Change log of AWS IAM permissions

2026-05-07

27 new actions, 2 new resources | 3 updated actions

Additions

Actions

CreatePaymentConnector
- Description: Grants permission to create a new payment connector under a payment manager
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
CreatePaymentCredentialProvider
- Description: Grants permission to create a new Payment Credential Provider
- Access: Write
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
CreatePaymentInstrument
- Description: Grants permission to create a new payment instrument
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
CreatePaymentManager
- Description: Grants permission to create a new payment manager
- Access: Write
- Conditions:
  aws:RequestTag/${TagKey}
  
  aws:TagKeys
- Dependents:
  iam:PassRole
CreatePaymentSession
- Description: Grants permission to create a new payment session
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
DeletePaymentConnector
- Description: Grants permission to delete a payment connector
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
DeletePaymentCredentialProvider
- Description: Grants permission to delete a registered Payment Credential Provider
- Access: Write
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
DeletePaymentInstrument
- Description: Grants permission to delete a payment instrument
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
DeletePaymentManager
- Description: Grants permission to delete a payment manager
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
DeletePaymentSession
- Description: Grants permission to delete a payment session
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
GetPaymentConnector
- Description: Grants permission to retrieve details of a payment connector
- Access: Read
- Resources:
  Name: payment-manager
  
  Required: Yes
GetPaymentCredentialProvider
- Description: Grants permission to fetch a registered Payment Credential Provider by its name
- Access: Read
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
GetPaymentInstrument
- Description: Grants permission to retrieve details of a payment instrument
- Access: Read
- Resources:
  Name: payment-manager
  
  Required: Yes
GetPaymentInstrumentBalance
- Description: Grants permission to retrieve the balance of a payment instrument
- Access: Read
- Resources:
  Name: payment-manager
  
  Required: Yes
GetPaymentManager
- Description: Grants permission to retrieve details of a payment manager
- Access: Read
- Resources:
  Name: payment-manager
  
  Required: Yes
GetPaymentSession
- Description: Grants permission to retrieve details of a payment session
- Access: Read
- Resources:
  Name: payment-manager
  
  Required: Yes
GetResourcePaymentToken
- Description: Grants permission to retrieve a payment authentication token associated with a Payment Credential Provider
- Access: Read
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
  
  Name: workload-identity
  
  Required: Yes
  
  Name: workload-identity-directory
  
  Required: Yes
ListPaymentConnectors
- Description: Grants permission to list payment connectors under a payment manager
- Access: List
- Resources:
  Name: payment-manager
  
  Required: Yes
ListPaymentCredentialProviders
- Description: Grants permission to list all Payment Credential Providers in the Token Vault
- Access: List
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
ListPaymentInstruments
- Description: Grants permission to list payment instruments
- Access: List
- Resources:
  Name: payment-manager
  
  Required: Yes
ListPaymentManagers
- Description: Grants permission to list payment managers
- Access: List
ListPaymentSessions
- Description: Grants permission to list payment sessions
- Access: List
- Resources:
  Name: payment-manager
  
  Required: Yes
ProcessPayment
- Description: Grants permission to process a payment transaction
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
UpdatePaymentConnector
- Description: Grants permission to update an existing payment connector
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
UpdatePaymentCredentialProvider
- Description: Grants permission to update an existing Payment Credential Provider
- Access: Write
- Resources:
  Name: paymentcredentialprovider
  
  Required: Yes
  
  Name: token-vault
  
  Required: Yes
UpdatePaymentManager
- Description: Grants permission to update an existing payment manager
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes
- Dependents:
  iam:PassRole
UpdatePaymentSession
- Description: Grants permission to update an existing payment session
- Access: Write
- Resources:
  Name: payment-manager
  
  Required: Yes

Resources

payment-manager
- Arn: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:payment-manager/${PaymentManagerId}
- Conditions:
  aws:ResourceTag/${TagKey}
paymentcredentialprovider
- Arn: arn:${Partition}:bedrock-agentcore:${Region}:${Account}:token-vault/${TokenVaultId}/paymentcredentialprovider/${Name}
- Conditions:
  aws:ResourceTag/${TagKey}

Updates

Actions

UpdateGatewayRule
- Read ⟶ Write
AllowVendedLogDeliveryForResource
- ＋ payment-manager
TagResource
- ＋ payment-manager
- ＋ paymentcredentialprovider

Amazon Bedrock Agentcore (bedrock-agentcore)

Additions

Updates