
fix(iam): grant bedrock-agentcore:GetMemory to app-api + runtime roles#530

Merged
colinmxs merged 1 commit into
developfrom
hotfix/agentcore-memory-getmemory-permission
Jul 1, 2026

Conversation

@colinmxs

@colinmxs colinmxs commented Jul 1, 2026


AgentCore Memory strategy discovery (MemoryClient.get_memory_strategies) calls bedrock-agentcore:GetMemory, but neither the App API task role nor the AgentCore Runtime execution role allowed it — every other memory data-plane action was granted. The denied GetMemory made strategy discovery fail silently:

  • App API: GET /memory returned empty facts/preferences with 200, so the Settings memories/preferences page rendered blank despite stored records.
  • Runtime: _discover_strategy_ids() failed, leaving retrieval config empty, so the agent kept writing events (CreateEvent) but never recalled long-term memories.

Add bedrock-agentcore:GetMemory to the AgentCoreMemoryAccess statement on both roles (app-api scoped to the memory ARN; runtime scoped to memory/*). No other actions changed. Validated against the AWS Service Authorization Reference (GetMemory = Read on the memory resource type) and the live AccessDenied in app-api logs.

Bumps VERSION to 1.0.4 + brief RELEASE_NOTES/CHANGELOG entries. Infra (IAM) change — deploys via the platform (CDK) pipeline.

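As an added example (not the project's CDK code or anything from the PR), a small offline policy-diff check in Python for the change described above: it verifies that the AgentCoreMemoryAccess statement gained exactly bedrock-agentcore:GetMemory, lost no other action, and that the scoped resource (the memory ARN for app-api, memory/* for runtime) actually covers the memory. The ARN layout and the pre-existing actions in the statement are assumptions.

```python
from fnmatch import fnmatchcase
# Constructed sample policies, not the project's CDK output. The ARN layout and the
# pre-existing actions are assumptions; only the Sid and GetMemory come from the PR.
MEMORY_ARN = "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/EXAMPLEMEMORYID"
RUNTIME_ARN = MEMORY_ARN.rsplit("/", 1)[0] + "/*"  # runtime role is scoped to memory/*
SID = "AgentCoreMemoryAccess"
GET_MEMORY = "bedrock-agentcore:GetMemory"
BASE_ACTIONS = {"bedrock-agentcore:CreateEvent", "bedrock-agentcore:ListEvents",
                "bedrock-agentcore:RetrieveMemoryRecords"}

def memory_policy(actions, resource):
    """Build a minimal policy document holding one AgentCoreMemoryAccess statement."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": SID, "Effect": "Allow", "Action": sorted(actions), "Resource": resource}]}

APP_API_BEFORE = memory_policy(BASE_ACTIONS, MEMORY_ARN)
APP_API_AFTER = memory_policy(BASE_ACTIONS | {GET_MEMORY}, MEMORY_ARN)
RUNTIME_AFTER = memory_policy(BASE_ACTIONS | {GET_MEMORY}, RUNTIME_ARN)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statement(policy, sid):
    """Return the single statement with the given Sid; raise if missing or duplicated."""
    found = [s for s in policy["Statement"] if s.get("Sid") == sid]
    if len(found) != 1:
        raise ValueError(f"expected exactly one statement with Sid {sid}, found {len(found)}")
    return found[0]

def allows(stmt, action, resource):
    """True when an Allow statement covers action on resource (IAM '*' / '?' wildcards)."""
    if stmt.get("Effect") != "Allow":
        return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def action_diff(before, after, sid):
    """(added, removed) action sets for one statement across two policy revisions."""
    old = set(_as_list(statement(before, sid)["Action"]))
    new = set(_as_list(statement(after, sid)["Action"]))
    return new - old, old - new

def check_fix(before, after, sid, action, resource):
    """The fix must add exactly `action`, remove nothing, and make `resource` reachable."""
    added, removed = action_diff(before, after, sid)
    return (added == {action} and not removed
            and not allows(statement(before, sid), action, resource)
            and allows(statement(after, sid), action, resource))
```

A check like this, run in the pipeline against the synthesized policy documents, turns a silent AccessDenied at runtime into a failed deploy.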
@colinmxs colinmxs merged commit 5d677e3 into develop Jul 1, 2026
15 checks passed