Amazon Bedrock Agentcore (bedrock-agentcore)

2025-07-17

81 new actions, 11 new resources, 4 new conditions

Additions

    Actions
  • AllowVendedLogDeliveryForResource
    • Description:  Grants permission to configure vended telemetry for a resource
    • Access:  Permissions management
    • Resources: 

      Name: memory

      Required: Yes

  • ConnectBrowserAutomationStream
    • Description:  Grants permission to connect to a browser automation stream
    • Access:  Read
  • ConnectBrowserLiveViewStream
    • Description:  Grants permission to connect to a browser live view stream
    • Access:  Read
  • CreateAgentRuntime
    • Description:  Grants permission to create a new agent runtime
    • Access:  Write
    • Dependents: 

      iam:PassRole

  • CreateAgentRuntimeEndpoint
    • Description:  Grants permission to create a new agent endpoint
    • Access:  Write
  • CreateApiKeyCredentialProvider
    • Description:  Grants permission to create a new API Key Credential Provider
    • Access:  Write
  • CreateBrowser
    • Description:  Grants permission to create a new custom browser
    • Access:  Write
  • CreateCodeInterpreter
    • Description:  Grants permission to create a new custom code interpreter
    • Access:  Write
  • CreateEvent
    • Description:  Grants permission to create an Event
    • Access:  Write
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:sessionId

      bedrock-agentcore:actorId

  • CreateGateway
    • Description:  Grants permission to create a new gateway
    • Access:  Write
    • Dependents: 

      iam:PassRole

  • CreateGatewayTarget
    • Description:  Grants permission to create a new target in an existing gateway
    • Access:  Write
    • Resources: 

      Name: gateway

      Required: Yes

  • CreateMemory
    • Description:  Grants permission to create a Memory resource
    • Access:  Write
    • Dependents: 

      iam:PassRole

  • CreateOauth2CredentialProvider
    • Description:  Grants permission to create a new Credential Provider to access external resources with OAuth2 protocol
    • Access:  Write
  • CreateWorkloadIdentity
    • Description:  Grants permission to create a new Workload Identity
    • Access:  Write
  • DeleteAgentRuntime
    • Description:  Grants permission to delete an agent runtime
    • Access:  Write
    • Resources: 

      Name: runtime

      Required: Yes

  • DeleteAgentRuntimeEndpoint
    • Description:  Grants permission to delete an agent endpoint
    • Access:  Write
    • Resources: 

      Name: runtime

      Required: Yes

      Name: runtime-endpoint

      Required: Yes

  • DeleteApiKeyCredentialProvider
    • Description:  Grants permission to delete a registered API Key Credential Provider
    • Access:  Write
  • DeleteBrowser
    • Description:  Grants permission to delete a custom browser
    • Access:  Write
    • Resources: 

      Name: browser-custom

      Required: Yes

  • DeleteCodeInterpreter
    • Description:  Grants permission to delete a custom code interpreter
    • Access:  Write
    • Resources: 

      Name: code-interpreter-custom

      Required: Yes

  • DeleteEvent
    • Description:  Grants permission to delete an Event
    • Access:  Write
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:sessionId

      bedrock-agentcore:actorId

  • DeleteGateway
    • Description:  Grants permission to delete an existing gateway
    • Access:  Write
    • Resources: 

      Name: gateway

      Required: Yes

  • DeleteGatewayTarget
    • Description:  Grants permission to delete an existing gateway target
    • Access:  Write
    • Resources: 

      Name: gateway

      Required: Yes

  • DeleteMemory
    • Description:  Grants permission to delete a Memory resource
    • Access:  Write
    • Resources: 

      Name: memory

      Required: Yes

  • DeleteMemoryRecord
    • Description:  Grants permission to delete a Memory Record
    • Access:  Write
    • Resources: 

      Name: memory

      Required: Yes

  • DeleteOauth2CredentialProvider
    • Description:  Grants permission to delete a registered OAuth2 Credential Provider
    • Access:  Write
  • DeleteWorkloadIdentity
    • Description:  Grants permission to delete a registered Workload Identity
    • Access:  Write
  • GetAgentRuntime
    • Description:  Grants permission to get details of an agent runtime
    • Access:  Read
    • Resources: 

      Name: runtime

      Required: Yes

  • GetAgentRuntimeEndpoint
    • Description:  Grants permission to get details of an agent endpoint
    • Access:  Read
    • Resources: 

      Name: runtime

      Required: Yes

      Name: runtime-endpoint

      Required: Yes

  • GetApiKeyCredentialProvider
    • Description:  Grants permission to fetch a registered API Key Credential Provider by its name
    • Access:  Read
  • GetBrowser
    • Description:  Grants permission to get details of a browser
    • Access:  Read
    • Resources: 

