17 changes: 17 additions & 0 deletions docs/PERMISSIONS.md
@@ -39,6 +39,7 @@ Attach this to every IAM user or role that will run AgentCore CLI commands. The
- `sts:GetCallerIdentity`, `cloudformation:DescribeStacks`, `tag:GetResources` for basic operations
- `bedrock-agentcore:Invoke*`, `bedrock-agentcore:Get*`, `bedrock-agentcore:List*` for invoking agents and checking
status
- Harness CRUD and invoke actions for `deploy`, `invoke`, and `status` when the project uses harnesses
- Credential provider and token vault actions for `deploy` when the project uses identity features
- CloudWatch Logs, X-Ray, and Application Signals actions for `logs`, `traces`, and observability setup
- Bedrock actions for agent import and AI-assisted code generation (optional, see
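Review bot: The new bullet lists "Harness CRUD and invoke actions" but leaves out `iam:PassRole`, which the accompanying `docs/policies/iam-policy-user.json` change adds as its own `HarnessPassRole` statement and which the new "Harness management" table below also documents as required for `deploy`. Since this summary is what readers use to audit what a principal is granted, suggest wording it as "Harness CRUD, invoke, and `iam:PassRole` (scoped to `bedrock-agentcore.amazonaws.com`) actions for `deploy`, `invoke`, and `status` when the project uses harnesses".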
@@ -164,6 +165,7 @@ safely removed:

| If your team does not use... | Remove from user policy | Remove from CFN execution policy |
| ------------------------------- | -------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------ |
| Harnesses | `HarnessManagement` | _(no change)_ |
| Container builds (CodeZip only) | _(no change)_ | `EcrContainerBuilds`, `CodeBuildContainerBuilds` |
| MCP Lambda compute | _(no change)_ | `LambdaMcpAndCustomResources` (keep if using container builds, which need Lambda for custom resources) |
| Agent import from Bedrock | `BedrockAgentImport` | _(no change)_ |
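Review bot: The "Harnesses" row tells teams to remove only `HarnessManagement` from the user policy, but the policy change in this same commit adds two harness-specific statements, `HarnessManagement` and `HarnessPassRole`. A team that follows this row literally keeps an `iam:PassRole` grant on `arn:aws:iam::ACCOUNT_ID:role/*` that nothing else in the CLI needs, which defeats the point of the trimming table. Suggest listing both Sids: `| Harnesses | `HarnessManagement`, `HarnessPassRole` | _(no change)_ |`.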
@@ -335,6 +337,21 @@ Required for all deployment operations (`deploy`, `status`, `diff`).
| `bedrock-agentcore:Evaluate` | `run evals` | Run on-demand evaluation against agent traces |
| `bedrock-agentcore:UpdateOnlineEvaluationConfig` | `pause online-eval`, `resume online-eval` | Pause or resume online evaluation |

### Harness management

Harnesses are deployed imperatively (direct API calls, not through CloudFormation), so harness CRUD permissions must be
on the developer's IAM principal, not just the CFN execution role.

| Action | CLI Commands | Purpose |
| --------------------------------- | ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| `bedrock-agentcore:CreateHarness` | `deploy` | Create a new harness |
| `bedrock-agentcore:GetHarness` | `deploy`, `status`, `invoke` | Get harness details and deployment state |
| `bedrock-agentcore:UpdateHarness` | `deploy` | Update an existing harness configuration |
| `bedrock-agentcore:DeleteHarness` | `deploy` | Delete a harness (during removal or teardown) |
| `bedrock-agentcore:ListHarnesses` | `status` | List harnesses in the account |
| `bedrock-agentcore:InvokeHarness` | `invoke` | Invoke a deployed harness (streaming) |
| `iam:PassRole` | `deploy` | Pass the CDK-created execution role to the CreateHarness/UpdateHarness API. Scope with `iam:PassedToService: bedrock-agentcore.amazonaws.com` |

### Identity and credential management

| Action | CLI Commands | Purpose |
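Review bot: Three of the actions in this table (`bedrock-agentcore:GetHarness`, `ListHarnesses`, `InvokeHarness`) are already covered by the `bedrock-agentcore:Get*`, `List*`, and `Invoke*` wildcards the document grants to every CLI principal in the "basic operations" bullets at the top of the file, so the statement this section describes effectively adds only `CreateHarness`, `UpdateHarness`, `DeleteHarness`, and `PassRole`. Worth stating that overlap here, otherwise a reader who drops `HarnessManagement` per the trimming table will expect `invoke` and `status` against existing harnesses to stop working when they will not. Separately, the `DeleteHarness` row maps only to `deploy` while its purpose says "during removal or teardown"; if a distinct removal command exists it should be named in the CLI Commands column.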
24 changes: 24 additions & 0 deletions docs/policies/iam-policy-user.json
@@ -55,6 +55,30 @@
],
"Resource": "*"
},
{
"Sid": "HarnessManagement",
"Effect": "Allow",
"Action": [
"bedrock-agentcore:CreateHarness",
"bedrock-agentcore:GetHarness",
"bedrock-agentcore:UpdateHarness",
"bedrock-agentcore:DeleteHarness",
"bedrock-agentcore:ListHarnesses",
"bedrock-agentcore:InvokeHarness"
],
"Resource": "*"
},
{
"Sid": "HarnessPassRole",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::ACCOUNT_ID:role/*",
"Condition": {
"StringEquals": {
"iam:PassedToService": "bedrock-agentcore.amazonaws.com"
}
}
},
{
"Sid": "IdentityCredentialManagement",
"Effect": "Allow",
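Review bot: The `HarnessPassRole` statement grants `iam:PassRole` on `arn:aws:iam::ACCOUNT_ID:role/*` with only an `iam:PassedToService` condition. That condition limits which service may receive the role, not which role may be passed, so a developer holding this policy can hand any role in the account that trusts `bedrock-agentcore.amazonaws.com` to a harness, including roles far more privileged than the one CDK created for it. `docs/PERMISSIONS.md` in this same change says the role passed is "the CDK-created execution role", so suggest narrowing `Resource` to the name or path pattern those roles are created under rather than `role/*`, and documenting that pattern next to the `iam:PassRole` row. The `HarnessManagement` statement's `"Resource": "*"` is the same shape as the neighbouring statements, so no change requested there, but note that `DeleteHarness` on `*` lets any developer tear down every harness in the account.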