serverless-bedrock-agentcore-plugin 0.3.0 → 0.5.0

package/CHANGELOG.md

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+
+- Resource-based policy support for AgentCore Runtime
+  - Enable cross-account access to agent runtimes
+  - Standard IAM policy document format
+  - Support for multiple principals and statements
+- New example: `cross-account-access` demonstrating resource policy usage
+- Schema validation for `resourcePolicy` configuration
+- Test coverage for resource policy builder functions
+
 ## [0.2.0] - 2025-12-19
 
 ### Added

package/README.md

@@ -87,29 +87,56 @@ agents:
         - X-User-Id
         - X-Session-Id
         - Authorization
+    # Optional: Resource-based policy for cross-account access
+    resourcePolicy:
+      Version: '2012-10-17'
+      Statement:
+        - Sid: AllowCrossAccountInvoke
+          Effect: Allow
+          Principal:
+            AWS: arn:aws:iam::123456789012:role/MyRole
+          Action:
+            - bedrock-agentcore:InvokeAgentRuntime
+          Resource: '*'
 ```
 
-| Property                                         | Required | Description                              |
-| ------------------------------------------------ | -------- | ---------------------------------------- |
-| `type`                                           | Yes      | `runtime`                                |
-| `artifact.docker.path`                           | Yes\*    | Docker build context path                |
-| `artifact.docker.file`                           | No       | Dockerfile name (default: Dockerfile)    |
-| `artifact.docker.repository`                     | No       | ECR repository name                      |
-| `artifact.containerImage`                        | Yes\*    | Pre-built container image URI            |
-| `protocol`                                       | No       | `HTTP`, `MCP`, or `A2A`                  |
-| `network.networkMode`                            | No       | `PUBLIC` or `VPC`                        |
-| `authorizer.customJwtAuthorizer`                 | No       | JWT authorizer config (omit for no auth) |
-| `authorizer.customJwtAuthorizer.discoveryUrl`    | Yes\*\*  | OIDC discovery URL                       |
-| `authorizer.customJwtAuthorizer.allowedAudience` | No       | Array of allowed audience values         |
-| `authorizer.customJwtAuthorizer.allowedClients`  | No       | Array of allowed client IDs              |
-| `requestHeaders.allowlist`                       | No       | Headers to pass to runtime (max 20)      |
-| `description`                                    | No       | Runtime description                      |
-| `roleArn`                                        | No       | Custom IAM role ARN                      |
+| Property                                         | Required  | Description                              |
+| ------------------------------------------------ | --------- | ---------------------------------------- |
+| `type`                                           | Yes       | `runtime`                                |
+| `artifact.docker.path`                           | Yes\*     | Docker build context path                |
+| `artifact.docker.file`                           | No        | Dockerfile name (default: Dockerfile)    |
+| `artifact.docker.repository`                     | No        | ECR repository name                      |
+| `artifact.containerImage`                        | Yes\*     | Pre-built container image URI            |
+| `protocol`                                       | No        | `HTTP`, `MCP`, or `A2A`                  |
+| `network.networkMode`                            | No        | `PUBLIC` or `VPC`                        |
+| `authorizer.customJwtAuthorizer`                 | No        | JWT authorizer config (omit for no auth) |
+| `authorizer.customJwtAuthorizer.discoveryUrl`    | Yes\*\*   | OIDC discovery URL                       |
+| `authorizer.customJwtAuthorizer.allowedAudience` | No        | Array of allowed audience values         |
+| `authorizer.customJwtAuthorizer.allowedClients`  | No        | Array of allowed client IDs              |
+| `requestHeaders.allowlist`                       | No        | Headers to pass to runtime (max 20)      |
+| `resourcePolicy`                                 | No        | Resource-based policy (IAM policy doc)   |
+| `resourcePolicy.Statement`                       | Yes\*\*\* | Array of policy statements               |
+| `description`                                    | No        | Runtime description                      |
+| `roleArn`                                        | No        | Custom IAM role ARN                      |
 
 \*Either `artifact.docker` or `artifact.containerImage` is required
 
 \*\*Required when using `customJwtAuthorizer`
 
+\*\*\*Required when using `resourcePolicy`
+
+#### Resource-Based Policies
+
+Resource-based policies allow you to grant cross-account or cross-principal access to invoke your AgentCore runtime. This is useful when you need to allow another AWS account or service to invoke your agent.
+
+Example use cases:
+
+- **Cross-account access**: Allow an ECS task in another account to invoke your agent
+- **Service-to-service**: Grant specific IAM roles permission to invoke the runtime
+- **Multi-tenant architectures**: Control access across different AWS accounts
+
+The `resourcePolicy` follows standard IAM policy document format with `Version` (defaults to `2012-10-17`) and `Statement` array.
+
 ### Memory
 
 Store conversation history with semantic search and summarization.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-bedrock-agentcore-plugin",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "Serverless Framework plugin for AWS Bedrock AgentCore - deploy Runtime, Memory, and Gateway resources",
   "main": "src/index.js",
   "engines": {

package/src/compilers/runtime.js

@@ -182,6 +182,26 @@ function buildRequestHeaderConfiguration(requestHeaders) {
