IAM Permissions

July 7, 2026 · View on GitHub

This guide covers how to configure AWS IAM for the AgentCore CLI. The first half is written for platform administrators who provision roles and policies in environments where access is tightly controlled. The second half is a complete action-by-action reference. Developers who just need to get unblocked can skip to What developers need.

Ready-to-use policy documents are provided at iam-policy-user.json, iam-policy-cfn-execution.json, and iam-policy-boundary.json. Replace ACCOUNT_ID placeholders with your AWS account number before deploying.

How the CLI uses AWS

The CLI interacts with your AWS account in two fundamentally different ways, and understanding the distinction is the key to setting up permissions correctly.

Direct API calls. The CLI itself makes SDK calls for things like invoking agents, tailing logs, checking deployment status, and managing credential providers. These calls use the developer's own IAM credentials, so those credentials need the corresponding permissions.

CDK deployments. When a developer runs agentcore deploy, the CLI uses AWS CDK to synthesize a CloudFormation template and hand it off to the CloudFormation service. CloudFormation then assumes a separate IAM role (the "CFN execution role") to actually create and manage the infrastructure: runtimes, gateways, ECR repositories, IAM roles for the agents themselves, and so on. The developer's credentials are not used for this part. They only need permission to assume the CDK bootstrap roles that kick off the deployment.

This separation is what makes least-privilege feasible. Developers get a narrow policy for the SDK calls they make directly, while the broad infrastructure permissions live on a role that only CloudFormation can assume.

Setting up permissions

1. Developer policy (direct SDK calls + CDK role assumption)

Attach this to every IAM user or role that will run AgentCore CLI commands. The provided iam-policy-user.json covers everything. At a high level, it grants:

  • sts:AssumeRole on the four CDK bootstrap roles (deploy, file-publishing, image-publishing, lookup)
  • sts:GetCallerIdentity, cloudformation:DescribeStacks, tag:GetResources for basic operations
  • ec2:DescribeSecurityGroups and ec2:DescribeSubnets for validating VPC network configuration when deploying agents with EFS or S3 filesystem mounts (optional, see Scoping down by feature)
  • bedrock-agentcore:Invoke*, bedrock-agentcore:Get*, bedrock-agentcore:List* for invoking agents and checking status
  • bedrock-agentcore create/update/delete actions for runtimes, memories, gateways, gateway targets, evaluators, workload identities, and configuration bundles (see AgentCore resource management)
  • Credential provider and token vault actions for deploy when the project uses identity features
  • Payment credential provider and payment session actions for deploy, status, and invoke when the project uses payment connectors
  • CloudWatch Logs, X-Ray, and Application Signals actions for logs, traces, and observability setup
  • Bedrock actions for agent import and AI-assisted code generation (optional, see Scoping down by feature)
  • cloudformation:* for the full deploy/diff/destroy stack lifecycle the CLI drives directly
  • iam:CreateRole/DeleteRole/PutRolePolicy/PassRole scoped to role/AgentCore-* for HTTP gateway role management, plus iam:PassRole (scoped to bedrock-agentcore.amazonaws.com) for passing execution roles to the service
  • secretsmanager and cognito-idp actions used by identity and custom-JWT setup flows

To create this policy:

aws iam create-policy \
  --policy-name AgentCoreCLIUser \
  --policy-document file://docs/policies/iam-policy-user.json

Then attach it to your developer role or group:

aws iam attach-role-policy \
  --role-name MyDeveloperRole \
  --policy-arn arn:aws:iam::ACCOUNT:policy/AgentCoreCLIUser

2. CloudFormation execution role (infrastructure provisioning)

This is the role that CloudFormation assumes during agentcore deploy to create and update the actual infrastructure. It is part of the CDK bootstrap stack (CDKToolkit) and is named cdk-*-cfn-exec-role-*.

If your account uses the default CDK bootstrap, this role already has AdministratorAccess and you do not need to do anything.

If your organization scopes down the execution role (common in enterprise environments), you need to ensure it has permissions for every resource type AgentCore deploys. The provided iam-policy-cfn-execution.json is a ready-to-use policy for this. It covers:

  • All bedrock-agentcore:* actions for runtime, memory, gateway, evaluator, and policy engine resources
  • IAM role and policy management (CloudFormation creates execution roles for each deployed resource)
  • S3 for CDK asset staging
  • KMS for encryption keys
  • ECR and CodeBuild for container-based builds
  • Lambda for MCP Lambda compute and CDK custom resources
  • CloudWatch Logs for log group management
  • CloudFormation stack operations
  • SSM Parameter Store for CDK bootstrap version lookups
  • Secrets Manager for credential provider secret storage

To create the scoped-down execution policy:

aws iam create-policy \
  --policy-name AgentCoreCFNExecution \
  --policy-document file://docs/policies/iam-policy-cfn-execution.json

Then pass it to CDK bootstrap (see next section).

