From 46565c256ad3c821acd9234c48031d83a198e563 Mon Sep 17 00:00:00 2001 From: "T.J Ariyawansa" Date: Fri, 1 May 2026 21:02:35 +0000 Subject: [PATCH 1/5] fix: add missing IAM permissions to e2e policy for config bundles and HTTP gateways - Add ConfigBundleManagement: CreateConfigurationBundle and related CRUD actions needed by post-deploy-config-bundles.ts - Add HttpGatewayIamRoleManagement: iam:CreateRole/DeleteRole/GetRole/ PutRolePolicy/DeleteRolePolicy scoped to arn:aws:iam::*:role/AgentCore-* needed by post-deploy-http-gateways.ts to create execution roles Without these, config-bundle-eval-rec.test.ts and ab-test-target-based.test.ts fail in CI with 403 authorization errors. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docs/policies/iam-policy-user.json | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/docs/policies/iam-policy-user.json b/docs/policies/iam-policy-user.json index d2467a134..3a41d6bfc 100644 --- a/docs/policies/iam-policy-user.json +++ b/docs/policies/iam-policy-user.json @@ -135,6 +135,32 @@ "s3:GetObject" ], "Resource": "*" + }, + { + "Sid": "ConfigBundleManagement", + "Effect": "Allow", + "Action": [ + "bedrock-agentcore:CreateConfigurationBundle", + "bedrock-agentcore:UpdateConfigurationBundle", + "bedrock-agentcore:DeleteConfigurationBundle", + "bedrock-agentcore:GetConfigurationBundle", + "bedrock-agentcore:GetConfigurationBundleVersion", + "bedrock-agentcore:ListConfigurationBundles", + "bedrock-agentcore:ListConfigurationBundleVersions" + ], + "Resource": "*" + }, + { + "Sid": "HttpGatewayIamRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:CreateRole", + "iam:DeleteRole", + "iam:GetRole", + "iam:PutRolePolicy", + "iam:DeleteRolePolicy" + ], + "Resource": "arn:aws:iam::*:role/AgentCore-*" } ] } From 21380d16862fac89f62a19344360f70fca2e02f4 Mon Sep 17 00:00:00 2001 From: "T.J Ariyawansa" Date: Fri, 1 May 2026 21:11:08 +0000 Subject: [PATCH 2/5] fix: add missing IAM permissions and fix --lookback flag in e2e tests IAM policy (docs/policies/iam-policy-user.json): - Add BatchEvalAndRecommendation: StartBatchEvaluation, StartRecommendation and related Get/List actions (already had ConfigBundle and HttpGateway IAM) Test fix (e2e-tests/config-bundle-eval-rec.test.ts): - run eval uses --days not --lookback; fix the flag name Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docs/policies/iam-policy-user.json | 13 +++++++++++++ e2e-tests/config-bundle-eval-rec.test.ts | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/docs/policies/iam-policy-user.json b/docs/policies/iam-policy-user.json index 3a41d6bfc..fbf3f31be 100644 --- a/docs/policies/iam-policy-user.json +++ b/docs/policies/iam-policy-user.json @@ -161,6 +161,19 @@ "iam:DeleteRolePolicy" ], "Resource": "arn:aws:iam::*:role/AgentCore-*" + }, + { + "Sid": "BatchEvalAndRecommendation", + "Effect": "Allow", + "Action": [ + "bedrock-agentcore:StartBatchEvaluation", + "bedrock-agentcore:GetBatchEvaluation", + "bedrock-agentcore:ListBatchEvaluations", + "bedrock-agentcore:StartRecommendation", + "bedrock-agentcore:GetRecommendation", + "bedrock-agentcore:ListRecommendations" + ], + "Resource": "*" } ] } diff --git a/e2e-tests/config-bundle-eval-rec.test.ts b/e2e-tests/config-bundle-eval-rec.test.ts index 8151ac586..e7792ebc0 100644 --- a/e2e-tests/config-bundle-eval-rec.test.ts +++ b/e2e-tests/config-bundle-eval-rec.test.ts @@ -446,7 +446,7 @@ describe.sequential('e2e: config bundles, batch evaluation, and recommendations' agentName, '--evaluator', 'Builtin.Faithfulness', - '--lookback', + '--days', '1', '--json', ]); From e812e4f617950c952d1516a17388816a516a1054 Mon Sep 17 00:00:00 2001 From: "T.J Ariyawansa" Date: Fri, 1 May 2026 21:12:59 +0000 Subject: [PATCH 3/5] docs: sync iam-policy-user.json with live e2e role Bring the documented policy fully in sync with what is deployed on the