gateway target. Maximum 200 characters |
+| `gateway` | `IGateway` | Yes | The gateway this target belongs to |
+| `targetConfiguration` | `ITargetConfiguration` | Yes | The target configuration (Lambda, OpenAPI, or Smithy). **Note:** Users typically don't create this directly. When using convenience methods like `GatewayTarget.forLambda()`, `GatewayTarget.forOpenApi()`, `GatewayTarget.forSmithy()` or the gateway's `addLambdaTarget()`, `addOpenApiTarget()`, `addSmithyTarget()` methods, this configuration is created internally for you. Only needed when using the GatewayTarget constructor directly for [advanced scenarios](#advanced-usage-direct-configuration-for-gateway-target). |
+| `credentialProviderConfigurations` | `IGatewayCredentialProvider[]` | No | Credential providers for authentication. Defaults to `[GatewayCredentialProvider.fromIamRole()]`. Use `GatewayCredentialProvider.fromApiKeyIdentityArn()`, `GatewayCredentialProvider.fromOauthIdentityArn()`, or `GatewayCredentialProvider.fromIamRole()` |
+| `validateOpenApiSchema` | `boolean` | No | (OpenAPI targets only) Whether to validate the OpenAPI schema at synthesis time. Defaults to `true`. Only applies to inline and local asset schemas. For more information refer here [https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-schema-openapi.html](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-schema-openapi.html) |
+
+This approach gives you full control over the configuration but is typically not necessary for most use cases.
+
+### Targets types
+
+You can create the following targets types:
+
+**Lambda Target**: Lambda targets allow you to connect your gateway to AWS Lambda functions that implement your tools. This is useful
+when you want to execute custom code in response to tool invocations.
+
+* Supports GATEWAY_IAM_ROLE credential provider only
+* Ideal for custom serverless function integration
+* Need tool schema (tool schema is a blueprint that describes the functions your Lambda provides to AI agents).
+  The construct provide [3 ways to upload a tool schema to Lambda target](#tools-schema-for-lambda-target)
+* When using the default IAM authentication (no `credentialProviderConfigurations` specified),
+  the construct automatocally grants the gateway role permission to invoke your Lambda function (`lambda:InvokeFunction`).
+
+**OpenAPI Schema Target** : OpenAPI widely used standard for describing RESTful APIs. Gateway supports OpenAPI 3.0
+specifications for defining API targets. It connects to REST APIs using OpenAPI specifications
+
+* Supports OAUTH and API_KEY credential providers (Do not support IAM, you must provide `credentialProviderConfigurations`)
+* Ideal for integrating with external REST services
+* Need API schema. The construct provide [3 ways to upload a API schema to OpenAPI target](#api-schema-for-openapi-and-smithy-target)
+
+**Smithy Model Target** : Smithy is a language for defining services and software development kits (SDKs). Smithy models provide
+a more structured approach to defining APIs compared to OpenAPI, and are particularly useful for connecting to AWS services.
+AgentCore Gateway supports built-in AWS service models only. It connects to services using Smithy model definitions
+
+* Supports OAUTH and API_KEY credential providers
+* Ideal for AWS service integrations
+* Need API schema. The construct provide 3 ways to upload a API schema to Smity target
+* When using the default IAM authentication (no `credentialProviderConfigurations` specified), The construct only
+  grants permission to read the Smithy schema file from S3. You MUST manually grant permissions for the gateway
+  role to invoke the actual Smithy API endpoints
+
+> Note: For Smithy model targets that access AWS services, your Gateway's execution role needs permissions to access those services.
+> For example, for a DynamoDB target, your execution role needs permissions to perform DynamoDB operations.
+> This is not managed by the construct due to the large number of options. Please refer to
+> [Smithy Model Permission](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-prerequisites-permissions.html) for example.
+
+**MCP Server Target**: Model Context Protocol (MCP) servers provide external tools, data access, and custom functions for AI agents.
+MCP servers enable agents to interact with external systems and services through a standardized protocol. Gateway automatically
+discovers and indexes available tools from MCP servers through synchronization.
