Fixed agentcore gateway policy to support multi-region deployment

webarch-ai · webarch-ai · commit 63bbafe7a6b1 · 2025-12-08T16:11:46.000-05:00
diff --git a/src/lambda/agentcore_gateway_manager/index.py b/src/lambda/agentcore_gateway_manager/index.py
@@ -121,6 +121,38 @@ def create_gateway(props, gateway_name, client):
     logger.info("Waiting for IAM propagation...")
     time.sleep(30)
 
+    # Override trust policy to support all regions
+    gateway_role_arn = gateway.get('executionRoleArn')
+    if gateway_role_arn:
+        role_name = gateway_role_arn.split('/')[-1]
+        logger.info(f"Updating trust policy for role: {role_name}")
+        
+        iam_client = boto3.client('iam')
+        sts_client = boto3.client('sts')
+        account_id = sts_client.get_caller_identity()['Account']
+        
+        try:
+            iam_client.update_assume_role_policy(
+                RoleName=role_name,
+                PolicyDocument=json.dumps({
+                    "Version": "2012-10-17",
+                    "Statement": [{
+                        "Effect": "Allow",
+                        "Principal": {"Service": "bedrock-agentcore.amazonaws.com"},
+                        "Action": "sts:AssumeRole",
+                        "Condition": {
+                            "StringEquals": {"aws:SourceAccount": account_id},
+                            "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock-agentcore:*:{account_id}:*"}
+                        }
+                    }]
+                })
+            )
+            logger.info("Trust policy updated successfully to support all regions")
+        except Exception as e:
+            logger.warning(f"Failed to update trust policy: {e}")
+    else:
+        logger.warning("Gateway executionRoleArn not found, skipping trust policy update")
+
     # Add analytics Lambda target
     logger.info("Adding analytics Lambda target...")
     client.create_mcp_gateway_target(
diff --git a/template.yaml b/template.yaml
@@ -1134,6 +1134,12 @@ Resources:
                 - logs:CreateLogGroup
                 - logs:PutLogEvents
                 - logs:DeleteLogGroup
+                - logs:PutDeliverySource
+                - logs:DeleteDeliverySource
+                - logs:PutDeliveryDestination
+                - logs:DeleteDeliveryDestination
+                - logs:DescribeDeliveryDestinations
+                - logs:DescribeDeliverySources
                 - iam:PassRole
                 - iam:CreateRole
                 - iam:AttachRolePolicy
@@ -1173,6 +1179,18 @@ Resources:
       ClientSecret: !GetAtt ExternalAppClient.ClientSecret
       SourceCodeHash: <LAMBDA_HASH_TOKEN>
 
+  AgentCoreAnalyticsLambdaInvokePermission:
+    Type: AWS::Lambda::Permission
+    Condition: CreateAgentCoreLambda
+    DependsOn:
+      - AgentCoreGateway
+      - AgentCoreAnalyticsLambdaFunction
+    Properties:
+      FunctionName: !Ref AgentCoreAnalyticsLambdaFunction
+      Action: lambda:InvokeFunction
+      Principal: !Sub "bedrock-agentcore.${AWS::URLSuffix}"
+      SourceArn: !GetAtt AgentCoreGateway.GatewayArn
+
   ##########################################################################
   # Nested stack for selected pattern
   ##########################################################################
@@ -5208,7 +5226,7 @@ Resources:
         - profile
       CallbackURLs:
         - !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
-        - "https://us-east-1.quicksight.aws.amazon.com/sn/oauthcallback"
+        - !Sub "https://${AWS::Region}.quicksight.aws.amazon.com/sn/oauthcallback"
         - !Sub "https://${CloudFrontDistribution.DomainName}/"
       LogoutURLs:
         - !Sub "https://${GetDomain.OutputString}.auth.${AWS::Region}.amazoncognito.com"
