feat(bedrock-agentcore-alpha): update resources on grantInvokeXXX for runtime (#35864)

### Issue # (if applicable)

### Reason for this change

The `grantInvoke`, `grantInvokeRuntime`, and `grantInvokeRuntimeForUser` methods in the BedrockAgentRuntime were only granting permissions to the runtime ARN itself, but not to its sub-resources. This caused permission issues when trying to invoke runtime endpoints from an AWS resource like lambda, as the actual invocation happens on sub-resources (e.g., arn:aws:bedrock-agentcore:region:account:runtime/runtime-id/*).

### Description of changes

Updated the `resourceArns` parameter in three grant methods within `runtime-base.ts`:

### Describe any new or updated permissions being added

The IAM permissions granted by these methods now include:

- `bedrock-agentcore:InvokeAgentRuntime` on both the runtime ARN and its sub-resources
- `bedrock-agentcore:InvokeAgentRuntimeForUser` on both the runtime ARN and its sub-resources

### Description of how you validated changes

Manual and Integration test

### Checklist
- [X ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: dineshSajwan

packages/@aws-cdk/aws-bedrock-agentcore-alpha/README.md

@@ -580,6 +580,54 @@ runtime.connections.allowTo(databaseSecurityGroup, ec2.Port.tcp(5432), 'Allow Po
 runtime.connections.allowToAnyIpv4(ec2.Port.tcp(443), 'Allow HTTPS outbound');
 ```
 
+### Runtime IAM Permissions
+
+The Runtime construct provides convenient methods for granting IAM permissions to principals that need to invoke the runtime or manage its execution role.
+
+```typescript fixture=default
+const repository = new ecr.Repository(this, "TestRepository", {
+  repositoryName: "test-agent-runtime",
+});
+const agentRuntimeArtifact = agentcore.AgentRuntimeArtifact.fromEcrRepository(repository, "v1.0.0");
+
+// Create a runtime
+const runtime = new agentcore.Runtime(this, "MyRuntime", {
+  runtimeName: "my_runtime",
+  agentRuntimeArtifact: agentRuntimeArtifact,
+});
+
+// Create a Lambda function that needs to invoke the runtime
+const invokerFunction = new lambda.Function(this, "InvokerFunction", {
+  runtime: lambda.Runtime.PYTHON_3_12,
+  handler: "index.handler",
+  code: lambda.Code.fromInline(`
+import boto3
+def handler(event, context):
+    client = boto3.client('bedrock-agentcore')
+    # Invoke the runtime...
+  `),
+});
+
+// Grant permission to invoke the runtime directly
+runtime.grantInvokeRuntime(invokerFunction);
+
+// Grant permission to invoke the runtime on behalf of a user
+// (requires X-Amzn-Bedrock-AgentCore-Runtime-User-Id header)
+runtime.grantInvokeRuntimeForUser(invokerFunction);
+
+// Grant both invoke permissions (most common use case)
+runtime.grantInvoke(invokerFunction);
+
+// Grant specific custom permissions to the runtime's execution role
+runtime.grant(['bedrock:InvokeModel'], ['arn:aws:bedrock:*:*:*']);
+
+// Add a policy statement to the runtime's execution role
+runtime.addToRolePolicy(new iam.PolicyStatement({
+  actions: ['s3:GetObject'],
+  resources: ['arn:aws:s3:::my-bucket/*'],
+}));
+```
+
 ### Other configuration
 
 #### Lifecycle configuration

packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/runtime/runtime-base.ts

@@ -258,7 +258,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
     return iam.Grant.addToPrincipal({
       grantee,
       actions: RUNTIME_INVOKE_PERMS,
-      resourceArns: [this.agentRuntimeArn],
+      resourceArns: [this.agentRuntimeArn, `${this.agentRuntimeArn}/*`], // * is needed because it invoke the endpoint as subresource