+
+**Key Features:**
+
+* Requires explicit authentication configuration (OAuth2 recommended, empty array for NoAuth)
+* Ideal for connecting to external MCP-compliant servers
+* The endpoint must use HTTPS protocol
+* Supported MCP protocol versions: 2025-06-18, 2025-03-26
+* Automatic tool discovery through synchronization
+
+**Synchronization Behavior:**
+
+MCP Server targets require synchronization to discover and index available tools:
+
+* **Implicit Synchronization (Automatic)**: Tool discovery happens automatically during:
+
+  * Target creation (`CreateGatewayTarget`)
+  * Target updates (`UpdateGatewayTarget`)
+  * The Gateway calls the MCP server's `tools/list` endpoint and indexes tools without user intervention
+* **Explicit Synchronization (Manual)**: When the MCP server's tools change independently (new tools added, schemas modified, tools removed):
+
+  * The Gateway's tool catalog becomes stale
+  * Call the `SynchronizeGatewayTargets` API to refresh the catalog
+  * Use the `grantSync()` method to grant permissions to Lambda functions, CI/CD pipelines, or scheduled tasks that will trigger synchronization
+
+**Authentication & Permissions:**
+
+When using OAuth2, the Gateway service role automatically receives:
+
+* `bedrock-agentcore:GetWorkloadAccessToken`
+* `bedrock-agentcore:GetResourceOauth2Token`
+* `secretsmanager:GetSecretValue`
+* KMS decrypt (if secrets are encrypted)
+
+For explicit synchronization, use `grantSync()` to grant `bedrock-agentcore:SynchronizeGatewayTargets` permission to your operator roles.
+
+> For more information, refer to the [MCP Server Target documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-target-MCPservers.html).
+
+### Understanding Tool Naming
+
+When tools are exposed through gateway targets, AgentCore Gateway prefixes each tool name with the target name to ensure uniqueness across multiple targets. This is important to understand when building your application logic.
+
+**Naming Pattern:**
+
+**Example:**
+
+If your target is named `my-lambda-target` and provides a tool called `calculate_price`, agents will discover and invoke it as `my-lambda-target__calculate_price`.
+
+**Important Considerations:**
+
+* **For Lambda Targets**: Your Lambda handler must strip the target name prefix before processing the tool request. The full tool name (with prefix) is sent in the event.
+* **For MCP Server Targets**: The MCP server receives tool calls with the prefixed name from the gateway.
+* **For OpenAPI/Smithy Targets**: The gateway handles the prefix automatically when mapping to API operations based on the `operationId`.
+
+This naming convention ensures that:
+
+* Tools from different targets don't collide even if they have the same name
+* Agents can access tools from multiple targets through a single gateway
+* Tool names remain unique in the unified tool catalog
+
+For more details, see the [Gateway Tool Naming Documentation](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway-tool-naming.html).
+
+### Tools schema For Lambda target
+
+The lambda target need tools schema to understand the fuunction lambda provides. You can upload the tool schema by following 3 ways:
+
+* From a local asset file
+
+```python
+tool_schema = agentcore.ToolSchema.from_local_asset(
+    path.join(__dirname, "schemas", "my-tool-schema.json"))
+```
+
+* From an existing S3 file:
+
+```python
+tool_schema = agentcore.ToolSchema.from_s3_file(
+    s3.Bucket.from_bucket_name(self, "SchemasBucket", "my-schemas-bucket"), "tools/complex-tool-schema.json", "123456789012")
+```
+
+* From Inline:
+
+```python
+tool_schema = agentcore.ToolSchema.from_inline([
+    name="hello_world",
+    description="A simple hello world tool",
+    input_schema=agentcore.SchemaDefinition(
+        type=agentcore.SchemaDefinitionType.OBJECT,
+        properties={
+            "name": agentcore.SchemaDefinition(
+                type=agentcore.SchemaDefinitionType.STRING,
+                description="The name to greet"
+            )
+        },
+        required=["name"]
+    )
+])
+```
+
+### Api schema For OpenAPI and Smithy target
+
+The OpenAPI and Smithy target need API Schema. The Gateway construct provide three ways to upload API schema for your target:
+
+* From a local asset file (requires binding to scope):
+
+```python
+# When using ApiSchema.fromLocalAsset, you must bind the schema to a scope
+schema = agentcore.ApiSchema.from_local_asset(path.join(__dirname, "mySchema.yml"))
+
+schema.bind(self)
+```
+
+* From an inline schema:
+
+```python
+inline_schema = agentcore.ApiSchema.from_inline("""
+    openapi: 3.0.3
+    info:
+      title: Library API
+      version: 1.0.0
+    paths:
+      /search:
+        get:
+          summary: Search for books
+          operationId: searchBooks
+          parameters:
+            - name: query
+              in: query
+              required: true
+              schema:
+                type: string
+    """)
+```
+
+* From an existing S3 file:
+
+```python
+bucket = s3.Bucket.from_bucket_name(self, "ExistingBucket", "my-schema-bucket")
+s3_schema = agentcore.ApiSchema.from_s3_file(bucket, "schemas/action-group.yaml")
+```
+
+### Outbound auth
+
+Outbound authorization lets Amazon Bedrock AgentCore gateways securely access gateway targets on behalf of users authenticated
+and authorized during Inbound Auth.
