fix(agentcore): custom execution role policy for runtime lacks proper permissions (#35849)

### Issue # (if applicable)

Closes #35852 .

### Reason for this change



ECR permissions are attached even when the role is a custom role or an imported role. (https://github.com/aws/aws-cdk/blob/v2.221.0/packages/%40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-artifact.ts#L65)

However, the other required permissions are only granted to a policy for an auto-generated role. (https://github.com/aws/aws-cdk/blob/v2.221.0/packages/%40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts#L252-L259)

In constructs of other common modules, permissions are attached even when a custom role is passed.

- https://github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-codepipeline/lib/pipeline.ts#L693
- https://github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-lambda/lib/function.ts#L1468
- https://github.com/aws/aws-cdk/blob/v2.221.0/packages/aws-cdk-lib/aws-ecs/lib/base/base-service.ts#L1161

So this PR adds the permissions to the custom role.

FYI: If you avoid to add the permissions to the custom role, you can use `withoutPolicyUpdates()` method for Role.

### Description of changes



Add the permissions to the custom role.

### Describe any new or updated permissions being added




### Description of how you validated changes



Both unit tests and an integ test.

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: go-to-k

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime.ts

@@ -255,8 +255,13 @@ export class Runtime extends RuntimeBase {
         this.validateRoleArn(props.executionRole.roleArn);
       }
     } else {
-      this.role = this.createExecutionRole();
+      this.role = new iam.Role(this, 'ExecutionRole', {
+        assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
+        description: 'Execution role for Bedrock Agent Core Runtime',
+        maxSessionDuration: Duration.hours(8),
+      });
     }
+    this.addExecutionRolePermissions();
 
     this.grantPrincipal = this.role;
     this.agentRuntimeArtifact = props.agentRuntimeArtifact;
@@ -320,53 +325,47 @@ export class Runtime extends RuntimeBase {
   }
 
   /**
-   * Creates an execution role for the agent runtime with proper permissions
+   * Adds proper permissions to the execution role for the agent runtime
    * Based on: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/runtime-permissions.html
    */
-  private createExecutionRole(): iam.Role {
-    const role = new iam.Role(this, 'ExecutionRole', {
-      assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
-      description: 'Execution role for Bedrock Agent Core Runtime',
-      maxSessionDuration: Duration.hours(8),
-    });
-
+  private addExecutionRolePermissions() {
     const region = Stack.of(this).region;
     const account = Stack.of(this).account;
 
     // CloudWatch Logs - Log Group operations
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'LogGroupAccess',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_LOGS_GROUP_ACTIONS,
       resources: [`arn:${Stack.of(this).partition}:logs:${region}:${account}:log-group:/aws/bedrock-agentcore/runtimes/*`],
     }));
 
     // CloudWatch Logs - Describe all log groups
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'DescribeLogGroups',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_LOGS_DESCRIBE_ACTIONS,
       resources: [`arn:${Stack.of(this).partition}:logs:${region}:${account}:log-group:*`],
     }));
 
     // CloudWatch Logs - Log Stream operations
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'LogStreamAccess',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_LOGS_STREAM_ACTIONS,
       resources: [`arn:${Stack.of(this).partition}:logs:${region}:${account}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*`],
     }));
 
     // X-Ray Tracing - must be * for tracing
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'XRayAccess',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_XRAY_ACTIONS,
       resources: ['*'],
     }));
 
     // CloudWatch Metrics - scoped to bedrock-agentcore namespace
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'CloudWatchMetrics',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_CLOUDWATCH_METRICS_ACTIONS,
@@ -380,7 +379,7 @@ export class Runtime extends RuntimeBase {
 
     // Bedrock AgentCore Workload Identity Access
     // Note: The agent name will be determined at runtime, so we use a wildcard pattern
-    role.addToPolicy(new iam.PolicyStatement({
+    this.role.addToPrincipalPolicy(new iam.PolicyStatement({
       sid: 'GetAgentAccessToken',
       effect: iam.Effect.ALLOW,
       actions: RUNTIME_WORKLOAD_IDENTITY_ACTIONS,
@@ -389,7 +388,6 @@ export class Runtime extends RuntimeBase {
         `arn:${Stack.of(this).partition}:bedrock-agentcore:${region}:${account}:workload-identity-directory/default/workload-identity/*`,
       ],
     }));
-    return role;
   }
 
   /**