From b238ea8ffa082f9cac461d8ed612354b6cce6d97 Mon Sep 17 00:00:00 2001
From: alvarog2491 <159990212+alvarog2491@users.noreply.github.com>
Date: Sat, 11 Apr 2026 13:42:45 +0200
Subject: [PATCH] fix: add AWS_IAM as a valid authorizer type for gateway commands
---
 docs/commands.md | 2 +-
 src/cli/commands/add/__tests__/validate.test.ts | 6 ++++++
 src/cli/commands/add/validate.ts | 9 +++++++--
 src/cli/primitives/GatewayPrimitive.ts | 2 +-
 4 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/docs/commands.md b/docs/commands.md
index 281be5c7..f2ea60a0 100644
--- a/docs/commands.md
+++ b/docs/commands.md
@@ -276,7 +276,7 @@ agentcore add gateway \
 | `--name ` | Gateway name |
 | `--description ` | Gateway description |
 | `--runtimes ` | Comma-separated runtime names to expose through this gateway |
-| `--authorizer-type ` | `NONE` (default) or `CUSTOM_JWT` |
+| `--authorizer-type ` | `NONE` (default), `AWS_IAM`, or `CUSTOM_JWT` |
 | `--discovery-url ` | OIDC discovery URL (required for CUSTOM_JWT) |
 | `--allowed-audience ` | Comma-separated allowed audiences (required for CUSTOM_JWT) |
 | `--allowed-clients ` | Comma-separated allowed client IDs (required for CUSTOM_JWT) |
diff --git a/src/cli/commands/add/__tests__/validate.test.ts b/src/cli/commands/add/__tests__/validate.test.ts
index 2b23baa9..b5e03289 100644
--- a/src/cli/commands/add/__tests__/validate.test.ts
+++ b/src/cli/commands/add/__tests__/validate.test.ts
@@ -55,6 +55,11 @@ const validGatewayOptionsNone: AddGatewayOptions = {
 authorizerType: 'NONE',
 };
+const validGatewayOptionsIam: AddGatewayOptions = {
+ name: 'test-gateway',
+ authorizerType: 'AWS_IAM',
+};
+
 const validGatewayOptionsJwt: AddGatewayOptions = {
 name: 'test-gateway',
 authorizerType: 'CUSTOM_JWT',
@@ -343,6 +348,7 @@ describe('validate', () => {
 // AC14: Valid options pass
 it('passes for valid options', () => {
 expect(validateAddGatewayOptions(validGatewayOptionsNone)).toEqual({ valid: true });
+ expect(validateAddGatewayOptions(validGatewayOptionsIam)).toEqual({ valid: true });
 expect(validateAddGatewayOptions(validGatewayOptionsJwt)).toEqual({ valid: true });
 });
diff --git a/src/cli/commands/add/validate.ts b/src/cli/commands/add/validate.ts
index 83f36d69..f40b4ad9 100644
--- a/src/cli/commands/add/validate.ts
+++ b/src/cli/commands/add/validate.ts
@@ -2,6 +2,7 @@ import { ConfigIO, findConfigRoot } from '../../../lib';
 import {
 AgentNameSchema,
 BuildTypeSchema,
+ GatewayAuthorizerTypeSchema,
 GatewayExceptionLevelSchema,
 GatewayNameSchema,
 ModelProviderSchema,
@@ -296,8 +297,12 @@ export function validateAddGatewayOptions(options: AddGatewayOptions): Validatio
 return { valid: false, error: nameResult.error.issues[0]?.message ?? 'Invalid gateway name' };
 }
- if (options.authorizerType && !['NONE', 'CUSTOM_JWT'].includes(options.authorizerType)) {
- return { valid: false, error: 'Invalid authorizer type. Use NONE or CUSTOM_JWT' };
+ if (options.authorizerType) {
+ const result = GatewayAuthorizerTypeSchema.safeParse(options.authorizerType);
+ if (!result.success) {
+ const valid = GatewayAuthorizerTypeSchema.options.join(', ');
+ return { valid: false, error: `Invalid authorizer type. Use ${valid}` };
+ }
 }
 if (options.authorizerType === 'CUSTOM_JWT') {
diff --git a/src/cli/primitives/GatewayPrimitive.ts b/src/cli/primitives/GatewayPrimitive.ts
index 51877953..308f9a7e 100644
--- a/src/cli/primitives/GatewayPrimitive.ts
+++ b/src/cli/primitives/GatewayPrimitive.ts
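Review bot: The rewritten guard in `validateAddGatewayOptions` (src/cli/commands/add/validate.ts, hunk at -296) is still `if (options.authorizerType)`, so an empty string skips `GatewayAuthorizerTypeSchema.safeParse` and the options are reported as valid. docs/commands.md lists `NONE` as the default, so if later code treats a falsy value as unset (not visible here), `--authorizer-type "$VAR"` with an empty variable would presumably produce a gateway with no authorizer rather than an error. Testing for presence explicitly, `if (options.authorizerType !== undefined) {`, sends the empty string through the schema and rejects it; a test case with `authorizerType: ''` would pin that. The function body starts and ends outside the hunk, so the `CUSTOM_JWT` branch that follows was not reviewed.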
@@ -162,7 +162,7 @@ export class GatewayPrimitive extends BasePrimitive', 'Gateway name [non-interactive]') .option('--description ', 'Gateway description [non-interactive]') .option('--runtimes ', 'Comma-separated runtime names to expose through this gateway [non-interactive]') - .option('--authorizer-type ', 'Authorizer type: NONE or CUSTOM_JWT [non-interactive]') + .option('--authorizer-type ', 'Authorizer type: NONE, AWS_IAM, or CUSTOM_JWT [non-interactive]') .option('--discovery-url ', 'OIDC discovery URL (for CUSTOM_JWT) [non-interactive]') .option('--allowed-audience ', 'Comma-separated allowed audiences (for CUSTOM_JWT) [non-interactive]') .option('--allowed-clients ', 'Comma-separated allowed client IDs (for CUSTOM_JWT) [non-interactive]')
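Review bot: The `--authorizer-type` description in `GatewayPrimitive` spells out `NONE, AWS_IAM, or CUSTOM_JWT` by hand, while validate.ts in this same commit now takes the accepted values from `GatewayAuthorizerTypeSchema.options`. The next value added to the schema will pass validation but be missing from `--help`, which is the kind of drift this commit repairs. If the schema can be imported in this file, the list could be built from `GatewayAuthorizerTypeSchema.options.join(', ')`. It would also help operators if the description stated that `NONE` is the default, as docs/commands.md does. The option chain starts and ends outside the hunk.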