IAM role for Bedrock Agent Runtime
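#!/usr/bin/env bash
# Create an IAM execution role for Amazon Bedrock AgentCore Runtime.
# Fully based on https://qiita.com/inoue_d/items/e38940fff7a31b8fc7c7
#
# Region: us-east-1 by default. As of 2025-09-07 the service is available in
# US East (N. Virginia), US West (Oregon), Europe (Frankfurt) and
# Asia Pacific (Sydney).
#
# Optional environment overrides (the defaults reproduce the original script):
#   AWS_REGION      region the ARNs are scoped to            (default: us-east-1)
#   ROLE_NAME       IAM role to create                       (default: AmazonBedrockAgentCoreRuntimeExampleRole)
#   POLICY_NAME     customer-managed policy to create        (default: BedrockAgentCorePolicy)
#   AGENT_NAME      agent name prefix of the workload identity (default: agentName)
#   ECR_REPOSITORY  ECR repository the runtime image is pulled from
#                   (default: *, i.e. every repository in the account — narrow it)
#
# Side effects: writes agentcore-runtime-trust-policy.json and
# agentcore-runtime-execution-policy.json into the current directory, then
# calls iam:CreateRole, iam:CreatePolicy and iam:AttachRolePolicy. The two
# create calls fail (and abort the script) if the role or policy already exists.
#
# NOTE: -x echoes every command, including the account ID, to stderr; drop it
# when the trace ends up in shared logs.
set -euxo pipefail

export AWS_REGION="${AWS_REGION:-us-east-1}"
ROLE_NAME="${ROLE_NAME:-AmazonBedrockAgentCoreRuntimeExampleRole}"
POLICY_NAME="${POLICY_NAME:-BedrockAgentCorePolicy}"
AGENT_NAME="${AGENT_NAME:-agentName}"
ECR_REPOSITORY="${ECR_REPOSITORY:-*}"

# Resolve the account ID. Assign separately from `export`: `export X=$(cmd)`
# always returns 0, so a failed STS call would be masked by set -e and the
# policies below would be rendered with an empty account field.
AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export AWS_ACCOUNT_ID
: "${AWS_ACCOUNT_ID:?could not resolve the AWS account ID}"

# Trust policy. The Condition limits who may assume the role to AgentCore
# resources in this account/region; without it the service principal alone is
# trusted, so an AgentCore resource in any other account could assume this
# role (confused deputy). This mirrors the trust policy AWS documents for the
# AgentCore Runtime execution role. The heredoc delimiter is unquoted on
# purpose so the account ID and region expand.
cat > agentcore-runtime-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock-agentcore.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${AWS_ACCOUNT_ID}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"
        }
      }
    }
  ]
}
EOF

# Execution (permissions) policy attached to the role.
cat > agentcore-runtime-execution-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRImageAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": [
        "arn:aws:ecr:${AWS_REGION}:${AWS_ACCOUNT_ID}:repository/${ECR_REPOSITORY}"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
      ]
    },
    {
      "Sid": "ECRTokenAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords",
        "xray:GetSamplingRules",
        "xray:GetSamplingTargets"
      ],
      "Resource": [ "*" ]
    },
    {
      "Effect": "Allow",
      "Resource": "*",
      "Action": "cloudwatch:PutMetricData",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "bedrock-agentcore"
        }
      }
    },
    {
      "Sid": "GetAgentAccessToken",
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:GetWorkloadAccessToken",
        "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
        "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
      ],
      "Resource": [
        "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default",
        "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default/workload-identity/${AGENT_NAME}-*"
      ]
    },
    {
      "Sid": "BedrockModelInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*",
        "arn:aws:bedrock:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"
      ]
    }
  ]
}
EOF

# Create the role with the trust policy above.
aws iam create-role \
  --role-name "${ROLE_NAME}" \
  --assume-role-policy-document file://agentcore-runtime-trust-policy.json

# Create the managed policy and keep the ARN the API returns instead of
# hand-building it, so the script also works outside the "aws" partition.
POLICY_ARN=$(aws iam create-policy \
  --policy-name "${POLICY_NAME}" \
  --policy-document file://agentcore-runtime-execution-policy.json \
  --query Policy.Arn --output text)

# Attach the policy to the role.
aws iam attach-role-policy \
  --role-name "${ROLE_NAME}" \
  --policy-arn "${POLICY_ARN}"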