Updated agentcore gateway execution role

webarch-ai · webarch-ai · commit b47b69dcb67a · 2025-12-08T19:27:58.000-05:00
diff --git a/src/lambda/agentcore_gateway_manager/index.py b/src/lambda/agentcore_gateway_manager/index.py
@@ -96,6 +96,7 @@ def create_gateway(props, gateway_name, client):
     lambda_arn = props['LambdaArn']
     user_pool_id = props['UserPoolId']
     client_id = props['ClientId']
+    execution_role_arn = props.get('ExecutionRoleArn')
 
     # Create JWT authorizer config using existing Cognito resources
     authorizer_config = {
@@ -108,7 +109,7 @@ def create_gateway(props, gateway_name, client):
     # Create gateway
     gateway = client.create_mcp_gateway(
         name=gateway_name,
-        role_arn=None,
+        role_arn=execution_role_arn,
         authorizer_config=authorizer_config,
         enable_semantic_search=True,
     )
@@ -121,38 +122,6 @@ def create_gateway(props, gateway_name, client):
     logger.info("Waiting for IAM propagation...")
     time.sleep(30)
 
-    # Override trust policy to support all regions
-    gateway_role_arn = gateway.get('executionRoleArn')
-    if gateway_role_arn:
-        role_name = gateway_role_arn.split('/')[-1]
-        logger.info(f"Updating trust policy for role: {role_name}")
-        
-        iam_client = boto3.client('iam')
-        sts_client = boto3.client('sts')
-        account_id = sts_client.get_caller_identity()['Account']
-        
-        try:
-            iam_client.update_assume_role_policy(
-                RoleName=role_name,
-                PolicyDocument=json.dumps({
-                    "Version": "2012-10-17",
-                    "Statement": [{
-                        "Effect": "Allow",
-                        "Principal": {"Service": "bedrock-agentcore.amazonaws.com"},
-                        "Action": "sts:AssumeRole",
-                        "Condition": {
-                            "StringEquals": {"aws:SourceAccount": account_id},
-                            "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock-agentcore:*:{account_id}:*"}
-                        }
-                    }]
-                })
-            )
-            logger.info("Trust policy updated successfully to support all regions")
-        except Exception as e:
-            logger.warning(f"Failed to update trust policy: {e}")
-    else:
-        logger.warning("Gateway executionRoleArn not found, skipping trust policy update")
-
     # Add analytics Lambda target
     logger.info("Adding analytics Lambda target...")
     client.create_mcp_gateway_target(
diff --git a/template.yaml b/template.yaml
@@ -1162,13 +1162,46 @@ Resources:
       KmsKeyId: !GetAtt CustomerManagedEncryptionKey.Arn
       RetentionInDays: !Ref LogRetentionDays
 
+  AgentCoreGatewayExecutionRole:
+    Type: AWS::IAM::Role
+    Condition: CreateAgentCoreLambda
+    Properties:
+      RoleName: !Sub "${AWS::StackName}-AgentCoreGatewayExecutionRole"
+      Description: Execution role for AgentCore Gateway
+      AssumeRolePolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: !Sub "bedrock-agentcore.${AWS::URLSuffix}"
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+              ArnLike:
+                aws:SourceArn: !Sub "arn:${AWS::Partition}:bedrock-agentcore:${AWS::Region}:${AWS::AccountId}:*"
+      Policies:
+        - PolicyName: InvokeLambdaPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: lambda:InvokeFunction
+                Resource: !GetAtt AgentCoreAnalyticsLambdaFunction.Arn
+      ManagedPolicyArns:
+        - !Sub "arn:${AWS::Partition}:iam::aws:policy/CloudWatchLogsFullAccess"
+      Tags:
+        - Key: Name
+          Value: !Sub "${AWS::StackName}-AgentCoreGatewayExecutionRole"
+
   AgentCoreGateway:
     Type: Custom::AgentCoreGateway
     Condition: CreateAgentCoreLambda
     DependsOn:
       - AgentCoreAnalyticsLambdaFunction
       - ExternalAppClient
       - UserPool
+      - AgentCoreGatewayExecutionRole
     Properties:
       ServiceToken: !GetAtt AgentCoreGatewayManagerFunction.Arn
       StackName: !Ref AWS::StackName
@@ -1177,20 +1210,9 @@ Resources:
       UserPoolId: !Ref UserPool
       ClientId: !Ref ExternalAppClient
       ClientSecret: !GetAtt ExternalAppClient.ClientSecret
+      ExecutionRoleArn: !GetAtt AgentCoreGatewayExecutionRole.Arn
       SourceCodeHash: <LAMBDA_HASH_TOKEN>
 
-  AgentCoreAnalyticsLambdaInvokePermission:
-    Type: AWS::Lambda::Permission
-    Condition: CreateAgentCoreLambda
-    DependsOn:
-      - AgentCoreGateway
-      - AgentCoreAnalyticsLambdaFunction
-    Properties:
-      FunctionName: !Ref AgentCoreAnalyticsLambdaFunction
-      Action: lambda:InvokeFunction
-      Principal: !Sub "bedrock-agentcore.${AWS::URLSuffix}"
-      SourceArn: !GetAtt AgentCoreGateway.GatewayArn
-
   ##########################################################################
   # Nested stack for selected pattern
   ##########################################################################
