@cloud-copilot/iam-data
{
"allowvendedlogdeliveryforresource": {
"name": "AllowVendedLogDeliveryForResource",
"isPermissionOnly": true,
"description": "Grants permission to configure vended telemetry for a resource",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "payment-manager",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"authorizeaction": {
"name": "AuthorizeAction",
"isPermissionOnly": true,
"description": "Grants permission to evaluate Cedar policies for authorization requests",
"accessLevel": "Permissions management",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"batchcreatememoryrecords": {
"name": "BatchCreateMemoryRecords",
"description": "Grants permission to create one or more memory records",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:namespace"
],
"dependentActions": []
},
"batchdeletememoryrecords": {
"name": "BatchDeleteMemoryRecords",
"description": "Grants permission to delete one or more memory records",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"batchupdatememoryrecords": {
"name": "BatchUpdateMemoryRecords",
"description": "Grants permission to update one or more memory records",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:namespace"
],
"dependentActions": []
},
"completeresourcetokenauth": {
"name": "CompleteResourceTokenAuth",
"description": "Grants permission to retrieve access token with OAuth2 for 3LO flow to access external resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "oauth2credentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:InboundJwtClaim/iss",
"bedrock-agentcore:InboundJwtClaim/sub",
"bedrock-agentcore:InboundJwtClaim/aud",
"bedrock-agentcore:InboundJwtClaim/scope",
"bedrock-agentcore:InboundJwtClaim/client_id",
"bedrock-agentcore:userid"
],
"dependentActions": []
},
"connectbrowserautomationstream": {
"name": "ConnectBrowserAutomationStream",
"description": "Grants permission to connect to a browser automation stream",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"connectbrowserliveviewstream": {
"name": "ConnectBrowserLiveViewStream",
"description": "Grants permission to connect to a browser live view stream",
"accessLevel": "Read",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"createabtest": {
"name": "CreateABTest",
"description": "Grants permission to create an A/B test",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": [
"iam:PassRole"
]
},
"createagentruntime": {
"name": "CreateAgentRuntime",
"description": "Grants permission to create a new agent runtime",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"bedrock-agentcore:subnets",
"bedrock-agentcore:securityGroups",
"bedrock-agentcore:RuntimeAuthorizerType"
],
"dependentActions": [
"iam:PassRole"
]
},
"createagentruntimeendpoint": {
"name": "CreateAgentRuntimeEndpoint",
"description": "Grants permission to create a new agent runtime endpoint",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createapikeycredentialprovider": {
"name": "CreateApiKeyCredentialProvider",
"description": "Grants permission to create a new API Key Credential Provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "apikeycredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createbrowser": {
"name": "CreateBrowser",
"description": "Grants permission to create a new custom browser",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"bedrock-agentcore:subnets",
"bedrock-agentcore:securityGroups"
],
"dependentActions": []
},
"createbrowserprofile": {
"name": "CreateBrowserProfile",
"description": "Grants permission to create a new browser profile",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createcodeinterpreter": {
"name": "CreateCodeInterpreter",
"description": "Grants permission to create a new custom code interpreter",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"bedrock-agentcore:subnets",
"bedrock-agentcore:securityGroups"
],
"dependentActions": []
},
"createconfigurationbundle": {
"name": "CreateConfigurationBundle",
"description": "Grants permission to create a new configuration bundle",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"createevaluator": {
"name": "CreateEvaluator",
"description": "Grants permission to create a new evaluator",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createevent": {
"name": "CreateEvent",
"description": "Grants permission to create an Event",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:sessionId",
"bedrock-agentcore:actorId"
],
"dependentActions": []
},
"creategateway": {
"name": "CreateGateway",
"description": "Grants permission to create a new gateway",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"iam:PassRole"
]
},
"creategatewayrule": {
"name": "CreateGatewayRule",
"description": "Grants permission to create a new rule in an existing gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"creategatewaytarget": {
"name": "CreateGatewayTarget",
"description": "Grants permission to create a new target in an existing gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createharness": {
"name": "CreateHarness",
"description": "Grants permission to create a new harness",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"bedrock-agentcore:CreateAgentRuntime",
"bedrock-agentcore:GetAgentRuntime",
"iam:PassRole"
]
},
"creatememory": {
"name": "CreateMemory",
"description": "Grants permission to create a Memory resource",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys",
"bedrock-agentcore:KmsKeyArn"
],
"dependentActions": [
"iam:PassRole"
]
},
"createoauth2credentialprovider": {
"name": "CreateOauth2CredentialProvider",
"description": "Grants permission to create a new Credential Provider to access external resources with OAuth2 protocol",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "oauth2credentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createonlineevaluationconfig": {
"name": "CreateOnlineEvaluationConfig",
"description": "Grants permission to create a new online evaluation configuration",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"iam:PassRole"
]
},
"createpaymentconnector": {
"name": "CreatePaymentConnector",
"description": "Grants permission to create a new payment connector under a payment manager",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createpaymentcredentialprovider": {
"name": "CreatePaymentCredentialProvider",
"description": "Grants permission to create a new Payment Credential Provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "paymentcredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createpaymentinstrument": {
"name": "CreatePaymentInstrument",
