yokawasa · September 7, 2025 06:37 · Sep 7, 2025 · Sep 7, 2025 · Sep 7, 2025
diff --git a/setup-iam-role-bedrock-agentcore-runtime.sh b/setup-iam-role-bedrock-agentcore-runtime.sh
@@ -24,7 +24,7 @@ cat > agentcore-runtime-trust-policy.json << 'EOF'
 EOF
 
 # ポリシー
-$ cat > agentcore-runtime-execution-policy.json << EOF
+cat > agentcore-runtime-execution-policy.json << EOF
 {
     "Version": "2012-10-17",
     "Statement": [

diff --git a/setup-iam-role-bedrock-agentcore-runtime.sh b/setup-iam-role-bedrock-agentcore-runtime.sh
@@ -1,5 +1,6 @@
 # This is fully refered by https://qiita.com/inoue_d/items/e38940fff7a31b8fc7c7
 # リージョンは us-east-1 を指定する。As of 2025-09-07 US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Asia Pacific (Sydney) are avaiable
+set -e -x
 
 export AWS_REGION=us-east-1
 

diff --git a/setup-iam-role-bedrock-agentcore-runtime.sh b/setup-iam-role-bedrock-agentcore-runtime.sh
@@ -0,0 +1,139 @@
+# This is fully refered by https://qiita.com/inoue_d/items/e38940fff7a31b8fc7c7
+# リージョンは us-east-1 を指定する。As of 2025-09-07 US East (N. Virginia), US West (Oregon), Europe (Frankfurt), Asia Pacific (Sydney) are avaiable
+
+export AWS_REGION=us-east-1
+
+# アカウントIDの取得
+export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+
+# 信頼関係
+cat > agentcore-runtime-trust-policy.json << 'EOF'
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "bedrock-agentcore.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+
+# ポリシー
+$ cat > agentcore-runtime-execution-policy.json << EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ECRImageAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:BatchGetImage",
+                "ecr:GetDownloadUrlForLayer"
+            ],
+            "Resource": [
+                "arn:aws:ecr:${AWS_REGION}:${AWS_ACCOUNT_ID}:repository/*"
+            ]        
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:DescribeLogStreams",
+                "logs:CreateLogGroup"
+            ],
+            "Resource": [
+                "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:DescribeLogGroups"
+            ],
+            "Resource": [
+                "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": [
+                "arn:aws:logs:${AWS_REGION}:${AWS_ACCOUNT_ID}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
+            ]
+        },
+        {
+            "Sid": "ECRTokenAccess",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetAuthorizationToken"
+            ],
+            "Resource": "*"
+        },
+        {
+        "Effect": "Allow", 
+        "Action": [ 
+            "xray:PutTraceSegments", 
+            "xray:PutTelemetryRecords", 
+            "xray:GetSamplingRules", 
+            "xray:GetSamplingTargets"
+            ],
+         "Resource": [ "*" ] 
+         },
+         {
+            "Effect": "Allow",
+            "Resource": "*",
+            "Action": "cloudwatch:PutMetricData",
+            "Condition": {
+                "StringEquals": {
+                    "cloudwatch:namespace": "bedrock-agentcore"
+                }
+            }
+        },
+        {
+            "Sid": "GetAgentAccessToken",
+            "Effect": "Allow",
+            "Action": [
+                "bedrock-agentcore:GetWorkloadAccessToken",
+                "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
+                "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
+            ],
+            "Resource": [
+              "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default",
+              "arn:aws:bedrock-agentcore:${AWS_REGION}:${AWS_ACCOUNT_ID}:workload-identity-directory/default/workload-identity/agentName-*"
+            ]
+        },
+         {"Sid": "BedrockModelInvocation", 
+         "Effect": "Allow", 
+         "Action": [ 
+                "bedrock:InvokeModel", 
+                "bedrock:InvokeModelWithResponseStream"
+              ], 
+        "Resource": [
+            "arn:aws:bedrock:*::foundation-model/*",
+            "arn:aws:bedrock:${AWS_REGION}:${AWS_ACCOUNT_ID}:*"
+        ]
+        }
+    ]
+}
+EOF
+
+# IAMロールを作成
+aws iam create-role \
+    --role-name AmazonBedrockAgentCoreRuntimeExampleRole \
+    --assume-role-policy-document file://agentcore-runtime-trust-policy.json
+
+# IAMポリシーを作成
+aws iam create-policy \
+    --policy-name BedrockAgentCorePolicy \
+    --policy-document file://agentcore-runtime-execution-policy.json
+
+# ロールにポリシーをアタッチ
+aws iam attach-role-policy \
+    --role-name AmazonBedrockAgentCoreRuntimeExampleRole \
+    --policy-arn arn:aws:iam::${AWS_ACCOUNT_ID}:policy/BedrockAgentCorePolicy