+
+AgentCore Gateway supports the following types of outbound authorization:
+
+**IAM-based outbound authorization** – The gateway uses its execution role to authenticate with AWS services. This is the default
+and most common approach for Lambda targets and AWS service integrations.
+
+**2-legged OAuth (OAuth 2LO)** – Use OAuth 2.0 two-legged flow (2LO) for targets that require OAuth authentication.
+The gateway authenticates on its own behalf, not on behalf of a user.
+
+**API key** – Use the AgentCore service/AWS console to generate an API key to authenticate access to the gateway target.
+
+**Note > You need to set up the outbound identity before you can create a gateway target.
+
+### Basic Gateway Target Creation
+
+You can create targets in two ways: using the static factory methods on `GatewayTarget` or using the convenient `addTarget` methods on the gateway instance.
+
+#### Using addTarget methods (Recommended)
+
+Below are the examples on how you can create Lambda , Smity and OpenAPI target using `addTarget` method.
+
+```python
+# Create a gateway first
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+lambda_function = lambda_.Function(self, "MyFunction",
+    runtime=lambda_.Runtime.NODEJS_22_X,
+    handler="index.handler",
+    code=lambda_.Code.from_inline("""
+            exports.handler = async (event) => {
+              return {
+                statusCode: 200,
+                body: JSON.stringify({ message: 'Hello from Lambda!' })
+              };
+            };
+          """)
+)
+
+lambda_target = gateway.add_lambda_target("MyLambdaTarget",
+    gateway_target_name="my-lambda-target",
+    description="Lambda function target",
+    lambda_function=lambda_function,
+    tool_schema=agentcore.ToolSchema.from_inline([
+        name="hello_world",
+        description="A simple hello world tool",
+        input_schema=agentcore.SchemaDefinition(
+            type=agentcore.SchemaDefinitionType.OBJECT,
+            properties={
+                "name": agentcore.SchemaDefinition(
+                    type=agentcore.SchemaDefinitionType.STRING,
+                    description="The name to greet"
+                )
+            },
+            required=["name"]
+        )
+
+    ])
+)
+```
+
+* OpenAPI Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+# These ARNs are returned when creating the API key credential provider via Console or API
+api_key_provider_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/apikeycredentialprovider/my-apikey"
+api_key_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-apikey-secret-abc123"
+
+bucket = s3.Bucket.from_bucket_name(self, "ExistingBucket", "my-schema-bucket")
+s3my_schema = agentcore.ApiSchema.from_s3_file(bucket, "schemas/myschema.yaml")
+
+# Add an OpenAPI target directly to the gateway
+target = gateway.add_open_api_target("MyTarget",
+    gateway_target_name="my-api-target",
+    description="Target for external API integration",
+    api_schema=s3my_schema,
+    credential_provider_configurations=[
+        agentcore.GatewayCredentialProvider.from_api_key_identity_arn(
+            provider_arn=api_key_provider_arn,
+            secret_arn=api_key_secret_arn,
+            credential_location=agentcore.ApiKeyCredentialLocation.header(
+                credential_parameter_name="X-API-Key"
+            )
+        )
+    ]
+)
+
+# This make sure your s3 bucket is available before target
+target.node.add_dependency(bucket)
+```
+
+* Smithy Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+smithy_schema = agentcore.ApiSchema.from_local_asset(
+    path.join(__dirname, "models", "smithy-model.json"))
+smithy_schema.bind(self)
+
+smithy_target = gateway.add_smithy_target("MySmithyTarget",
+    gateway_target_name="my-smithy-target",
+    description="Smithy model target",
+    smithy_model=smithy_schema
+)
+```
+
+* MCP Server Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+# OAuth2 authentication (recommended)
+# Note: Create the OAuth provider using AWS console or Identity L2 construct when available
+oauth_provider_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth"
+oauth_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123"
+
+# Add an MCP server target directly to the gateway
+mcp_target = gateway.add_mcp_server_target("MyMcpServer",
+    gateway_target_name="my-mcp-server",
+    description="External MCP server integration",
+    endpoint="https://my-mcp-server.example.com",
+    credential_provider_configurations=[
+        agentcore.GatewayCredentialProvider.from_oauth_identity_arn(
