Skip to content

docs: add harness permissions to IAM policy and permissions guide#1089

Open
notgitika wants to merge 5 commits intoaws:previewfrom
notgitika:docs/harness-permissions
Open

docs: add harness permissions to IAM policy and permissions guide#1089
notgitika wants to merge 5 commits intoaws:previewfrom
notgitika:docs/harness-permissions

Conversation

@notgitika
Copy link
Copy Markdown
Contributor

@notgitika notgitika commented May 1, 2026
edited
Loading

Summary

  • Added HarnessManagement statement to iam-policy-user.json with 6 harness actions (CreateHarness, GetHarness, UpdateHarness, DeleteHarness, ListHarnesses, InvokeHarness)
  • Updated PERMISSIONS.md with harness management reference section, scoping-down table entry, and CFN execution role reference

Harnesses use imperative deployment (direct API calls, not CDK/CloudFormation), so the developer IAM principal needs these permissions directly. This was missing, causing the E2E harness tests to fail with a 403 on CreateHarness.

Also applied the fix to the e2e-github-actions IAM role in our test accunt so the tests pass immediately.

Test plan

  • Verified iam-policy-user.json is valid JSON
  • Verified prettier formatting passes
  • Added harness-management inline policy to e2e-github-actions role in 685197708687
  • Re-run E2E tests to confirm harness-bedrock.test.ts passes

@notgitika
docs: add harness permissions to IAM policy and permissions guide
f2b2988 
Harnesses use imperative deployment (direct API calls, not CDK/CloudFormation),
so the developer IAM principal needs harness CRUD + invoke permissions. This was
missing, causing E2E harness tests to fail with 403 on CreateHarness.

Added bedrock-agentcore:CreateHarness, GetHarness, UpdateHarness, DeleteHarness,
ListHarnesses, and InvokeHarness to iam-policy-user.json and PERMISSIONS.md.
@notgitika notgitika requested a review from a team May 1, 2026 20:11
@notgitika notgitika closed this May 1, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label May 1, 2026
@notgitika notgitika reopened this May 1, 2026
@agentcore-cli-automation
Copy link
Copy Markdown

agentcore-cli-automation commented May 1, 2026

The new row added to the table at the end of this file is in the wrong section and will likely confuse readers.

The ## CFN execution role permissions section (line 409) and the ### Bedrock AgentCore resources subsection (line 419) are both explicitly about permissions that belong on the CloudFormation execution role, not the developer principal. Adding this row there:

| `bedrock-agentcore:CreateHarness`, `UpdateHarness`, ... | Imperative harness deployment (direct API) |

contradicts the whole point of the PR (and the prose you just added above it in the "Harness management" section, which correctly says "harness CRUD permissions must be on the developer's IAM principal, not just the CFN execution role"). It also doesn't fit the column header "Resource Type Created" — there is no CFN resource type for harnesses.

A few options:

  1. Drop the row entirely — the new "### Harness management" subsection under the user-policy section already documents these actions.
  2. If you want to call out in the CFN section that harnesses are not managed by CFN, add a short paragraph under ## CFN execution role permissions rather than a row in the "resources created" table.
  3. Move this row into its own subsection at the end of the CFN section (e.g. "### Not applicable: imperative resources") so it isn't mistaken for a CFN-managed resource type.

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label May 1, 2026
@notgitika
docs: remove misplaced harness row from CFN execution role table
649bbfc 
Harness permissions belong on the developer principal, not the CFN
execution role. The user-policy "Harness management" section already
documents these actions correctly.
@agentcore-cli-automation
Copy link
Copy Markdown

agentcore-cli-automation commented May 1, 2026

The addition to the ### Bedrock AgentCore resources table under ## CFN execution role permissions (line ~447) contradicts the rest of the doc:

| `bedrock-agentcore:CreateHarness`, `UpdateHarness`, `DeleteHarness`, `GetHarness`, `ListHarnesses` | Imperative harness deployment (direct API) |

That section explicitly says "These permissions are needed on the CloudFormation execution role (cdk-*-cfn-exec-role-*), not on your user" and the table's second column is "Resource Type Created" — mapping actions to CFN resource types the exec role provisions. Harness isn't CFN-managed, which is the whole point of the PR, and the scoping-down table on line 168 correctly says _(no change)_ for the CFN execution policy column.

As-is, a reader scoping down their CFN exec role would conclude they need to add these harness actions there, which is wrong (and would also contradict the bedrock-agentcore:* wildcard already in iam-policy-cfn-execution.json).

Options:

  1. Drop this row from the CFN exec role table entirely — harness isn't a CFN resource and doesn't belong here.
  2. If you want to keep a pointer for readers who are looking in this section, move it out of the ### Bedrock AgentCore resources subsection into a short note under ## CFN execution role permissions that says harness is imperative and links to the new ### Harness management section above.

@agentcore-cli-automation
Copy link
Copy Markdown

agentcore-cli-automation commented May 1, 2026

The PR description says Closes #1047, but #1047 is a closed, unrelated PR ("test(agent-inspector): add traces e2e tests") — not a harness-permissions issue. Please update the description to reference the actual tracking issue (if any), or drop the Closes link so we don't auto-close the wrong thing on merge.

notgitika added 3 commits May 1, 2026 16:31
@notgitika
docs: add iam:PassRole for harness deployment
b050dc1 
The harness deployer passes a CDK-created execution role to the
CreateHarness/UpdateHarness API, which requires iam:PassRole scoped
with iam:PassedToService condition to bedrock-agentcore.amazonaws.com.
@notgitika
fix: update E2E test to match batch evaluation API migration
a86ba70 
- batchEvaluateId → batchEvaluationId (field renamed in API migration)
- --lookback → --days for run eval (correct CLI flag)
- Tool description recommendation test now expects ValidationException
  since the test agent has no tool traces (never calls search/calculator)
@notgitika
Revert "fix: update E2E test to match batch evaluation API migration"
8e97d24 
This reverts commit a86ba70.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@notgitika @agentcore-cli-automation