|
276 | 276 | "errors":[ |
277 | 277 | {"shape":"ServiceQuotaExceededException"}, |
278 | 278 | {"shape":"AccessDeniedException"}, |
279 | | - {"shape":"ConflictException"}, |
280 | 279 | {"shape":"ValidationException"}, |
281 | | - {"shape":"ResourceNotFoundException"}, |
| 280 | + {"shape":"ConflictException"}, |
282 | 281 | {"shape":"ThrottlingException"}, |
| 282 | + {"shape":"ResourceNotFoundException"}, |
283 | 283 | {"shape":"InternalServerException"} |
284 | 284 | ], |
285 | 285 | "documentation":"<p>Creates a policy within the AgentCore Policy system. Policies provide real-time, deterministic control over agentic interactions with AgentCore Gateway. Using the Cedar policy language, you can define fine-grained policies that specify which interactions with Gateway tools are permitted based on input parameters and OAuth claims, ensuring agents operate within defined boundaries and business rules. The policy is validated during creation against the Cedar schema generated from the Gateway's tools' input schemas, which defines the available tools, their parameters, and expected data types. This is an asynchronous operation. Use the <a href=\"https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_GetPolicy.html\">GetPolicy</a> operation to poll the <code>status</code> field to track completion.</p>" |
|
573 | 573 | "input":{"shape":"DeletePolicyRequest"}, |
574 | 574 | "output":{"shape":"DeletePolicyResponse"}, |
575 | 575 | "errors":[ |
| 576 | + {"shape":"ValidationException"}, |
576 | 577 | {"shape":"AccessDeniedException"}, |
577 | 578 | {"shape":"ConflictException"}, |
578 | | - {"shape":"ValidationException"}, |
579 | 579 | {"shape":"ResourceNotFoundException"}, |
580 | 580 | {"shape":"ThrottlingException"}, |
581 | 581 | {"shape":"InternalServerException"} |
|
593 | 593 | "input":{"shape":"DeletePolicyEngineRequest"}, |
594 | 594 | "output":{"shape":"DeletePolicyEngineResponse"}, |
595 | 595 | "errors":[ |
| 596 | + {"shape":"ValidationException"}, |
596 | 597 | {"shape":"AccessDeniedException"}, |
597 | 598 | {"shape":"ConflictException"}, |
598 | | - {"shape":"ValidationException"}, |
599 | 599 | {"shape":"ResourceNotFoundException"}, |
600 | 600 | {"shape":"ThrottlingException"}, |
601 | 601 | {"shape":"InternalServerException"} |
|
886 | 886 | "errors":[ |
887 | 887 | {"shape":"AccessDeniedException"}, |
888 | 888 | {"shape":"ValidationException"}, |
889 | | - {"shape":"ResourceNotFoundException"}, |
890 | 889 | {"shape":"ThrottlingException"}, |
| 890 | + {"shape":"ResourceNotFoundException"}, |
891 | 891 | {"shape":"InternalServerException"} |
892 | 892 | ], |
893 | 893 | "documentation":"<p>Retrieves detailed information about a specific policy within the AgentCore Policy system. This operation returns the complete policy definition, metadata, and current status, allowing administrators to review and manage policy configurations.</p>", |
|
905 | 905 | "errors":[ |
906 | 906 | {"shape":"AccessDeniedException"}, |
907 | 907 | {"shape":"ValidationException"}, |
908 | | - {"shape":"ResourceNotFoundException"}, |
909 | 908 | {"shape":"ThrottlingException"}, |
| 909 | + {"shape":"ResourceNotFoundException"}, |
910 | 910 | {"shape":"InternalServerException"} |
911 | 911 | ], |
912 | 912 | "documentation":"<p>Retrieves detailed information about a specific policy engine within the AgentCore Policy system. This operation returns the complete policy engine configuration, metadata, and current status, allowing administrators to review and manage policy engine settings.</p>", |
|
924 | 924 | "errors":[ |
925 | 925 | {"shape":"AccessDeniedException"}, |
926 | 926 | {"shape":"ValidationException"}, |
927 | | - {"shape":"ResourceNotFoundException"}, |
928 | 927 | {"shape":"ThrottlingException"}, |
| 928 | + {"shape":"ResourceNotFoundException"}, |
929 | 929 | {"shape":"InternalServerException"} |
930 | 930 | ], |
