fix(iam): grant bedrock-agentcore:* to the screenshot processor

isadeks · claude · isadeks · commit fbf0de08fdd5 · 2026-05-20T18:43:28.000-07:00
The minimal IAM I shipped earlier (`StartBrowserSession`, `StopBrowserSession`, `GetBrowserSession`, `UpdateBrowserStream`) wasn't enough — the WSS automation-stream connect requires an additional `ConnectBrowserAutomationStream`-flavored action that isn't in the public CLI command list. Lambda invocations were opening sessions cleanly but 403'ing on the WSS upgrade. Widen to `bedrock-agentcore:*` to unblock the e2e flow. Followup: scope back down to the specific connect action once it's documented or surfaced via CloudTrail decoded-message-on-deny. Smoke verified: PR #1 on isadeks/vercel-abca-linear now receives a screenshot comment within ~7s of the deployment_status webhook. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/cdk/src/constructs/github-screenshot-integration.ts b/cdk/src/constructs/github-screenshot-integration.ts
@@ -149,16 +149,15 @@ export class GitHubScreenshotIntegration extends Construct {
     this.screenshotBucket.bucket.grantPut(this.webhookProcessorFn);
     props.githubTokenSecret.grantRead(this.webhookProcessorFn);
 
-    // AgentCore Browser session lifecycle. The data-plane API doesn't
-    // support per-resource ARNs (sessions are ephemeral), so wildcards
-    // are required — annotated with a cdk-nag suppression below.
+    // AgentCore Browser session lifecycle + automation-stream connect.
+    // The data-plane API doesn't support per-resource ARNs (sessions
+    // are ephemeral), so wildcards are required — annotated with a
+    // cdk-nag suppression below. The wildcard set covers
+    // `ConnectBrowserAutomationStream` (the SigV4-presigned WSS dial)
+    // which lives under the same prefix but isn't visible in the
+    // public CLI command list.
     this.webhookProcessorFn.addToRolePolicy(new iam.PolicyStatement({
-      actions: [
-        'bedrock-agentcore:StartBrowserSession',
-        'bedrock-agentcore:StopBrowserSession',
-        'bedrock-agentcore:GetBrowserSession',
-        'bedrock-agentcore:UpdateBrowserStream',
-      ],
+      actions: ['bedrock-agentcore:*'],
       resources: ['*'],
     }));
 
