
Commit 94c46b9

committed
fix: add CheckAuthorizePermissions to Gateway Role for Policy Engine attachment
- Add bedrock-agentcore:CheckAuthorizePermissions action (newly enforced by AgentCore) - Add /policy-engines/* resource pattern to match compound ARN format
1 parent 902ab4d commit 94c46b9

1 file changed

Lines changed: 4 additions & 1 deletion


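--- a/infra-cdk/lib/backend-stack.ts
+++ b/infra-cdk/lib/backend-stack.ts
@@ -723,13 +723,16 @@ export class BackendStack extends cdk.NestedStack {
 // Policy Engine access — required for the Gateway to verify and evaluate Cedar policies.
 // AuthorizeAction is needed on both the policy engine (to query policy decisions)
 // and the gateway itself (to apply those decisions to incoming requests).
+// CheckAuthorizePermissions uses a compound resource ARN format
+// (/policy-engines/{id}/target-resource/{gateway-arn}) requiring the /policy-engines/* pattern.
 gatewayRole.addToPolicy(
 new iam.PolicyStatement({
 effect: iam.Effect.ALLOW,
-actions: ["bedrock-agentcore:GetPolicyEngine", "bedrock-agentcore:AuthorizeAction", "bedrock-agentcore:PartiallyAuthorizeActions"],
+actions: ["bedrock-agentcore:GetPolicyEngine", "bedrock-agentcore:AuthorizeAction", "bedrock-agentcore:PartiallyAuthorizeActions", "bedrock-agentcore:CheckAuthorizePermissions"],
 resources: [
 `arn:aws:bedrock-agentcore:${this.region}:${this.account}:policy-engine/*`,
 `arn:aws:bedrock-agentcore:${this.region}:${this.account}:gateway/*`,
+`arn:aws:bedrock-agentcore:${this.region}:${this.account}:/policy-engines/*`,
 ],
 })
 )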
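Review bot: The added `:/policy-engines/*` resource grants `CheckAuthorizePermissions` against every policy engine in the account and every target resource, and because it sits in the same statement as the three pre-existing actions, all four actions now share all three wildcard resources, which is broader than the one-gateway/one-engine relationship the comment describes. If the policy engine and gateway are created earlier in this stack (outside the hunk, so I can't confirm), pin the compound ARN to them, e.g. `arn:aws:bedrock-agentcore:${this.region}:${this.account}:/policy-engines/<engine-id>/target-resource/*`, and give `CheckAuthorizePermissions` its own `iam.PolicyStatement` so the existing actions keep only `policy-engine/*` and `gateway/*`. The leading-slash ARN form is asserted in the new comment but not sourced; a note such as `// ARN shape taken from the AccessDenied message / service docs — re-verify if AgentCore changes it` would let the next maintainer confirm it instead of trusting it. The `addToPolicy` call is complete within the hunk, but the constructor it belongs to starts and ends outside it.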
