feat(runtime): Add Runtime, Memory and Identity permissions for auto-created execution role (#132)

Author: tonyseetonydo

src/bedrock_agentcore_starter_toolkit/utils/runtime/entrypoint.py

@@ -32,47 +32,6 @@ def parse_entrypoint(entrypoint: str) -> Tuple[Path, str]:
     return file_path, file_name
 
 
-def handle_requirements_file(
-    requirements_file: Optional[str] = None, build_dir: Optional[Path] = None
-) -> Optional[str]:
-    """Handle requirements file selection and validation.
-
-    Args:
-        requirements_file: Optional path to requirements file
-        build_dir: Build directory, defaults to current directory
-
-    Returns:
-        Validated requirements file path or None
-
-    Raises:
-        ValueError: If specified requirements file is invalid
-    """
-    if build_dir is None:
-        build_dir = Path.cwd()
-
-    if requirements_file:
-        log.info("Validating requirements file: %s", requirements_file)
-        # Validate provided requirements file
-        try:
-            deps = validate_requirements_file(build_dir, requirements_file)
-            log.info("Requirements file validated: %s", requirements_file)
-            return requirements_file
-        except (FileNotFoundError, ValueError) as e:
-            log.error("Requirements file validation failed: %s", e)
-            raise ValueError(str(e)) from e
-
-    # Auto-detect dependencies (no validation needed, just detection)
-    log.info("Auto-detecting dependencies in: %s", build_dir)
-    deps = detect_dependencies(build_dir)
-
-    if deps.found:
-        log.info("Dependencies detected: %s", deps.file)
-        return None  # Let operations handle the detected file
-    else:
-        log.info("No dependency files found")
-        return None  # No file found or specified
-
-
 @dataclass
 class DependencyInfo:
     """Information about project dependencies."""

src/bedrock_agentcore_starter_toolkit/utils/runtime/templates/execution_role_policy.json.j2

@@ -70,7 +70,71 @@
       }
     },
     {
-      "Sid": "GetAgentAccessToken",
+      "Sid": "BedrockAgentCoreRuntime",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:InvokeAgentRuntime"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:runtime/*"
+      ]
+    },
+    {
+      "Sid": "BedrockAgentCoreMemoryCreateMemory",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:CreateMemory"
+      ],
+      "Resource": "*"
+    },
+    {
+      "Sid": "BedrockAgentCoreMemory",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:CreateEvent",
+        "bedrock-agentcore:GetEvent",
+        "bedrock-agentcore:GetMemory",
+        "bedrock-agentcore:GetMemoryRecord",
+        "bedrock-agentcore:ListActors",
+        "bedrock-agentcore:ListEvents",
+        "bedrock-agentcore:ListMemoryRecords",
+        "bedrock-agentcore:ListSessions",
+        "bedrock-agentcore:DeleteEvent",
+        "bedrock-agentcore:DeleteMemoryRecord",
+        "bedrock-agentcore:RetrieveMemoryRecords"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:memory/*"
+      ]
+    },
+    {
+      "Sid": "BedrockAgentCoreIdentityGetResourceApiKey",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GetResourceApiKey"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:token-vault/default",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:token-vault/default/apikeycredentialprovider/*",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:workload-identity-directory/default",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:workload-identity-directory/default/workload-identity/{{ agent_name }}-*"
+      ]
+    },
+    {
+      "Sid": "BedrockAgentCoreIdentityGetResourceOauth2Token",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock-agentcore:GetResourceOauth2Token"
+      ],
+      "Resource": [
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:token-vault/default",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:token-vault/default/oauth2credentialprovider/*",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:workload-identity-directory/default",
+        "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:workload-identity-directory/default/workload-identity/{{ agent_name }}-*"
+      ]
+    },
+    {
+      "Sid": "BedrockAgentCoreIdentityGetWorkloadAccessToken",
       "Effect": "Allow",
       "Action": [
         "bedrock-agentcore:GetWorkloadAccessToken",

tests/utils/runtime/test_entrypoint.py

@@ -8,7 +8,6 @@
 from bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint import (
     detect_dependencies,
     get_python_version,
-    handle_requirements_file,
     parse_entrypoint,
     validate_requirements_file,
 )
@@ -34,71 +33,6 @@ def test_parse_entrypoint_file_not_found(self):
             parse_entrypoint("nonexistent.py")
 
