AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-25 · Documentation low

File: bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md

Summary

Added troubleshooting section for 'iam:CreateRole' authorization errors in console with example error and resolution steps

Security assessment

This change adds documentation for resolving a permission error but doesn't indicate a security vulnerability. It improves security guidance by explaining how to properly configure IAM permissions.

Diff

diff --git a/bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md b/bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md
index 28c9afb85..a4c955c49 100644
--- a//bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md
+++ b//bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md
@@ -7 +7 @@
-I am not authorized to perform an action in AgentCoreI am not authorized to perform iam:PassRoleI want to allow people outside of my AWS account to access my AgentCore resources
+I am not authorized to perform an action in AgentCoreI am not authorized to perform iam:PassRoleI am not authorized to perform iam:CreateRole in the consoleI want to allow people outside of my AWS account to access my AgentCore resources
@@ -18,0 +19,2 @@ Use the following information to help you diagnose and fix common issues that yo
+  * I am not authorized to perform iam:CreateRole in the console
+
@@ -51,0 +54,44 @@ If you need help, contact your AWS administrator. Your administrator is the pers
+## I am not authorized to perform iam:CreateRole in the console
+
+If you receive an error that you’re not authorized to perform the `iam:CreateRole` action when creating an AgentCore resource in the AWS Management Console, you need to add additional permissions to your IAM user or role.
+
+The following example error occurs when you create a harness and the console attempts to auto-create the execution role on your behalf:
+    
+    
+    User: arn:aws:iam::123456789012:assumed-role/MyConsoleRole/user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCoreHarnessDefaultServiceRole-abc12 because no identity-based policy allows the iam:CreateRole action
+
+To resolve this issue, do one of the following:
+
+  * **Add an inline policy:** Add a policy to your IAM user or role that grants the necessary permissions for the console to create execution roles on your behalf:
+    
+        {
+    "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "iam:CreateRole",
+          "Resource": "arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCore*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": "iam:CreatePolicy",
+          "Resource": "arn:aws:iam::123456789012:policy/service-role/AmazonBedrockAgentCore*"
+        },
+        {
+          "Effect": "Allow",
+          "Action": "iam:AttachRolePolicy",
+          "Resource": "arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCore*",
+          "Condition": {
+            "ArnLike": {
+              "iam:PolicyARN": "arn:aws:iam::123456789012:policy/service-role/AmazonBedrockAgentCore*"
+            }
+          }
+        }
+      ]
+    }
+
+  * **Create the execution role manually:** Create the role before creating the resource in the console, and then select the existing role instead of allowing the console to auto-create one. For the required trust policy and permissions, see [Execution role for running an agent in AgentCore Runtime](./runtime-permissions.html#runtime-permissions-execution).
+
+
+
+