feat(bedrock-agentcore-alpha): update resources on grantInvokeXXX for runtime

[dineshSajwan]

Issue # (if applicable)

Reason for this change

The grantInvoke, grantInvokeRuntime, and grantInvokeRuntimeForUser methods in the BedrockAgentRuntime were only granting permissions to the runtime ARN itself, but not to its sub-resources. This caused permission issues when trying to invoke runtime endpoints from an AWS resource like lambda, as the actual invocation happens on sub-resources (e.g., arn:aws:bedrock-agentcore:region:account:runtime/runtime-id/*).

Description of changes

Updated the resourceArns parameter in three grant methods within runtime-base.ts:

Describe any new or updated permissions being added

The IAM permissions granted by these methods now include:

• bedrock-agentcore:InvokeAgentRuntime on both the runtime ARN and its sub-resources
• bedrock-agentcore:InvokeAgentRuntimeForUser on both the runtime ARN and its sub-resources

Description of how you validated changes

Manual and Integration test

Checklist

• [X ] My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[Abogical]

This change is not needed.

[dineshSajwan]

Ack.

[aws-cdk-automation]

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing

To prevent automatic closure:

• Resume work on the PR
• OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: "
• OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: "

This PR will automatically close in 14 days if no action is taken.

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

Pull request has been modified.

[mergify]

Merge Queue Status

✅ The pull request has been merged

This pull request spent 1 hour 20 minutes 28 seconds in the queue, including 29 minutes 28 seconds waiting for CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(bedrock-agentcore-alpha): update resources on grantInvokeXXX for runtime #35864
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(bedrock-agentcore-alpha): update resources on grantInvokeXXX for runtime #35864
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.