
Commit c9af45d

author
Yuriy Bezsonov
committed
feat(java-on-aws-infra): add AI Agent AgentCore runtime role and expand IAM permissions
1 parent 0d99e05 commit c9af45d

2 files changed

Lines changed: 39 additions & 3 deletions


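--- a/infra/cdk/src/main/java/sample/com/WorkshopStack.java
+++ b/infra/cdk/src/main/java/sample/com/WorkshopStack.java
@@ -168,6 +168,39 @@ public WorkshopStack(final Construct scope, final String id, final StackProps pr
 
 // java-spring-ai-agents specific resources
 if (isSpringAi) {
+// AI Agent Runtime role for AgentCore deployment
+software.amazon.awscdk.services.iam.Role aiAgentRuntimeRole = software.amazon.awscdk.services.iam.Role.Builder.create(this, "AiAgentRuntimeRole")
+.roleName("aiagent-agentcore-runtime-role")
+.assumedBy(software.amazon.awscdk.services.iam.ServicePrincipal.Builder.create("bedrock-agentcore.amazonaws.com")
+.conditions(java.util.Map.of(
+"StringEquals", java.util.Map.of("aws:SourceAccount", this.getAccount()),
+"ArnLike", java.util.Map.of("aws:SourceArn", "arn:aws:bedrock-agentcore:" + this.getRegion() + ":" + this.getAccount() + ":*")
+))
+.build())
+.description("Role for AI Agent AgentCore Runtime")
+.inlinePolicies(java.util.Map.of("AgentCoreExecutionPolicy",
+software.amazon.awscdk.services.iam.PolicyDocument.Builder.create()
+.statements(java.util.List.of(
+software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
+.effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
+.actions(java.util.List.of("bedrock:*", "bedrock-agentcore:*"))
+.resources(java.util.List.of("*"))
+.build(),
+software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
+.effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
+.actions(java.util.List.of("ecr:*", "logs:*", "xray:*", "cloudwatch:*"))
+.resources(java.util.List.of("*"))
+.build(),
+software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
+.effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
+.actions(java.util.List.of("aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe", "aws-marketplace:ViewSubscriptions"))
+.resources(java.util.List.of("*"))
+.build()
+))
+.build()
+))
+.build();
+
 // AI Agent EKS Pod Identity role with Bedrock access
 software.amazon.awscdk.services.iam.Role aiAgentEksRole = software.amazon.awscdk.services.iam.Role.Builder.create(this, "AiAgentEksRole")
 .roleName("ai-agent-eks-pod-role")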
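Review bot: The inline AgentCoreExecutionPolicy grants `bedrock:*`, `bedrock-agentcore:*`, `ecr:*`, `logs:*`, `xray:*` and `cloudwatch:*` on `*`, so anything running under this runtime role can create, modify or delete every Bedrock/AgentCore resource, ECR repository and log group in the account rather than only invoke models and pull its own image. The trust policy already pins the principal to this account and region with `aws:SourceAccount`/`aws:SourceArn`; the permissions side should be scoped the same way — invoke-only Bedrock actions on the foundation-model ARN, read-only ECR actions on the agent's repository, and write-only Logs/X-Ray/metrics actions (`logs:CreateLogGroup`, `logs:CreateLogStream`, `logs:PutLogEvents`, `xray:PutTraceSegments`, `xray:PutTelemetryRecords`, `cloudwatch:PutMetricData`) on account-scoped ARNs, with the `bedrock-agentcore:*` statement reduced to the actions the runtime documentation lists for the execution role. The hard-coded `.roleName("aiagent-agentcore-runtime-role")` also makes a second deployment of this stack in the same account fail on the name collision and forces role replacement if the name ever changes; letting CDK generate the name, or suffixing it with the stack name, avoids both. As a point of style, the repeated `software.amazon.awscdk.services.iam.` and `java.util.` qualifiers would read better as imports. The enclosing constructor starts before this hunk and the `if (isSpringAi)` block continues past it.
```java
// … unchanged: Role builder, trust policy with SourceAccount/SourceArn conditions, description …
software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
    .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
    .actions(java.util.List.of("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"))
    .resources(java.util.List.of("arn:aws:bedrock:" + this.getRegion() + "::foundation-model/*"))
    .build(),
software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
    .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
    .actions(java.util.List.of("ecr:GetAuthorizationToken"))   // token call is not resource-scopable
    .resources(java.util.List.of("*"))
    .build(),
software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
    .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
    .actions(java.util.List.of("ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer", "ecr:BatchCheckLayerAvailability"))
    .resources(java.util.List.of("arn:aws:ecr:" + this.getRegion() + ":" + this.getAccount() + ":repository/<AGENT_IMAGE_REPOSITORY>"))
    .build(),
software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
    .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
    .actions(java.util.List.of("logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"))
    .resources(java.util.List.of("arn:aws:logs:" + this.getRegion() + ":" + this.getAccount() + ":log-group:<AGENTCORE_LOG_GROUP_PREFIX>*"))
    .build(),
software.amazon.awscdk.services.iam.PolicyStatement.Builder.create()
    .effect(software.amazon.awscdk.services.iam.Effect.ALLOW)
    .actions(java.util.List.of("xray:PutTraceSegments", "xray:PutTelemetryRecords", "cloudwatch:PutMetricData"))
    .resources(java.util.List.of("*"))   // these APIs are not resource-scopable
    .build(),
// … unchanged: bedrock-agentcore statement (narrow to the documented runtime actions) and marketplace statement …
```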

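--- a/infra/cdk/src/main/resources/iam-policy.json
+++ b/infra/cdk/src/main/resources/iam-policy.json
@@ -31,6 +31,8 @@
 "bedrock:*",
 "bedrock-agentcore:*",
 "apigateway:*",
+"cloudfront:*",
+"cognito-idp:*",
 "application-autoscaling:*",
 "application-signals:*",
 "cloudformation:*",
@@ -47,6 +49,7 @@
 "logs:*",
 "rds:*",
 "s3:*",
+"s3vectors:*",
 "secretsmanager:*",
 "ssm:*",
 "sts:*",
@@ -66,9 +69,9 @@
 "arn:aws:iam::{{.AccountId}}:role/unicorn*",
 "arn:aws:iam::{{.AccountId}}:role/service-role/unicorn*",
 "arn:aws:iam::{{.AccountId}}:role/ai-jvm-analyzer*",
-"arn:aws:iam::{{.AccountId}}:role/workshop-*",
-"arn:aws:iam::{{.AccountId}}:role/ai-agent*",
-"arn:aws:iam::{{.AccountId}}:role/mcp-server*"
+"arn:aws:iam::{{.AccountId}}:role/workshop*",
+"arn:aws:iam::{{.AccountId}}:role/aiagent*",
+"arn:aws:iam::{{.AccountId}}:role/mcpserver*"
 ]
 },
 {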
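Review bot: The last hunk replaces `role/ai-agent*` with `role/aiagent*`, but WorkshopStack.java in this same commit still creates `.roleName("ai-agent-eks-pod-role")` (visible as context right after its hunk), which the new pattern no longer matches; if this resource list is what lets the workshop principal create, tag or pass those roles, deploying the Spring AI branch will be denied on that role. Keep the old pattern next to the new one until that role is renamed: `"arn:aws:iam::{{.AccountId}}:role/ai-agent*",`. Dropping the hyphens in `workshop*` and `mcpserver*` also widens the match to any role whose name merely begins with those letters, which looks broader than intended. The first two hunks add `cloudfront:*`, `cognito-idp:*` and `s3vectors:*` to an already service-wide wildcard list; each grants full administrative control over that service, so it is worth listing only the actions the workshop exercises, or at least adding a comment in the accompanying documentation stating why full access is acceptable here.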
