From 9906289de92034c37e1d5d3ad95436c94cd0c349 Mon Sep 17 00:00:00 2001
From: Takahiro Kubo
Date: Fri, 17 Oct 2025 04:42:04 +0000
Subject: [PATCH 1/2] fix: Add missing IAM permission for AgentCore service-linked role creation

- Add iam:CreateServiceLinkedRole permission to Custom Resource role
- Required for AWSServiceRoleForBedrockAgentCoreRuntimeIdentity creation
- Fixes deployment failure since October 13, 2025 AgentCore Runtime changes

Reference: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/service-linked-roles.html
---
 .../cdk/lib/construct/generic-agent-core.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/packages/cdk/lib/construct/generic-agent-core.ts b/packages/cdk/lib/construct/generic-agent-core.ts
index c32f798ee..33fd48015 100644
--- a/packages/cdk/lib/construct/generic-agent-core.ts
+++ b/packages/cdk/lib/construct/generic-agent-core.ts
@@ -185,6 +185,23 @@ export class GenericAgentCore extends Construct {
       })
     );
 
+    // Add permission to create AgentCore service-linked role (required since Oct 13, 2025)
+    role.addToPolicy(
+      new PolicyStatement({
+        sid: 'CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole',
+        effect: Effect.ALLOW,
+        actions: ['iam:CreateServiceLinkedRole'],
+        resources: [
+          `arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity`,
+        ],
+        conditions: {
+          StringEquals: {
+            'iam:AWSServiceName': 'runtime-identity.bedrock-agentcore.amazonaws.com',
+          },
+        },
+      })
+    );
+
     return role;
   }
 

From b99a0c2472e1bb8fcc281b8b018cccd7af320aab Mon Sep 17 00:00:00 2001
From: Takahiro Kubo
Date: Wed, 22 Oct 2025 00:16:36 +0000
Subject: [PATCH 2/2] Update snapshot

---
 .../generative-ai-use-cases.test.ts.snap | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
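Review bot: The new `resources` entry hardcodes the `aws` partition and wildcards the account (`arn:aws:iam::*:role/aws-service-role/...`), which makes the statement broader than the action needs and means it will not match if this stack is ever deployed in the aws-cn or aws-us-gov partitions; the backtick template literal also contains no interpolation, which suggests it was meant to. Because a service-linked role can only be created in the caller's own account, the ARN could be pinned to the stack's own partition and account, e.g. `arn:${Stack.of(this).partition}:iam::${Stack.of(this).account}:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity` (assuming `Stack` from `aws-cdk-lib` is imported in this file, which is outside the hunk). The `iam:AWSServiceName` condition already restricts the action to the intended service and should stay as-is. The enclosing method starts outside the hunk, and the snapshot hunks in the second patch would need regenerating after such a change.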
diff --git a/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap b/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
index 2d92004ba..026241a8d 100644
--- a/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
+++ b/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
@@ -4526,6 +4526,17 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 4`] = `
             "Resource": "*",
             "Sid": "IAMPassRolePermissions",
           },
+          {
+            "Action": "iam:CreateServiceLinkedRole",
+            "Condition": {
+              "StringEquals": {
+                "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com",
+              },
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
+            "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole",
+          },
         ],
         "Version": "2012-10-17",
       },
@@ -25739,6 +25750,17 @@ exports[`GenerativeAiUseCases matches the snapshot 4`] = `
             "Resource": "*",
             "Sid": "IAMPassRolePermissions",
           },
+          {
+            "Action": "iam:CreateServiceLinkedRole",
+            "Condition": {
+              "StringEquals": {
+                "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com",
+              },
+            },
+            "Effect": "Allow",
+            "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
+            "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole",
+          },
         ],
         "Version": "2012-10-17",
       },