Description
Describe the bug
Runtime L2 Construct with an imported role fails to deploy.
The ECR permissions must be attached to the role before the Runtime resource is created; otherwise, deployment fails with:
ROLLBACK_COMPLETE: Resource handler returned message: "Invalid request provided: Access denied while validating ECR URI '123456789012.dkr.ecr.us-east-1.amazonaws.com/cdk-hnb659fds-container-assets-123456789012-us-east-1:abcdefghijklmn'. The execution role requires permissions for ecr:GetAuthorizationToken, ecr:BatchGetImage, and ecr:GetDownloadUrlForLayer operations. (Service: BedrockAgentCoreControl, Status Code: 400, Request ID: 123456-1234-1234-a5d6-9deae6db742d) (SDK Attempt Count: 1)" (RequestToken: 123456-1234-1234-8044-7e188d566e8d, HandlerErrorCode: InvalidRequest)
In the constructor of the Runtime construct, this.runtimeResource.node.addDependency(this.role) is called.
However, this does not cover the policies when the role is imported, because those policies have not been created yet at the time addDependency is executed.
The ECR permissions are granted in the bind method of AgentRuntimeArtifact, which is called from the Runtime's renderAgentRuntimeArtifact method. That method is invoked from the constructor through Lazy.
Lazy values are resolved during the Synthesize phase at the end of the CDK application lifecycle, whereas addDependency takes effect during the Prepare phase, which runs before Synthesize. So when addDependency is executed, the grant method for the ECR permissions has not been called yet. The other grant methods have not been called either, so no policy exists at that point and no dependency on a policy is added.
This only occurs with imported roles; roles created within the construct are not affected.
That is because, for a role created within the construct, permissions other than ECR are granted to the policy without Lazy, so the policy already exists and a dependency on it is added when addDependency runs; the ECR permissions are then appended to the same policy via Lazy. (A future implementation change could make this issue appear for non-imported roles too, since it currently works only by coincidence of definition order.)
Therefore, in this case an explicit dependency on the policies added to the imported role must be added within the bind method that is executed via Lazy.
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
The deployment succeeds.
Current Behavior
The deployment fails.
Reproduction Steps
```ts
import * as path from 'path';
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
// Package name assumed for the AgentCore L2 constructs (not stated in the issue).
import * as agentcore from '@aws-cdk/aws-bedrock-agentcore-alpha';

const app = new cdk.App();
const stack = new cdk.Stack(app, 'aws-cdk-bedrock-agentcore-runtime-with-imported-role');
const runtimeArtifact = agentcore.AgentRuntimeArtifact.fromAsset(
  path.join(__dirname, 'testArtifact'),
);
// A role created in the stack, then re-imported by ARN so the construct sees an imported role.
const role = new iam.Role(stack, 'ExecutionRole', {
  assumedBy: new iam.ServicePrincipal('bedrock-agentcore.amazonaws.com'),
});
const imported = iam.Role.fromRoleArn(stack, 'ImportedRole', role.roleArn);
const runtime = new agentcore.Runtime(stack, 'TestRuntime', {
  runtimeName: 'integ_test_runtime',
  agentRuntimeArtifact: runtimeArtifact,
  executionRole: imported,
});
```
Possible Solution
Add an explicit dependency on the policies added to the role within the bind method that is executed via the Lazy method.
I considered removing the use of Lazy since I was unsure whether it was truly necessary, but decided against it due to concerns about potentially causing unexpected impacts on other parts of the existing implementation.
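To make the phase ordering concrete, here is a small TypeScript model of the lifecycle described above and of the proposed fix. It is an added example written for this page, not CDK's or the construct's code; ConstructNode, ImportedRole, Runtime and synthesize are stand-ins that assume construct-level dependencies are expanded into resource DependsOn before Lazy values are resolved.

```typescript
// Added example: a simplified model of the lifecycle the issue describes, not CDK's code.
// Construct dependencies are expanded in Prepare; Lazy producers run later in Synthesize.
class ConstructNode {
  readonly children: ConstructNode[] = [];
  readonly constructDeps = new Set<ConstructNode>(); // recorded by node.addDependency()
  readonly resourceDeps = new Set<string>();         // rendered as CloudFormation DependsOn
  readonly isResource: boolean = true;               // an imported role is not a CFN resource
  constructor(readonly id: string, parent?: ConstructNode) { parent?.children.push(this); }
  addDependency(target: ConstructNode): void { this.constructDeps.add(target); }
  // Prepare phase: depend on every CFN resource that exists in the target's subtree right now.
  prepare(): void {
    const walk = (n: ConstructNode): void => { if (n.isResource) this.resourceDeps.add(n.id); n.children.forEach(walk); };
    this.constructDeps.forEach(walk);
  }
}

// An imported role owns no policy until the first grant creates one as a child construct.
class ImportedRole extends ConstructNode {
  readonly isResource = false;
  private policy?: ConstructNode;
  grantEcrPull(): ConstructNode {
    if (!this.policy) this.policy = new ConstructNode(`${this.id}/Policy`, this);
    return this.policy;
  }
}

class Runtime extends ConstructNode {
  private readonly lazyProducers: Array<() => string> = [];
  constructor(id: string, role: ImportedRole, fixed: boolean) {
    super(id);
    // renderAgentRuntimeArtifact is wrapped in Lazy: bind() and its ECR grant run only on resolve.
    this.lazyProducers.push(() => {
      const policy = role.grantEcrPull();
      if (fixed) this.resourceDeps.add(policy.id); // proposed fix: explicit dependency in bind()
      return 'constructed-ecr-image-uri';
    });
    this.addDependency(role); // what the constructor does today
  }
  resolveLazies(): string[] { return this.lazyProducers.map((p) => p()); }
}

// Runs the two phases in CDK's order and returns the DependsOn the runtime resource would get.
function synthesize(fixed: boolean): string[] {
  const role = new ImportedRole('ImportedRole');
  const runtime = new Runtime('TestRuntime', role, fixed);
  runtime.prepare();       // Prepare: the policy does not exist yet, so nothing is recorded
  runtime.resolveLazies(); // Synthesize: Lazy fires and the grant creates ImportedRole/Policy
  return Array.from(runtime.resourceDeps).sort();
}
```

synthesize(false) models the current behaviour and yields an empty DependsOn list, so the runtime can be created before its policy; synthesize(true) yields ['ImportedRole/Policy'].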
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
v2.221.0
AWS CDK CLI version
2.1030.0
Node.js Version
v22.14.0
OS
Mac
Language
TypeScript
Language Version
No response
Other information
No response