agentcore_role.py
"""IAM role for AgentCore Runtime execution."""

from constructs import Construct
from aws_cdk import aws_iam as iam


class AgentCoreRole(Construct):
    """Creates an IAM execution role for the AgentCore Runtime.

    Attributes:
        role: The ``iam.Role`` assumable by ``bedrock-agentcore.amazonaws.com``,
            exposed so sibling constructs can reference its ARN or grant to it.
    """

    def __init__(self, scope: Construct, construct_id: str, **kwargs) -> None:
        """Build the execution role and attach its managed and inline policies.

        Args:
            scope: Parent construct.
            construct_id: Logical id of this construct within ``scope``.
            **kwargs: Forwarded verbatim to ``Construct.__init__``.
                NOTE(review): ``constructs.Construct`` appears to accept only
                ``(scope, id)``, so any extra keyword argument would likely
                raise a ``TypeError`` -- confirm before relying on it.
        """
        super().__init__(scope, construct_id, **kwargs)

        # AWS-managed policies attached at role creation. CloudWatchLogsFullAccess
        # grants considerably more than the inline logs statement further down
        # uses; it is the first candidate to drop in a least-privilege pass.
        managed_policy_names = (
            "CloudWatchLogsFullAccess",
            "AWSXRayDaemonWriteAccess",
            "AmazonEC2ContainerRegistryReadOnly",
        )

        self.role = iam.Role(
            self,
            "AgentCoreExecutionRole",
            assumed_by=iam.ServicePrincipal("bedrock-agentcore.amazonaws.com"),
            managed_policies=[
                iam.ManagedPolicy.from_aws_managed_policy_name(name)
                for name in managed_policy_names
            ],
        )

        # Inline statements as (actions, resources) pairs, attached in this order.
        # Only the SSM statement names a resource; every other statement uses "*",
        # which a least-privilege review should narrow to the deploying
        # account/region (model, memory and runtime ARNs) where the service
        # supports resource-level permissions.
        inline_statements = (
            (
                [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream",
                    "bedrock:GetFoundationModel",
                    "bedrock:ListFoundationModels",
                ],
                ["*"],
            ),
            (
                [
                    "bedrock-agentcore:InvokeAgentRuntime",
                    "bedrock-agentcore:CreateEvent",
                    "bedrock-agentcore:GetEvent",
                    "bedrock-agentcore:ListEvents",
                    "bedrock-agentcore:RetrieveMemoryRecords",
                    "bedrock-agentcore:ListMemoryRecords",
                    "bedrock-agentcore:ListSessions",
                    "bedrock-agentcore:ListActors",
                    "bedrock-agentcore:DeleteMemoryRecord",
                ],
                ["*"],
            ),
            # aws-marketplace:Subscribe on "*" lets the runtime role create
            # marketplace subscriptions on its own. Presumably this is here for
            # first-time access to third-party models -- confirm it belongs on
            # the runtime role rather than on an operator/deployment role.
            (
                [
                    "aws-marketplace:ViewSubscriptions",
                    "aws-marketplace:Subscribe",
                ],
                ["*"],
            ),
            (
                [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                ["*"],
            ),
            # The only resource-scoped statement: parameters under /agentcore/
            # in any region and any account ("*:*" in the ARN). Confirm whether
            # the region/account fields should be pinned to the stack's own.
            (
                ["ssm:GetParameter"],
                ["arn:aws:ssm:*:*:parameter/agentcore/*"],
            ),
        )

        for actions, resources in inline_statements:
            self.role.add_to_policy(
                iam.PolicyStatement(actions=actions, resources=resources)
            )