931 | 931 | "documentation":"<p>Retrieves information about a policy generation request within the AgentCore Policy system. Policy generation converts natural language descriptions into Cedar policy statements using AI-powered translation, enabling non-technical users to create policies.</p>", |
|
1242 | 1242 | "errors":[ |
1243 | 1243 | {"shape":"AccessDeniedException"}, |
1244 | 1244 | {"shape":"ValidationException"}, |
1245 | | - {"shape":"ResourceNotFoundException"}, |
1246 | 1245 | {"shape":"ThrottlingException"}, |
| 1246 | + {"shape":"ResourceNotFoundException"}, |
1247 | 1247 | {"shape":"InternalServerException"} |
1248 | 1248 | ], |
1249 | 1249 | "documentation":"<p>Retrieves a list of policies within the AgentCore Policy engine. This operation supports pagination and filtering to help administrators manage and discover policies across policy engines. Results can be filtered by policy engine or resource associations.</p>", |
|
1279 | 1279 | "errors":[ |
1280 | 1280 | {"shape":"AccessDeniedException"}, |
1281 | 1281 | {"shape":"ValidationException"}, |
1282 | | - {"shape":"ResourceNotFoundException"}, |
1283 | 1282 | {"shape":"ThrottlingException"}, |
| 1283 | + {"shape":"ResourceNotFoundException"}, |
1284 | 1284 | {"shape":"InternalServerException"} |
1285 | 1285 | ], |
1286 | 1286 | "documentation":"<p>Retrieves a list of generated policy assets from a policy generation request within the AgentCore Policy system. This operation returns the actual Cedar policies and related artifacts produced by the AI-powered policy generation process, allowing users to review and select from multiple generated policy options.</p>", |
|
1298 | 1298 | "errors":[ |
1299 | 1299 | {"shape":"AccessDeniedException"}, |
1300 | 1300 | {"shape":"ValidationException"}, |
1301 | | - {"shape":"ResourceNotFoundException"}, |
1302 | 1301 | {"shape":"ThrottlingException"}, |
| 1302 | + {"shape":"ResourceNotFoundException"}, |
1303 | 1303 | {"shape":"InternalServerException"} |
1304 | 1304 | ], |
1305 | 1305 | "documentation":"<p>Retrieves a list of policy generation requests within the AgentCore Policy system. This operation supports pagination and filtering to help track and manage AI-powered policy generation operations.</p>", |
|
1659 | 1659 | "UpdatePolicy":{ |
1660 | 1660 | "name":"UpdatePolicy", |
1661 | 1661 | "http":{ |
1662 | | - "method":"PUT", |
| 1662 | + "method":"PATCH", |
1663 | 1663 | "requestUri":"/policy-engines/{policyEngineId}/policies/{policyId}", |
1664 | 1664 | "responseCode":202 |
1665 | 1665 | }, |
1666 | 1666 | "input":{"shape":"UpdatePolicyRequest"}, |
1667 | 1667 | "output":{"shape":"UpdatePolicyResponse"}, |
1668 | 1668 | "errors":[ |
1669 | 1669 | {"shape":"AccessDeniedException"}, |
1670 | | - {"shape":"ConflictException"}, |
1671 | 1670 | {"shape":"ValidationException"}, |
1672 | | - {"shape":"ResourceNotFoundException"}, |
| 1671 | + {"shape":"ConflictException"}, |
1673 | 1672 | {"shape":"ThrottlingException"}, |
| 1673 | + {"shape":"ResourceNotFoundException"}, |
1674 | 1674 | {"shape":"InternalServerException"} |
1675 | 1675 | ], |
1676 | 1676 | "documentation":"<p>Updates an existing policy within the AgentCore Policy system. This operation allows modification of the policy description and definition while maintaining the policy's identity. The updated policy is validated against the Cedar schema before being applied. This is an asynchronous operation. Use the <code>GetPolicy</code> operation to poll the <code>status</code> field to track completion.</p>", |
|
1679 | 1679 | "UpdatePolicyEngine":{ |
1680 | 1680 | "name":"UpdatePolicyEngine", |
1681 | 1681 | "http":{ |
1682 | | - "method":"PUT", |
| 1682 | + "method":"PATCH", |
1683 | 1683 | "requestUri":"/policy-engines/{policyEngineId}", |
1684 | 1684 | "responseCode":202 |
1685 | 1685 | }, |
1686 | 1686 | "input":{"shape":"UpdatePolicyEngineRequest"}, |