     });
   }
 
@@ -272,7 +272,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
     return iam.Grant.addToPrincipal({
       grantee,
       actions: RUNTIME_INVOKE_USER_PERMS,
-      resourceArns: [this.agentRuntimeArn],
+      resourceArns: [this.agentRuntimeArn, `${this.agentRuntimeArn}/*`],
     });
   }
 
@@ -285,7 +285,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
     return iam.Grant.addToPrincipal({
       grantee,
       actions: [...RUNTIME_INVOKE_PERMS, ...RUNTIME_INVOKE_USER_PERMS],
-      resourceArns: [this.agentRuntimeArn],
+      resourceArns: [this.agentRuntimeArn, `${this.agentRuntimeArn}/*`],
     });
   }
 

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime.js.snapshot/aws-cdk-bedrock-agentcore-runtime.assets.json

@@ -310,6 +310,122 @@
     "Description": "Version 2 endpoint",
     "Name": "v2_endpoint"
    }
+  },
+  "TestInvokerFunctionServiceRole08233DAF": {
+   "Type": "AWS::IAM::Role",
+   "Properties": {
+    "AssumeRolePolicyDocument": {
+     "Statement": [
+      {
+       "Action": "sts:AssumeRole",
+       "Effect": "Allow",
+       "Principal": {
+        "Service": "lambda.amazonaws.com"
+       }
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "ManagedPolicyArns": [
+     {
+      "Fn::Join": [
+       "",
+       [
+        "arn:",
+        {
+         "Ref": "AWS::Partition"
+        },
+        ":iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+       ]
+      ]
+     }
+    ]
+   }
+  },
+  "TestInvokerFunctionServiceRoleDefaultPolicyC6DC62B6": {
+   "Type": "AWS::IAM::Policy",
+   "Properties": {
+    "PolicyDocument": {
+     "Statement": [
+      {
+       "Action": [
+        "bedrock-agentcore:InvokeAgentRuntime",
+        "bedrock-agentcore:InvokeAgentRuntimeForUser"
+       ],
+       "Effect": "Allow",
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "TestRuntime65042BB5",
+          "AgentRuntimeArn"
+         ]
+        },
+        {
+         "Fn::Join": [
+          "",
+          [
+           {
+            "Fn::GetAtt": [
+             "TestRuntime65042BB5",
+             "AgentRuntimeArn"
+            ]
+           },
+           "/*"
+          ]
+         ]
+        }
+       ]
+      }
+     ],
+     "Version": "2012-10-17"
+    },
+    "PolicyName": "TestInvokerFunctionServiceRoleDefaultPolicyC6DC62B6",
+    "Roles": [
+     {
+      "Ref": "TestInvokerFunctionServiceRole08233DAF"
+     }
+    ]
+   }
+  },
+  "TestInvokerFunction6708F5AE": {
+   "Type": "AWS::Lambda::Function",
+   "Properties": {
+    "Code": {
+     "ZipFile": "def handler(event, context): return {\"statusCode\": 200}"
+    },
+    "Description": "Test function to verify runtime grant permissions with sub-resources",
+    "Handler": "index.handler",
+    "Role": {
+     "Fn::GetAtt": [
+      "TestInvokerFunctionServiceRole08233DAF",
+      "Arn"
+     ]
+    },
+    "Runtime": "python3.12"
+   },
+   "DependsOn": [
+    "TestInvokerFunctionServiceRoleDefaultPolicyC6DC62B6",
+    "TestInvokerFunctionServiceRole08233DAF"
+   ]
+  },
+  "TestInvokerFunctionLogGroup003396AB": {
+   "Type": "AWS::Logs::LogGroup",
+   "Properties": {
+    "LogGroupName": {
+     "Fn::Join": [
+      "",
+      [
+       "/aws/lambda/",
+       {
+        "Ref": "TestInvokerFunction6708F5AE"
+       }
+      ]
+     ]
+    },
+    "RetentionInDays": 731
+   },
+   "UpdateReplacePolicy": "Retain",
+   "DeletionPolicy": "Retain"
   }
  },
  "Outputs": {