Amazon Bedrock AgentCore Setup Confusion: Which IAM Role Do I Need?

Published: (January 7, 2026 at 08:14 AM EST)
3 min read
Source: Dev.to

Introduction

If you’re trying to deploy an agent into Amazon Bedrock AgentCore Runtime and you see a CLI flag like:

agentcore configure --entrypoint my_agent.py -er 

it’s easy to get stuck. The value -er expects is not your IAM user or SSO role; it’s a separate Execution Role that AgentCore Runtime assumes to run your agent. Once you create that role correctly, deployment becomes straightforward.

This guide follows the official AWS documentation for AgentCore Runtime permissions: IAM Permissions for AgentCore Runtime.

What you actually need (2 identities)

1. Your “caller identity”

  • IAM User or
  • SSO Role (IAM Identity Center)

This identity needs permission to deploy and configure the agent, and often iam:PassRole on the execution role so it can hand that role to AgentCore Runtime.

2. The “AgentCore Runtime execution role” (the important one)

This is the role AgentCore Runtime assumes on your behalf when it runs the agent. It needs permission to:

  • Pull images from ECR (if applicable)
  • Write logs to CloudWatch
  • Send traces to X‑Ray
  • Publish metrics
  • Call Bedrock models
  • Get workload access tokens

The ARN of this role is what you pass via -er.

Step 1 — Create the Role

  1. Open the AWS Console → IAM.
  2. Click Roles → Create role.
  3. Choose Custom trust policy and paste the following (replace 123456789012 and us-east-1 with your account ID and region). The aws:SourceAccount and aws:SourceArn conditions restrict who can assume the role to AgentCore resources in your own account and region; keep them rather than trusting the service principal unconditionally:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeRolePolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock-agentcore.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "123456789012"
        },
        "ArnLike": {
          "aws:SourceArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:*"
        }
      }
    }
  ]
}
  4. Give the role a clear name, e.g., AgentCoreRuntimeExecutionRole-.
  5. Create the role.
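The following is an added example and not code from the original post or from AWS. It renders the Step 1 trust policy for a given account and region, and audits a trust-policy document (one you created by hand, or one pulled from an existing role) for the same principal and the two confused-deputy conditions, so the role can be checked before its ARN is handed to -er. The function names, the finding strings and the constructed WEAK_TRUST_POLICY sample are assumptions of this example.

```python
"""Added example (not part of the original post): generate the Step 1 trust
policy and audit an existing one for the confused-deputy guards it relies on."""
import json

# Service principal the post's trust policy grants sts:AssumeRole to.
SERVICE_PRINCIPAL = "bedrock-agentcore.amazonaws.com"


def build_trust_policy(account_id, region):
    """Return the Step 1 trust policy with the account and region filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AssumeRolePolicy",
            "Effect": "Allow",
            "Principal": {"Service": SERVICE_PRINCIPAL},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {
                    "aws:SourceArn": f"arn:aws:bedrock-agentcore:{region}:{account_id}:*"
                },
            },
        }],
    }


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc, account_id, region):
    """Return a list of findings; an empty list means the document matches Step 1.

    Checks that bedrock-agentcore.amazonaws.com (and not '*') may assume the role,
    and that the statement carries aws:SourceAccount and an aws:SourceArn scoped to
    AgentCore resources in this account and region (the confused-deputy guards)."""
    findings = []
    arn_prefix = f"arn:aws:bedrock-agentcore:{region}:{account_id}:"
    trusts_service = False
    for st in doc.get("Statement", []):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        principal = st.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict)
                                and "*" in _as_list(principal.get("AWS", []))):
            findings.append("statement lets any AWS principal assume the role")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if SERVICE_PRINCIPAL not in services:
            continue
        trusts_service = True
        cond = st.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append("missing or wrong aws:SourceAccount condition")
        arns = _as_list(cond.get("ArnLike", {}).get("aws:SourceArn", []))
        if not arns or not all(str(a).startswith(arn_prefix) for a in arns):
            findings.append(f"aws:SourceArn is not scoped to {arn_prefix}*")
    if not trusts_service:
        findings.append(f"no Allow sts:AssumeRole statement for {SERVICE_PRINCIPAL}")
    return findings


# Constructed sample: the same service principal, but without the two conditions.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": SERVICE_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}

if __name__ == "__main__":
    policy = build_trust_policy("123456789012", "us-east-1")
    print(json.dumps(policy, indent=2))  # paste this into the Custom trust policy editor
    print(audit_trust_policy(WEAK_TRUST_POLICY, "123456789012", "us-east-1"))
```

Auditing with a different region than the one the policy was built for reports the aws:SourceArn finding, which is the usual cause when a role copied from another project refuses to work in a new region.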

Step 2 — Attach the correct permissions policy

  1. Open the role you just created.
  2. Go to the Permissions tab → Add permissions → Create inline policy.
  3. Choose the JSON editor and paste the policy below (again, replace the account ID and region as needed):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ECRImageAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchGetImage",
                "ecr:GetDownloadUrlForLayer"
            ],
            "Resource": [
                "arn:aws:ecr:us-east-1:123456789012:repository/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:CreateLogGroup"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/bedrock-agentcore/runtimes/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*"
            ]
        },
        {
            "Sid": "ECRTokenAccess",
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "xray:PutTraceSegments",
                "xray:PutTelemetryRecords",
                "xray:GetSamplingRules",
                "xray:GetSamplingTargets"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "bedrock-agentcore"
                }
            }
        },
        {
            "Sid": "GetAgentAccessToken",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:GetWorkloadAccessToken",
                "bedrock-agentcore:GetWorkloadAccessTokenForJWT",
                "bedrock-agentcore:GetWorkloadAccessTokenForUserId"
            ],
            "Resource": [
                "arn:aws:bedrock-agentcore:us-east-1:123456789012:workload-identity-directory/default",
                "arn:aws:bedrock-agentcore:us-east-1:123456789012:workload-identity-directory/default/workload-identity/agentName-*"
            ]
        },
        {
            "Sid": "BedrockModelInvocation",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:*::foundation-model/*",
                "arn:aws:bedrock:us-east-1:123456789012:*"
            ]
        }
    ]
}
  4. Click Next, give the policy a name (e.g., AgentCoreRuntimeExecutionPolicy), and save it.

Step 3 — Copy the Role ARN (this is what -er needs)

  1. In the IAM console, open the role you created and copy its ARN.
  2. Deploy your agent using that ARN:
agentcore configure --entrypoint my_agent.py -er YOUR-ROLE_ARN

Note: Replace my_agent.py with the entry file where you define your AgentCore setup.
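An added example covering Steps 2 and 3, not code from the original post or from AWS: it checks a permissions-policy document against the actions the post lists for the execution role, classifies the ARN you are about to pass to -er (catching an IAM user ARN, an sts assumed-role session ARN, or an IAM Identity Center permission-set role), builds the Step 3 command line, and optionally creates the role and inline policy with boto3 instead of the console. The function names, REQUIRED_ACTIONS, the verdict strings and the constructed SAMPLE_POLICY are assumptions of this example; the boto3 calls (create_role, put_role_policy) are the real IAM API.

```python
"""Added example (not part of the original post): check the Step 2 permissions
policy against the actions the post lists, validate the ARN handed to -er, and
optionally create the role and inline policy with boto3 instead of the console."""
import json
import re
from fnmatch import fnmatchcase

# Actions the post lists for the execution role (ECR, CloudWatch Logs, X-Ray,
# metrics, workload access tokens, Bedrock models). Extend if your agent needs more.
REQUIRED_ACTIONS = [
    "ecr:GetAuthorizationToken", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
    "xray:PutTraceSegments", "cloudwatch:PutMetricData",
    "bedrock-agentcore:GetWorkloadAccessToken",
    "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream",
]

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")


def allowed_actions(policy):
    """Every action pattern granted by an Allow statement (Deny is ignored here)."""
    granted = set()
    for st in policy.get("Statement", []):
        if st.get("Effect") == "Allow":
            actions = st.get("Action", [])
            granted.update([actions] if isinstance(actions, str) else actions)
    return granted


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement covers. IAM matches actions
    case-insensitively and honours '*' wildcards, so compare the same way."""
    granted = [g.lower() for g in allowed_actions(policy)]
    return [a for a in required if not any(fnmatchcase(a.lower(), g) for g in granted)]


def classify_arn(arn):
    """'role' if the value is an IAM role ARN that -er accepts; otherwise a short
    reason, covering the mix-ups the post warns about (user ARN, SSO role)."""
    m = ROLE_ARN_RE.match(arn)
    if m is None:
        if arn.startswith("arn:aws:iam::") and ":user/" in arn:
            return "iam-user ARN: -er needs the execution role ARN, not your user"
        if arn.startswith("arn:aws:sts::") and ":assumed-role/" in arn:
            return "assumed-role session ARN (as printed by sts get-caller-identity), not a role ARN"
        return "not an IAM role ARN"
    if m.group(2).startswith("aws-reserved/sso.amazonaws.com/"):
        return "IAM Identity Center permission-set role: not the execution role"
    return "role"


def configure_command(entrypoint, role_arn):
    """The Step 3 command line, refusing ARNs that are not an IAM role."""
    verdict = classify_arn(role_arn)
    if verdict != "role":
        raise ValueError(verdict)
    return f"agentcore configure --entrypoint {entrypoint} -er {role_arn}"


def create_execution_role(role_name, trust_policy, permissions_policy,
                          policy_name="AgentCoreRuntimeExecutionPolicy"):
    """Create the role (Step 1) and attach the inline policy (Step 2); returns the ARN."""
    import boto3  # imported here so the offline checks above run without boto3 installed
    iam = boto3.client("iam")
    role = iam.create_role(RoleName=role_name,
                           AssumeRolePolicyDocument=json.dumps(trust_policy))
    iam.put_role_policy(RoleName=role_name, PolicyName=policy_name,
                        PolicyDocument=json.dumps(permissions_policy))
    return role["Role"]["Arn"]


# Constructed sample policy to exercise the check: a logs wildcard, one action
# missing, and Resource "*" only for brevity (use the scoped ARNs from Step 2).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken", "ecr:BatchGetImage",
                                       "ecr:GetDownloadUrlForLayer"], "Resource": "*"},
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["xray:PutTraceSegments", "cloudwatch:PutMetricData"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "bedrock-agentcore:GetWorkloadAccessToken*", "Resource": "*"},
        {"Effect": "Allow", "Action": "bedrock:InvokeModel", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))
    print(configure_command("my_agent.py",
                            "arn:aws:iam::123456789012:role/AgentCoreRuntimeExecutionRole-demo"))
```

To use it against the policy you pasted in Step 2, load that JSON with json.load and pass it to missing_actions; an empty list means every action the post lists is granted. The action check deliberately ignores Resource and Condition, so it tells you what is absent, not that what is present is correctly scoped.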

Summary

  • -er expects the AgentCore Runtime execution role ARN.
  • Once the role exists with the proper trust relationship and the “AgentCore Runtime execution role” policy attached, deployment works smoothly.