1687 | 1687 | "output":{"shape":"UpdatePolicyEngineResponse"}, |
1688 | 1688 | "errors":[ |
1689 | 1689 | {"shape":"AccessDeniedException"}, |
1690 | | - {"shape":"ConflictException"}, |
1691 | 1690 | {"shape":"ValidationException"}, |
1692 | | - {"shape":"ResourceNotFoundException"}, |
| 1691 | + {"shape":"ConflictException"}, |
1693 | 1692 | {"shape":"ThrottlingException"}, |
| 1693 | + {"shape":"ResourceNotFoundException"}, |
1694 | 1694 | {"shape":"InternalServerException"} |
1695 | 1695 | ], |
1696 | 1696 | "documentation":"<p>Updates an existing policy engine within the AgentCore Policy system. This operation allows modification of the policy engine description while maintaining its identity. This is an asynchronous operation. Use the <code>GetPolicyEngine</code> operation to poll the <code>status</code> field to track completion.</p>", |
|
1746 | 1746 | "PYTHON_3_10", |
1747 | 1747 | "PYTHON_3_11", |
1748 | 1748 | "PYTHON_3_12", |
1749 | | - "PYTHON_3_13" |
| 1749 | + "PYTHON_3_13", |
| 1750 | + "PYTHON_3_14" |
1750 | 1751 | ] |
1751 | 1752 | }, |
1752 | 1753 | "AgentRuntime":{ |
|
3671 | 3672 | "shape":"ClientToken", |
3672 | 3673 | "documentation":"<p>A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If you retry a request with the same client token, the service returns the same response without creating a duplicate policy engine.</p>", |
3673 | 3674 | "idempotencyToken":true |
| 3675 | + }, |
| 3676 | + "encryptionKeyArn":{ |
| 3677 | + "shape":"KmsKeyArn", |
| 3678 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
| 3679 | + }, |
| 3680 | + "tags":{ |
| 3681 | + "shape":"TagsMap", |
| 3682 | + "documentation":"<p>A map of tag keys and values to assign to an AgentCore Policy. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment.</p>" |
3674 | 3683 | } |
3675 | 3684 | } |
3676 | 3685 | }, |
|
3717 | 3726 | "statusReasons":{ |
3718 | 3727 | "shape":"PolicyStatusReasons", |
3719 | 3728 | "documentation":"<p>Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine creation process.</p>" |
| 3729 | + }, |
| 3730 | + "encryptionKeyArn":{ |
| 3731 | + "shape":"KmsKeyArn", |
| 3732 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
3720 | 3733 | } |
3721 | 3734 | } |
3722 | 3735 | }, |
|
4716 | 4729 | "statusReasons":{ |
4717 | 4730 | "shape":"PolicyStatusReasons", |
4718 | 4731 | "documentation":"<p>Additional information about the deletion status. This provides details about the deletion process or any issues that may have occurred.</p>" |
| 4732 | + }, |
| 4733 | + "encryptionKeyArn":{ |
| 4734 | + "shape":"KmsKeyArn", |
| 4735 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
4719 | 4736 | } |
4720 | 4737 | } |
4721 | 4738 | }, |
|
5764 | 5781 | "requestHeaderConfiguration":{ |
5765 | 5782 | "shape":"RequestHeaderConfiguration", |
5766 | 5783 | "documentation":"<p>Configuration for HTTP request headers that will be passed through to the runtime.</p>" |
| 5784 | + }, |
| 5785 | + "metadataConfiguration":{ |
| 5786 | + "shape":"RuntimeMetadataConfiguration", |
| 5787 | + "documentation":"<p>Configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.</p>" |
5767 | 5788 | } |
5768 | 5789 | } |
5769 | 5790 | }, |
|
6477 | 6498 | "statusReasons":{ |
6478 | 6499 | "shape":"PolicyStatusReasons", |
6479 | 6500 | "documentation":"<p>Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine.</p>" |
| 6501 | + }, |
| 6502 | + "encryptionKeyArn":{ |
| 6503 | + "shape":"KmsKeyArn", |
| 6504 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
6480 | 6505 | } |
6481 | 6506 | } |
6482 | 6507 | }, |
|
8864 | 8889 | "cedar":{ |
8865 | 8890 | "shape":"CedarPolicy", |
