published on Friday, May 29, 2026 by Pulumi
Manages an AWS Bedrock Agent Core Resource Policy. Resource-based policies in Amazon Bedrock Agent Core allow you to control which principals (AWS accounts, IAM users, or IAM roles) can invoke and manage your Amazon Bedrock Agent Core Runtime and Gateway resources.
Example Usage
Basic Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
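// Runtime that the resource policy below is attached to.
const exampleAgentcoreAgentRuntime = new aws.bedrock.AgentcoreAgentRuntime("example", {});

// The runtime ARN is an Output that is only known after the runtime exists, so the policy
// document is built with the Output-accepting form of the data source.
const example = aws.iam.getPolicyDocumentOutput({
    statements: [{
        sid: "AllowOAuthFromVPC",
        effect: "Allow",
        actions: ["bedrock-agentcore:InvokeAgentRuntime"],
        // Principal "*" places no restriction on the caller's identity, so the aws:SourceVpc
        // condition below is the only thing limiting who this statement allows. Where callers
        // are IAM principals, list their ARNs here instead of "*".
        principals: [{
            type: "*",
            identifiers: ["*"],
        }],
        // Scope the statement to the runtime declared above.
        resources: [exampleAgentcoreAgentRuntime.agentRuntimeArn],
        // aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
        // Keep this condition whenever the principal is "*".
        conditions: [{
            test: "StringEquals",
            variable: "aws:SourceVpc",
            values: ["vpc-1a2b3c4d"], // sample VPC ID; replace with your own
        }],
    }],
});

// Attach the rendered policy JSON to the runtime.
const exampleAgentcoreResourcePolicy = new aws.bedrock.AgentcoreResourcePolicy("example", {
    policy: example.json,
    resourceArn: exampleAgentcoreAgentRuntime.agentRuntimeArn,
});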
import pulumi
import pulumi_aws as aws
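# Runtime that the resource policy below is attached to.
example_agentcore_agent_runtime = aws.bedrock.AgentcoreAgentRuntime("example")

# The runtime ARN is an Output that is only known after the runtime exists, so the policy
# document is built with the Output-accepting form of the data source.
example = aws.iam.get_policy_document_output(statements=[{
    "sid": "AllowOAuthFromVPC",
    "effect": "Allow",
    "actions": ["bedrock-agentcore:InvokeAgentRuntime"],
    # Principal "*" places no restriction on the caller's identity, so the aws:SourceVpc
    # condition below is the only thing limiting who this statement allows. Where callers
    # are IAM principals, list their ARNs here instead of "*".
    "principals": [{
        "type": "*",
        "identifiers": ["*"],
    }],
    # Scope the statement to the runtime declared above.
    "resources": [example_agentcore_agent_runtime.agent_runtime_arn],
    # aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
    # Keep this condition whenever the principal is "*".
    "conditions": [{
        "test": "StringEquals",
        "variable": "aws:SourceVpc",
        "values": ["vpc-1a2b3c4d"],  # sample VPC ID; replace with your own
    }],
}])

# Attach the rendered policy JSON to the runtime.
example_agentcore_resource_policy = aws.bedrock.AgentcoreResourcePolicy("example",
    policy=example.json,
    resource_arn=example_agentcore_agent_runtime.agent_runtime_arn)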
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/bedrock"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/iam"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
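// main declares an AgentCore runtime and attaches a resource policy that allows
// InvokeAgentRuntime on it for requests matching the aws:SourceVpc condition.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Runtime that the resource policy below is attached to.
		exampleAgentcoreAgentRuntime, err := bedrock.NewAgentcoreAgentRuntime(ctx, "example", nil)
		if err != nil {
			return err
		}
		// The runtime ARN is an Output that is only known after the runtime exists, so the
		// policy document is built with the Output-accepting form of the data source.
		example := iam.GetPolicyDocumentOutput(ctx, iam.GetPolicyDocumentOutputArgs{
			Statements: iam.GetPolicyDocumentStatementArray{
				&iam.GetPolicyDocumentStatementArgs{
					Sid:    pulumi.String("AllowOAuthFromVPC"),
					Effect: pulumi.String("Allow"),
					Actions: pulumi.StringArray{
						pulumi.String("bedrock-agentcore:InvokeAgentRuntime"),
					},
					// Principal "*" places no restriction on the caller's identity, so the
					// aws:SourceVpc condition below is the only thing limiting who this
					// statement allows. Where callers are IAM principals, list their ARNs
					// here instead of "*".
					Principals: iam.GetPolicyDocumentStatementPrincipalArray{
						&iam.GetPolicyDocumentStatementPrincipalArgs{
							Type: pulumi.String("*"),
							Identifiers: pulumi.StringArray{
								pulumi.String("*"),
							},
						},
					},
					// Scope the statement to the runtime declared above.
					Resources: pulumi.StringArray{
						exampleAgentcoreAgentRuntime.AgentRuntimeArn,
					},
					// aws:SourceVpc is present only on requests that arrive through a VPC
					// endpoint. Keep this condition whenever the principal is "*".
					Conditions: iam.GetPolicyDocumentStatementConditionArray{
						&iam.GetPolicyDocumentStatementConditionArgs{
							Test:     pulumi.String("StringEquals"),
							Variable: pulumi.String("aws:SourceVpc"),
							Values: pulumi.StringArray{
								pulumi.String("vpc-1a2b3c4d"), // sample VPC ID; replace with your own
							},
						},
					},
				},
			},
		}, nil)
		// Attach the rendered policy JSON to the runtime.
		_, err = bedrock.NewAgentcoreResourcePolicy(ctx, "example", &bedrock.AgentcoreResourcePolicyArgs{
			Policy:      example.Json(),
			ResourceArn: exampleAgentcoreAgentRuntime.AgentRuntimeArn,
		})
		if err != nil {
			return err
		}
		return nil
	})
}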
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
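return await Deployment.RunAsync(() =>
{
    // Runtime that the resource policy below is attached to.
    var exampleAgentcoreAgentRuntime = new Aws.Bedrock.AgentcoreAgentRuntime("example");

    var example = Aws.Iam.GetPolicyDocument.Invoke(new()
    {
        Statements = new[]
        {
            new Aws.Iam.Inputs.GetPolicyDocumentStatementInputArgs
            {
                Sid = "AllowOAuthFromVPC",
                Effect = "Allow",
                Actions = new[]
                {
                    "bedrock-agentcore:InvokeAgentRuntime",
                },
                // Principal "*" places no restriction on the caller's identity, so the
                // aws:SourceVpc condition below is the only thing limiting who this statement
                // allows. Where callers are IAM principals, list their ARNs here instead of "*".
                Principals = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementPrincipalInputArgs
                    {
                        Type = "*",
                        Identifiers = new[]
                        {
                            "*",
                        },
                    },
                },
                // Scope the statement to the runtime declared above.
                Resources = new[]
                {
                    exampleAgentcoreAgentRuntime.AgentRuntimeArn,
                },
                // aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
                // Keep this condition whenever the principal is "*".
                Conditions = new[]
                {
                    new Aws.Iam.Inputs.GetPolicyDocumentStatementConditionInputArgs
                    {
                        Test = "StringEquals",
                        Variable = "aws:SourceVpc",
                        Values = new[]
                        {
                            "vpc-1a2b3c4d", // sample VPC ID; replace with your own
                        },
                    },
                },
            },
        },
    });

    // Attach the rendered policy JSON to the runtime.
    var exampleAgentcoreResourcePolicy = new Aws.Bedrock.AgentcoreResourcePolicy("example", new()
    {
        Policy = example.Apply(getPolicyDocumentResult => getPolicyDocumentResult.Json),
        ResourceArn = exampleAgentcoreAgentRuntime.AgentRuntimeArn,
    });
});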
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.bedrock.AgentcoreAgentRuntime;
import com.pulumi.aws.bedrock.AgentcoreResourcePolicy;
import com.pulumi.aws.bedrock.AgentcoreResourcePolicyArgs;
import com.pulumi.aws.iam.IamFunctions;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementConditionArgs;
import com.pulumi.aws.iam.inputs.GetPolicyDocumentStatementPrincipalArgs;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
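/**
 * Declares an AgentCore runtime and attaches a resource policy that allows
 * {@code bedrock-agentcore:InvokeAgentRuntime} on it for requests matching the
 * {@code aws:SourceVpc} condition.
 */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Builds the stack: the runtime, the policy document, and the resource policy.
     *
     * @param ctx the Pulumi deployment context
     */
    public static void stack(Context ctx) {
        // Runtime that the resource policy below is attached to.
        var exampleAgentcoreAgentRuntime = new AgentcoreAgentRuntime("exampleAgentcoreAgentRuntime");

        final var example = IamFunctions.getPolicyDocument(GetPolicyDocumentArgs.builder()
            .statements(GetPolicyDocumentStatementArgs.builder()
                .sid("AllowOAuthFromVPC")
                .effect("Allow")
                .actions("bedrock-agentcore:InvokeAgentRuntime")
                // Principal "*" places no restriction on the caller's identity, so the
                // aws:SourceVpc condition below is the only thing limiting who this statement
                // allows. Where callers are IAM principals, list their ARNs here instead of "*".
                .principals(GetPolicyDocumentStatementPrincipalArgs.builder()
                    .type("*")
                    .identifiers("*")
                    .build())
                // Scope the statement to the runtime declared above; the ARN is an Output,
                // so it is wrapped into the list the builder expects.
                .resources(exampleAgentcoreAgentRuntime.agentRuntimeArn().applyValue(arn -> List.of(arn)))
                // aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
                // Keep this condition whenever the principal is "*".
                .conditions(GetPolicyDocumentStatementConditionArgs.builder()
                    .test("StringEquals")
                    .variable("aws:SourceVpc")
                    .values("vpc-1a2b3c4d") // sample VPC ID; replace with your own
                    .build())
                .build())
            .build());

        // Attach the rendered policy JSON to the runtime. The lookup result is an Output,
        // so the JSON is read inside applyValue.
        var exampleAgentcoreResourcePolicy = new AgentcoreResourcePolicy("exampleAgentcoreResourcePolicy", AgentcoreResourcePolicyArgs.builder()
            .policy(example.applyValue(getPolicyDocumentResult -> getPolicyDocumentResult.json()))
            .resourceArn(exampleAgentcoreAgentRuntime.agentRuntimeArn())
            .build());
    }
}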
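resources:
  # Runtime that the resource policy below is attached to.
  exampleAgentcoreAgentRuntime:
    type: aws:bedrock:AgentcoreAgentRuntime
    name: example
  # Attaches the rendered policy JSON to the runtime.
  exampleAgentcoreResourcePolicy:
    type: aws:bedrock:AgentcoreResourcePolicy
    name: example
    properties:
      policy: ${example.json}
      resourceArn: ${exampleAgentcoreAgentRuntime.agentRuntimeArn}
variables:
  example:
    fn::invoke:
      function: aws:iam:getPolicyDocument
      arguments:
        statements:
          - sid: AllowOAuthFromVPC
            effect: Allow
            actions:
              - bedrock-agentcore:InvokeAgentRuntime
            # Principal "*" places no restriction on the caller's identity, so the
            # aws:SourceVpc condition below is the only thing limiting who this statement
            # allows. Where callers are IAM principals, list their ARNs here instead of "*".
            principals:
              - type: '*'
                identifiers:
                  - '*'
            # Scope the statement to the runtime declared above.
            resources:
              - ${exampleAgentcoreAgentRuntime.agentRuntimeArn}
            # aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
            # Keep this condition whenever the principal is "*".
            conditions:
              - test: StringEquals
                variable: aws:SourceVpc
                values:
                  - vpc-1a2b3c4d # sample VPC ID; replace with your own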
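pulumi {
  required_providers {
    aws = {
      source = "pulumi/aws"
    }
  }
}

data "aws_iam_getpolicydocument" "example" {
  statements {
    sid     = "AllowOAuthFromVPC"
    effect  = "Allow"
    actions = ["bedrock-agentcore:InvokeAgentRuntime"]
    # Principal "*" places no restriction on the caller's identity, so the aws:SourceVpc
    # condition below is the only thing limiting who this statement allows. Where callers
    # are IAM principals, list their ARNs here instead of "*".
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    # Scope the statement to the runtime declared below.
    resources = [aws_bedrock_agentcoreagentruntime.example.agent_runtime_arn]
    # aws:SourceVpc is present only on requests that arrive through a VPC endpoint.
    # Keep this condition whenever the principal is "*".
    conditions {
      test     = "StringEquals"
      variable = "aws:SourceVpc"
      values   = ["vpc-1a2b3c4d"] # sample VPC ID; replace with your own
    }
  }
}

# Runtime that the resource policy is attached to.
resource "aws_bedrock_agentcoreagentruntime" "example" {
}

# Attaches the rendered policy JSON to the runtime.
resource "aws_bedrock_agentcoreresourcepolicy" "example" {
  policy       = data.aws_iam_getpolicydocument.example.json
  resource_arn = aws_bedrock_agentcoreagentruntime.example.agent_runtime_arn
}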
Create AgentcoreResourcePolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new AgentcoreResourcePolicy(name: string, args: AgentcoreResourcePolicyArgs, opts?: CustomResourceOptions);
@overload
def AgentcoreResourcePolicy(resource_name: str,
args: AgentcoreResourcePolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def AgentcoreResourcePolicy(resource_name: str,
opts: Optional[ResourceOptions] = None,
policy: Optional[str] = None,
resource_arn: Optional[str] = None,
region: Optional[str] = None)
func NewAgentcoreResourcePolicy(ctx *Context, name string, args AgentcoreResourcePolicyArgs, opts ...ResourceOption) (*AgentcoreResourcePolicy, error)
public AgentcoreResourcePolicy(string name, AgentcoreResourcePolicyArgs args, CustomResourceOptions? opts = null)
public AgentcoreResourcePolicy(String name, AgentcoreResourcePolicyArgs args)
public AgentcoreResourcePolicy(String name, AgentcoreResourcePolicyArgs args, CustomResourceOptions options)
type: aws:bedrock:AgentcoreResourcePolicy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "aws_bedrock_agentcoreresourcepolicy" "name" {
# resource properties
}
Parameters
- name string
- The unique name of the resource.
- args AgentcoreResourcePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args AgentcoreResourcePolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args AgentcoreResourcePolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args AgentcoreResourcePolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args AgentcoreResourcePolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
// Placeholder values only. Policy is the resource policy definition, ResourceArn is the ARN of
// the resource the policy is created or updated for, and Region is optional (it defaults to the
// Region set in the provider configuration).
var agentcoreResourcePolicyArgs = new Aws.Bedrock.AgentcoreResourcePolicyArgs
{
    Policy = "string",
    ResourceArn = "string",
    Region = "string",
};
var agentcoreResourcePolicyResource = new Aws.Bedrock.AgentcoreResourcePolicy("agentcoreResourcePolicyResource", agentcoreResourcePolicyArgs);
// Placeholder values only. Policy is the resource policy definition, ResourceArn is the ARN of
// the resource the policy is created or updated for, and Region is optional (it defaults to the
// Region set in the provider configuration).
args := &bedrock.AgentcoreResourcePolicyArgs{
	Policy:      pulumi.String("string"),
	ResourceArn: pulumi.String("string"),
	Region:      pulumi.String("string"),
}
example, err := bedrock.NewAgentcoreResourcePolicy(ctx, "agentcoreResourcePolicyResource", args)
# Placeholder values only.
resource "aws_bedrock_agentcoreresourcepolicy" "agentcoreResourcePolicyResource" {
# Resource policy definition.
policy = "string"
# ARN of the resource for which to create or update the resource policy.
resource_arn = "string"
# Optional; defaults to the Region set in the provider configuration.
region = "string"
}
// Placeholder values only. policy is the resource policy definition, resourceArn is the ARN of
// the resource the policy is created or updated for, and region is optional (it defaults to the
// Region set in the provider configuration).
var agentcoreResourcePolicyArgs = AgentcoreResourcePolicyArgs.builder()
    .policy("string")
    .resourceArn("string")
    .region("string")
    .build();
var agentcoreResourcePolicyResource = new AgentcoreResourcePolicy("agentcoreResourcePolicyResource", agentcoreResourcePolicyArgs);
# Placeholder values only. policy is the resource policy definition, resource_arn is the ARN of
# the resource the policy is created or updated for, and region is optional (it defaults to the
# Region set in the provider configuration).
agentcore_resource_policy_args = {
    "policy": "string",
    "resource_arn": "string",
    "region": "string",
}
agentcore_resource_policy_resource = aws.bedrock.AgentcoreResourcePolicy(
    "agentcoreResourcePolicyResource",
    **agentcore_resource_policy_args)
// Placeholder values only. policy is the resource policy definition, resourceArn is the ARN of
// the resource the policy is created or updated for, and region is optional (it defaults to the
// Region set in the provider configuration).
const agentcoreResourcePolicyArgs = {
    policy: "string",
    resourceArn: "string",
    region: "string",
};
const agentcoreResourcePolicyResource = new aws.bedrock.AgentcoreResourcePolicy("agentcoreResourcePolicyResource", agentcoreResourcePolicyArgs);
# Placeholder values only.
type: aws:bedrock:AgentcoreResourcePolicy
properties:
# Resource policy definition.
policy: string
# Optional; defaults to the Region set in the provider configuration.
region: string
# ARN of the resource for which to create or update the resource policy.
resourceArn: string
AgentcoreResourcePolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The AgentcoreResourcePolicy resource accepts the following input properties:
- Policy string
- Resource policy definition
- ResourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Policy string
- Resource policy definition
- ResourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- policy string
- Resource policy definition
- resource_arn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- policy String
- Resource policy definition
- resourceArn String
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- policy string
- Resource policy definition
- resourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- policy str
- Resource policy definition
- resource_arn str
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- policy String
- Resource policy definition
- resourceArn String
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
Outputs
All input properties are implicitly available as output properties. Additionally, the AgentcoreResourcePolicy resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing AgentcoreResourcePolicy Resource
Get an existing AgentcoreResourcePolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: AgentcoreResourcePolicyState, opts?: CustomResourceOptions): AgentcoreResourcePolicy
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
policy: Optional[str] = None,
region: Optional[str] = None,
resource_arn: Optional[str] = None) -> AgentcoreResourcePolicy
func GetAgentcoreResourcePolicy(ctx *Context, name string, id IDInput, state *AgentcoreResourcePolicyState, opts ...ResourceOption) (*AgentcoreResourcePolicy, error)
public static AgentcoreResourcePolicy Get(string name, Input<string> id, AgentcoreResourcePolicyState? state, CustomResourceOptions? opts = null)
public static AgentcoreResourcePolicy get(String name, Output<String> id, AgentcoreResourcePolicyState state, CustomResourceOptions options)
resources:
  _:
    type: aws:bedrock:AgentcoreResourcePolicy
    get:
      id: ${id}
import {
to = aws_bedrock_agentcoreresourcepolicy.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Policy string
- Resource policy definition
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- ResourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- Policy string
- Resource policy definition
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- ResourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- policy string
- Resource policy definition
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- resource_arn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- policy String
- Resource policy definition
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- resourceArn String
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- policy string
- Resource policy definition
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- resourceArn string
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- policy str
- Resource policy definition
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- resource_arn str
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
- policy String
- Resource policy definition
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- resourceArn String
- Amazon Resource Name (ARN) of the resource for which to create or update the resource policy.
The following arguments are optional:
Import
Identity Schema
Required
resourceArn - ARN of the resource to which the Resource Policy is attached.
Using pulumi import, import Bedrock Agent Core Resource Policy using the resourceArn. For example:
$ pulumi import aws:bedrock/agentcoreResourcePolicy:AgentcoreResourcePolicy example arn:aws:bedrock-agentcore:us-west-2:012345678901:runtime/abcd1234
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the aws Terraform Provider.