Bootstrapping CDK

CDK needs to be bootstrapped once per account/region combination before the first agentcore deploy. The CLI normally handles this automatically, but in locked-down environments an administrator may need to run it manually.

Bootstrap creates a CDKToolkit CloudFormation stack containing several IAM roles:

Bootstrap RolePurpose
cdk-*-deploy-role-*Assumed by the CLI user to trigger deployments
cdk-*-cfn-exec-role-*Assumed by CloudFormation to create/update/delete resources
cdk-*-file-publishing-role-*Assumed by the CLI to upload code assets to S3
cdk-*-image-publishing-role-*Assumed by the CLI to push container images to ECR
cdk-*-lookup-role-*Assumed by the CLI to look up VPCs, AZs, etc. during synthesis

CloudFormation assumes the CFN execution role to provision infrastructure, not your user's credentials. This means your IAM principal only needs sts:AssumeRole on the bootstrap roles, plus permissions for the direct SDK calls. The broad infrastructure permissions (creating IAM roles, ECR repos, Lambda functions, etc.) live on the CFN execution role instead.

Default bootstrap (quick start)

By default, CDK bootstrap grants AdministratorAccess to the CFN execution role. In this configuration CloudFormation can create any resource, and you only need the user permissions listed below.

npx cdk bootstrap aws://ACCOUNT_ID/REGION

Scoped-down bootstrap (enterprise)

Organizations often restrict the CFN execution role to a least-privilege policy. If your account does this, the execution role must include permissions for every resource type that AgentCore deploys. See CFN execution role permissions for the full list.

To restrict the CFN execution role to only the permissions AgentCore requires, pass a custom policy during bootstrap:

npx cdk bootstrap aws://ACCOUNT_ID/REGION \
  --cloudformation-execution-policies arn:aws:iam::ACCOUNT_ID:policy/AgentCoreCFNExecution

If you need to update the execution policy later (for example, when a new AgentCore release introduces new resource types), update the policy and re-run the bootstrap command. CDK bootstrap is idempotent. For full details, see the AWS CDK Bootstrap documentation.

Trust policy for the CDK bootstrap roles

The CDK bootstrap roles need to be assumable by your developers. By default, bootstrap configures them to trust the entire account. If your organization restricts trust policies, ensure the four bootstrap roles (cdk-*-deploy-role-*, cdk-*-file-publishing-role-*, cdk-*-image-publishing-role-*, cdk-*-lookup-role-*) have a trust policy that allows your developer roles to assume them:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::ACCOUNT_ID:role/MyDeveloperRole"
  },
  "Action": "sts:AssumeRole"
}

Scoping down by feature

The policy files provided cover every AgentCore feature. If your team only uses a subset, you can remove the corresponding statements to further tighten the policies. This table maps features to the policy statements that can be safely removed:

If your team does not use...Remove from user policyRemove from CFN execution policy
Container builds (CodeZip only)(no change)EcrContainerBuilds, CodeBuildContainerBuilds
MCP Lambda compute(no change)LambdaMcpAndCustomResources (keep if using container builds, which need Lambda for custom resources)
Agent import from BedrockBedrockAgentImport(no change)
Filesystem mounts (EFS/S3)FilesystemNetworkValidation(no change)
AI-assisted code generationBedrockModelInvocation(no change)
Identity/credential providersIdentityCredentialManagement, TokenVaultKmsKeyCreationSecretsManagerForCredentials
Payment connectorsPaymentCredentialManagement, PaymentCredentialSecrets(no change)
Policy enginePolicyGenerationRemove *PolicyEngine* and *Policy actions from BedrockAgentCoreResources
Online evaluationsRemove UpdateOnlineEvaluationConfig from AgentCoreResourceStatusRemove *OnlineEvaluationConfig* actions from BedrockAgentCoreResources
HTTP gatewaysHttpGatewayIamRoleManagement(no change)
Custom JWT / Cognito authorizerCustomJwtCognitoSetup(no change)
HarnessesHarnessManagement, HarnessPassRole(no change)
Configuration bundlesConfigBundleManagement(no change)
End-to-end testingImportTestIam, ImportTestPassRole, ImportTestS3, SecretsManager(no change)

Reducing to least privilege. Beyond the per-feature removals above, the developer policy also grants AgentCoreResourceManagement (direct resource create/update/delete) and CloudFormationFull (cloudformation:*). These exist because the policy doubles as the end-to-end test permission set. For a real developer, most resource creation happens through CloudFormation, so you can move AgentCoreResourceManagement onto the CFN execution role and narrow cloudformation:* toward the specific actions listed under CloudFormation.

