AWSTemplateFormatVersion: '2010-09-09' Transform: AWS::Serverless-2016-10-31 Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing # Note: This template uses the bedrock-agentcore.amazonaws.com service principal # instead of a hardcoded service account ID for better maintainability and security Parameters: Environment: Type: String Default: prod Description: Environment name for CloudFormation tags only Globals: Function: Timeout: 900 # 15 minutes MemorySize: 3008 # Maximum memory for performance Resources: # Bedrock AgentCore Gateway Execution Role - Role that Bedrock AgentCore Gateway assumes to invoke Lambda functions BedrockAgentCoreGatewayExecutionRole: Type: AWS::IAM::Role Properties: RoleName: bac-gateway-execution-role AssumeRolePolicyDocument: Version: '2012-10-17' Statement: # Production Bedrock AgentCore Gateway - Bedrock AgentCore service principal with required conditions - Effect: Allow Principal: Service: bedrock-agentcore.amazonaws.com Action: sts:AssumeRole Condition: StringEquals: aws:SourceAccount: !Ref AWS::AccountId ArnLike: aws:SourceArn: !Sub "arn:aws:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:gateway/bac-gtw-*" Policies: - PolicyName: BedrockAgentCoreGatewayExecutionPolicy PolicyDocument: Version: '2012-10-17' Statement: - Sid: InvokeLambdaFunctions Effect: Allow Action: - lambda:InvokeFunction Resource: '*' - Sid: BedrockAgentCorePermissions Effect: Allow Action: - bedrock-agentcore:* - iam:PassRole Resource: '*' - Sid: S3Permissions Effect: Allow Action: - s3:GetObject - s3:PutObject - s3:DeleteObject - s3:ListBucket - s3:GetBucketLocation Resource: '*' - Sid: CloudWatchLogsPermissions Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents - logs:DescribeLogGroups - logs:DescribeLogStreams Resource: '*' Tags: - Key: Project Value: lambda-adaptor-bedrock-agentcore - Key: Component Value: bedrock-agentcore-gateway-execution - Key: Environment Value: !Ref Environment - Key: ManagedBy Value: SAM # Custom Lambda Execution Role with Bedrock AgentCore Trust and AWS Service Permissions MCPToolFunctionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: # Allow Lambda service to assume this role - Effect: Allow Principal: Service: lambda.amazonaws.com Action: sts:AssumeRole # Allow Bedrock AgentCore service to assume this role - Effect: Allow Principal: Service: bedrock-agentcore.amazonaws.com Action: sts:AssumeRole ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole - arn:aws:iam::aws:policy/ReadOnlyAccess Policies: - PolicyName: BedrockInvokePolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - bedrock:InvokeModel - bedrock:InvokeModelWithResponseStream Resource: '*' - PolicyName: CostExplorerPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - ce:GetCostAndUsage - ce:GetUsageReport - ce:GetReservationCoverage - ce:GetReservationPurchaseRecommendation - ce:GetReservationUtilization - ce:GetDimensionValues - ce:GetMetricValues - ce:ListCostCategoryDefinitions - ce:GetCostCategories - ce:GetRightsizingRecommendation - ce:GetSavingsPlansUtilization - ce:GetSavingsPlansUtilizationDetails - ce:GetSavingsPlansCoverage - ce:GetSavingsPlansUsage - ce:GetUsageForecast - ce:GetCostForecast Resource: '*' - PolicyName: CloudWatchLogsPolicy PolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/bac-mcp-tool:*" Tags: - Key: Project Value: lambda-adaptor-bedrock-agentcore - Key: Component Value: mcp-tool-lambda - Key: Environment Value: !Ref Environment # MCP Tool Lambda Function MCPToolFunction: Type: AWS::Serverless::Function Properties: FunctionName: "bac-mcp-tool" PackageType: Image ImageUri: mcp-tool-lambda:latest Description: MCP Tool Lambda for Bedrock AgentCore Gateway MCP testing Role: !GetAtt MCPToolFunctionRole.Arn # Environment variables Environment: Variables: ENVIRONMENT: !Ref Environment LOG_LEVEL: INFO # Tracing Tracing: Active Tags: Project: lambda-adaptor-bedrock-agentcore Component: mcp-tool-lambda Environment: !Ref Environment ManagedBy: SAM Metadata: DockerTag: "bac-mcp-tool" DockerContext: ./lambda Dockerfile: Dockerfile # CloudWatch Log Group MCPToolLogGroup: Type: AWS::Logs::LogGroup Properties: LogGroupName: "/aws/lambda/bac-mcp-tool" RetentionInDays: 14 Outputs: MCPToolFunctionArn: Description: MCP Tool Lambda Function ARN Value: !GetAtt MCPToolFunction.Arn Export: Name: !Sub "${AWS::StackName}-MCPToolFunctionArn" MCPToolFunctionName: Description: MCP Tool Lambda Function Name Value: !Ref MCPToolFunction Export: Name: !Sub "${AWS::StackName}-MCPToolFunctionName" MCPToolFunctionRoleArn: Description: MCP Tool Lambda Function Role ARN Value: !GetAtt MCPToolFunctionRole.Arn Export: Name: !Sub "${AWS::StackName}-MCPToolFunctionRoleArn" BedrockAgentCoreGatewayExecutionRoleArn: Description: Bedrock AgentCore Gateway Execution Role ARN - Use this role when creating Bedrock AgentCore Gateway targets Value: !GetAtt BedrockAgentCoreGatewayExecutionRole.Arn Export: Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleArn" BedrockAgentCoreGatewayExecutionRoleName: Description: Bedrock AgentCore Gateway Execution Role Name Value: !Ref BedrockAgentCoreGatewayExecutionRole Export: Name: !Sub "${AWS::StackName}-BedrockAgentCoreGatewayExecutionRoleName"