bedrock-agentcore: use IUserPool and IUserPoolClient interfaces instead of string identifiers #35854

@mazyu36

Describe the feature

The current RuntimeAuthorizerConfiguration.usingCognito() method in agentcore requires string identifiers (User Pool ID and Client ID) to be passed as parameters.

AWS CDK best practices emphasize passing construct interfaces rather than string identifiers, which provides better type safety and a more intuitive developer experience.

Additionally, the region parameter is redundant since it can be automatically derived from the stack's environment (env.region).

Current Implementation:

authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingCognito(
  "us-west-2_ABC123",  // User Pool ID (string)
  "client123",         // Client ID (string)
  "us-west-2"         // Region (optional, string) - redundant!
)

Use Case

When using AgentCore Runtime with a Cognito UserPool and UserPoolClient.

Proposed Solution

Modify RuntimeAuthorizerConfiguration.usingCognito() to:

  1. Accept IUserPool and IUserPoolClient interfaces instead of strings for better type safety and DX
  2. Remove the region parameter entirely and automatically use the stack's env.region

Proposed Implementation:

import * as cognito from 'aws-cdk-lib/aws-cognito';

// Existing constructs, declared here only so the snippet type-checks
declare const userPool: cognito.UserPool;
declare const userPoolClient: cognito.UserPoolClient;

const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
  runtimeName: "myAgent",
  agentRuntimeArtifact: agentRuntimeArtifact,
  authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingCognito(
    userPool,        // IUserPool interface
    userPoolClient   // IUserPoolClient interface
    // region automatically resolved from stack.env.region
  ),
});

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.221.0

AWS CDK CLI version

all

Environment details (OS name and version, etc.)

all
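
The string-based signature quoted in the issue lets the region argument disagree with the region prefix already present in the user pool ID, and lets the two identifiers be swapped without a type error. As an added example (not code from the issue or from aws-cdk), the TypeScript below validates the three strings and builds the Cognito OIDC discovery URL; `resolveCognitoAuthorizer` and its types are hypothetical names, the sample identifiers are the ones from the issue, and the standard `aws` partition is assumed.

```typescript
// Added example, not aws-cdk code. All names below are hypothetical.
// Cognito user pool IDs have the form "<region>_<suffix>", and the pool's OIDC
// discovery document is served from the regional cognito-idp endpoint.
interface CognitoAuthorizerInput {
  userPoolId: string;
  clientId: string;
  region?: string; // optional, as in the current string-based signature
}

interface ResolvedAuthorizer {
  discoveryUrl: string;
  allowedClients: string[];
}

// e.g. "us-west-2_ABC123" -> region "us-west-2", suffix "ABC123"
const POOL_ID = /^([a-z]{2}(?:-[a-z]+)+-\d+)_([0-9A-Za-z]+)$/;

function resolveCognitoAuthorizer(input: CognitoAuthorizerInput): ResolvedAuthorizer {
  const m = POOL_ID.exec(input.userPoolId);
  if (!m) {
    // Catches swapped arguments: a client ID carries no "<region>_" prefix.
    throw new Error(`not a user pool ID: ${JSON.stringify(input.userPoolId)}`);
  }
  const poolRegion = String(m[1]);
  if (input.region !== undefined && input.region !== poolRegion) {
    // A wrong region would point the authorizer at an issuer that does not
    // host this pool, so token validation could never succeed.
    throw new Error(`region ${input.region} does not match pool region ${poolRegion}`);
  }
  if (!/^[0-9A-Za-z]+$/.test(input.clientId)) {
    throw new Error(`not an app client ID: ${JSON.stringify(input.clientId)}`);
  }
  return {
    // Assumes the standard "aws" partition (amazonaws.com endpoints).
    discoveryUrl:
      `https://cognito-idp.${poolRegion}.amazonaws.com/` +
      `${input.userPoolId}/.well-known/openid-configuration`,
    allowedClients: [input.clientId],
  };
}

// Returns the error message for rejected input, or "" when it is accepted.
function rejectionReason(input: CognitoAuthorizerInput): string {
  try {
    resolveCognitoAuthorizer(input);
    return "";
  } catch (e) {
    return e instanceof Error ? e.message : String(e);
  }
}
```

These checks only work on literal strings known at synthesis time; passing `IUserPool` and `IUserPoolClient`, as the issue proposes, removes the need for them.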

Labels

  • @aws-cdk/aws-cognito: Related to Amazon Cognito
  • effort/medium: Medium work item – several days of effort
  • feature-request: A feature should be added or improved.
  • p2
