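#!/usr/bin/env bash
# Create an IAM execution role for Amazon Bedrock AgentCore Runtime.
#
# Fully based on https://qiita.com/inoue_d/items/e38940fff7a31b8fc7c7
#
# Usage:   bash create-agentcore-role.sh
# Requires: AWS CLI configured with credentials allowed to call
#           sts:GetCallerIdentity, iam:CreateRole, iam:CreatePolicy,
#           iam:AttachRolePolicy.
# Optional env:
#   AGENTCORE_AGENT_NAME   workload-identity prefix the runtime may mint
#                          tokens for (default: the placeholder "agentName";
#                          replace it with your real agent name)
#   AGENTCORE_ROLE_NAME    IAM role name   (default: AmazonBedrockAgentCoreRuntimeExampleRole)
#   AGENTCORE_POLICY_NAME  IAM policy name (default: BedrockAgentCorePolicy)
#
# Region must be us-east-1. As of 2025-09-07 only US East (N. Virginia),
# US West (Oregon), Europe (Frankfurt) and Asia Pacific (Sydney) are available.

set -euo pipefail
set -x   # trace commands; the account ID appears in the trace, so treat the log accordingly

export AWS_REGION=us-east-1

# Resolve the account ID of the calling identity. Split decl/assign so a
# failed STS call is not masked by `export`.
AWS_ACCOUNT_ID="$(aws sts get-caller-identity --query Account --output text)"
export AWS_ACCOUNT_ID

AGENTCORE_AGENT_NAME="${AGENTCORE_AGENT_NAME:-agentName}"
AGENTCORE_ROLE_NAME="${AGENTCORE_ROLE_NAME:-AmazonBedrockAgentCoreRuntimeExampleRole}"
AGENTCORE_POLICY_NAME="${AGENTCORE_POLICY_NAME:-BedrockAgentCorePolicy}"

# Trust policy.
# The aws:SourceAccount / aws:SourceArn conditions prevent the confused-deputy
# case where the AgentCore service principal is induced to assume this role on
# behalf of a resource in another account. The heredoc delimiter is therefore
# unquoted so the account/region variables expand.
cat > agentcore-runtime-trust-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock-agentcore.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "${AWS_ACCOUNT_ID}"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"
        }
      }
    }
  ]
}
EOF

# Execution policy. (The original had a stray "$ " shell-prompt prefix in
# front of this cat, which makes bash look for a command named "$" and abort
# under set -e before the policy file is ever written.)
#
# Least-privilege notes for production use:
#   - ECRImageAccess grants pull on every repository in the account; narrow
#     "repository/*" to the repository holding the agent image.
#   - BedrockModelInvocation allows any foundation model plus every
#     account-scoped Bedrock resource in the region; narrow to the models and
#     inference profiles the agent actually calls.
cat > agentcore-runtime-execution-policy.json << EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ECRImageAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ],
      "Resource": [
        "arn:aws:ecr:${AWS_REGION}:${AWS_ACCOUNT_ID}:repository/*"
      ]
    },
    {
      "Sid": "LogGroupManagement",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogStreams",
        "logs:CreateLogGroup"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*"
      ]
    },
    {
      "Sid": "LogGroupDiscovery",
      "Effect": "Allow",
      "Action": [
        "logs:DescribeLogGroups"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:*"
      ]
    },
    {
      "Sid": "LogStreamWrite",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
      ]
    },
    {
      "Sid": "ECRTokenAccess",
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "XRayTracing",
      "Effect": "Allow",
      "Action": [
        "xray:PutTraceSegments",
        "xray:PutTelemetryRecords",
        "xray:GetSamplingRules",
        "xray:GetSamplingTargets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CloudWatchMetrics",
      "Effect": "Allow",
      "Resource": "*",
      "Action": "cloudwatch:PutMetricData",
      "Condition": {
        "StringEquals": {
          "cloudwatch:namespace": "bedrock-agentcore"
        }
      }
    },
    {
      "Sid": "GetAgentAccessToken",
      "Effect": "Allow",
      "Action": [
        "bedrock-agentcore:GetWorkloadAccessToken",
        "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
        "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
      ],
      "Resource": [
        "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default",
        "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default/workload-identity/${AGENTCORE_AGENT_NAME}-*"
      ]
    },
    {
      "Sid": "BedrockModelInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*",
        "arn:aws:bedrock:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"
      ]
    }
  ]
}
EOF

# Create the IAM role with the trust policy above.
aws iam create-role \
  --role-name "${AGENTCORE_ROLE_NAME}" \
  --assume-role-policy-document file://agentcore-runtime-trust-policy.json

# Create the customer-managed execution policy.
aws iam create-policy \
  --policy-name "${AGENTCORE_POLICY_NAME}" \
  --policy-document file://agentcore-runtime-execution-policy.json

# Attach the policy to the role.
aws iam attach-role-policy \
  --role-name "${AGENTCORE_ROLE_NAME}" \
  --policy-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:policy/${AGENTCORE_POLICY_NAME}"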