Skip to content

fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment #35842

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 9 commits into from
Oct 30, 2025
Merged

fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment #35842

merged 9 commits into from
Oct 30, 2025

Conversation

@go-to-k
Copy link
Contributor

@go-to-k go-to-k commented Oct 25, 2025
edited by Abogical
Loading

Issue # (if applicable)

Closes #35844

Reason for this change

The current addToRolePolicy for Runtime with imported role destroys and recreates policies on every deployment.

The reason is that Date.now() is used for a construct ID of a new Policy in the situation:

https://github.com/aws/aws-cdk/blob/v2.221.0/packages/%40aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts#L253

  public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
    // Check if role is a concrete Role instance
    if (this.role instanceof iam.Role) {
      this.role.addToPolicy(statement);
    } else {
      // For imported roles (IRole), we need to attach via a new policy
      const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, {
        statements: [statement],
      });

Reproduction

  1. Deploy your stack with the following CDK code:
const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role');

const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset(
  path.join(__dirname, 'testArtifact'),
);

const role = new iam.Role(stack, 'ExecutionRole', {
  assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
});
const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);

const runtime = new agentcore.Runtime(stack, 'TestRuntime', {
  runtimeName: 'integ_test_runtime',
  agentRuntimeArtifact: runtimeArtifact,
  executionRole: imported,
});

runtime.addToRolePolicy(new iam.PolicyStatement({
  actions: ['dynamodb:Query'],
  resources: ['arn:aws:dynamodb:us-east-1:123456789012:table/my-table'],
}));

  1. Deploy or diff the stack with the same CDK code again.

  2. The change will occur:

      [-] AWS::IAM::Policy TestRuntimeCustomPolicy1761380931769044921D2 destroy
      [+] AWS::IAM::Policy TestRuntimeCustomPolicy1761381522330E0DC0D40

Description of changes

Use addToPrincipalPolicy directly instead.

Describe any new or updated permissions being added

Description of how you validated changes

Both unit tests and an integ test.

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation aws-cdk-automation requested a review from a team October 25, 2025 08:23
@github-actions github-actions bot added p2 distinguished-contributor [Pilot] contributed 50+ PRs to the CDK labels Oct 25, 2025
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for Runtime recreates policies on every deployment with imported roles fix(agentcore): addToRolePolicy for Runtime destroys and recreates policies on every deployment with imported roles Oct 25, 2025
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for Runtime destroys and recreates policies on every deployment with imported roles fix(agentcore): addToRolePolicy for Runtime with imported roles destroys and recreates policies on every deployment Oct 25, 2025
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for Runtime with imported roles destroys and recreates policies on every deployment fix(agentcore): addToRolePolicy for Runtime with imported role destroys and recreates policies on every deployment Oct 25, 2025
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for Runtime with imported role destroys and recreates policies on every deployment fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment Oct 25, 2025
@go-to-k go-to-k marked this pull request as draft October 25, 2025 10:55
@go-to-k go-to-k marked this pull request as ready for review October 25, 2025 11:19
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment fix(agentcore): addToRolePolicy for Runtime with imported role destroys and recreates policies on every deployment Oct 25, 2025
@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label Oct 25, 2025
@go-to-k go-to-k changed the title fix(agentcore): addToRolePolicy for Runtime with imported role destroys and recreates policies on every deployment fix(agentcore): addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment Oct 25, 2025
@go-to-k go-to-k marked this pull request as draft October 25, 2025 14:26
@go-to-k go-to-k marked this pull request as ready for review October 25, 2025 14:49
@github-actions github-actions bot added the bug This issue is a bug. label Oct 25, 2025
@aws-cdk-automation aws-cdk-automation added pr/needs-maintainer-review This PR needs a review from a Core Team Member and removed pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. labels Oct 27, 2025
dineshSajwan
dineshSajwan approved these changes Oct 27, 2025
View reviewed changes
Copy link
Contributor

@dineshSajwan dineshSajwan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @go-to-k .
LGTM.