+            provider_arn=oauth_provider_arn,
+            secret_arn=oauth_secret_arn,
+            scopes=["mcp-runtime-server/invoke"]
+        )
+    ]
+)
+
+# Grant sync permission to a Lambda function that will trigger synchronization
+sync_function = lambda_.Function(self, "SyncFunction",
+    runtime=lambda_.Runtime.PYTHON_3_12,
+    handler="index.handler",
+    code=lambda_.Code.from_inline("""
+        import boto3
+
+        def handler(event, context):
+            client = boto3.client('bedrock-agentcore')
+            response = client.synchronize_gateway_targets(
+                gatewayIdentifier=event['gatewayId'],
+                targetIds=[event['targetId']]
+            )
+            return response
+          """)
+)
+
+mcp_target.grant_sync(sync_function)
+```
+
+#### Using static factory methods
+
+Create Gateway target using static convienence method.
+
+* Lambda Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+lambda_function = lambda_.Function(self, "MyFunction",
+    runtime=lambda_.Runtime.NODEJS_22_X,
+    handler="index.handler",
+    code=lambda_.Code.from_inline("""
+                exports.handler = async (event) => {
+                    return {
+                        statusCode: 200,
+                        body: JSON.stringify({ message: 'Hello from Lambda!' })
+                    };
+                };
+            """)
+)
+
+# Create a gateway target with Lambda and tool schema
+target = agentcore.GatewayTarget.for_lambda(self, "MyLambdaTarget",
+    gateway_target_name="my-lambda-target",
+    description="Target for Lambda function integration",
+    gateway=gateway,
+    lambda_function=lambda_function,
+    tool_schema=agentcore.ToolSchema.from_local_asset(
+        path.join(__dirname, "schemas", "my-tool-schema.json"))
+)
+```
+
+* OpenAPI Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+# outbound auth (Use AWS console to create it, Once Identity L2 construct is available you can use it to create identity)
+api_key_identity_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/apikeycredentialprovider/my-apikey"
+api_key_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-apikey-secret-abc123"
+
+opneapi_schema = agentcore.ApiSchema.from_local_asset(path.join(__dirname, "mySchema.yml"))
+opneapi_schema.bind(self)
+
+# Create a gateway target with OpenAPI Schema
+target = agentcore.GatewayTarget.for_open_api(self, "MyTarget",
+    gateway_target_name="my-api-target",
+    description="Target for external API integration",
+    gateway=gateway,  # Note: you need to pass the gateway reference
+    api_schema=opneapi_schema,
+    credential_provider_configurations=[
+        agentcore.GatewayCredentialProvider.from_api_key_identity_arn(
+            provider_arn=api_key_identity_arn,
+            secret_arn=api_key_secret_arn
+        )
+    ]
+)
+```
+
+* Smithy Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+smithy_schema = agentcore.ApiSchema.from_local_asset(
+    path.join(__dirname, "models", "smithy-model.json"))
+smithy_schema.bind(self)
+
+# Create a gateway target with Smithy Model and OAuth
+target = agentcore.GatewayTarget.for_smithy(self, "MySmithyTarget",
+    gateway_target_name="my-smithy-target",
+    description="Target for Smithy model integration",
+    gateway=gateway,
+    smithy_model=smithy_schema
+)
+```
+
+* MCP Server Target
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+# OAuth2 authentication (recommended)
+# Note: Create the OAuth provider using AWS console or Identity L2 construct when available
+oauth_provider_arn = "arn:aws:bedrock-agentcore:us-east-1:123456789012:token-vault/abc123/oauth2credentialprovider/my-oauth"
+oauth_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:my-oauth-secret-abc123"
+
+# Create a gateway target with MCP Server
+mcp_target = agentcore.GatewayTarget.for_mcp_server(self, "MyMcpServer",
+    gateway_target_name="my-mcp-server",
+    description="External MCP server integration",
+    gateway=gateway,
+    endpoint="https://my-mcp-server.example.com",
+    credential_provider_configurations=[
+        agentcore.GatewayCredentialProvider.from_oauth_identity_arn(
+            provider_arn=oauth_provider_arn,
+            secret_arn=oauth_secret_arn,
+            scopes=["mcp-runtime-server/invoke"]
+        )
+    ]
+)
+```
+
+### Advanced Usage: Direct Configuration for gateway target
+
+For advanced use cases where you need full control over the target configuration, you can create configurations manually using the static factory methods and use the GatewayTarget constructor directly.
