serverless-bedrock-agentcore-plugin 0.3.0 → 0.4.0

package/CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Resource-based policy support for AgentCore Runtime
+  - Enable cross-account access to agent runtimes
+  - Standard IAM policy document format
+  - Support for multiple principals and statements
+- New example: `cross-account-access` demonstrating resource policy usage
+- Schema validation for `resourcePolicy` configuration
+- Test coverage for resource policy builder functions
+
 ## [0.2.0] - 2025-12-19
 
 ### Added

package/README.md

@@ -87,29 +87,56 @@ agents:
         - X-User-Id
         - X-Session-Id
         - Authorization
+    # Optional: Resource-based policy for cross-account access
+    resourcePolicy:
+      Version: '2012-10-17'
+      Statement:
+        - Sid: AllowCrossAccountInvoke
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::123456789012:role/MyRole
+          Action:
+            - bedrock-agentcore:InvokeAgentRuntime
+          Resource: '*'
 ```
 
-| Property                                         | Required | Description                              |
-| ------------------------------------------------ | -------- | ---------------------------------------- |
-| `type`                                           | Yes      | `runtime`                                |
-| `artifact.docker.path`                           | Yes\*    | Docker build context path                |
-| `artifact.docker.file`                           | No       | Dockerfile name (default: Dockerfile)    |
-| `artifact.docker.repository`                     | No       | ECR repository name                      |
-| `artifact.containerImage`                        | Yes\*    | Pre-built container image URI            |
-| `protocol`                                       | No       | `HTTP`, `MCP`, or `A2A`                  |
-| `network.networkMode`                            | No       | `PUBLIC` or `VPC`                        |
-| `authorizer.customJwtAuthorizer`                 | No       | JWT authorizer config (omit for no auth) |
-| `authorizer.customJwtAuthorizer.discoveryUrl`    | Yes\*\*  | OIDC discovery URL                       |
-| `authorizer.customJwtAuthorizer.allowedAudience` | No       | Array of allowed audience values         |
-| `authorizer.customJwtAuthorizer.allowedClients`  | No       | Array of allowed client IDs              |
-| `requestHeaders.allowlist`                       | No       | Headers to pass to runtime (max 20)      |
-| `description`                                    | No       | Runtime description                      |
-| `roleArn`                                        | No       | Custom IAM role ARN                      |
+| Property                                         | Required  | Description                              |
+| ------------------------------------------------ | --------- | ---------------------------------------- |
+| `type`                                           | Yes       | `runtime`                                |
+| `artifact.docker.path`                           | Yes\*     | Docker build context path                |
+| `artifact.docker.file`                           | No        | Dockerfile name (default: Dockerfile)    |
+| `artifact.docker.repository`                     | No        | ECR repository name                      |
+| `artifact.containerImage`                        | Yes\*     | Pre-built container image URI            |
+| `protocol`                                       | No        | `HTTP`, `MCP`, or `A2A`                  |
+| `network.networkMode`                            | No        | `PUBLIC` or `VPC`                        |
+| `authorizer.customJwtAuthorizer`                 | No        | JWT authorizer config (omit for no auth) |
+| `authorizer.customJwtAuthorizer.discoveryUrl`    | Yes\*\*   | OIDC discovery URL                       |
+| `authorizer.customJwtAuthorizer.allowedAudience` | No        | Array of allowed audience values         |
+| `authorizer.customJwtAuthorizer.allowedClients`  | No        | Array of allowed client IDs              |
+| `requestHeaders.allowlist`                       | No        | Headers to pass to runtime (max 20)      |
+| `resourcePolicy`                                 | No        | Resource-based policy (IAM policy doc)   |
+| `resourcePolicy.Statement`                       | Yes\*\*\* | Array of policy statements               |
+| `description`                                    | No        | Runtime description                      |
+| `roleArn`                                        | No        | Custom IAM role ARN                      |
 
 \*Either `artifact.docker` or `artifact.containerImage` is required
 
