agentcore deploy should support configuring resource-based policies #607

Description

@jariy17

Problem

When deploying resources with agentcore deploy, there is no way to configure resource-based policies. This means cross-account access to deployed resources fails with AccessDeniedException.

For example, invoking an agent runtime cross-account:

botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) 
when calling the InvokeAgentRuntime operation: User: arn:aws:sts::ACCOUNT_A:assumed-role/Admin/user 
is not authorized to perform: bedrock-agentcore:InvokeAgentRuntime on resource: 
arn:aws:bedrock-agentcore:us-west-2:ACCOUNT_B:runtime/MyAgent because no resource-based 
policy allows the bedrock-agentcore:InvokeAgentRuntime action

This applies to any AgentCore resource that supports resource-based policies, not just agent runtimes.

Expected Behavior

The agentcore.json project spec should support an optional resource policy configuration, e.g.:

{
  "agents": [
    {
      "name": "MyAgent",
      "type": "AgentCoreRuntime",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:root"
      ]
    }
  ]
}

agentcore deploy should apply the corresponding resource-based policy after creating/updating the resource. This should be supported across all AgentCore resource types that support resource-based policies (agent runtimes, memory stores, etc.).
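As an added illustration (not code from the agentcore CLI, the AgentCore service, or this issue), the following Python shows what the proposed allowedPrincipals field would have to turn into: a standard IAM resource-based policy scoped to the concrete runtime ARN, plus a small evaluator that reproduces the resource-policy half of the cross-account check so the AccessDeniedException above can be reproduced and fixed offline. Assumptions: the agentcore.json shape is the one proposed in this issue; the action-per-resource-type mapping (ACTIONS_BY_TYPE) and the sample ARNs are constructed for the example; the API call that would actually attach the policy is not shown because the issue does not name one.

```python
import fnmatch
import json

# Constructed sample of the agentcore.json shape proposed in this issue
# (not a real project file). Account 123456789012 plays ACCOUNT_A (the caller).
SPEC = {
    "agents": [
        {
            "name": "MyAgent",
            "type": "AgentCoreRuntime",
            "allowedPrincipals": ["arn:aws:iam::123456789012:root"],
        }
    ]
}

# Assumption for this example: the action a cross-account caller needs per resource type.
ACTIONS_BY_TYPE = {
    "AgentCoreRuntime": ["bedrock-agentcore:InvokeAgentRuntime"],
}


def arn_account(arn: str) -> str:
    """Account id is the 5th colon-separated field of an ARN."""
    return arn.split(":", 5)[4]


def build_resource_policy(agent: dict, resource_arn: str) -> dict:
    """Turn one agent entry into the resource-based policy a deploy step would attach.
    One Allow statement, scoped to the concrete resource ARN rather than "*"."""
    principals = agent.get("allowedPrincipals", [])
    if not principals:
        raise ValueError("no allowedPrincipals: nothing to grant")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"CrossAccountAccess{agent['name']}",
                "Effect": "Allow",
                "Principal": {"AWS": principals},
                "Action": ACTIONS_BY_TYPE[agent["type"]],
                "Resource": resource_arn,
            }
        ],
    }


def principal_matches(allowed: str, caller_arn: str) -> bool:
    """Match a caller against one entry of Principal.AWS.
    arn:aws:iam::ACCT:root means "any principal in ACCT" (still gated by that
    account's own identity policies); an IAM role ARN also matches the STS
    assumed-role session ARN that the role produces."""
    if allowed.endswith(":root"):
        return arn_account(allowed) == arn_account(caller_arn)
    if allowed.startswith("arn:aws:iam::") and ":role/" in allowed:
        role_name = allowed.rsplit("/", 1)[1]
        session_prefix = f"arn:aws:sts::{arn_account(allowed)}:assumed-role/{role_name}/"
        return caller_arn == allowed or caller_arn.startswith(session_prefix)
    return caller_arn == allowed


def resource_policy_allows(policy: dict, caller_arn: str, action: str, resource_arn: str) -> bool:
    """Evaluate only the resource-policy side of a cross-account call.
    The caller's identity policy in its own account must also allow the action;
    that half is not modelled here. An explicit Deny always wins."""
    allowed = False
    for stmt in policy["Statement"]:
        principals = stmt["Principal"]["AWS"]
        principals = [principals] if isinstance(principals, str) else principals
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if not any(principal_matches(p, caller_arn) for p in principals):
            continue
        # IAM action names are case-insensitive and may carry * wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    runtime = "arn:aws:bedrock-agentcore:us-west-2:999999999999:runtime/MyAgent"
    policy = build_resource_policy(SPEC["agents"][0], runtime)
    print(json.dumps(policy, indent=2))
    caller = "arn:aws:sts::123456789012:assumed-role/Admin/user"
    print(resource_policy_allows(policy, caller, "bedrock-agentcore:InvokeAgentRuntime", runtime))
```

Two practitioner notes on the generated document: a `:root` principal grants every identity in that account that also carries a matching identity policy, so listing the specific caller role ARN is the tighter choice when it is known; and the Resource should stay the concrete runtime ARN, since a `*` there would extend the grant to every resource the same policy could be attached to.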