Hardening with permission boundaries

The CFN execution role policy includes iam:CreateRole with Resource: "*". Without further constraints, CloudFormation could theoretically create a role with AdministratorAccess and a trust policy allowing the developer to assume it. This is a well-known CDK privilege escalation pattern.

IAM permission boundaries close this gap. A permission boundary caps the effective permissions of any role it is attached to, regardless of what identity policies that role carries. Even if someone attaches AdministratorAccess to an execution role, the boundary limits what the role can actually do.

The setup has three parts: creating the boundary policy, adding deny statements to the CFN execution role so it is forced to apply the boundary, and scoping the user policy to a single account.

Step 1: Create the execution role boundary

This policy defines the maximum permissions any AgentCore execution role (runtime, memory, gateway, etc.) can have at runtime. Create it once per account.

The provided iam-policy-boundary.json allows:

  • bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream for model access
  • CloudWatch Logs scoped to /aws/bedrock-agentcore/* log groups
  • X-Ray trace submission
  • CloudWatch metrics scoped to the bedrock-agentcore namespace
  • bedrock-agentcore:GetWorkloadAccessToken* for identity federation
aws iam create-policy \
  --policy-name AgentCoreExecutionRoleBoundary \
  --policy-document file://docs/policies/iam-policy-boundary.json

Step 2: Add deny statements to the CFN execution role

The provided iam-policy-cfn-execution.json includes three deny statements that close the escalation paths. Replace ACCOUNT_ID with your account number before deploying.

StatementWhat it blocks
ForceExecutionRoleBoundaryDenies iam:CreateRole unless the boundary is attached. Any role CloudFormation creates must carry AgentCoreExecutionRoleBoundary.
PreventBoundaryRemovalDenies iam:DeleteRolePermissionsBoundary and iam:PutRolePermissionsBoundary. Prevents removing or swapping the boundary after role creation.
PreventBoundaryPolicyTamperingDenies iam:CreatePolicyVersion, iam:DeletePolicy, etc. on the boundary policy itself. Prevents widening the boundary to bypass it.

Together these ensure that even though iam:CreateRole targets Resource: "*", every created role is capped by the boundary, and neither the boundary nor its attachment can be tampered with.

Note: These deny statements require a corresponding update to the AgentCore CDK constructs. The constructs do not currently attach a permissionsBoundary to the IAM roles they create (runtime, memory, gateway, etc.), so CloudFormation will fail to create those roles when ForceExecutionRoleBoundary is active. Until the CDK constructs are updated to accept and apply a permission boundary ARN, treat this section as a recommended future configuration. You can still create the boundary policy (Step 1) and scope the user policy (Step 3) today.

Step 3: Scope the user policy to your account

The provided iam-policy-user.json uses ACCOUNT_ID placeholders in the CDK bootstrap role ARNs. Replace these with your actual account ID before deploying:

arn:aws:iam::ACCOUNT_ID:role/cdk-*-deploy-role-*

This prevents the developer from assuming CDK bootstrap roles in other accounts.

What about the developer's own role?

The developer policy from iam-policy-user.json does not include iam:CreateRole or any IAM write actions. Developers interact with IAM only indirectly through CloudFormation, which is constrained by the boundary. If your organization applies permission boundaries to all IAM principals, you can use the developer policy itself as the boundary, but make sure sts:AssumeRole on the CDK bootstrap roles is allowed through it.

What developers need

If you are a developer (not an admin setting up the account), here is what you need to get started:

  1. AWS credentials configured in your environment (aws configure, environment variables, or SSO). Your admin should have attached the AgentCore user policy to your IAM role.

  2. CDK bootstrap must have been run in your target account and region. If you see an error about the CDKToolkit stack not existing when you run agentcore deploy, ask your admin to bootstrap the account or do it yourself if you have the required permissions.

  3. That's it. The CLI handles the rest. Run agentcore create to start a new project and agentcore deploy to ship it.

Troubleshooting

"Access Denied" on sts:AssumeRole during deploy. The developer's policy is missing the CDK bootstrap role assumption statement, or the bootstrap roles have a trust policy that does not include the developer's role. Check both sides.

"Access Denied" during CloudFormation stack creation/update. The CFN execution role is scoped down but missing a required permission. Check the DescribeStackEvents output to see which specific API call failed, then add it to the execution policy and re-bootstrap.

"CDKToolkit stack not found." CDK has not been bootstrapped in this account/region. Run cdk bootstrap (or ask your admin to) as described above.

