fix: Add missing IAM permission for AgentCore service-linked role creation (#1327)

icoxfog417 · web-flow · commit fd2938f6c708 · 2025-10-22T18:38:38.000+09:00
TY!
diff --git a/packages/cdk/lib/construct/generic-agent-core.ts b/packages/cdk/lib/construct/generic-agent-core.ts
@@ -185,6 +185,23 @@ export class GenericAgentCore extends Construct {
       })
     );
 
+    // Add permission to create AgentCore service-linked role (required since Oct 13, 2025)
+    role.addToPolicy(
+      new PolicyStatement({
+        sid: 'CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole',
+        effect: Effect.ALLOW,
+        actions: ['iam:CreateServiceLinkedRole'],
+        resources: [
+          `arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity`,
+        ],
+        conditions: {
+          StringEquals: {
+            'iam:AWSServiceName': 'runtime-identity.bedrock-agentcore.amazonaws.com',
+          },
+        },
+      })
+    );
+
     return role;
   }
 
diff --git a/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap b/packages/cdk/test/__snapshots__/generative-ai-use-cases.test.ts.snap
@@ -4526,6 +4526,17 @@ exports[`GenerativeAiUseCases matches the snapshot (closed network mode) 4`] = `
               "Resource": "*",
               "Sid": "IAMPassRolePermissions",
             },
+            {
+              "Action": "iam:CreateServiceLinkedRole",
+              "Condition": {
+                "StringEquals": {
+                  "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com",
+                },
+              },
+              "Effect": "Allow",
+              "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
+              "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole",
+            },
           ],
           "Version": "2012-10-17",
         },
@@ -25739,6 +25750,17 @@ exports[`GenerativeAiUseCases matches the snapshot 4`] = `
               "Resource": "*",
               "Sid": "IAMPassRolePermissions",
             },
+            {
+              "Action": "iam:CreateServiceLinkedRole",
+              "Condition": {
+                "StringEquals": {
+                  "iam:AWSServiceName": "runtime-identity.bedrock-agentcore.amazonaws.com",
+                },
+              },
+              "Effect": "Allow",
+              "Resource": "arn:aws:iam::*:role/aws-service-role/runtime-identity.bedrock-agentcore.amazonaws.com/AWSServiceRoleForBedrockAgentCoreRuntimeIdentity",
+              "Sid": "CreateBedrockAgentCoreRuntimeIdentityServiceLinkedRole",
+            },
           ],
           "Version": "2012-10-17",
         },