"description": "Grants permission to create a new payment instrument",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createpaymentmanager": {
"name": "CreatePaymentManager",
"description": "Grants permission to create a new payment manager",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": [
"iam:PassRole"
]
},
"createpaymentsession": {
"name": "CreatePaymentSession",
"description": "Grants permission to create a new payment session",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createpolicy": {
"name": "CreatePolicy",
"description": "Grants permission to create a new policy within a policy engine",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createpolicyengine": {
"name": "CreatePolicyEngine",
"description": "Grants permission to create a new policy engine",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"createregistry": {
"name": "CreateRegistry",
"description": "Grants permission to create a new registry",
"accessLevel": "Write",
"resourceTypes": [],
"conditionKeys": [],
"dependentActions": []
},
"createregistryrecord": {
"name": "CreateRegistryRecord",
"description": "Grants permission to create a new registry record",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "registry",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"createworkloadidentity": {
"name": "CreateWorkloadIdentity",
"description": "Grants permission to create a new Workload Identity",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:TagKeys"
],
"dependentActions": []
},
"deleteabtest": {
"name": "DeleteABTest",
"description": "Grants permission to delete an A/B test",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "ab-test",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteagentruntime": {
"name": "DeleteAgentRuntime",
"description": "Grants permission to delete an agent runtime",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteagentruntimeendpoint": {
"name": "DeleteAgentRuntimeEndpoint",
"description": "Grants permission to delete an agent runtime endpoint",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime-endpoint",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteapikeycredentialprovider": {
"name": "DeleteApiKeyCredentialProvider",
"description": "Grants permission to delete a registered API Key Credential Provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "apikeycredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletebatchevaluation": {
"name": "DeleteBatchEvaluation",
"description": "Grants permission to delete a batch evaluation",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "batch-evaluate",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletebrowser": {
"name": "DeleteBrowser",
"description": "Grants permission to delete a custom browser",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "browser-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletebrowserprofile": {
"name": "DeleteBrowserProfile",
"description": "Grants permission to delete a browser profile",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "browser-profile",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletecodeinterpreter": {
"name": "DeleteCodeInterpreter",
"description": "Grants permission to delete a custom code interpreter",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "code-interpreter-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteconfigurationbundle": {
"name": "DeleteConfigurationBundle",
"description": "Grants permission to delete a configuration bundle",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "configuration-bundle",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteevaluator": {
"name": "DeleteEvaluator",
"description": "Grants permission to delete an evaluator",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "evaluator",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteevent": {
"name": "DeleteEvent",
"description": "Grants permission to delete an Event",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:sessionId",
"bedrock-agentcore:actorId"
],
"dependentActions": []
},
"deletegateway": {
"name": "DeleteGateway",
"description": "Grants permission to delete an existing gateway",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletegatewayrule": {
"name": "DeleteGatewayRule",
"description": "Grants permission to delete an existing gateway rule",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletegatewaytarget": {
"name": "DeleteGatewayTarget",
"description": "Grants permission to delete an existing gateway target",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteharness": {
"name": "DeleteHarness",
"description": "Grants permission to delete a harness",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "harness",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": [
"bedrock-agentcore:DeleteAgentRuntime",
"bedrock-agentcore:GetAgentRuntime",
"iam:PassRole"
]
},
"deletememory": {
"name": "DeleteMemory",
"description": "Grants permission to delete a Memory resource",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletememoryrecord": {
"name": "DeleteMemoryRecord",
"description": "Grants permission to delete a Memory Record",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteoauth2credentialprovider": {
"name": "DeleteOauth2CredentialProvider",
"description": "Grants permission to delete a registered OAuth2 Credential Provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "oauth2credentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteonlineevaluationconfig": {
"name": "DeleteOnlineEvaluationConfig",
"description": "Grants permission to delete an online evaluation configuration",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "online-evaluation-config",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepaymentconnector": {
"name": "DeletePaymentConnector",
"description": "Grants permission to delete a payment connector",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepaymentcredentialprovider": {
"name": "DeletePaymentCredentialProvider",
"description": "Grants permission to delete a registered Payment Credential Provider",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "paymentcredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepaymentinstrument": {
"name": "DeletePaymentInstrument",
"description": "Grants permission to delete a payment instrument",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepaymentmanager": {
"name": "DeletePaymentManager",
"description": "Grants permission to delete a payment manager",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepaymentsession": {
"name": "DeletePaymentSession",
"description": "Grants permission to delete a payment session",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepolicy": {