Deploy succeeds but invoke fails with "Access Denied". The developer policy is missing the bedrock-agentcore:InvokeAgentRuntime action (or InvokeAgentRuntimeForUser if passing a user ID). Update the user policy.

KMS key creation fails during deploy. If the project uses identity/credential features, the CLI creates a KMS key for the token vault. The developer policy needs kms:CreateKey and kms:TagResource. If your organization restricts KMS key creation, have an admin pre-create the key and configure it via the token vault settings.


Permissions Reference

The tables below list every IAM action the CLI requires, organized by category. Each entry notes which CLI commands use the action and why.

User permissions

These permissions are required on your IAM principal (user or role). They cover everything the CLI calls directly, outside of CloudFormation.

CDK bootstrap role assumption

Required for all deployment operations (deploy, status, diff).

ActionResource
sts:AssumeRolearn:aws:iam::ACCOUNT_ID:role/cdk-*-deploy-role-*
sts:AssumeRolearn:aws:iam::ACCOUNT_ID:role/cdk-*-file-publishing-role-*
sts:AssumeRolearn:aws:iam::ACCOUNT_ID:role/cdk-*-image-publishing-role-*
sts:AssumeRolearn:aws:iam::ACCOUNT_ID:role/cdk-*-lookup-role-*

Core

ActionCLI CommandsPurpose
sts:GetCallerIdentityAllValidate AWS credentials, resolve account ID
cloudformation:DescribeStacksdeploy, statusCheck bootstrap status, stack status, read outputs
tag:GetResourcesstatus, deploy, invoke, logsDiscover deployed stacks by project tags

Filesystem network validation

Required only when deploying an agent with EFS or S3 filesystem mounts and a VPC network configuration. The CLI runs a preflight check that the agent's subnets and security groups are correctly set up for NFS (port 2049) before deploying. These EC2 and EFS Describe* actions do not support resource-level scoping, so Resource must be *.

ActionCLI CommandsPurpose
ec2:DescribeSecurityGroupscreate, deployValidate agent/mount-target security groups allow NFS (port 2049)
ec2:DescribeSubnetscreate, deploy, importValidate mount-target subnets are in the agent's VPC and AZs; resolve the VPC ID for Container+VPC builds (see note below)
elasticfilesystem:DescribeAccessPointscreate, deployResolve the EFS access point and its file system
elasticfilesystem:DescribeMountTargetscreate, deployFind the EFS mount targets to validate against the agent's subnets
elasticfilesystem:DescribeMountTargetSecurityGroupscreate, deployCheck mount-target security groups allow NFS from the agent
s3files:ListMountTargetscreate, deployList the S3 Files access point's mount targets

Container builds in VPC mode also require ec2:DescribeSubnets. A Container build (agent or dockerfile/prebuilt-image harness) that deploys in VPC mode needs an explicit VPC ID — CodeBuild's CreateProject cannot infer the VPC from subnets. When the VPC ID is not already in the config (e.g. import of a deployed Container+VPC runtime, export of a container harness, or deploy of a project created before the VPC ID field existed), the CLI resolves it from the first subnet via ec2:DescribeSubnets. Grant this action for import, export, and deploy if you use Container builds in VPC mode, even without filesystem mounts. | s3files:GetMountTarget | create, deploy | Inspect an S3 Files mount target's subnet/network configuration |

Agent invocation

ActionCLI CommandsPurpose
bedrock-agentcore:InvokeAgentRuntimeinvokeInvoke deployed agents (HTTP, MCP, and A2A protocols)
bedrock-agentcore:InvokeAgentRuntimeForUserinvokeInvoke agents with a user ID (requires X-Amzn-Bedrock-AgentCore-Runtime-User-Id header)
bedrock-agentcore:InvokeAgentRuntimeCommandinvoke --execExecute shell commands in a runtime container
bedrock-agentcore:StopRuntimeSessioninvokeEnd an agent runtime session

Runtime and resource status

ActionCLI CommandsPurpose
bedrock-agentcore:GetAgentRuntimestatusCheck agent runtime deployment status
bedrock-agentcore:ListGatewayTargetsstatusCheck MCP gateway target sync status
bedrock-agentcore:GetEvaluatorstatus, run evalsGet evaluator details
bedrock-agentcore:ListEvaluatorsrun evalsList available evaluators
bedrock-agentcore:GetOnlineEvaluationConfigstatusGet online eval config status

Evaluation

ActionCLI CommandsPurpose
bedrock-agentcore:Evaluaterun evalsRun on-demand evaluation against agent traces
bedrock-agentcore:UpdateOnlineEvaluationConfigpause online-eval, resume online-evalPause or resume online evaluation