e2e-github-actions role. Adds actions that were missing from the docs: - InvokeAgentRuntimeForUser, InvokeAgentRuntimeCommand, InvokeModelWithResponseStream - DeleteApiKeyCredentialProvider, ListApiKeyCredentialProviders - Full AgentCore resource management (CreateAgentRuntime, gateways, memories, etc.) - cloudformation:*, ssm:GetParameter(s), cloudformation:GetTemplate - secretsmanager CRUD, cognito-idp for custom JWT e2e setup - HarnessManagement + HarnessPassRole - Kept ACCOUNT_ID placeholder for account-specific resources Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docs/policies/iam-policy-user.json | 142 ++++++++++++++++++++++++++++- 1 file changed, 141 insertions(+), 1 deletion(-) diff --git a/docs/policies/iam-policy-user.json b/docs/policies/iam-policy-user.json index fbf3f31be..5e49fdc4f 100644 --- a/docs/policies/iam-policy-user.json +++ b/docs/policies/iam-policy-user.json @@ -62,6 +62,8 @@ "bedrock-agentcore:GetApiKeyCredentialProvider", "bedrock-agentcore:CreateApiKeyCredentialProvider", "bedrock-agentcore:UpdateApiKeyCredentialProvider", + "bedrock-agentcore:DeleteApiKeyCredentialProvider", + "bedrock-agentcore:ListApiKeyCredentialProviders", "bedrock-agentcore:GetOauth2CredentialProvider", "bedrock-agentcore:CreateOauth2CredentialProvider", "bedrock-agentcore:UpdateOauth2CredentialProvider", @@ -114,7 +116,10 @@ { "Sid": "BedrockModelInvocation", "Effect": "Allow", - "Action": "bedrock:InvokeModel", + "Action": [ + "bedrock:InvokeModel", + "bedrock:InvokeModelWithResponseStream" + ], "Resource": "*" }, { @@ -136,6 +141,141 @@ ], "Resource": "*" }, + { + "Sid": "AgentCoreResourceManagement", + "Effect": "Allow", + "Action": [ + "bedrock-agentcore:CreateAgentRuntime", + "bedrock-agentcore:UpdateAgentRuntime", + "bedrock-agentcore:DeleteAgentRuntime", + "bedrock-agentcore:ListAgentRuntimes", + "bedrock-agentcore:CreateAgentRuntimeEndpoint", + "bedrock-agentcore:CreateWorkloadIdentity", + "bedrock-agentcore:DeleteWorkloadIdentity", + "bedrock-agentcore:CreateMemory", + "bedrock-agentcore:GetMemory", + "bedrock-agentcore:UpdateMemory", + "bedrock-agentcore:DeleteMemory", + "bedrock-agentcore:ListMemories", + "bedrock-agentcore:CreateEvaluator", + "bedrock-agentcore:DeleteEvaluator", + "bedrock-agentcore:ListOnlineEvaluationConfigs", + "bedrock-agentcore:TagResource", + "bedrock-agentcore:ListTagsForResource", + "bedrock-agentcore:CreateGateway", + "bedrock-agentcore:UpdateGateway", + "bedrock-agentcore:DeleteGateway", + "bedrock-agentcore:GetGateway", + "bedrock-agentcore:ListGateways", + "bedrock-agentcore:CreateGatewayTarget", + "bedrock-agentcore:UpdateGatewayTarget", + "bedrock-agentcore:DeleteGatewayTarget", + "bedrock-agentcore:GetGatewayTarget", + "bedrock-agentcore:SynchronizeGatewayTargets" + ], + "Resource": "*" + }, + { + "Sid": "CloudFormationFull", + "Effect": "Allow", + "Action": "cloudformation:*", + "Resource": "*" + }, + { + "Sid": "SsmParameterLookup", + "Effect": "Allow", + "Action": [ + "ssm:GetParameters", + "ssm:GetParameter" + ], + "Resource": "*" + }, + { + "Sid": "CloudFormationTemplateVerification", + "Effect": "Allow", + "Action": "cloudformation:GetTemplate", + "Resource": "*" + }, + { + "Sid": "ImportTestIam", + "Effect": "Allow", + "Action": [ + "iam:GetRole", + "iam:CreateRole", + "iam:AttachRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": "arn:aws:iam::ACCOUNT_ID:role/bugbash-agentcore-role" + }, + { + "Sid": "ImportTestPassRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::ACCOUNT_ID:role/bugbash-agentcore-role", + "Condition": { + "StringEquals": { + "iam:PassedToService": "bedrock-agentcore.amazonaws.com" + } + } + }, + { + "Sid": "ImportTestS3", + "Effect": "Allow", + "Action": [ + "s3:ListBucket", + "s3:CreateBucket", + "s3:PutObject" + ], + "Resource": "*" + }, + { + "Sid": "SecretsManager", + "Effect": "Allow", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:CreateSecret", + "secretsmanager:DeleteSecret" + ], + "Resource": "*" + }, + { + "Sid": "CustomJwtCognitoSetup", + "Effect": "Allow", + "Action": [ + "cognito-idp:CreateUserPool", + "cognito-idp:CreateUserPoolDomain", + "cognito-idp:CreateResourceServer", + "cognito-idp:CreateUserPoolClient", + "cognito-idp:DeleteResourceServer", + "cognito-idp:DeleteUserPoolDomain", + "cognito-idp:DeleteUserPool" + ], + "Resource": "*" + }, + { + "Sid": "HarnessManagement", + "Effect": "Allow", + "Action": [ + "bedrock-agentcore:CreateHarness", + "bedrock-agentcore:GetHarness", + "bedrock-agentcore:UpdateHarness", + "bedrock-agentcore:DeleteHarness", + "bedrock-agentcore:ListHarnesses", + "bedrock-agentcore:InvokeHarness" + ], + "Resource": "*" + }, + { + "Sid": "HarnessPassRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::ACCOUNT_ID:role/*", + "Condition": { + "StringEquals": { + "iam:PassedToService": "bedrock-agentcore.amazonaws.com" + } + } + }, { "Sid": "ConfigBundleManagement", "Effect": "Allow", From 5d0683743b455453e553cedbabc0fb2f59dfd5b5 Mon Sep 17 00:00:00 2001 From: "T.J Ariyawansa" Date: Fri, 1 May 2026 21:23:09 +0000 Subject: [PATCH 4/5] fix: add iam:TagRole and iam:PassRole for HTTP gateway role management CreateRoleCommand passes Tags so iam:TagRole is required. After creation, the role ARN is passed to createHttpGateway() which requires iam:PassRole on the caller. Both scoped to AgentCore-* resource. Caught by agentcore-cli-automation review on PR #1092. Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docs/policies/iam-policy-user.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/policies/iam-policy-user.json b/docs/policies/iam-policy-user.json index 5e49fdc4f..26a85c68a 100644 --- a/docs/policies/iam-policy-user.json +++ b/docs/policies/iam-policy-user.json @@ -298,7 +298,9 @@ "iam:DeleteRole", "iam:GetRole", "iam:PutRolePolicy", - "iam:DeleteRolePolicy" + "iam:DeleteRolePolicy", + "iam:TagRole", + "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/AgentCore-*" }, From ba544156a5fc2452063c9afdf2a481970266c694 Mon Sep 17 00:00:00 2001 From: "T.J Ariyawansa" Date: Fri, 1 May 2026 21:33:22 +0000 Subject: [PATCH 5/5] style: run prettier on iam-policy-user.json Co-Authored-By: Claude Sonnet 4.6 (1M context) --- docs/policies/iam-policy-user.json | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) diff --git a/docs/policies/iam-policy-user.json b/docs/policies/iam-policy-user.json index 26a85c68a..03bcafee7 100644 --- a/docs/policies/iam-policy-user.json +++ b/docs/policies/iam-policy-user.json @@ -116,10 +116,7 @@ { "Sid": "BedrockModelInvocation", "Effect": "Allow", - "Action": [ - "bedrock:InvokeModel", - "bedrock:InvokeModelWithResponseStream" - ], + "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"], "Resource": "*" }, { @@ -184,10 +181,7 @@ { "Sid": "SsmParameterLookup", "Effect": "Allow", - "Action": [ - "ssm:GetParameters", - "ssm:GetParameter" - ], + "Action": ["ssm:GetParameters", "ssm:GetParameter"], "Resource": "*" }, { @@ -199,12 +193,7 @@ { "Sid": "ImportTestIam", "Effect": "Allow", - "Action": [ - "iam:GetRole", - "iam:CreateRole", - "iam:AttachRolePolicy", - "iam:PutRolePolicy" - ], + "Action": ["iam:GetRole", "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy"], "Resource": "arn:aws:iam::ACCOUNT_ID:role/bugbash-agentcore-role" }, { @@ -221,21 +210,13 @@ { "Sid": "ImportTestS3", "Effect": "Allow", - "Action": [ - "s3:ListBucket", - "s3:CreateBucket", - "s3:PutObject" - ], + "Action": ["s3:ListBucket", "s3:CreateBucket", "s3:PutObject"], "Resource": "*" }, { "Sid": "SecretsManager", "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue", - "secretsmanager:CreateSecret", - "secretsmanager:DeleteSecret" - ], + "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret"], "Resource": "*" }, {