Title
Support API_KEY and GATEWAY_IAM_ROLE outbound auth for MCP server targets in agentcore.json
Description
The outboundAuth field in agentcore.json gateway targets currently supports NONE, OAUTH, and API_KEY as enum values, but for mcpServer target types, only NONE and OAUTH actually work. API_KEY is restricted to apiGateway targets, and GATEWAY_IAM_ROLE isn't in the schema at all.
However, the underlying CloudFormation API (CreateGatewayTarget) supports both API_KEY and GATEWAY_IAM_ROLE for MCP server targets. The outbound auth docs confirm MCP server targets support No auth, Gateway IAM Role, and OAuth — and the credential provider docs show the full API_KEY configuration structure.
Use case
MCP servers deployed as Lambda functions behind API Gateway with Bearer token or API key auth. This is a common pattern for MCP servers, and many third-party MCP servers use API key auth. Users connecting AgentCore Gateway to these servers must currently use CDK escape hatches to configure auth.
Current workaround
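    // CDK escape hatch: walk every construct under `scope` and override the
    // credential provider configuration on each AgentCore gateway target.
    for (const target of scope.node.findAll()) {
      if ((target as any).cfnResourceType === 'AWS::BedrockAgentCore::GatewayTarget') {
        (target as any).addPropertyOverride('CredentialProviderConfigurations', [{
          CredentialProviderType: 'GATEWAY_IAM_ROLE',
          CredentialProvider: {
            // SigV4 signing parameters for the API Gateway endpoint
            IamCredentialProvider: { Service: 'execute-api', Region: 'eu-central-1' },
          },
        }]);
      }
    }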
Requested change
- Allow API_KEY in outboundAuth.type for mcpServer targets (with credentialName referencing an API key credential provider)
- Add GATEWAY_IAM_ROLE as a valid outboundAuth.type with optional service and region fields for SigV4 signing config
This would bring the CLI/CDK schema in line with what CloudFormation already supports.
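A sketch of the validation and mapping the requested change implies, added here as an illustration and not taken from the AgentCore CLI or CDK code. The names `validateOutboundAuth` and `toCredentialProviderConfigurations`, the rejection of unknown fields, and the omission of unset `service`/`region` are assumptions; only the GATEWAY_IAM_ROLE mapping is shown, using the property shape from the workaround above.

```typescript
// Added illustration, not AgentCore CLI/CDK code. All names here are hypothetical.
const AUTH_TYPES = ['NONE', 'OAUTH', 'API_KEY', 'GATEWAY_IAM_ROLE'] as const;
type AuthType = (typeof AUTH_TYPES)[number];
const ALLOWED_KEYS = ['type', 'credentialName', 'service', 'region'];

interface OutboundAuth {
  type: AuthType;
  credentialName?: string; // API_KEY: name of an API key credential provider
  service?: string;        // GATEWAY_IAM_ROLE: SigV4 service name
  region?: string;         // GATEWAY_IAM_ROLE: SigV4 signing region
}

// Returns a list of problems; an empty list means the block is acceptable.
function validateOutboundAuth(raw: unknown): string[] {
  if (typeof raw !== 'object' || raw === null) return ['outboundAuth must be an object'];
  const auth = raw as Record<string, unknown>;
  const type = auth.type;
  if (typeof type !== 'string' || (AUTH_TYPES as readonly string[]).indexOf(type) === -1) {
    return ['outboundAuth.type must be one of ' + AUTH_TYPES.join(', ')];
  }
  const errors: string[] = [];
  const isText = (v: unknown): boolean => typeof v === 'string' && v.trim() !== '';
  // Assumption: unknown fields are rejected so a key value cannot sit inline in
  // agentcore.json; the secret stays in the credential provider named by credentialName.
  for (const key of Object.keys(auth)) {
    if (ALLOWED_KEYS.indexOf(key) === -1) errors.push('unknown field ' + key);
  }
  if (type === 'API_KEY' && !isText(auth.credentialName)) {
    errors.push('API_KEY requires credentialName');
  }
  for (const key of ['service', 'region']) {
    if (auth[key] === undefined) continue;
    if (type !== 'GATEWAY_IAM_ROLE') errors.push(key + ' is only valid with GATEWAY_IAM_ROLE');
    else if (!isText(auth[key])) errors.push(key + ' must be a non-empty string');
  }
  return errors;
}

// Builds the CredentialProviderConfigurations value used in the workaround above.
function toCredentialProviderConfigurations(auth: OutboundAuth): object[] {
  if (auth.type !== 'GATEWAY_IAM_ROLE') throw new Error('only GATEWAY_IAM_ROLE is mapped here');
  const iam: Record<string, string> = {};
  if (auth.service) iam.Service = auth.service;
  if (auth.region) iam.Region = auth.region;
  const cfg: Record<string, unknown> = { CredentialProviderType: 'GATEWAY_IAM_ROLE' };
  if (Object.keys(iam).length > 0) cfg.CredentialProvider = { IamCredentialProvider: iam };
  return [cfg];
}
```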