 
-class TestHandleRequirementsFile:
-    """Test handle_requirements_file function."""
-
-    def test_handle_requirements_file_with_file(self, tmp_path):
-        """Test with provided requirements file."""
-        req_file = tmp_path / "requirements.txt"
-        req_file.write_text("requests==2.25.1")
-
-        with patch(
-            "bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.validate_requirements_file"
-        ) as mock_validate:
-            mock_deps = Mock()
-            mock_validate.return_value = mock_deps
-
-            result = handle_requirements_file(str(req_file), tmp_path)
-            assert result == str(req_file)
-            mock_validate.assert_called_once_with(tmp_path, str(req_file))
-
-    def test_handle_requirements_file_validation_fails(self, tmp_path):
-        """Test with invalid requirements file."""
-        with patch(
-            "bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.validate_requirements_file",
-            side_effect=ValueError("Invalid file"),
-        ):
-            with pytest.raises(ValueError, match="Invalid file"):
-                handle_requirements_file("invalid.txt", tmp_path)
-
-    def test_handle_requirements_file_auto_detect_found(self, tmp_path):
-        """Test auto-detection when dependencies are found."""
-        with patch("bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.detect_dependencies") as mock_detect:
-            mock_deps = Mock()
-            mock_deps.found = True
-            mock_deps.file = "requirements.txt"
-            mock_detect.return_value = mock_deps
-
-            result = handle_requirements_file(None, tmp_path)
-            assert result is None  # Should return None to let operations handle it
-            mock_detect.assert_called_once_with(tmp_path)
-
-    def test_handle_requirements_file_auto_detect_not_found(self, tmp_path):
-        """Test auto-detection when no dependencies are found."""
-        with patch("bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.detect_dependencies") as mock_detect:
-            mock_deps = Mock()
-            mock_deps.found = False
-            mock_detect.return_value = mock_deps
-
-            result = handle_requirements_file(None, tmp_path)
-            assert result is None
-            mock_detect.assert_called_once_with(tmp_path)
-
-    def test_handle_requirements_file_default_build_dir(self):
-        """Test with default build directory."""
-        with patch("bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.Path.cwd") as mock_cwd:
-            mock_cwd.return_value = Path("/current/dir")
-
-            with patch("bedrock_agentcore_starter_toolkit.utils.runtime.entrypoint.detect_dependencies") as mock_detect:
-                mock_deps = Mock()
-                mock_deps.found = False
-                mock_detect.return_value = mock_deps
-
-                result = handle_requirements_file(None, None)
-                assert result is None
-                mock_detect.assert_called_once_with(Path("/current/dir"))
-
-
 class TestDependencies:
     """Test dependency detection functionality."""
 

tests_integ/memory/test_create_memory.py

@@ -0,0 +1,29 @@
+from bedrock_agentcore import BedrockAgentCoreApp
+from bedrock_agentcore.memory import MemoryClient
+from random import randint
+
+app = BedrockAgentCoreApp()
+client = MemoryClient(region_name="us-west-2")
+
+@app.entrypoint
+def entrypoint(_payload):
+    print("Receiving payload:", _payload)
+    memory_id = create_memory()
+
+    return {"memory_id": memory_id}
+
+def create_memory():
+    name = "CustomerSupportAgentMemory" + str(randint(1, 10000))
+    description="Memory for customer support conversations"
+
+    memory = client.create_memory(
+        name=name,
+        description=description,
+    )
+
+    print(f"Memory ID: {memory.get('id')}")
+    print(f"Memory: {memory}")
+
+    return memory.get('id')
+
+app.run()