Amazon Bedrock AgentCore is in preview release and is subject to change.
IAM Permissions for AgentCore Runtime
The following are the IAM permissions you need to create an agent in AgentCore Runtime, and the execution role permissions that an agent needs in order to run in AgentCore Runtime.
Use Amazon Bedrock AgentCore
To use Amazon Bedrock AgentCore, you can attach the BedrockAgentCoreFullAccess AWS managed policy to your IAM user or IAM role. This AWS managed policy grants broad permissions. We recommend creating a custom policy with only the permissions your application requires, by copying the relevant statements and restricting the resources to your specific use case. To use the starter toolkit, you need additional permissions.
Use the starter toolkit
To use the Amazon Bedrock AgentCore starter toolkit, attach the following IAM policy to your IAM user or role. To change IAM permissions, see Change permissions for an IAM user.
Execution role for running an agent in AgentCore Runtime
To run an agent or tool in AgentCore Runtime, you need an AWS Identity and Access Management (IAM) execution role. For information about creating an IAM role, see IAM role creation.
AgentCore Runtime execution role
The AgentCore Runtime execution role is an IAM role that AgentCore Runtime assumes to run an agent. Replace the following:
- us-east-1 with the AWS Region that you are using
- 123456789012 with your AWS account ID
- agentName with the name of your agent. You'll need to decide the agent name before creating the role and the AgentCore Runtime.
AgentCore Runtime trust policy
The trust relationship for the AgentCore Runtime execution role should allow AgentCore Runtime to assume the role. Replace the following:
- us-east-1 with the AWS Region that you are using
- 123456789012 with your AWS account ID
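The following is an added example, not code from this page or from AWS: a small Python script that fills in the Region and account ID placeholders for the execution role's trust policy and then checks that the resulting statement is scoped to your account before you create the role. The page states only that the trust policy must name your Region and account ID; the service principal name (bedrock-agentcore.amazonaws.com) and the exact condition keys (aws:SourceAccount, aws:SourceArn) used here are assumptions, so compare them against the trust policy document shown in your console. The check function flags a trust policy that lets the service assume the role from any account, which is the confused-deputy case these conditions exist to prevent.

```python
"""Build and sanity-check an AgentCore Runtime execution-role trust policy.

Added example; not the page's own policy text. Assumed values are marked.
"""
import json
import re

# Assumption: the service principal AgentCore Runtime uses to assume the role.
AGENTCORE_SERVICE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"

REGION_RE = re.compile(r"^[a-z]{2}(-gov)?-[a-z]+-\d$")   # e.g. us-east-1, us-gov-west-1
ACCOUNT_RE = re.compile(r"^\d{12}$")                     # AWS account IDs are 12 digits


def build_trust_policy(region: str, account_id: str) -> dict:
    """Return the trust policy with the us-east-1 / 123456789012 placeholders replaced.

    aws:SourceAccount pins the role to your account and aws:SourceArn pins it to
    AgentCore resources in your Region, so resources in another account cannot
    make the service assume this role on their behalf.
    """
    if not REGION_RE.match(region):
        raise ValueError(f"not an AWS Region code: {region!r}")
    if not ACCOUNT_RE.match(account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeRolePolicy",
                "Effect": "Allow",
                "Principal": {"Service": AGENTCORE_SERVICE_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {
                        # Assumption: ARN layout of AgentCore Runtime resources.
                        "aws:SourceArn": f"arn:aws:bedrock-agentcore:{region}:{account_id}:*"
                    },
                },
            }
        ],
    }


def trust_policy_problems(policy: dict) -> list:
    """Return a list of findings for Allow+sts:AssumeRole statements that are not
    scoped to one account and one Region. An empty list means the policy passes."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") in ("*", {"AWS": "*"}):
            problems.append(f"{sid}: wildcard principal")
        cond = stmt.get("Condition", {})
        if not cond.get("StringEquals", {}).get("aws:SourceAccount"):
            problems.append(f"{sid}: no aws:SourceAccount condition")
        source_arn = cond.get("ArnLike", {}).get("aws:SourceArn") \
            or cond.get("StringEquals", {}).get("aws:SourceArn")
        fields = source_arn.split(":") if source_arn else []
        # arn:partition:service:region:account:resource -> Region and account
        # must be concrete, not "*", or the scoping is meaningless.
        if len(fields) < 6 or fields[3] in ("", "*") or fields[4] in ("", "*"):
            problems.append(f"{sid}: aws:SourceArn missing or not scoped to a Region and account")
    return problems


if __name__ == "__main__":
    # Placeholder values from the page; substitute your own Region and account.
    policy = build_trust_policy("us-east-1", "123456789012")
    findings = trust_policy_problems(policy)
    print(json.dumps(policy, indent=2))
    print("findings:", findings or "none")
    # Feed the JSON to `aws iam create-role --assume-role-policy-document file://trust.json`
    # (hypothetical filename) once the findings list is empty.
```

Run the script once with your own values and keep the printed JSON as the trust policy; if `trust_policy_problems` reports anything, fix the policy before attaching it to the role rather than relying on the execution role's permissions policy alone.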