Description
In docs/PERMISSIONS.md -> Setting up permissions -> Developer policy, the referenced role is described as:
Attach this to every IAM user or role that will run AgentCore CLI commands. The provided iam-policy-user.json covers everything. At a high level, it grants:
- sts:AssumeRole on the four CDK bootstrap roles (deploy, file-publishing, image-publishing, lookup)
- sts:GetCallerIdentity, cloudformation:DescribeStacks, tag:GetResources for basic operations
- ec2:DescribeSecurityGroups and ec2:DescribeSubnets for validating VPC network configuration when deploying agents with EFS or S3 filesystem mounts (optional, see Scoping down by feature)
- bedrock-agentcore:Invoke*, bedrock-agentcore:Get*, bedrock-agentcore:List* for invoking agents and checking status
- Credential provider and token vault actions for deploy when the project uses identity features
- Payment credential provider and payment session actions for deploy, status, and invoke when the project uses payment connectors
- CloudWatch Logs, X-Ray, and Application Signals actions for logs, traces, and observability setup
- Bedrock actions for agent import and AI-assisted code generation (optional, see Scoping down by feature)
The actual policy (docs/policies/iam-policy-user.json) grants extensive permissions beyond this scope, including...
Very broad IAM:
{
"Sid": "HttpGatewayIamRoleManagement",
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:GetRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:TagRole",
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/AgentCore-*"
},
Very broad Secrets:
{
"Sid": "SecretsManager",
"Effect": "Allow",
"Action": ["secretsmanager:GetSecretValue", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret"],
"Resource": "*"
},
etc, etc
Steps to Reproduce
- Read
docs/PERMISSIONS.md.
- Read
docs/policies/iam-policy-user.json.
- Observe the discrepencies.
- Don't create the policy!
Expected Behavior
I would expect the documentation outlining the required permissions to match with the policy document
Actual Behavior
User groups with the attached policy would have a clear path to Admin-level escalation
CLI Version
No response
Operating System
macOS
Additional Context
No response
Description
In
docs/PERMISSIONS.md-> Setting up permissions -> Developer policy, the referenced role is described as:The actual policy (
docs/policies/iam-policy-user.json) grants extensive permissions beyond this scope, including...Very broad IAM:
Very broad Secrets:
etc, etc
Steps to Reproduce
docs/PERMISSIONS.md.docs/policies/iam-policy-user.json.Expected Behavior
I would expect the documentation outlining the required permissions to match with the policy document
Actual Behavior
User groups with the attached policy would have a clear path to Admin-level escalation
CLI Version
No response
Operating System
macOS
Additional Context
No response