Batch evaluation and recommendations

ActionCLI CommandsPurpose
bedrock-agentcore:StartBatchEvaluationrun batch-evaluationStart a batch evaluation job
bedrock-agentcore:GetBatchEvaluationrun batch-evaluationPoll batch evaluation status
bedrock-agentcore:ListBatchEvaluationsevals historyList past batch evaluations
bedrock-agentcore:StopBatchEvaluationrun batch-evaluationStop an in-progress batch eval
bedrock-agentcore:DeleteBatchEvaluationrun batch-evaluationDelete a batch evaluation
bedrock-agentcore:StartRecommendationrun recommendationStart a recommendation job
bedrock-agentcore:GetRecommendationrun recommendationPoll recommendation status
bedrock-agentcore:ListRecommendationsrun recommendationList past recommendations
bedrock-agentcore:DeleteRecommendationrun recommendationStop/delete a recommendation

Identity and credential management

ActionCLI CommandsPurpose
bedrock-agentcore:GetApiKeyCredentialProviderdeployCheck if API key provider exists
bedrock-agentcore:CreateApiKeyCredentialProviderdeployCreate API key credential provider
bedrock-agentcore:UpdateApiKeyCredentialProviderdeployUpdate API key with new value
bedrock-agentcore:GetOauth2CredentialProviderdeployCheck if OAuth2 provider exists
bedrock-agentcore:CreateOauth2CredentialProviderdeployCreate OAuth2 credential provider
bedrock-agentcore:UpdateOauth2CredentialProviderdeployUpdate OAuth2 provider
bedrock-agentcore:GetTokenVaultdeployCheck token vault KMS configuration
bedrock-agentcore:CreateTokenVaultdeployCreate token vault for credential storage
bedrock-agentcore:SetTokenVaultCMKdeployConfigure KMS encryption for token vault
kms:CreateKeydeployCreate KMS key for token vault encryption
kms:TagResourcedeployTag the created KMS key

Payment credential management

Required only when the project defines payment managers and connectors (the payments block in the project spec). The CLI calls the Payment control-plane and data-plane APIs directly with the developer's credentials; both are signed under the bedrock-agentcore service.

ActionCLI CommandsPurpose
bedrock-agentcore:GetPaymentCredentialProviderdeployCheck if a payment credential provider already exists
bedrock-agentcore:CreatePaymentCredentialProviderdeployCreate a payment credential provider from connector secrets
bedrock-agentcore:UpdatePaymentCredentialProviderdeployUpdate a payment credential provider with new secret values
bedrock-agentcore:DeletePaymentCredentialProviderdeployRemove a payment credential provider when a connector is removed
bedrock-agentcore:GetPaymentManagerstatusLook up payment manager status
bedrock-agentcore:ListPaymentSessionsinvokeFind an existing active payment session before creating a new one
bedrock-agentcore:CreatePaymentSessioninvokeCreate a payment session with a default budget for invoke auto-pay

Creating or updating a payment credential provider also writes the connector secrets into a service-managed Secrets Manager secret (named bedrock-agentcore-identity!default/payment/*). Unlike API key and OAuth2 providers, the Payment API performs these Secrets Manager operations with the caller's credentials, so the developer policy must allow them directly. These actions are scoped to the managed payment secret prefix.

ActionCLI CommandsPurpose
secretsmanager:CreateSecretdeployCreate the managed secret backing a new payment credential
secretsmanager:PutSecretValuedeployWrite updated connector secret values when a credential changes
secretsmanager:GetSecretValuedeployRead the managed secret during provider create/update
secretsmanager:DescribeSecretdeployInspect the managed secret metadata
secretsmanager:TagResourcedeployTag the managed secret on creation
secretsmanager:DeleteSecretdeployRemove the managed secret when a payment connector is removed

Policy generation

ActionCLI CommandsPurpose
bedrock-agentcore:StartPolicyGenerationPolicy generationStart Cedar policy generation
bedrock-agentcore:GetPolicyGenerationPolicy generationPoll generation status
bedrock-agentcore:ListPolicyGenerationAssetsPolicy generationRetrieve generated policy assets

Logging, traces, and observability

ActionCLI CommandsPurpose
logs:StartLiveTaillogsStream agent logs in real-time
logs:FilterLogEventslogsSearch agent logs
logs:StartQuerytraces list, traces get, run evalsRun CloudWatch Logs Insights queries
logs:GetQueryResultstraces list, traces get, run evalsRetrieve query results
logs:DescribeResourcePoliciesdeployCheck for X-Ray log resource policy
logs:PutResourcePolicydeployCreate resource policy for X-Ray trace access
logs:DescribeLogGroupsrun batch-evaluation, run recommendationDiscover runtime log groups for evaluation data sources
logs:CreateLogGrouprun batch-evaluationCreate log group for batch evaluation results output
logs:CreateLogStreamrun batch-evaluationCreate log stream for batch evaluation results
logs:PutLogEventsrun batch-evaluationWrite batch evaluation results to CloudWatch Logs
logs:PutRetentionPolicyrun batch-evaluationSet retention policy on batch evaluation results log group

Transaction search setup

Called during deploy to enable CloudWatch Transaction Search for tracing.

