Developer Policy (docs/policies/iam-policy-user.json) grants many more permissions than described #1683

Description

@asherkhb

In docs/PERMISSIONS.md -> Setting up permissions -> Developer policy, the referenced role is described as:

Attach this to every IAM user or role that will run AgentCore CLI commands. The provided iam-policy-user.json covers everything. At a high level, it grants:

  • sts:AssumeRole on the four CDK bootstrap roles (deploy, file-publishing, image-publishing, lookup)
  • sts:GetCallerIdentity, cloudformation:DescribeStacks, tag:GetResources for basic operations
  • ec2:DescribeSecurityGroups and ec2:DescribeSubnets for validating VPC network configuration when deploying agents with EFS or S3 filesystem mounts (optional, see Scoping down by feature)
  • bedrock-agentcore:Invoke*, bedrock-agentcore:Get*, bedrock-agentcore:List* for invoking agents and checking status
  • Credential provider and token vault actions for deploy when the project uses identity features
  • Payment credential provider and payment session actions for deploy, status, and invoke when the project uses payment connectors
  • CloudWatch Logs, X-Ray, and Application Signals actions for logs, traces, and observability setup
  • Bedrock actions for agent import and AI-assisted code generation (optional, see Scoping down by feature)

The actual policy (docs/policies/iam-policy-user.json) grants extensive permissions beyond this scope, including...

Very broad IAM:

    {
      "Sid": "HttpGatewayIamRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:TagRole",
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/AgentCore-*"
    },

Very broad Secrets:

    {
      "Sid": "SecretsManager",
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret"],
      "Resource": "*"
    },

etc, etc

Steps to Reproduce

  1. Read docs/PERMISSIONS.md.
  2. Read docs/policies/iam-policy-user.json.
  3. Observe the discrepancies.
  4. Don't create the policy!

Expected Behavior

I would expect the documentation outlining the required permissions to match with the policy document.

Actual Behavior

User groups with the attached policy would have a clear path to Admin-level escalation.

CLI Version

No response

Operating System

macOS

Additional Context

No response
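
An added example, not part of the issue or the project's code: a short Python check that lists every allowed action in a policy that matches none of the actions PERMISSIONS.md names explicitly, along with how wide its Resource is. The `DOCUMENTED` list and the function names are assumptions of this example, and the sample policy holds only the two statements quoted above.

```python
import json
from fnmatch import fnmatchcase

# Action patterns PERMISSIONS.md names explicitly (from the bullet list quoted above).
# Bullets that name no actions (identity, payments, logs, Bedrock) are not modeled.
DOCUMENTED = [
    "sts:AssumeRole", "sts:GetCallerIdentity", "cloudformation:DescribeStacks",
    "tag:GetResources", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets",
    "bedrock-agentcore:Invoke*", "bedrock-agentcore:Get*", "bedrock-agentcore:List*",
]

# Constructed input: the two statements quoted in the issue, wrapped in a policy document.
POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "HttpGatewayIamRoleManagement", "Effect": "Allow",
   "Action": ["iam:CreateRole", "iam:DeleteRole", "iam:GetRole", "iam:PutRolePolicy",
              "iam:DeleteRolePolicy", "iam:TagRole", "iam:PassRole"],
   "Resource": "arn:aws:iam::*:role/AgentCore-*"},
  {"Sid": "SecretsManager", "Effect": "Allow", "Resource": "*",
   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret",
              "secretsmanager:DeleteSecret"]}]}""")

def as_list(value):  # IAM accepts a bare string wherever a list is allowed
    return value if isinstance(value, list) else [value]

def documented(action):
    """IAM action names are case-insensitive; '*' in a documented pattern is a wildcard."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in DOCUMENTED)

def scope(resource):
    """Describe how wide a Resource element is."""
    if resource == "*":
        return "all resources"
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    notes = [n for n, hit in (("any account", parts[4:5] == ["*"]),
                              ("name wildcard", "*" in "".join(parts[5:]))) if hit]
    return ", ".join(notes) or "exact ARN"

def audit(policy):
    """Return (sid, action, resource scope, has_condition) for each undocumented Allow."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in filter(lambda a: not documented(a), as_list(stmt.get("Action", []))):
            for res in as_list(stmt.get("Resource", [])):
                findings.append((stmt.get("Sid", ""), action, scope(res), "Condition" in stmt))
    return findings

if __name__ == "__main__":
    print(*audit(POLICY), sep="\n")
```

Run against the full docs/policies/iam-policy-user.json by loading that file in place of `POLICY`; statements that use `NotAction` are not evaluated by this check.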

Labels: bug (Something isn't working)