   };
 }
 
+/**
+ * Build resource-based policy for the runtime
+ * Allows cross-account or cross-principal access to invoke the agent
+ *
+ * @param {Object} resourcePolicy - The resource policy configuration from serverless.yml
+ * @returns {Object|null} IAM policy document or null
+ */
+function buildResourcePolicy(resourcePolicy) {
+  if (!resourcePolicy || !resourcePolicy.Statement || resourcePolicy.Statement.length === 0) {
+    return null;
+  }
+
+  // Return standard IAM policy document format
+  // Applied via bedrock-agentcore-control put-resource-policy API after deploy
+  return {
+    Version: resourcePolicy.Version || '2012-10-17',
+    Statement: resourcePolicy.Statement,
+  };
+}
+
 /**
  * Compile a Runtime resource to CloudFormation
  *
@@ -204,6 +224,10 @@ function compileRuntime(name, config, context, tags) {
   const envVars = buildEnvironmentVariables(config.environment);
   const requestHeaderConfig = buildRequestHeaderConfiguration(config.requestHeaders);
 
+  // Note: resourcePolicy is NOT included in CFN properties.
+  // CloudFormation doesn't support ResourcePolicy on AWS::BedrockAgentCore::Runtime.
+  // It is applied via the bedrock-agentcore-control put-resource-policy API after deploy.
+
   return {
     Type: 'AWS::BedrockAgentCore::Runtime',
     Properties: {
@@ -231,4 +255,5 @@ module.exports = {
   buildProtocolConfiguration,
   buildEnvironmentVariables,
   buildRequestHeaderConfiguration,
+  buildResourcePolicy,
 };

package/src/index.js

@@ -1,6 +1,6 @@
 'use strict';
 
-const { compileRuntime } = require('./compilers/runtime');
+const { compileRuntime, buildResourcePolicy } = require('./compilers/runtime');
 const { compileRuntimeEndpoint } = require('./compilers/runtimeEndpoint');
 const { compileMemory } = require('./compilers/memory');
 const { compileGateway } = require('./compilers/gateway');
@@ -137,8 +137,11 @@ class ServerlessBedrockAgentCore {
       'after:package:compileFunctions': () => this.compileAgentCoreResources(),
       'before:package:finalize': () => this.compileAgentCoreResources(),
 
-      // Post-deploy info
-      'after:deploy:deploy': () => this.displayDeploymentInfo(),
+      // Post-deploy: apply resource policies, then display info
+      'after:deploy:deploy': async () => {
+        await this.applyResourcePolicies();
+        await this.displayDeploymentInfo();
+      },
 
       // Custom commands
       'agentcore:info:info': () => this.showInfo(),
@@ -972,6 +975,54 @@ class ServerlessBedrockAgentCore {
     }
   }
 
+  /**
+   * Apply resource policies to runtimes after deployment.
+   * CloudFormation doesn't support ResourcePolicy on AWS::BedrockAgentCore::Runtime,
+   * so we apply it via the bedrock-agentcore-control put-resource-policy API after deploy.
+   */
+  async applyResourcePolicies() {
+    const agents = this.getAgentsConfig();
+
+    if (!agents || Object.keys(agents).length === 0) {
+      return;
+    }
+
+    const agentsWithPolicies = Object.entries(agents).filter(
+      ([, config]) => config.type === 'runtime' && config.resourcePolicy
+    );
+
+    if (agentsWithPolicies.length === 0) {
+      return;
+    }
+
+    this.log.info(`Applying resource policies for ${agentsWithPolicies.length} runtime(s)...`);
+
+    for (const [name, config] of agentsWithPolicies) {
+      try {
+        this.log.info(`  Applying resource policy for '${name}'...`);
+
+        const runtimeArn = await this.getRuntimeArn(name);
+        const policyDocument = buildResourcePolicy(config.resourcePolicy);
+
+        if (!policyDocument) {
+          this.log.warning(`  Skipping '${name}': resource policy has no statements`);
+          continue;
+        }
+
+        await this.provider.request('BedrockAgentCoreControl', 'putResourcePolicy', {
+          resourceArn: runtimeArn,
+          policy: JSON.stringify(policyDocument),
+        });
+
+        this.log.info(`  Resource policy applied successfully for '${name}'`);
+      } catch (error) {
+        throw new this.serverless.classes.Error(
+          `Failed to apply resource policy for '${name}': ${error.message}`
+        );
+      }
+    }
+  }
+
   /**
    * Show information about AgentCore resources
    */

package/src/validators/schema.js

@@ -101,6 +101,57 @@ function defineAgentsSchema(serverless) {
             maxConcurrency: { type: 'number' },
           },
         },
+        resourcePolicy: {
+          type: 'object',
+          properties: {
+            Version: { type: 'string' },
+            Statement: {
+              type: 'array',
+              items: {
+                type: 'object',
+                properties: {
+                  Sid: { type: 'string' },
+                  Effect: {
+                    type: 'string',
+                    enum: ['Allow', 'Deny'],
+                  },
+                  Principal: { type: 'object' },
+                  Action: {
+                    oneOf: [
+                      { type: 'string' },
+                      {
+                        type: 'array',
+                        items: { type: 'string' },
+                      },
+                    ],
+                  },
+                  Resource: {
+                    oneOf: [
+                      { type: 'string' },
+                      {
+                        type: 'array',
+                        items: { type: 'string' },
+                      },
+                    ],
+                  },
+                  Condition: { type: 'object' },
+                },
+                required: ['Effect', 'Principal', 'Action'],
+              },
+            },
+          },
+          required: ['Statement'],
+        },
+        requestHeaders: {
+          type: 'object',
+          properties: {
+            allowlist: {
+              type: 'array',
+              items: { type: 'string' },
+              maxItems: 20,
+            },
+          },
+        },
         endpoints: {
           type: 'array',
           items: {