ActionCLI CommandsPurpose
application-signals:StartDiscoverydeployEnable Application Signals discovery
xray:GetTraceSegmentDestinationdeployCheck current trace destination
xray:UpdateTraceSegmentDestinationdeployRoute traces to CloudWatch Logs
xray:UpdateIndexingRuledeploySet trace indexing sampling rate

Bedrock agent import

Only required when using agentcore add agent --type import to import an existing Bedrock Agent.

ActionCLI CommandsPurpose
bedrock:GetFoundationModeladd agent --type importGet model metadata
bedrock:GetGuardrailadd agent --type importGet guardrail configuration
bedrock:ListAgentsadd agent --type importList Bedrock Agents in region
bedrock:ListAgentAliasesadd agent --type importList agent aliases
bedrock:GetAgentadd agent --type importGet agent configuration
bedrock:GetAgentAliasadd agent --type importGet alias details
bedrock:ListAgentActionGroupsadd agent --type importList agent action groups
bedrock:GetAgentActionGroupadd agent --type importGet action group details
bedrock:ListAgentKnowledgeBasesadd agent --type importList knowledge bases
bedrock:GetKnowledgeBaseadd agent --type importGet knowledge base details
bedrock:ListAgentCollaboratorsadd agent --type importList collaborator agents
s3:GetObjectadd agent --type importFetch S3-stored API schemas

Bedrock model invocation

ActionCLI CommandsPurpose
bedrock:InvokeModeladd (code generation)Invoke Claude for AI-assisted code generation
bedrock:InvokeModelWithResponseStreamadd (code generation)Stream Claude responses during generation
bedrock:CountTokensadd (code generation)Count tokens for context-window budgeting

AgentCore resource management

The developer policy grants direct create/update/delete access to AgentCore resources. Most of these resources are normally provisioned by CloudFormation through the CFN execution role during deploy; they are also granted directly on the developer principal so the CLI (and its end-to-end test suite) can manage resources outside of a stack. If you scope this policy down for production, consider moving these to the CFN execution role instead.

ActionPurpose
bedrock-agentcore:CreateAgentRuntime, UpdateAgentRuntime, DeleteAgentRuntime, ListAgentRuntimesManage agent runtimes
bedrock-agentcore:CreateAgentRuntimeEndpointCreate runtime endpoints
bedrock-agentcore:CreateWorkloadIdentity, DeleteWorkloadIdentityManage workload identities
bedrock-agentcore:CreateMemory, GetMemory, UpdateMemory, DeleteMemory, ListMemoriesManage memories
bedrock-agentcore:CreateEvaluator, DeleteEvaluator, ListOnlineEvaluationConfigsManage evaluators and online eval configs
bedrock-agentcore:CreateGateway, UpdateGateway, DeleteGateway, GetGateway, ListGatewaysManage gateways
bedrock-agentcore:CreateGatewayTarget, UpdateGatewayTarget, DeleteGatewayTarget, GetGatewayTargetManage gateway targets
bedrock-agentcore:SynchronizeGatewayTargetsSync gateway targets
bedrock-agentcore:TagResource, ListTagsForResourceTag and read tags on AgentCore resources

Configuration bundle management

ActionPurpose
bedrock-agentcore:CreateConfigurationBundle, UpdateConfigurationBundle, DeleteConfigurationBundleManage configuration bundles
bedrock-agentcore:GetConfigurationBundle, GetConfigurationBundleVersion, ListConfigurationBundles, ListConfigurationBundleVersionsRead configuration bundles

Harness management

Used by the CLI's harness workflows (dockerfile/prebuilt-image harnesses and the end-to-end test suite).

ActionPurpose
bedrock-agentcore:CreateHarness, GetHarness, UpdateHarness, DeleteHarness, ListHarnesses, InvokeHarnessManage and invoke harnesses
iam:PassRole (role/*, scoped to bedrock-agentcore.amazonaws.com)Pass an execution role to the AgentCore service when invoking

CloudFormation (full lifecycle)

The developer principal drives the full CloudFormation stack lifecycle directly during deploy, diff, and remove all, so the policy grants cloudformation:*.

