docs: add IAM permissions guide and policy files#689
Merged
Conversation
Add PERMISSIONS.md covering enterprise IAM setup for the AgentCore CLI, including admin setup instructions, CDK bootstrap configuration, permission boundaries, feature-based scoping, and a full action-by-action reference. Includes ready-to-use JSON policy documents for both the developer role and the CloudFormation execution role.
Hweinstock
reviewed
Mar 27, 2026
Hweinstock
left a comment
After thinking about it a bit, we really do require some crazy permissions atm.
- Add iam-policy-boundary.json for execution role permission boundaries
- Add deny statements to CFN execution role policy (ForceExecutionRoleBoundary, PreventBoundaryRemoval, PreventBoundaryPolicyTampering)
- Scope CDK bootstrap role ARNs to single account (ACCOUNT_ID placeholder)
- Expand permission boundaries section with step-by-step enterprise hardening guide
Package Tarball: aws-agentcore-0.3.0-preview.8.0.tgz
How to install: npm install https://github.com/aws/agentcore-cli/releases/download/pr-689-tarball/aws-agentcore-0.3.0-preview.8.0.tgz
…ct changes
The CDK constructs don't currently attach permissionsBoundary to IAM roles they create, so the ForceExecutionRoleBoundary deny statement would block deployments. Mark Step 2 as a recommended future configuration until the constructs are updated.
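To make the failure mode in that commit concrete, here is an illustrative reconstruction of the three deny statements it names, written as an added example and not taken from the repository's policy files; ACCOUNT_ID is the page's own placeholder, and the boundary policy name AgentCoreExecutionRoleBoundary is an assumption standing in for whatever iam-policy-boundary.json is deployed as.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ForceExecutionRoleBoundary",
      "Effect": "Deny",
      "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary"],
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/*",
      "Condition": {
        "StringNotEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::ACCOUNT_ID:policy/AgentCoreExecutionRoleBoundary"
        }
      }
    },
    {
      "Sid": "PreventBoundaryRemoval",
      "Effect": "Deny",
      "Action": "iam:DeleteRolePermissionsBoundary",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/*"
    },
    {
      "Sid": "PreventBoundaryPolicyTampering",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::ACCOUNT_ID:policy/AgentCoreExecutionRoleBoundary"
    }
  ]
}
```

Because StringNotEquals evaluates to true when the iam:PermissionsBoundary key is absent from the request, an iam:CreateRole call that sets no boundary at all is denied, which is exactly why CDK constructs that do not pass permissionsBoundary cannot deploy under this statement until they are updated.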
Hweinstock
approved these changes
Mar 27, 2026
Summary
docs/PERMISSIONS.md, covering enterprise IAM setup for the AgentCore CLI. The first half is a setup guide for platform admins (role creation, CDK bootstrap, permission boundaries, feature-based scoping, troubleshooting). The second half is a complete action-by-action reference of every IAM permission the CLI requires.
docs/policies/: one for the developer role (direct SDK calls + CDK role assumption) and one for the CloudFormation execution role (infrastructure provisioning).
Test plan