8866 | 8891 | "documentation":"<p>The Cedar policy definition within the policy definition structure. This contains the Cedar policy statement that defines the authorization logic using Cedar's human-readable, analyzable policy language. Cedar policies specify principals (who can access), actions (what operations are allowed), resources (what can be accessed), and optional conditions for fine-grained control. Cedar provides a formal policy language designed for authorization with deterministic evaluation, making policies testable, reviewable, and auditable. All Cedar policies follow a default-deny model where actions are denied unless explicitly permitted, and forbid policies always override permit policies.</p>" |
| 8892 | + }, |
| 8893 | + "policyGeneration":{ |
| 8894 | + "shape":"PolicyGenerationDetails", |
| 8895 | + "documentation":"<p>The generated policy asset information within the policy definition structure. This contains information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.</p>" |
8867 | 8896 | } |
8868 | 8897 | }, |
8869 | 8898 | "documentation":"<p>Represents the definition structure for policies within the AgentCore Policy system. This structure encapsulates different policy formats and languages that can be used to define access control rules.</p>", |
|
8912 | 8941 | "statusReasons":{ |
8913 | 8942 | "shape":"PolicyStatusReasons", |
8914 | 8943 | "documentation":"<p>Additional information about the policy engine status. This provides details about any failures or the current state of the policy engine lifecycle.</p>" |
| 8944 | + }, |
| 8945 | + "encryptionKeyArn":{ |
| 8946 | + "shape":"KmsKeyArn", |
| 8947 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
8915 | 8948 | } |
8916 | 8949 | }, |
8917 | 8950 | "documentation":"<p>Represents a policy engine resource within the AgentCore Policy system. Policy engines serve as containers for grouping related policies and provide the execution context for policy evaluation and management. Each policy engine can be associated with one Gateway (one engine per Gateway), where it intercepts all agent tool calls and evaluates them against the contained policies before allowing tools to execute. The policy engine maintains the Cedar schema generated from the Gateway's tool manifest, ensuring that policies are validated against the actual tools and parameters available. Policy engines support two enforcement modes that can be configured when associating with a Gateway: log-only mode for testing (evaluates decisions without blocking) and enforce mode for production (actively allows or denies based on policy evaluation).</p>" |
|
9037 | 9070 | "type":"list", |
9038 | 9071 | "member":{"shape":"PolicyGenerationAsset"} |
9039 | 9072 | }, |
| 9073 | + "PolicyGenerationDetails":{ |
| 9074 | + "type":"structure", |
| 9075 | + "required":[ |
| 9076 | + "policyGenerationId", |
| 9077 | + "policyGenerationAssetId" |
| 9078 | + ], |
| 9079 | + "members":{ |
| 9080 | + "policyGenerationId":{ |
| 9081 | + "shape":"ResourceId", |
| 9082 | + "documentation":"<p>The unique identifier for this policy generation request.</p>" |
| 9083 | + }, |
| 9084 | + "policyGenerationAssetId":{ |
| 9085 | + "shape":"ResourceId", |
| 9086 | + "documentation":"<p>The unique identifier for this generated policy asset within the policy generation request.</p>" |
| 9087 | + } |
| 9088 | + }, |
| 9089 | + "documentation":"<p>Represents the information identifying a generated policy asset from the AI-powered policy generation process within the AgentCore Policy system. Each asset contains a Cedar policy statement generated from natural language input, along with associated metadata and analysis findings to help users evaluate and select the most appropriate policy option.</p>" |
| 9090 | + }, |
9040 | 9091 | "PolicyGenerationName":{ |
9041 | 9092 | "type":"string", |
9042 | 9093 | "max":48, |
|
9313 | 9364 | "min":1, |
9314 | 9365 | "pattern":"([0-9]{12})\\.dkr\\.ecr\\.([a-z0-9-]+)\\.amazonaws\\.com/((?:[a-z0-9]+(?:[._-][a-z0-9]+)*/)*[a-z0-9]+(?:[._-][a-z0-9]+)*)(?::([^:@]{1,300}))?(?:@(.+))?" |
9315 | 9366 | }, |
| 9367 | + "RuntimeMetadataConfiguration":{ |