ActionCLI CommandsPurpose
cloudformation:*deploy, diff, destroyCreate, update, describe, and delete deploy stacks
ssm:GetParameters, ssm:GetParameterdeployCDK bootstrap version lookup (/cdk-bootstrap/*/version)

HTTP gateway IAM role management

When deploying an HTTP gateway, the CLI creates and manages the gateway's execution role directly. These IAM actions are scoped to roles named AgentCore-*.

ActionCLI CommandsPurpose
iam:CreateRole, iam:DeleteRole, iam:GetRole, iam:TagRoledeployCreate and manage the gateway execution role
iam:PutRolePolicy, iam:DeleteRolePolicydeployAttach/remove the gateway role's inline policy
iam:PassRole (role/AgentCore-*)deployPass the gateway role to the service

Privilege-escalation note. Because this statement allows iam:CreateRole and iam:PutRolePolicy on role/AgentCore-* (and HarnessManagement allows iam:PassRole on role/*), a principal with the developer policy can create an IAM role and grant it permissions. In production, prefer letting CloudFormation create these roles via the CFN execution role — constrained by a permission boundary — rather than granting IAM write actions on the developer.

Custom JWT / Cognito setup

Used when configuring a custom JWT authorizer backed by an Amazon Cognito user pool.

ActionCLI CommandsPurpose
cognito-idp:CreateUserPool, CreateUserPoolDomain, CreateResourceServer, CreateUserPoolClientcreate, deployProvision the Cognito user pool for JWT
cognito-idp:DeleteResourceServer, DeleteUserPoolDomain, DeleteUserPoolremoveTear down the Cognito user pool

Secrets Manager (broad)

In addition to the payment-scoped Secrets Manager statement, the policy includes a broad secretsmanager grant on Resource: "*" used by credential-provider setup flows.

ActionCLI CommandsPurpose
secretsmanager:GetSecretValue, CreateSecret, DeleteSecret (*)deployRead/create/delete secrets for credentials

End-to-end test statements

The following statements exist because this policy doubles as the permission set for the project's end-to-end test suite. They are not required for normal CLI use and can be removed when scoping the policy for real developers.

SidActionPurpose
ImportTestIamiam:GetRole, CreateRole, AttachRolePolicy, PutRolePolicy (role/bugbash-agentcore-role)Set up the test agent execution role
ImportTestPassRoleiam:PassRole (role/bugbash-agentcore-role, to bedrock-agentcore.amazonaws.com)Pass the test role to the service
ImportTestS3s3:ListBucket, CreateBucket, PutObjectStage test import artifacts in S3

CFN execution role permissions

These permissions are needed on the CloudFormation execution role (cdk-*-cfn-exec-role-*), not on your user. If your account uses the default CDK bootstrap with AdministratorAccess, this section is informational only.

If your organization scopes down the execution role, include the following. Note that the provided iam-policy-cfn-execution.json uses bedrock-agentcore:* as a convenience so you don't need to update the policy each time a new AgentCore resource type is added. The tables below list the specific actions used today.

Bedrock AgentCore resources

ActionResource Type Created
bedrock-agentcore:CreateRuntime, UpdateRuntime, DeleteRuntime, GetRuntimeAWS::BedrockAgentCore::Runtime
bedrock-agentcore:CreateMemory, UpdateMemory, DeleteMemory, GetMemoryAWS::BedrockAgentCore::Memory
bedrock-agentcore:CreateGateway, UpdateGateway, DeleteGateway, GetGatewayAWS::BedrockAgentCore::Gateway
bedrock-agentcore:CreateGatewayTarget, UpdateGatewayTarget, DeleteGatewayTarget, GetGatewayTargetAWS::BedrockAgentCore::GatewayTarget
bedrock-agentcore:CreateEvaluator, UpdateEvaluator, DeleteEvaluator, GetEvaluatorAWS::BedrockAgentCore::Evaluator
bedrock-agentcore:CreateOnlineEvaluationConfig, UpdateOnlineEvaluationConfig, DeleteOnlineEvaluationConfig, GetOnlineEvaluationConfigAWS::BedrockAgentCore::OnlineEvaluationConfig
bedrock-agentcore:CreatePolicyEngine, UpdatePolicyEngine, DeletePolicyEngine, GetPolicyEngineAWS::BedrockAgentCore::PolicyEngine
bedrock-agentcore:CreatePolicy, UpdatePolicy, DeletePolicy, GetPolicyAWS::BedrockAgentCore::Policy

IAM

ActionPurpose
iam:CreateRole, iam:DeleteRole, iam:GetRoleExecution roles for runtimes, memories, gateways, evaluators
iam:PassRoleAllow services to assume created roles
iam:PutRolePolicy, iam:DeleteRolePolicy, iam:GetRolePolicyInline policies on execution roles
iam:AttachRolePolicy, iam:DetachRolePolicyManaged policies (e.g., AWSLambdaBasicExecutionRole)
iam:TagRole, iam:UpdateAssumeRolePolicyRole tagging and trust policy updates