"name": "DeletePolicy",
"description": "Grants permission to delete a policy",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "policy",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deletepolicyengine": {
"name": "DeletePolicyEngine",
"description": "Grants permission to delete a policy engine",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleterecommendation": {
"name": "DeleteRecommendation",
"description": "Grants permission to delete a recommendation",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "recommendation",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteregistry": {
"name": "DeleteRegistry",
"description": "Grants permission to delete an existing registry",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "registry",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteregistryrecord": {
"name": "DeleteRegistryRecord",
"description": "Grants permission to delete an existing registry record",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "registry-record",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteresourcepolicy": {
"name": "DeleteResourcePolicy",
"description": "Grants permission to delete the resource-based policy for a Bedrock resource",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "gateway",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime-endpoint",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"deleteworkloadidentity": {
"name": "DeleteWorkloadIdentity",
"description": "Grants permission to delete a registered Workload Identity",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"evaluate": {
"name": "Evaluate",
"description": "Grants permission to run an evaluation using an evaluator",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "evaluator",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getabtest": {
"name": "GetABTest",
"description": "Grants permission to get details of an A/B test",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "ab-test",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getagentcard": {
"name": "GetAgentCard",
"description": "Grants permission to retrieve an agent card for A2A",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime-endpoint",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getagentruntime": {
"name": "GetAgentRuntime",
"description": "Grants permission to get details of an agent runtime",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getagentruntimeendpoint": {
"name": "GetAgentRuntimeEndpoint",
"description": "Grants permission to get details of an agent runtime endpoint",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "runtime",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime-endpoint",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getapikeycredentialprovider": {
"name": "GetApiKeyCredentialProvider",
"description": "Grants permission to fetch a registered API Key Credential Provider by its name",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "apikeycredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getbatchevaluation": {
"name": "GetBatchEvaluation",
"description": "Grants permission to get details of a batch evaluation",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "batch-evaluate",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getbrowser": {
"name": "GetBrowser",
"description": "Grants permission to get details of a browser",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "browser-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getbrowserprofile": {
"name": "GetBrowserProfile",
"description": "Grants permission to get details of a browser profile",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "browser-profile",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getbrowsersession": {
"name": "GetBrowserSession",
"description": "Grants permission to get details of a browser session",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "browser",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "browser-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getcodeinterpreter": {
"name": "GetCodeInterpreter",
"description": "Grants permission to get details of a code interpreter",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "code-interpreter-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getcodeinterpretersession": {
"name": "GetCodeInterpreterSession",
"description": "Grants permission to get details of a code interpreter session",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "code-interpreter",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "code-interpreter-custom",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getconfigurationbundle": {
"name": "GetConfigurationBundle",
"description": "Grants permission to get details of a configuration bundle",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "configuration-bundle",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getconfigurationbundleversion": {
"name": "GetConfigurationBundleVersion",
"description": "Grants permission to get a specific version of a configuration bundle",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "configuration-bundle",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getevaluator": {
"name": "GetEvaluator",
"description": "Grants permission to get details of an evaluator",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "evaluator",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getevent": {
"name": "GetEvent",
"description": "Grants permission to fetch an Event",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:sessionId",
"bedrock-agentcore:actorId"
],
"dependentActions": []
},
"getgateway": {
"name": "GetGateway",
"description": "Grants permission to retrieve an existing gateway",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getgatewayrule": {
"name": "GetGatewayRule",
"description": "Grants permission to retrieve an existing gateway rule",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getgatewaytarget": {
"name": "GetGatewayTarget",
"description": "Grants permission to retrieve an existing gateway target",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "gateway",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getharness": {
"name": "GetHarness",
"description": "Grants permission to get details of a harness",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "harness",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getmemory": {
"name": "GetMemory",
"description": "Grants permission to fetch details for a Memory resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getmemoryrecord": {
