Problem
When deploying resources with agentcore deploy, there is no way to configure resource-based policies. This means cross-account access to deployed resources fails with AccessDeniedException.
For example, invoking an agent runtime cross-account:
```text
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException)
when calling the InvokeAgentRuntime operation: User: arn:aws:sts::ACCOUNT_A:assumed-role/Admin/user
is not authorized to perform: bedrock-agentcore:InvokeAgentRuntime on resource:
arn:aws:bedrock-agentcore:us-west-2:ACCOUNT_B:runtime/MyAgent because no resource-based
policy allows the bedrock-agentcore:InvokeAgentRuntime action
```
This applies to any AgentCore resource that supports resource-based policies, not just agent runtimes.
Expected Behavior
The agentcore.json project spec should support an optional resource policy configuration, e.g.:
```json
{
  "agents": [
    {
      "name": "MyAgent",
      "type": "AgentCoreRuntime",
      "allowedPrincipals": [
        "arn:aws:iam::123456789012:root"
      ]
    }
  ]
}
```

`agentcore deploy` should apply the corresponding resource-based policy after creating/updating the resource. This should be supported across all AgentCore resource types that support resource-based policies (agent runtimes, memory stores, etc.).
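As an added illustration (not code from the AgentCore CLI or this issue), the following builds the resource-based policy document that such an `allowedPrincipals` entry would translate to, and refuses wildcard or malformed principals so a typo in `agentcore.json` cannot expose the runtime to every AWS account. The `build_runtime_policy` function, the `SPEC` sample and the `ACCOUNT_B` placeholder are assumptions; how the policy is attached to the resource is left to the CLI.

```python
import json
import re

# Constructed sample matching the spec proposed above (not the CLI's own code).
SPEC = {
    "agents": [
        {
            "name": "MyAgent",
            "type": "AgentCoreRuntime",
            "allowedPrincipals": ["arn:aws:iam::123456789012:root"],
        }
    ]
}

# Accept only account roots, IAM roles and IAM users. "*" and malformed ARNs are
# rejected so the generated policy can never grant anonymous cross-account access.
_PRINCIPAL_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(root|role/.+|user/.+)$")


def validate_principals(principals):
    bad = [p for p in principals if not _PRINCIPAL_ARN.match(p)]
    if bad:
        raise ValueError(f"refusing non-account principals: {bad}")
    return list(principals)


def build_runtime_policy(agent, region, account_id, runtime_id):
    """Return the resource-based policy for one AgentCoreRuntime entry, or None
    when the agent declares no allowedPrincipals (nothing should be attached).
    Other resource types (memory stores, etc.) would need their own action lists."""
    principals = agent.get("allowedPrincipals")
    if not principals:
        return None
    if agent["type"] != "AgentCoreRuntime":
        raise ValueError(f"unsupported resource type: {agent['type']}")
    resource = f"arn:aws:bedrock-agentcore:{region}:{account_id}:runtime/{runtime_id}"
    sid = "CrossAccountInvoke" + re.sub(r"[^A-Za-z0-9]", "", agent["name"])
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": sid,
            "Effect": "Allow",
            "Principal": {"AWS": validate_principals(principals)},
            "Action": ["bedrock-agentcore:InvokeAgentRuntime"],
            "Resource": resource,
        }],
    }


if __name__ == "__main__":
    # ACCOUNT_B is a placeholder for the deploying account, as in the error above.
    print(json.dumps(build_runtime_policy(SPEC["agents"][0], "us-west-2", "ACCOUNT_B", "MyAgent"), indent=2))
```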