S3 (CDK asset staging)

ActionPurpose
s3:CreateBucket, s3:PutBucketPolicy, s3:PutBucketVersioningBootstrap bucket setup
s3:PutEncryptionConfiguration, s3:PutLifecycleConfigurationBucket configuration
s3:PutBucketPublicAccessBlockSecurity configuration
s3:GetBucketLocation, s3:GetObject, s3:PutObjectAsset upload and retrieval
s3:ListBucket, s3:DeleteObjectAsset management

KMS

ActionPurpose
kms:CreateKey, kms:CreateAlias, kms:DescribeKeyEncryption keys for ECR repos and S3
kms:PutKeyPolicy, kms:GetKeyPolicyKey policy management
kms:Encrypt, kms:Decrypt, kms:GenerateDataKeyCryptographic operations
kms:TagResource, kms:ScheduleKeyDeletion, kms:EnableKeyRotationKey lifecycle

CloudFormation

ActionPurpose
cloudformation:CreateStack, cloudformation:UpdateStack, cloudformation:DeleteStackStack lifecycle
cloudformation:DescribeStacks, cloudformation:DescribeStackEventsStack status
cloudformation:GetTemplateTemplate retrieval
cloudformation:CreateChangeSet, cloudformation:ExecuteChangeSet, cloudformation:DeleteChangeSet, cloudformation:DescribeChangeSetChange set operations
cloudformation:ListStacksStack discovery

SSM Parameter Store

ActionPurpose
ssm:GetParametersCDK bootstrap version lookup (/cdk-bootstrap/*/version)

ECR (container builds only)

ActionPurpose
ecr:CreateRepository, ecr:DeleteRepository, ecr:DescribeRepositoriesRepository lifecycle
ecr:GetAuthorizationTokenDocker authentication
ecr:BatchGetImage, ecr:BatchCheckLayerAvailability, ecr:GetDownloadUrlForLayerImage pull
ecr:PutImage, ecr:InitiateLayerUpload, ecr:UploadLayerPart, ecr:CompleteLayerUploadImage push
ecr:SetRepositoryPolicy, ecr:PutLifecyclePolicy, ecr:PutImageScanningConfigurationRepository configuration
ecr:TagResourceTagging

CodeBuild (container builds only)

ActionPurpose
codebuild:CreateProject, codebuild:DeleteProject, codebuild:UpdateProjectBuild project lifecycle
codebuild:StartBuild, codebuild:BatchGetBuilds, codebuild:BatchGetProjectsBuild execution

Lambda (MCP Lambda compute and container build orchestration)

ActionPurpose
lambda:CreateFunction, lambda:DeleteFunctionFunction lifecycle
lambda:UpdateFunctionCode, lambda:UpdateFunctionConfigurationFunction updates
lambda:GetFunction, lambda:GetFunctionConfigurationFunction reads
lambda:InvokeFunctionCustom resource handler invocation
lambda:AddPermission, lambda:RemovePermissionResource-based policies
lambda:TagResourceTagging

CloudWatch Logs

ActionPurpose
logs:CreateLogGroup, logs:DeleteLogGroupLog group lifecycle
logs:CreateLogStream, logs:PutLogEventsLog writing
logs:DescribeLogGroups, logs:PutRetentionPolicyLog group configuration
logs:TagResourceTagging

Secrets Manager

ActionPurpose
secretsmanager:CreateSecret, secretsmanager:DeleteSecretSecret lifecycle for credential providers
secretsmanager:DescribeSecret, secretsmanager:GetSecretValueSecret reads
secretsmanager:PutSecretValueSecret writes
secretsmanager:TagResourceTagging

Policy JSON files

Ready-to-use IAM policy documents are provided alongside this guide:

  • iam-policy-user.json -- Attach to your IAM user or role. Covers all direct SDK calls and CDK bootstrap role assumption. Replace ACCOUNT_ID with your account number.
  • iam-policy-cfn-execution.json -- Use as the CloudFormation execution role policy if your organization scopes down the default AdministratorAccess. Includes deny statements to enforce permission boundaries. Replace ACCOUNT_ID with your account number. Pass it during bootstrap with --cloudformation-execution-policies.
  • iam-policy-boundary.json -- Permission boundary for execution roles created during deployment. Caps what agent runtimes, memories, and gateways can do at runtime (model access, logging, tracing). Replace ACCOUNT_ID with your account number. See Hardening with permission boundaries.