aws · mergify · Oct 29, 2025 · Oct 27, 2025 · Oct 28, 2025 · Oct 28, 2025
diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md
@@ -303,6 +303,10 @@ IAM authentication is the default mode, when no authorizerConfiguration is set t
 To configure AWS Cognito User Pool authentication:
 
 ```typescript
+declare const userPool: cognito.UserPool;
+declare const userPoolClient: cognito.UserPoolClient;
+declare const anotherUserPoolClient: cognito.UserPoolClient;
+
 const repository = new ecr.Repository(this, "TestRepository", {
   repositoryName: "test-agent-runtime",
 });
@@ -312,9 +316,8 @@ const runtime = new agentcore.Runtime(this, "MyAgentRuntime", {
   runtimeName: "myAgent",
   agentRuntimeArtifact: agentRuntimeArtifact,
   authorizerConfiguration: agentcore.RuntimeAuthorizerConfiguration.usingCognito(
-    "us-west-2_ABC123",  // User Pool ID (required)
-    "client123",         // Client ID (required)
-    "us-west-2"         // Region (optional, defaults to stack region)
+    userPool, // User Pool (required)
+    [userPoolClient, anotherUserPoolClient], // User Pool Clients
   ),
 });
 ```

diff --git a/...aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts b/...aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-authorizer-configuration.ts
@@ -11,9 +11,9 @@
  *  and limitations under the License.
  */
 
-import { Token } from 'aws-cdk-lib';
 import { CfnRuntime } from 'aws-cdk-lib/aws-bedrockagentcore';
 import { ValidationError } from './validation-helpers';
+import { IUserPool, IUserPoolClient } from 'aws-cdk-lib/aws-cognito';
 
 /**
  * Abstract base class for runtime authorizer configurations.
@@ -54,19 +54,17 @@ export abstract class RuntimeAuthorizerConfiguration {
    * Use AWS Cognito User Pool authentication.
    * Validates Cognito-issued JWT tokens.
    *
-   * @param userPoolId The Cognito User Pool ID (e.g., 'us-west-2_ABC123')
-   * @param clientId The Cognito App Client ID
-   * @param region Optional AWS region where the User Pool is located (defaults to stack region)
+   * @param userPool The Cognito User Pool
+   * @param userPoolClient The Cognito User Pool App Clients
    * @param allowedAudience Optional array of allowed audiences
    * @returns RuntimeAuthorizerConfiguration for Cognito authentication
    */
   public static usingCognito(
-    userPoolId: string,
-    clientId: string,
-    region?: string,
+    userPool: IUserPool,
+    userPoolClients: IUserPoolClient[],
     allowedAudience?: string[],
   ): RuntimeAuthorizerConfiguration {
-    return new CognitoAuthorizerConfiguration(userPoolId, clientId, region, allowedAudience);
+    return new CognitoAuthorizerConfiguration(userPool, userPoolClients, allowedAudience);
   }
 
   /**
@@ -134,25 +132,21 @@ class JwtAuthorizerConfiguration extends RuntimeAuthorizerConfiguration {
  */
 class CognitoAuthorizerConfiguration extends RuntimeAuthorizerConfiguration {
   constructor(
-    private readonly userPoolId: string,
-    private readonly clientId: string,
-    private readonly region?: string,
+    private readonly userPool: IUserPool,
+    private readonly userPoolClients: IUserPoolClient[],
     private readonly allowedAudience?: string[],
   ) {
     super();
   }
 
   public _render(): CfnRuntime.AuthorizerConfigurationProperty {
-    // If region is not provided, use a token that will be resolved to the stack region
-    // This will be resolved during synthesis
-    const region = this.region ?? Token.asString({ Ref: 'AWS::Region' });
-    const discoveryUrl = `https://cognito-idp.${region}.amazonaws.com/${this.userPoolId}/.well-known/openid-configuration`;
+    const discoveryUrl = `https://cognito-idp.${this.userPool.env.region}.amazonaws.com/${this.userPool.userPoolId}/.well-known/openid-configuration`;
 
     // Use JWT format for Cognito (CloudFormation expects JWT format)
     return {
       customJwtAuthorizer: {
         discoveryUrl: discoveryUrl,
-        allowedClients: [this.clientId],
+        allowedClients: this.userPoolClients.map(client => client.userPoolClientId),
         allowedAudience: this.allowedAudience,
       },
     };

diff --git a/packages/@aws-cdk/aws-bedrock-agentcore-alpha/rosetta/default.ts-fixture b/packages/@aws-cdk/aws-bedrock-agentcore-alpha/rosetta/default.ts-fixture
@@ -4,6 +4,7 @@ import { Construct } from 'constructs';
 import { Stack } from 'aws-cdk-lib';
 import { Duration, RemovalPolicy, aws_s3_deployment } from 'aws-cdk-lib';
 import * as agentcore from '@aws-cdk/aws-bedrock-agentcore-alpha';
+import * as cognito from 'aws-cdk-lib/aws-cognito';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as s3 from 'aws-cdk-lib/aws-s3';
 import * as sns from 'aws-cdk-lib/aws-sns';

diff --git a/...js.snapshot/BedrockAgentCoreRuntimeCognitoTestDefaultTestDeployAssert362339C9.assets.json b/...js.snapshot/BedrockAgentCoreRuntimeCognitoTestDefaultTestDeployAssert362339C9.assets.json
diff --git a/....snapshot/BedrockAgentCoreRuntimeCognitoTestDefaultTestDeployAssert362339C9.template.json b/....snapshot/BedrockAgentCoreRuntimeCognitoTestDefaultTestDeployAssert362339C9.template.json
diff --git a/...napshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile b/...napshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/Dockerfile
diff --git a/...js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py b/...js.snapshot/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/app.py
diff --git a/...t/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt b/...t/asset.f06c9f54828243752afd2df4e39ab9d2987b5ccf44e6bdc05621c18d5488f240/requirements.txt
diff --git a/...e/integ.runtime-cognito.js.snapshot/aws-cdk-bedrock-agentcore-runtime-cognito.assets.json b/...e/integ.runtime-cognito.js.snapshot/aws-cdk-bedrock-agentcore-runtime-cognito.assets.json