docs(permissions): update permissions role to include new permissions BYOF #1483

Merged: jariy17 merged 1 commit into aws:main from Hweinstock:docs/update-permissions on Jun 8, 2026

@Hweinstock Hweinstock commented Jun 8, 2026

Problem

e2e test role is missing a ton of permissions for the new BYOF feature.
#1441

Solution

  • add the permissions, verify by running locally with new role.
  • add permissions to documentation.

Testing

 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > deploys to AWS successfully 92212ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > invokes the deployed agent 21953ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > status shows the deployed agent 9952ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > status looks up agent runtime by ID 9495ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > logs returns entries from the invocation 10068ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > logs supports level filtering 10224ms
 ✓  e2e  e2e-tests/strands-bedrock-byo-filesystem.test.ts > e2e: Strands/Bedrock — create → deploy → invoke > traces list succeeds after invocation 2582ms

 Test Files  1 passed (1)
      Tests  7 passed (7)
   Start at  20:45:06
   Duration  262.03s (transform 142ms, setup 0ms, import 829ms, tests 261.10s, environment 0ms)

@github-actions github-actions Bot added the size/s PR size: S label Jun 8, 2026
@github-actions github-actions Bot added the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 8, 2026
@agentcore-devx-automation agentcore-devx-automation Bot added the claude-security-reviewing Claude Code /security-review in progress label Jun 8, 2026
@agentcore-devx-automation

Claude Security Review: no high-confidence findings. (run)

@agentcore-devx-automation agentcore-devx-automation Bot removed the claude-security-reviewing Claude Code /security-review in progress label Jun 8, 2026

github-actions Bot commented Jun 8, 2026

Package Tarball

aws-agentcore-0.18.0.tgz

How to install

gh release download pr-1483-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.18.0.tgz

@agentcore-cli-automation agentcore-cli-automation left a comment

Reviewed the diff against the BYOF code paths in src/cli/commands/shared/filesystem-utils.ts, src/cli/primitives/AgentPrimitive.tsx, src/cli/tui/screens/agent/useAddAgent.ts, and src/cli/tui/screens/create/useCreateFlow.ts. Each of the seven permissions added to the FilesystemNetworkValidation Sid maps directly to a real SDK call:

  • ec2:DescribeSecurityGroups → DescribeSecurityGroupsCommand (filesystem-utils.ts:214, 348)
  • ec2:DescribeSubnets → DescribeSubnetsCommand (filesystem-utils.ts:317, 417; AgentPrimitive.tsx:386; useAddAgent.ts:230)
  • elasticfilesystem:DescribeAccessPoints → DescribeAccessPointsCommand (filesystem-utils.ts:174)
  • elasticfilesystem:DescribeMountTargets → DescribeMountTargetsCommand (filesystem-utils.ts:248)
  • elasticfilesystem:DescribeMountTargetSecurityGroups → DescribeMountTargetSecurityGroupsCommand (filesystem-utils.ts:253)
  • s3files:ListMountTargets → ListMountTargetsCommand (filesystem-utils.ts:193, 274)
  • s3files:GetMountTarget → GetMountTargetCommand (filesystem-utils.ts:279)

JSON is valid, the new Sid is also referenced from the "Scoping down by feature" table, and the e2e run in the PR description confirms the policy works end-to-end. No code changes needed. LGTM.
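
The review above ties each granted action to an SDK call. As an added example (not code from this PR or the agentcore-cli repository), the following audits a policy statement against that list and reports actions the code needs but the role lacks, grants that no listed call uses, and wildcard patterns. The two policy statements, `Resource: "*"` and the function names are assumptions; only the Sid and the seven actions come from the page.

```typescript
// Added example: statements below are constructed, not copied from the repository.
type Statement = { Sid?: string; Effect: string; Action: string | string[]; Resource?: unknown };

// The seven IAM actions the review ties to SDK calls in the BYOF code paths.
const REQUIRED_ACTIONS: string[] = [
  "ec2:DescribeSecurityGroups",
  "ec2:DescribeSubnets",
  "elasticfilesystem:DescribeAccessPoints",
  "elasticfilesystem:DescribeMountTargets",
  "elasticfilesystem:DescribeMountTargetSecurityGroups",
  "s3files:ListMountTargets",
  "s3files:GetMountTarget",
];

// IAM action patterns are case-insensitive; "*" matches any run of characters, "?" exactly one.
function actionMatches(pattern: string, action: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, "i").test(action);
}

// Hypothetical helper: compares one Allow statement with the actions the code calls.
function auditStatement(stmt: Statement, required: string[]) {
  const patterns = stmt.Effect === "Allow" ? ([] as string[]).concat(stmt.Action) : [];
  return {
    // Needed by the code but not granted: the SDK call is denied at run time.
    missing: required.filter((a) => !patterns.some((p) => actionMatches(p, a))),
    // Granted but matching no required call: candidates for removal.
    unused: patterns.filter((p) => !required.some((a) => actionMatches(p, a))),
    // Wildcards grant more than the listed calls even when they cover them.
    wildcards: patterns.filter((p) => /[*?]/.test(p)),
  };
}

// Constructed: Sid and actions are from the review; Resource "*" is an assumption.
const fullStatement: Statement = {
  Sid: "FilesystemNetworkValidation", Effect: "Allow", Action: REQUIRED_ACTIONS, Resource: "*",
};
// Constructed drift: one action dropped, one wildcard, one unrelated grant.
const driftedStatement: Statement = {
  Sid: "FilesystemNetworkValidation", Effect: "Allow", Resource: "*",
  Action: ["ec2:Describe*", "elasticfilesystem:DescribeAccessPoints",
    "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups",
    "s3files:ListMountTargets", "s3:ListAllMyBuckets"],
};

console.log(auditStatement(driftedStatement, REQUIRED_ACTIONS));
```

Run against the role's real policy JSON in CI, a non-empty `missing` list surfaces the drift before the e2e suite fails on a denied call.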

@github-actions github-actions Bot removed the agentcore-harness-reviewing AgentCore Harness review in progress label Jun 8, 2026
@Hweinstock Hweinstock marked this pull request as ready for review June 8, 2026 21:08
@Hweinstock Hweinstock requested a review from a team June 8, 2026 21:08
@jariy17 jariy17 merged commit 9c41832 into aws:main Jun 8, 2026
28 checks passed