Abogical
Abogical previously requested changes Oct 27, 2025
View reviewed changes
packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts Outdated
const policy = new iam.Policy(this, `CustomPolicy${this._policyCounter++}`, {
statements: [statement],
});
this.role.attachInlinePolicy(policy);
Copy link
Member

@Abogical Abogical Oct 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is no need to create a new Policyobject, just use addtoPrincipalPolicy()

Suggested change
this.role.attachInlinePolicy(policy);
this.role.addToPrincipalPolicy(statement);

Copy link
Contributor Author

@go-to-k go-to-k Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summarized it like this. Many other Constructs are done this way. How about it?

  public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
-    // Check if role is a concrete Role instance
-    if (this.role instanceof iam.Role) {
-      this.role.addToPolicy(statement);
-    } else {
-      // For imported roles (IRole), we need to attach via a new policy
-      const policy = new iam.Policy(this, `CustomPolicy${Date.now()}`, {
-        statements: [statement],
-      });
-      this.role.attachInlinePolicy(policy);
-    }
+    this.role.addToPrincipalPolicy(statement);
    return this;
  }

@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 27, 2025
@Abogical Abogical self-assigned this Oct 27, 2025
@pahud pahud mentioned this pull request Oct 27, 2025
Closed
1 task
@mergify mergify bot dismissed Abogical’s stale review October 28, 2025 08:39

Pull request has been modified.

@go-to-k go-to-k force-pushed the fix-agentcore-policy branch from e72f80e to ef4b0c0 Compare October 28, 2025 08:40
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Oct 28, 2025
Abogical
Abogical reviewed Oct 28, 2025
View reviewed changes
Copy link
Member

@Abogical Abogical left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! I have asked for a security review for this.

@Abogical Abogical added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Oct 28, 2025
@github-actions github-actions bot added the effort/medium Medium work item – several days of effort label Oct 28, 2025
@Abogical Abogical removed the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Oct 28, 2025
@mergify
Copy link
Contributor

mergify bot commented Oct 29, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify
Copy link
Contributor

mergify bot commented Oct 29, 2025

This pull request has been removed from the queue for the following reason: pull request branch update failed.

The pull request can't be updated

For security reasons, Mergify can't update this pull request. Try updating locally.
GitHub response: refusing to allow a GitHub App to create or update workflow .github/workflows/pr-build.yml without workflows permission.

You should update or rebase your pull request manually. If you do, this pull request will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue, you can requeue the pull request, without updating it, by posting a @mergifyio requeue comment.

@mergify mergify bot dismissed stale reviews from Abogical and gasolima October 29, 2025 10:47

Pull request has been modified.

@mergify
Copy link
Contributor

mergify bot commented Oct 29, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@Abogical
Copy link
Member

Abogical commented Oct 29, 2025

@Mergifyio rebase

@mergify
Copy link
Contributor

mergify bot commented Oct 29, 2025

rebase

✅ Branch has been successfully rebased

@Abogical Abogical force-pushed the fix-agentcore-policy branch from 9e2cd39 to 63fe336 Compare October 29, 2025 17:19
@mergify
Copy link
Contributor

mergify bot commented Oct 29, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@go-to-k
Copy link
Contributor Author

go-to-k commented Oct 30, 2025

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Oct 30, 2025

update

✅ Branch has been successfully updated

@mergify
Copy link
Contributor

mergify bot commented Oct 30, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@go-to-k
Copy link
Contributor Author

go-to-k commented Oct 30, 2025

@Mergifyio update

@mergify
Copy link
Contributor

mergify bot commented Oct 30, 2025

update

☑️ Nothing to do, the required conditions are not met

  • #commits-behind > 0 [📌 update requirement]
  • -closed [📌 update requirement]
  • -conflict [📌 update requirement]
  • queue-position = -1 [📌 update requirement]

@Abogical
Copy link
Member

Abogical commented Oct 30, 2025

@Mergifyio requeue

@mergify
Copy link
Contributor

mergify bot commented Oct 30, 2025

requeue

✅ The queue state of this pull request has been cleaned. It can be re-embarked automatically

@mergify mergify bot merged commit 92525e4 into aws:main Oct 30, 2025
20 of 21 checks passed
@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 30, 2025
@go-to-k go-to-k deleted the fix-agentcore-policy branch October 30, 2025 09:25
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@Abogical Abogical Abogical approved these changes

@gasolima gasolima gasolima left review comments

+2 more reviewers

@dineshSajwan dineshSajwan dineshSajwan approved these changes

@mazyu36 mazyu36 mazyu36 approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@Abogical Abogical

Labels

bug This issue is a bug. distinguished-contributor [Pilot] contributed 50+ PRs to the CDK effort/medium Medium work item – several days of effort p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bedrock-agentcore: addToRolePolicy for runtime with imported role destroys and recreates policies on every deployment

6 participants

@go-to-k @Abogical @dineshSajwan @mazyu36 @gasolima @aws-cdk-automation