      Name: browser-custom

      Required: Yes

  • GetBrowserSession
    • Description:  Grants permission to get details of a browser session
    • Access:  Read
    • Resources: 

      Name: browser

      Required: Yes

      Name: browser-custom

      Required: Yes

  • GetCodeInterpreter
    • Description:  Grants permission to get details of a code interpreter
    • Access:  Read
    • Resources: 

      Name: code-interpreter-custom

      Required: Yes

  • GetCodeInterpreterSession
    • Description:  Grants permission to get details of a code interpreter session
    • Access:  Read
    • Resources: 

      Name: code-interpreter

      Required: Yes

      Name: code-interpreter-custom

      Required: Yes

  • GetEvent
    • Description:  Grants permission to fetch an Event
    • Access:  Read
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:sessionId

      bedrock-agentcore:actorId

  • GetGateway
    • Description:  Grants permission to retrieve an existing gateway
    • Access:  Read
    • Resources: 

      Name: gateway

      Required: Yes

  • GetGatewayTarget
    • Description:  Grants permission to retrieve an existing gateway target
    • Access:  Read
    • Resources: 

      Name: gateway

      Required: Yes

  • GetMemory
    • Description:  Grants permission to fetch details for a Memory resource
    • Access:  Read
    • Resources: 

      Name: memory

      Required: Yes

  • GetMemoryRecord
    • Description:  Grants permission to fetch a Memory Record
    • Access:  Read
    • Resources: 

      Name: memory

      Required: Yes

  • GetOauth2CredentialProvider
    • Description:  Grants permission to fetch a registered OAuth2 Credential Provider by its name
    • Access:  Read
  • GetResourceApiKey
    • Description:  Grants permission to retrieve an API Key associated with an API Key Credential Provider
    • Access:  Read
  • GetResourceOauth2Token
    • Description:  Grants permission to retrieve an access token with the OAuth2 2LO or 3LO flow to access an external resource
    • Access:  Read
  • GetTokenVault
    • Description:  Grants permission to fetch the current configuration of the TokenVault, including encryption settings
    • Access:  Read
  • GetWorkloadAccessToken
    • Description:  Grants permission to retrieve a Workload access token for agentic workloads not acting on behalf of a user
    • Access:  Write
  • GetWorkloadAccessTokenForJWT
    • Description:  Grants permission to retrieve a Workload access token for agentic workloads acting on behalf of a user with a JWT token
    • Access:  Write
  • GetWorkloadAccessTokenForUserId
    • Description:  Grants permission to retrieve a Workload access token for agentic workloads acting on behalf of a user with a User Id
    • Access:  Write
  • GetWorkloadIdentity
    • Description:  Grants permission to fetch details for a specific Workload identity, including its name and allowed OAuth2 return URLs
    • Access:  Read
  • InvokeAgentRuntimeEndpoint
    • Description:  Grants permission to invoke an agent endpoint
    • Access:  Write
    • Resources: 

      Name: runtime

      Required: Yes

      Name: runtime-endpoint

      Required: Yes

  • InvokeCodeInterpreter
    • Description:  Grants permission to invoke a code interpreter session
    • Access:  Write
    • Resources: 

      Name: code-interpreter

      Required: Yes

      Name: code-interpreter-custom

      Required: Yes

  • ListActors
    • Description:  Grants permission to list Actors
    • Access:  List
    • Resources: 

      Name: memory

      Required: Yes

  • ListAgentRuntimeEndpoints
    • Description:  Grants permission to list agent endpoints
    • Access:  List
  • ListAgentRuntimeVersions
    • Description:  Grants permission to list agent runtime versions
    • Access:  List
  • ListAgentRuntimes
    • Description:  Grants permission to list agent runtimes
    • Access:  List
  • ListApiKeyCredentialProviders
    • Description:  Grants permission to list all API Key Credential Providers in the Token Vault
    • Access:  Read
  • ListBrowserSessions
    • Description:  Grants permission to list browser sessions
    • Access:  List
  • ListBrowsers
    • Description:  Grants permission to list browsers
    • Access:  List
  • ListCodeInterpreterSessions
    • Description:  Grants permission to list code interpreter sessions
    • Access:  List
    • Resources: 

      Name: code-interpreter

      Required: Yes

      Name: code-interpreter-custom

      Required: Yes

  • ListCodeInterpreters
    • Description:  Grants permission to list code interpreters
    • Access:  List
  • ListEvents
    • Description:  Grants permission to list events
    • Access:  List
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:sessionId

      bedrock-agentcore:actorId

  • ListGatewayTargets
    • Description:  Grants permission to list existing gateway targets
    • Access:  List
    • Resources: 