 \*\*Required when using `customJwtAuthorizer`
 
+\*\*\*Required when using `resourcePolicy`
+
+#### Resource-Based Policies
+
+Resource-based policies allow you to grant cross-account or cross-principal access to invoke your AgentCore runtime. This is useful when you need to allow another AWS account or service to invoke your agent.
+
+Example use cases:
+
+- **Cross-account access**: Allow an ECS task in another account to invoke your agent
+- **Service-to-service**: Grant specific IAM roles permission to invoke the runtime
+- **Multi-tenant architectures**: Control access across different AWS accounts
+
+The `resourcePolicy` follows standard IAM policy document format with `Version` (defaults to `2012-10-17`) and `Statement` array.
+
 ### Memory
 
 Store conversation history with semantic search and summarization.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-bedrock-agentcore-plugin",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "Serverless Framework plugin for AWS Bedrock AgentCore - deploy Runtime, Memory, and Gateway resources",
   "main": "src/index.js",
   "engines": {

package/src/compilers/runtime.js

@@ -182,6 +182,26 @@ function buildRequestHeaderConfiguration(requestHeaders) {
   };
 }
 
+/**
+ * Build resource-based policy for the runtime
+ * Allows cross-account or cross-principal access to invoke the agent
+ *
+ * @param {Object} resourcePolicy - The resource policy configuration from serverless.yml
+ * @returns {Object|null} CloudFormation ResourcePolicy or null
+ */
+function buildResourcePolicy(resourcePolicy) {
+  if (!resourcePolicy || !resourcePolicy.Statement || resourcePolicy.Statement.length === 0) {
+    return null;
+  }
+
+  // CloudFormation expects the policy as a JSON object
+  // The policy should be in standard IAM policy document format
+  return {
+    Version: resourcePolicy.Version || '2012-10-17',
+    Statement: resourcePolicy.Statement,
+  };
+}
+
 /**
  * Compile a Runtime resource to CloudFormation
  *
@@ -203,6 +223,7 @@ function compileRuntime(name, config, context, tags) {
   const protocolConfig = buildProtocolConfiguration(config.protocol);
   const envVars = buildEnvironmentVariables(config.environment);
   const requestHeaderConfig = buildRequestHeaderConfiguration(config.requestHeaders);
+  const resourcePolicy = buildResourcePolicy(config.resourcePolicy);
 
   return {
     Type: 'AWS::BedrockAgentCore::Runtime',
@@ -217,6 +238,7 @@ function compileRuntime(name, config, context, tags) {
       ...(protocolConfig && { ProtocolConfiguration: protocolConfig }),
       ...(envVars && { EnvironmentVariables: envVars }),
       ...(requestHeaderConfig && { RequestHeaderConfiguration: requestHeaderConfig }),
+      ...(resourcePolicy && { ResourcePolicy: resourcePolicy }),
       ...(Object.keys(tags).length > 0 && { Tags: tags }),
     },
   };
@@ -231,4 +253,5 @@ module.exports = {
   buildProtocolConfiguration,
   buildEnvironmentVariables,
   buildRequestHeaderConfiguration,
+  buildResourcePolicy,
 };

package/src/validators/schema.js

@@ -101,6 +101,57 @@ function defineAgentsSchema(serverless) {
             maxConcurrency: { type: 'number' },
           },
         },
+        resourcePolicy: {
+          type: 'object',
+          properties: {
+            Version: { type: 'string' },
+            Statement: {
+              type: 'array',
+              items: {
+                type: 'object',
+                properties: {
+                  Sid: { type: 'string' },
+                  Effect: {
+                    type: 'string',
+                    enum: ['Allow', 'Deny'],
+                  },
+                  Principal: { type: 'object' },
+                  Action: {
+                    oneOf: [
+                      { type: 'string' },
+                      {
+                        type: 'array',
+                        items: { type: 'string' },
+                      },
+                    ],
+                  },
+                  Resource: {
+                    oneOf: [
+                      { type: 'string' },
+                      {
+                        type: 'array',
+                        items: { type: 'string' },
+                      },
+                    ],
+                  },
+                  Condition: { type: 'object' },
+                },
+                required: ['Effect', 'Principal', 'Action'],
+              },
+            },
+          },
+          required: ['Statement'],
+        },
+        requestHeaders: {
+          type: 'object',
+          properties: {
+            allowlist: {
+              type: 'array',
+              items: { type: 'string' },
+              maxItems: 20,
+            },
+          },
+        },
         endpoints: {
           type: 'array',
           items: {