use addToPrincipalPolicy

Author: go-to-k

packages/@aws-cdk/aws-bedrock-agentcore-alpha/agentcore/runtime/runtime-base.ts

@@ -219,12 +219,6 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
    */
   protected _connections: ec2.Connections | undefined;
 
-  /**
-   * Counter for policies attached to imported roles
-   * @internal
-   */
-  private _policyCounter: number = 0;
-
   constructor(scope: Construct, id: string) {
     super(scope, id);
   }
@@ -251,16 +245,7 @@ export abstract class RuntimeBase extends Resource implements IBedrockAgentRunti
    * @returns The runtime instance for chaining
    */
   public addToRolePolicy(statement: iam.PolicyStatement): IBedrockAgentRuntime {
-    // Check if role is a concrete Role instance
-    if (this.role instanceof iam.Role) {
-      this.role.addToPolicy(statement);
-    } else {
-      // For imported roles (IRole), we need to attach via a new policy
-      const policy = new iam.Policy(this, `CustomPolicy${this._policyCounter++}`, {
-        statements: [statement],
-      });
-      this.role.attachInlinePolicy(policy);
-    }
+    this.role.addToPrincipalPolicy(statement);
     return this;
   }
 

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/runtime/integ.runtime-with-imported-role.js.snapshot/aws-cdk-bedrock-agentcore-runtime-with-imported-role.assets.json

@@ -5,6 +5,16 @@
    "Properties": {
     "PolicyDocument": {
      "Statement": [
+      {
+       "Action": "s3:GetObject",
+       "Effect": "Allow",
+       "Resource": "arn:aws:s3:::my-bucket/my-object"
+      },
+      {
+       "Action": "dynamodb:Query",
+       "Effect": "Allow",
+       "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
+      },
       {
        "Action": [
         "ecr:BatchCheckLayerAvailability",
@@ -110,89 +120,10 @@
     "RoleArn": {
      "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"
     }
-   }
-  },
-  "TestRuntimeCustomPolicy0BD35B9F3": {
-   "Type": "AWS::IAM::Policy",
-   "Properties": {
-    "PolicyDocument": {
-     "Statement": [
-      {
-       "Action": "s3:GetObject",
-       "Effect": "Allow",
-       "Resource": "arn:aws:s3:::my-bucket/my-object"
-      }
-     ],
-     "Version": "2012-10-17"
-    },
-    "PolicyName": "TestRuntimeCustomPolicy0BD35B9F3",
-    "Roles": [
-     {
-      "Fn::Select": [
-       1,
-       {
-        "Fn::Split": [
-         "/",
-         {
-          "Fn::Select": [
-           5,
-           {
-            "Fn::Split": [
-             ":",
-             {
-              "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"
-             }
-            ]
-           }
-          ]
-         }
-        ]
-       }
-      ]
-     }
-    ]
-   }
-  },
-  "TestRuntimeCustomPolicy16EAF0B5F": {
-   "Type": "AWS::IAM::Policy",
-   "Properties": {
-    "PolicyDocument": {
-     "Statement": [
-      {
-       "Action": "dynamodb:Query",
-       "Effect": "Allow",
-       "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/my-table"
-      }
-     ],
-     "Version": "2012-10-17"
-    },
-    "PolicyName": "TestRuntimeCustomPolicy16EAF0B5F",
-    "Roles": [
-     {
-      "Fn::Select": [
-       1,
-       {
-        "Fn::Split": [
-         "/",
-         {
-          "Fn::Select": [
-           5,
-           {
-            "Fn::Split": [
-             ":",
-             {
-              "Fn::ImportValue": "pre-stack:ExportsOutputFnGetAttExecutionRole605A040BArnA891DEDE"
-             }
-            ]
-           }
-          ]
-         }
-        ]
-       }
-      ]
-     }
-    ]
-   }
+   },
+   "DependsOn": [
+    "ImportedRolePolicyawscdkbedrockagentcoreruntimewithimportedroleImportedRole261507D78EB91FCC"
+   ]
   }
  },
  "Parameters": {