fix(stepfunctions-tasks): map bedrockagent service to bedrock IAM prefix (#35147)

pahud · web-flow · commit 86638f6daca6 · 2025-08-22T10:14:53.000Z
Add `bedrockagent: 'bedrock'` mapping to iamServiceMap in CallAwsService to ensure correct IAM permissions are generated. Without this mapping, Step Functions tasks using service='bedrockagent' would generate incorrect 'bedrockagent:action' IAM permissions instead of the correct 'bedrock:action' format required by AWS IAM. Fixes issue where Bedrock Agent actions like startIngestionJob and getIngestionJob would fail with access denied errors due to incorrect IAM policy generation. ### Issue # (if applicable) Closes #35146 ### Reason for this change The CDK's Step Functions SDK integration (`CallAwsService`) generates incorrect IAM permissions for Amazon Bedrock Agent actions. When using `service="bedrockagent"` with actions like `startIngestionJob` and `getIngestionJob`, the auto-generated IAM policy incorrectly uses the `bedrockagent:` service prefix instead of the correct `bedrock:` prefix. This causes Step Functions executions to fail with access denied errors because AWS IAM uses `bedrock:` as the service prefix for all Bedrock-related actions, including Bedrock Agent operations. ### Description of changes **Core Change:** - Added `bedrockagent: 'bedrock'` mapping to the existing `iamServiceMap` object in `CallAwsService` class - This follows the established pattern used by 6 other service mappings (e.g., `mwaa: 'airflow'`, `sfn: 'states'`) **Test Coverage:** - Added comprehensive test case `'IAM policy for bedrockagent'` following existing test patterns - Verifies that `service: 'bedrockagent'` generates correct `bedrock:startIngestionJob` IAM action - Ensures no regressions in existing service mappings **Files Modified:** - `packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts` - Added mapping - `packages/aws-cdk-lib/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts` - Added test **Design Decision:** This approach was chosen because it follows the existing architecture pattern and requires minimal code changes while maintaining backward compatibility. Alternative approaches like modifying the IAM action generation logic would be more invasive and risky. ### Describe any new or updated permissions being added No new permissions are being added. This change corrects the IAM service prefix from `bedrockagent:` to `bedrock:` for existing Bedrock Agent actions. The actions themselves (`startIngestionJob`, `getIngestionJob`, etc.) remain the same. ### Description of how you validated changes **Unit Tests:** - Added new test case `'IAM policy for bedrockagent'` that verifies correct IAM policy generation - All existing tests pass, confirming no regressions - Test follows established pattern used by other service mapping tests **Manual Testing:** - Verified that `CallAwsService` with `service: 'bedrockagent'` now generates `bedrock:startIngestionJob` instead of `bedrockagent:startIngestionJob` - Confirmed IAM policy structure matches expected format **Test Results:** - New test: `IAM policy for bedrockagent` - PASSED - All 15 existing tests - PASSED - No regressions detected ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts
@@ -122,6 +122,7 @@ export class CallAwsService extends sfn.TaskStateBase {
     }
 
     const iamServiceMap: Record<string, string> = {
+      bedrockagent: 'bedrock',
       cloudwatchlogs: 'logs',
       efs: 'elasticfilesystem',
       elasticloadbalancingv2: 'elasticloadbalancing',
diff --git a/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts b/packages/aws-cdk-lib/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts
@@ -371,6 +371,38 @@ test('IAM policy for mediapackagevod', () => {
   });
 });
 
+test('IAM policy for bedrockagent', () => {
+  // WHEN
+  const task = new tasks.CallAwsService(stack, 'StartIngestionJob', {
+    service: 'bedrockagent',
+    action: 'startIngestionJob',
+    parameters: {
+      DataSourceId: 'test-datasource-id',
+      KnowledgeBaseId: 'test-kb-id',
+    },
+    resultPath: sfn.JsonPath.DISCARD,
+    iamResources: ['*'],
+  });
+
+  new sfn.StateMachine(stack, 'StateMachine', {
+    definitionBody: sfn.DefinitionBody.fromChainable(task),
+  });
+
+  // THEN
+  Template.fromStack(stack).hasResourceProperties('AWS::IAM::Policy', {
+    PolicyDocument: {
+      Statement: [
+        {
+          Action: 'bedrock:startIngestionJob',
+          Effect: 'Allow',
+          Resource: '*',
+        },
+      ],
+      Version: '2012-10-17',
+    },
+  });
+});
+
 test('IAM policy for mwaa', () => {
   // WHEN
   const task = new tasks.CallAwsService(stack, 'ListMWAAEnvironments', {

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,7 @@ export class CallAwsService extends sfn.TaskStateBase {`
`122`	`122`	`}`
`123`	`123`
`124`	`124`	`const iamServiceMap: Record<string, string> = {`
	`125`	`+ bedrockagent: 'bedrock',`
`125`	`126`	`cloudwatchlogs: 'logs',`
`126`	`127`	`efs: 'elasticfilesystem',`
`127`	`128`	`elasticloadbalancingv2: 'elasticloadbalancing',`