| 9368 | + "type":"structure", |
| 9369 | + "required":["requireMMDSV2"], |
| 9370 | + "members":{ |
| 9371 | + "requireMMDSV2":{ |
| 9372 | + "shape":"Boolean", |
| 9373 | + "documentation":"<p>Enables MMDSv2 (microVM Metadata Service Version 2) requirement for the agent runtime. When set to <code>true</code>, the runtime microVM will only accept MMDSv2 requests.</p>" |
| 9374 | + } |
| 9375 | + }, |
| 9376 | + "documentation":"<p>Configuration for microVM metadata service settings.</p>" |
| 9377 | + }, |
9316 | 9378 | "S3BucketUri":{ |
9317 | 9379 | "type":"string", |
9318 | 9380 | "pattern":"s3://.{1,2043}" |
|
9861 | 9923 | }, |
9862 | 9924 | "Statement":{ |
9863 | 9925 | "type":"string", |
9864 | | - "max":153600, |
| 9926 | + "max":10000, |
9865 | 9927 | "min":35 |
9866 | 9928 | }, |
9867 | 9929 | "StatusReason":{ |
|
10506 | 10568 | "shape":"LifecycleConfiguration", |
10507 | 10569 | "documentation":"<p>The updated life cycle configuration for the AgentCore Runtime.</p>" |
10508 | 10570 | }, |
| 10571 | + "metadataConfiguration":{ |
| 10572 | + "shape":"RuntimeMetadataConfiguration", |
| 10573 | + "documentation":"<p>The updated configuration for microVM Metadata Service (MMDS) settings for the AgentCore Runtime.</p>" |
| 10574 | + }, |
10509 | 10575 | "environmentVariables":{ |
10510 | 10576 | "shape":"EnvironmentVariablesMap", |
10511 | 10577 | "documentation":"<p>Updated environment variables to set in the AgentCore Runtime environment.</p>" |
|
11119 | 11185 | "locationName":"policyEngineId" |
11120 | 11186 | }, |
11121 | 11187 | "description":{ |
11122 | | - "shape":"Description", |
| 11188 | + "shape":"UpdatedDescription", |
11123 | 11189 | "documentation":"<p>The new description for the policy engine.</p>" |
11124 | 11190 | } |
11125 | 11191 | } |
@@ -11167,15 +11233,18 @@ |
11167 | 11233 | "statusReasons":{ |
11168 | 11234 | "shape":"PolicyStatusReasons", |
11169 | 11235 | "documentation":"<p>Additional information about the update status.</p>" |
| 11236 | + }, |
| 11237 | + "encryptionKeyArn":{ |
| 11238 | + "shape":"KmsKeyArn", |
| 11239 | + "documentation":"<p>The Amazon Resource Name (ARN) of the KMS key used to encrypt the policy engine data.</p>" |
11170 | 11240 | } |
11171 | 11241 | } |
11172 | 11242 | }, |
11173 | 11243 | "UpdatePolicyRequest":{ |
11174 | 11244 | "type":"structure", |
11175 | 11245 | "required":[ |
11176 | 11246 | "policyEngineId", |
11177 | | - "policyId", |
11178 | | - "definition" |
| 11247 | + "policyId" |
11179 | 11248 | ], |
11180 | 11249 | "members":{ |
11181 | 11250 | "policyEngineId":{ |
|
11191 | 11260 | "locationName":"policyId" |
11192 | 11261 | }, |
11193 | 11262 | "description":{ |
11194 | | - "shape":"Description", |
| 11263 | + "shape":"UpdatedDescription", |
11195 | 11264 | "documentation":"<p>The new human-readable description for the policy. This optional field allows updating the policy's documentation while keeping the same policy logic.</p>" |
11196 | 11265 | }, |
11197 | 11266 | "definition":{ |
|
11305 | 11374 | } |
11306 | 11375 | } |
11307 | 11376 | }, |
| 11377 | + "UpdatedDescription":{ |
| 11378 | + "type":"structure", |
| 11379 | + "members":{ |
| 11380 | + "optionalValue":{ |
| 11381 | + "shape":"Description", |
| 11382 | + "documentation":"<p>Represents an optional value that is used to update the human-readable description of the resource. If set to null, it will clear the current description of the resource.</p>" |
| 11383 | + } |
| 11384 | + }, |
| 11385 | + "documentation":"<p>Respresents an optional value that can be provided to update the human-readable description of the resource. If the field is omitted from the request, it will leave the current decription value unchanged.</p>" |
| 11386 | + }, |
11308 | 11387 | "UserPreferenceConsolidationOverride":{ |
11309 | 11388 | "type":"structure", |
11310 | 11389 | "required":[ |
|
0 commit comments