      Name: gateway

      Required: Yes

  • ListGateways
    • Description:  Grants permission to list existing gateways
    • Access:  List
  • ListMemories
    • Description:  Grants permission to list memory resources
    • Access:  List
  • ListMemoryRecords
    • Description:  Grants permission to list memory records
    • Access:  List
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:namespace

      bedrock-agentcore:strategyId

  • ListOauth2CredentialProviders
    • Description:  Grants permission to list all OAuth2 Credential Providers in the Token Vault
    • Access:  Read
  • ListSessions
    • Description:  Grants permission to list sessions
    • Access:  List
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:actorId

  • ListWorkloadIdentities
    • Description:  Grants permission to list all Workload Identities in the caller's AWS account
    • Access:  Read
  • RetrieveMemoryRecords
    • Description:  Grants permission to retrieve memory records through semantic query
    • Access:  List
    • Resources: 

      Name: memory

      Required: Yes

    • Conditions: 

      bedrock-agentcore:namespace

      bedrock-agentcore:strategyId

  • SetTokenVaultCMK
    • Description:  Grants permission to associate a Customer Managed Key (CMK) or a Service Managed Key with a specific TokenVault
    • Access:  Read
  • StartBrowserSession
    • Description:  Grants permission to start a new browser session
    • Access:  Write
    • Resources: 

      Name: browser

      Required: Yes

      Name: browser-custom

      Required: Yes

  • StartCodeInterpreterSession
    • Description:  Grants permission to start a new code interpreter session
    • Access:  Write
    • Resources: 

      Name: code-interpreter

      Required: Yes

      Name: code-interpreter-custom

      Required: Yes

  • StopBrowserSession
    • Description:  Grants permission to stop a browser session
    • Access:  Write
    • Resources: 

      Name: browser

      Required: Yes

      Name: browser-custom

      Required: Yes

  • StopCodeInterpreterSession
    • Description:  Grants permission to stop a code interpreter session
    • Access:  Write
    • Resources: 

      Name: code-interpreter

      Required: Yes

      Name: code-interpreter-custom

      Required: Yes

  • SynchronizeGatewayTargets
    • Description:  Grants permission to enable search on gateways
    • Access:  Permissions management
    • Resources: 

      Name: gateway

      Required: Yes

  • UpdateAgentRuntime
    • Description:  Grants permission to update an agent runtime
    • Access:  Write
    • Resources: 

      Name: runtime

      Required: Yes

    • Dependents: 

      iam:PassRole

  • UpdateAgentRuntimeEndpoint
    • Description:  Grants permission to update an agent endpoint
    • Access:  Write
    • Resources: 

      Name: runtime

      Required: Yes

      Name: runtime-endpoint

      Required: Yes

  • UpdateApiKeyCredentialProvider
    • Description:  Grants permission to update an existing API Key Credential Provider
    • Access:  Write
  • UpdateBrowserStream
    • Description:  Grants permission to update the status of a browser session stream
    • Access:  Write
    • Resources: 

      Name: browser

      Required: Yes

      Name: browser-custom

      Required: Yes

  • UpdateGateway
    • Description:  Grants permission to update an existing gateway
    • Access:  Write
    • Resources: 

      Name: gateway

      Required: Yes

    • Dependents: 

      iam:PassRole

  • UpdateGatewayTarget
    • Description:  Grants permission to update an existing gateway target
    • Access:  Write
    • Resources: 

      Name: gateway

      Required: Yes

  • UpdateMemory
    • Description:  Grants permission to update a Memory resource
    • Access:  Write
    • Resources: 

      Name: memory

      Required: Yes

    • Dependents: 

      iam:PassRole

  • UpdateOauth2CredentialProvider
    • Description:  Grants permission to update an existing OAuth2 Credential Provider
    • Access:  Write
  • UpdateWorkloadIdentity
    • Description:  Grants permission to update the metadata of an existing Workload Identity
    • Access:  Write
    Resources
  • memory
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:memory/${MemoryId}
  • gateway
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:gateway/${GatewayId}
  • workload-identity
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:workload-identity-directory/${DirectoryId}/workload-identity/${WorkloadIdentityName}
  • oauth2credentialprovider
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:token-vault/${TokenVaultId}/oauth2credentialprovider/${Name}
  • apikeycredentialprovider
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:token-vault/${TokenVaultId}/apikeycredentialprovider/${Name}
  • runtime
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:runtime/${RuntimeId}
  • runtime-endpoint
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:runtime/${RuntimeId}/runtime-endpoint/${Name}
  • code-interpreter-custom
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:code-interpreter-custom/${CodeInterpreterId}
  • code-interpreter
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:aws:code-interpreter/${CodeInterpreterId}
  • browser-custom
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:${Account}:browser-custom/${BrowserId}
  • browser
    • Arn:  arn:${Partition}:bedrock-agentcore:${Region}:aws:browser/${BrowserId}