+
+#### Configuration Factory Methods
+
+Each target type has a corresponding configuration class with a static `create()` method:
+
+* **Lambda**: `LambdaTargetConfiguration.create(lambdaFunction, toolSchema)`
+* **OpenAPI**: `OpenApiTargetConfiguration.create(apiSchema, validateSchema?)`
+* **Smithy**: `SmithyTargetConfiguration.create(smithyModel)`
+
+#### Example: Lambda Target with Custom Configuration
+
+```python
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+my_lambda_function = lambda_.Function(self, "MyFunction",
+    runtime=lambda_.Runtime.NODEJS_22_X,
+    handler="index.handler",
+    code=lambda_.Code.from_inline("""
+            exports.handler = async (event) => ({ statusCode: 200 });
+          """)
+)
+
+my_tool_schema = agentcore.ToolSchema.from_inline([
+    name="my_tool",
+    description="My custom tool",
+    input_schema=agentcore.SchemaDefinition(
+        type=agentcore.SchemaDefinitionType.OBJECT,
+        properties={}
+    )
+])
+
+# Create a custom Lambda configuration
+custom_config = agentcore.LambdaTargetConfiguration.create(my_lambda_function, my_tool_schema)
+
+# Use the GatewayTarget constructor directly
+target = agentcore.GatewayTarget(self, "AdvancedTarget",
+    gateway=gateway,
+    gateway_target_name="advanced-target",
+    target_configuration=custom_config,  # Manually created configuration
+    credential_provider_configurations=[
+        agentcore.GatewayCredentialProvider.from_iam_role()
+    ]
+)
+```
+
+This approach gives you full control over the configuration but is typically not necessary for most use cases. The convenience methods (`GatewayTarget.forLambda()`, `GatewayTarget.forOpenApi()`, `GatewayTarget.forSmithy()`) handle all of this internally.
+
+### Gateway Target IAM Permissions
+
+The Gateway Target construct provides convenient methods for granting IAM permissions:
+
+```python
+# Create a gateway and target
+gateway = agentcore.Gateway(self, "MyGateway",
+    gateway_name="my-gateway"
+)
+
+smithy_schema = agentcore.ApiSchema.from_local_asset(
+    path.join(__dirname, "models", "smithy-model.json"))
+smithy_schema.bind(self)
+
+# Create a gateway target with Smithy Model and OAuth
+target = agentcore.GatewayTarget.for_smithy(self, "MySmithyTarget",
+    gateway_target_name="my-smithy-target",
+    description="Target for Smithy model integration",
+    gateway=gateway,
+    smithy_model=smithy_schema
+)
+
+# Create a role that needs access to the gateway target
+user_role = iam.Role(self, "UserRole",
+    assumed_by=iam.ServicePrincipal("lambda.amazonaws.com")
+)
+
+# Grant read permissions (Get and List actions)
+target.grant_read(user_role)
+
+# Grant manage permissions (Create, Update, Delete actions)
+target.grant_manage(user_role)
+
+# Grant specific custom permissions
+target.grant(user_role, "bedrock-agentcore:GetGatewayTarget")
+
+# Grants permission to invoke this Gateway
+gateway.grant_invoke(user_role)
+```
+
 ## Memory
 
 Memory is a critical component of intelligence. While Large Language Models (LLMs) have impressive capabilities, they lack persistent memory across conversations. Amazon Bedrock AgentCore Memory addresses this limitation by providing a managed service that enables AI agents to maintain context over time, remember important facts, and deliver consistent, personalized experiences.