"name": "GetMemoryRecord",
"description": "Grants permission to fetch a Memory Record",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "memory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getoauth2credentialprovider": {
"name": "GetOauth2CredentialProvider",
"description": "Grants permission to fetch a registered OAuth2 Credential Provider by its name",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "oauth2credentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getonlineevaluationconfig": {
"name": "GetOnlineEvaluationConfig",
"description": "Grants permission to get details of an online evaluation configuration",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "online-evaluation-config",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentconnector": {
"name": "GetPaymentConnector",
"description": "Grants permission to retrieve details of a payment connector",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentcredentialprovider": {
"name": "GetPaymentCredentialProvider",
"description": "Grants permission to fetch a registered Payment Credential Provider by its name",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "paymentcredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentinstrument": {
"name": "GetPaymentInstrument",
"description": "Grants permission to retrieve details of a payment instrument",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentinstrumentbalance": {
"name": "GetPaymentInstrumentBalance",
"description": "Grants permission to retrieve the balance of a payment instrument",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentmanager": {
"name": "GetPaymentManager",
"description": "Grants permission to retrieve details of a payment manager",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpaymentsession": {
"name": "GetPaymentSession",
"description": "Grants permission to retrieve details of a payment session",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "payment-manager",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicy": {
"name": "GetPolicy",
"description": "Grants permission to retrieve a policy",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicyengine": {
"name": "GetPolicyEngine",
"description": "Grants permission to retrieve a policy engine",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicyenginesummary": {
"name": "GetPolicyEngineSummary",
"description": "Grants permission to retrieve a summary of a policy engine",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicygeneration": {
"name": "GetPolicyGeneration",
"description": "Grants permission to retrieve status and results of a policy generation request",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-generation",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicygenerationsummary": {
"name": "GetPolicyGenerationSummary",
"description": "Grants permission to retrieve a summary of a policy generation request",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-generation",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getpolicysummary": {
"name": "GetPolicySummary",
"description": "Grants permission to retrieve a summary of a policy",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "policy",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "policy-engine",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getrecommendation": {
"name": "GetRecommendation",
"description": "Grants permission to get details of a recommendation",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "recommendation",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getregistry": {
"name": "GetRegistry",
"description": "Grants permission to retrieve an existing registry",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "registry",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getregistryrecord": {
"name": "GetRegistryRecord",
"description": "Grants permission to retrieve an existing registry record",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "registry-record",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getresourceapikey": {
"name": "GetResourceApiKey",
"description": "Grants permission to retrieve an API Key associated with an API Key Credential Provider",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "apikeycredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getresourceoauth2token": {
"name": "GetResourceOauth2Token",
"description": "Grants permission to retrieve an access token with the OAuth2 2LO or 3LO flow to access an external resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "oauth2credentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getresourcepaymenttoken": {
"name": "GetResourcePaymentToken",
"description": "Grants permission to retrieve a payment authentication token associated with a Payment Credential Provider",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "paymentcredentialprovider",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getresourcepolicy": {
"name": "GetResourcePolicy",
"description": "Grants permission to retrieve the resource-based policy for a Bedrock resource",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "gateway",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime",
"required": false,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "runtime-endpoint",
"required": false,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"gettokenvault": {
"name": "GetTokenVault",
"description": "Grants permission to fetch the current configuration of the TokenVault, including encryption settings",
"accessLevel": "Read",
"resourceTypes": [
{
"name": "token-vault",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getworkloadaccesstoken": {
"name": "GetWorkloadAccessToken",
"description": "Grants permission to retrieve a Workload access token for agentic workloads not acting on behalf of a user",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [],
"dependentActions": []
},
"getworkloadaccesstokenforjwt": {
"name": "GetWorkloadAccessTokenForJWT",
"description": "Grants permission to retrieve a Workload access token for agentic workloads acting on behalf of a user with a JWT token",
"accessLevel": "Write",
"resourceTypes": [
{
"name": "workload-identity",
"required": true,
"conditionKeys": [],
"dependentActions": []
},
{
"name": "workload-identity-directory",
"required": true,
"conditionKeys": [],
"dependentActions": []
}
],
"conditionKeys": [
"bedrock-agentcore:InboundJwtClaim/iss",
"bedrock-agentcore:InboundJwtClaim/sub",
"bedrock-agentcore:InboundJwtClaim/aud",
"bedrock-agentcore:InboundJwtClaim/scope",
"bedrock-agentcore:InboundJwtClaim/client_id"