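import boto3
import json
import time
from boto3.session import Session


def _detach_and_delete_role(iam_client, role_name):
    """Strip every inline and managed policy from *role_name*, then delete it.

    IAM rejects ``DeleteRole`` while any inline policy or managed-policy
    attachment remains, so both are removed first. Both listings are
    paginated so that roles carrying more policies than one page holds are
    still cleaned up completely.

    Args:
        iam_client: A boto3 IAM client.
        role_name: Name of the role to remove.

    Raises:
        botocore.exceptions.ClientError: on any IAM API failure (for
            example a role still referenced by an instance profile).
    """
    inline_pages = iam_client.get_paginator("list_role_policies").paginate(
        RoleName=role_name
    )
    for page in inline_pages:
        print("policies:", page["PolicyNames"])
        for policy_name in page["PolicyNames"]:
            iam_client.delete_role_policy(RoleName=role_name, PolicyName=policy_name)

    attached_pages = iam_client.get_paginator("list_attached_role_policies").paginate(
        RoleName=role_name
    )
    for page in attached_pages:
        for policy in page["AttachedPolicies"]:
            iam_client.detach_role_policy(
                RoleName=role_name, PolicyArn=policy["PolicyArn"]
            )

    print(f"deleting {role_name}")
    iam_client.delete_role(RoleName=role_name)


def create_agentcore_role(agent_name):
    """Create (or recreate) the IAM execution role for an AgentCore runtime.

    The role is named ``agentcore-<agent_name>-role``. Its trust policy lets
    ``bedrock-agentcore.amazonaws.com`` assume it, restricted to resources in
    the calling account and region; an inline policy named ``AgentCorePolicy``
    grants the Bedrock, ECR, CloudWatch Logs, X-Ray, CloudWatch metrics and
    AgentCore workload-identity permissions the runtime needs.

    If a role with that name already exists it is DELETED and recreated —
    any other workload still using the old role loses it. Callers that share
    a role between agents should not call this function for it.

    Args:
        agent_name: Short agent identifier; used in the role name and in the
            workload-identity ARN the role may request tokens for.

    Returns:
        The ``create_role`` response dict (``{"Role": {...}}``).

    Raises:
        ValueError: if no AWS region is configured on the default session.
        botocore.exceptions.ClientError: if any IAM/STS call fails,
            including the final ``put_role_policy`` — a role without its
            permissions policy is not a usable result, so that error is no
            longer swallowed.
    """
    iam_client = boto3.client("iam")
    agentcore_role_name = f"agentcore-{agent_name}-role"

    region = Session().region_name
    # Without a region the ARNs below would be built with the literal
    # string "None" and silently match nothing.
    if not region:
        raise ValueError(
            "No AWS region configured; set AWS_DEFAULT_REGION or a profile region"
        )
    account_id = boto3.client("sts").get_caller_identity()["Account"]

    role_policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "BedrockPermissions",
                "Effect": "Allow",
                "Action": [
                    "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream",
                ],
                # NOTE(review): "*" allows invoking any model/inference
                # profile in the account; narrow to the model ARNs the agent
                # actually uses once they are known.
                "Resource": "*",
            },
            {
                "Sid": "ECRImageAccess",
                "Effect": "Allow",
                "Action": [
                    "ecr:BatchGetImage",
                    "ecr:GetDownloadUrlForLayer",
                ],
                # Pull access to every repository in this account/region;
                # could be scoped to the agent's own repository.
                "Resource": [f"arn:aws:ecr:{region}:{account_id}:repository/*"],
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:DescribeLogStreams",
                    "logs:CreateLogGroup",
                ],
                "Resource": [
                    f"arn:aws:logs:{region}:{account_id}:log-group:/aws/bedrock-agentcore/runtimes/*"
                ],
            },
            {
                "Effect": "Allow",
                "Action": ["logs:DescribeLogGroups"],
                "Resource": [f"arn:aws:logs:{region}:{account_id}:log-group:*"],
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogStream",
                    "logs:PutLogEvents",
                ],
                "Resource": [
                    f"arn:aws:logs:{region}:{account_id}:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
                ],
            },
            {
                "Sid": "ECRTokenAccess",
                "Effect": "Allow",
                # GetAuthorizationToken does not support resource-level
                # permissions, so "*" is required here.
                "Action": ["ecr:GetAuthorizationToken"],
                "Resource": "*",
            },
            {
                "Effect": "Allow",
                "Action": [
                    "xray:PutTraceSegments",
                    "xray:PutTelemetryRecords",
                    "xray:GetSamplingRules",
                    "xray:GetSamplingTargets",
                ],
                "Resource": ["*"],
            },
            {
                "Effect": "Allow",
                "Resource": "*",
                "Action": "cloudwatch:PutMetricData",
                # PutMetricData has no resource ARNs; the namespace
                # condition is what keeps this from being a blanket grant.
                "Condition": {
                    "StringEquals": {"cloudwatch:namespace": "bedrock-agentcore"}
                },
            },
            {
                "Sid": "GetAgentAccessToken",
                "Effect": "Allow",
                "Action": [
                    "bedrock-agentcore:GetWorkloadAccessToken",
                    "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
                    "bedrock-agentcore:GetWorkloadAccessTokenForUserId",
                ],
                # Trailing "*" on the workload-identity ARN also matches any
                # identity whose name merely starts with agent_name.
                "Resource": [
                    f"arn:aws:bedrock-agentcore:{region}:{account_id}:workload-identity-directory/default",
                    f"arn:aws:bedrock-agentcore:{region}:{account_id}:workload-identity-directory/default/workload-identity/{agent_name}*",
                ],
            },
        ],
    }

    assume_role_policy_document = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssumeRolePolicy",
                "Effect": "Allow",
                "Principal": {"Service": "bedrock-agentcore.amazonaws.com"},
                "Action": "sts:AssumeRole",
                # SourceAccount/SourceArn conditions stop the service from
                # assuming this role on behalf of another account's resources
                # (confused-deputy protection); any AgentCore resource in this
                # account and region may still use it.
                "Condition": {
                    "StringEquals": {"aws:SourceAccount": account_id},
                    "ArnLike": {
                        "aws:SourceArn": f"arn:aws:bedrock-agentcore:{region}:{account_id}:*"
                    },
                },
            }
        ],
    }

    assume_role_policy_document_json = json.dumps(assume_role_policy_document)
    role_policy_document = json.dumps(role_policy)

    # Create the IAM role for the AgentCore runtime; on a name clash the
    # existing role is torn down and rebuilt so the trust policy is known.
    try:
        agentcore_iam_role = iam_client.create_role(
            RoleName=agentcore_role_name,
            AssumeRolePolicyDocument=assume_role_policy_document_json,
        )
    except iam_client.exceptions.EntityAlreadyExistsException:
        print("Role already exists -- deleting and creating it again")
        _detach_and_delete_role(iam_client, agentcore_role_name)
        print(f"recreating {agentcore_role_name}")
        agentcore_iam_role = iam_client.create_role(
            RoleName=agentcore_role_name,
            AssumeRolePolicyDocument=assume_role_policy_document_json,
        )

    # Pause so the new role has propagated before it is referenced; this
    # applies to the recreate path too, which previously had no delay.
    time.sleep(10)

    # Attach the inline permissions policy. A failure here is propagated:
    # returning a role with no permissions would look like success to the
    # caller while the runtime could do nothing.
    print(f"attaching role policy {agentcore_role_name}")
    iam_client.put_role_policy(
        PolicyDocument=role_policy_document,
        PolicyName="AgentCorePolicy",
        RoleName=agentcore_role_name,
    )

    return agentcore_iam_role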