
Conversation

@icoxfog417
Contributor

Problem

GenU deployment fails when creating AgentCore Runtime with error:
Failed creating service linked role. Please verify that the calling role has sufficient permissions to create a service linked role.

Root Cause

Starting October 13, 2025, AgentCore Runtime creation requires the AWSServiceRoleForBedrockAgentCoreRuntimeIdentity service-linked role. The Custom Resource Lambda lacks iam:CreateServiceLinkedRole permission.

Solution

Added missing IAM permission to Custom Resource role for Runtime Identity service-linked role creation.

Reference

https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/service-linked-roles.html

Testing

  • Verified permission matches AWS managed policy BedrockAgentCoreFullAccess
  • Confirmed only Runtime Identity role needed (PUBLIC network mode)
  • Added proper IAM conditions for security
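As an added example that is not GenU's own code: the kind of scoped statement this PR describes for the Custom Resource role, with a small reviewer check that flags over-broad variants (resource `*`, missing `iam:AWSServiceName` condition). The service principal name is an assumption taken from the AWS service-linked roles page referenced above; verify it there before reuse.

```typescript
// Added example (not GenU's own code). ASSUMPTION: the service principal below
// comes from the AWS service-linked roles doc linked in the PR; verify it there.
const SLR_SERVICE = "runtime-identity.bedrock-agentcore.amazonaws.com";
const SLR_ROLE = "AWSServiceRoleForBedrockAgentCoreRuntimeIdentity";

type IamStatement = {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};

// Scoped by both the SLR ARN and iam:AWSServiceName, so the Custom Resource
// Lambda can create exactly this one service-linked role and nothing else.
const createRuntimeIdentitySlr: IamStatement = {
  Sid: "CreateAgentCoreRuntimeIdentitySlr",
  Effect: "Allow",
  Action: "iam:CreateServiceLinkedRole",
  Resource: `arn:aws:iam::*:role/aws-service-role/${SLR_SERVICE}/${SLR_ROLE}`,
  Condition: { StringEquals: { "iam:AWSServiceName": SLR_SERVICE } },
};

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Review a statement meant to grant SLR creation. Returns findings; an empty
// list means the grant is limited to the AgentCore Runtime Identity role.
function reviewSlrStatement(stmt: IamStatement): string[] {
  const findings: string[] = [];
  const actions = asList(stmt.Action);
  if (stmt.Effect !== "Allow") findings.push("Effect is not Allow");
  if (actions.some((a) => a === "*" || a === "iam:*")) {
    findings.push("Action uses a wildcard broader than iam:CreateServiceLinkedRole");
  } else if (!actions.includes("iam:CreateServiceLinkedRole")) {
    findings.push("Action does not include iam:CreateServiceLinkedRole");
  }
  const slrPath = `/aws-service-role/${SLR_SERVICE}/`;
  if (asList(stmt.Resource).some((r) => r === "*" || !r.includes(slrPath))) {
    findings.push("Resource is not limited to the Runtime Identity SLR ARN");
  }
  const svc = stmt.Condition?.StringEquals?.["iam:AWSServiceName"];
  if (!svc || !asList(svc).every((s) => s === SLR_SERVICE)) {
    findings.push("Missing or wrong iam:AWSServiceName condition");
  }
  return findings;
}
```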

…ation

- Add iam:CreateServiceLinkedRole permission to Custom Resource role
- Required for AWSServiceRoleForBedrockAgentCoreRuntimeIdentity creation
- Fixes deployment failure since October 13, 2025 AgentCore Runtime changes

Reference: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/service-linked-roles.html
@icoxfog417 icoxfog417 force-pushed the fix/agentcore-deployment branch from d571928 to 9906289 Compare October 17, 2025 04:42
@icoxfog417
Contributor Author

After the deployment experiment: 1) AgentCore deployment succeeded without the policy for service-linked role creation. 2) Both GenU and one-click deployment were successful without this permission.

We have observed that some customers faced these service-linked-role related issues. Therefore we close this pull request, but will apply it if we can find out the conditions for this issue.

@icoxfog417 icoxfog417 closed this Oct 17, 2025
@kazuhitogo
Collaborator

kazuhitogo commented Oct 17, 2025

【memo】Could not reproduce, so closing for now.
When the error occurs, the following is output:

creating service linked role. 
Please verify that the calling role has sufficient permissions to create a service linked role. 
Logs: /aws/lambda/AgentCoreRuntime-AgentCoreStackdev-B8F5E892 
 at de_AccessDeniedExceptionRes (/var/task/node_modules/@aws-sdk/client-bedrock-agentcore-control/dist-cjs/protocols/Aws_restJson1.js:1793:23) 
 at de_CommandError (/var/task/node_modules/@aws-sdk/client-bedrock-agentcore-control/dist-cjs/protocols/Aws_restJson1.js:1736:25) 
 at process.processTicksAndRejections (node:internal/process/task_queues:105:5) 
 at async /var/task/node_modules/@smithy/middleware-serde/dist-cjs/index.js:36:20 
 at async /var/task/node_modules/@smithy/core/dist-cjs/index.js:193:18 
 at async /var/task/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38 
 at async /var/task/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:33:22 
 at async createAgentRuntime (/var/task/index.js:55:20) at async Runtime.handler (/var/task/index.js:148:53) 
(RequestId: 70f9412d-3908-45f9-93ef-e6e5120b4f8a)

@icoxfog417 icoxfog417 reopened this Oct 20, 2025
@icoxfog417
Contributor Author

Reopen the PR because we have observed multiple issues.

@kazuhitogo kazuhitogo requested review from kazuhitogo and tbrand and removed request for tbrand October 22, 2025 09:24
Collaborator

@kazuhitogo kazuhitogo left a comment


LGTM

@kazuhitogo kazuhitogo merged commit fd2938f into aws-samples:main Oct 22, 2025
2 checks passed