AWS bedrock-agentcore documentation change
Summary
Added troubleshooting section for 'iam:CreateRole' authorization errors in console with example error and resolution steps
Security assessment
This change adds documentation for resolving a permission error but doesn't indicate a security vulnerability. It improves security guidance by explaining how to properly configure IAM permissions.
Diff
diff --git a/bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md b/bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md index 28c9afb85..a4c955c49 100644 --- a//bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md +++ b//bedrock-agentcore/latest/devguide/security_iam_troubleshoot.md @@ -7 +7 @@ -I am not authorized to perform an action in AgentCoreI am not authorized to perform iam:PassRoleI want to allow people outside of my AWS account to access my AgentCore resources +I am not authorized to perform an action in AgentCoreI am not authorized to perform iam:PassRoleI am not authorized to perform iam:CreateRole in the consoleI want to allow people outside of my AWS account to access my AgentCore resources @@ -18,0 +19,2 @@ Use the following information to help you diagnose and fix common issues that yo + * I am not authorized to perform iam:CreateRole in the console + @@ -51,0 +54,44 @@ If you need help, contact your AWS administrator. Your administrator is the pers +## I am not authorized to perform iam:CreateRole in the console + +If you receive an error that you’re not authorized to perform the `iam:CreateRole` action when creating an AgentCore resource in the AWS Management Console, you need to add additional permissions to your IAM user or role. + +The following example error occurs when you create a harness and the console attempts to auto-create the execution role on your behalf: + + + User: arn:aws:iam::123456789012:assumed-role/MyConsoleRole/user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCoreHarnessDefaultServiceRole-abc12 because no identity-based policy allows the iam:CreateRole action + +To resolve this issue, do one of the following: + + * **Add an inline policy:** Add a policy to your IAM user or role that grants the necessary permissions for the console to create execution roles on your behalf: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": "iam:CreateRole", + "Resource": "arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCore*" + }, + { + "Effect": "Allow", + "Action": "iam:CreatePolicy", + "Resource": "arn:aws:iam::123456789012:policy/service-role/AmazonBedrockAgentCore*" + }, + { + "Effect": "Allow", + "Action": "iam:AttachRolePolicy", + "Resource": "arn:aws:iam::123456789012:role/service-role/AmazonBedrockAgentCore*", + "Condition": { + "ArnLike": { + "iam:PolicyARN": "arn:aws:iam::123456789012:policy/service-role/AmazonBedrockAgentCore*" + } + } + } + ] + } + + * **Create the execution role manually:** Create the role before creating the resource in the console, and then select the existing role instead of allowing the console to auto-create one. For the required trust policy and permissions, see [Execution role for running an agent in AgentCore Runtime](./runtime-permissions.html#runtime-permissions-execution). + + + +