Security and access controls
The harness gives you the same security primitives as the rest of AgentCore, wired in by configuration.
-
Isolated execution. Every session runs in its own Firecracker microVM in AgentCore Runtime. No shared state, no shared filesystem.
-
IAM execution role. The harness assumes an IAM role you own, configurable to include Bedrock, ECR, CloudWatch, and the AgentCore primitives it touches. See sample execution role policy below.
-
IAM permissions model. Harness APIs require permissions on both the harness resource and the underlying AgentCore Runtime resource. For example, calling
InvokeHarnessrequires bothbedrock-agentcore:InvokeHarnessandbedrock-agentcore:InvokeAgentRuntimepermissions on the harness ARN. The same pattern applies to control plane operations:UpdateHarnessrequiresbedrock-agentcore:UpdateAgentRuntime,DeleteHarnessrequiresbedrock-agentcore:DeleteAgentRuntime, and so on. See execution role policy for the full list. -
Inbound OAuth Support. JWT configured Harness resources require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. AgentCore Identity threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account.
-
VPC. Connect harness sessions to your VPC for private access to internal resources.
-
Policies on Gateway. When tools are served through AgentCore Gateway, Cedar-based policies can be configured to gate every call: who can call which tool, under which conditions, with which arguments.
Harness follows the AgentCore shared responsibility model
Note
SigV4 and per-user identity. When callers authenticate with SigV4 (AWS IAM), the harness does not propagate per-user identity into downstream tool calls. This means per-user credential scoping features in AgentCore Identity Token Vault - such as user-scoped OAuth token storage and on-behalf-of token exchange - are only available when callers authenticate with a Bearer JWT via the OAuth inbound path. If your use case requires per-user credential scoping for downstream tools, configure inbound OAuth on the harness. SigV4 support for per-user identity is planned for a future release.
Network configuration
By default, harness sessions run on the public network. To access private resources (databases, internal APIs, private subnets), deploy the harness in your VPC.
Example
Important
The harness pulls its application container from Amazon ECR Public at the start of each session. When running in VPC mode, your VPC must allow outbound access to public.ecr.aws. Amazon ECR Public does not support VPC endpoints, so your VPC must have a NAT gateway with a route to an internet gateway. If this connectivity is not available, sessions will fail to start due to image pull timeouts.
For additional network configuration guidance, see Configure AgentCore Runtime and built-in tools VPC configuration. For inbound API connectivity via PrivateLink, see VPC interface endpoints.
Inbound OAuth
Require callers to present a valid JWT issued by a configured identity provider before they can invoke the harness. AgentCore Identity threads the end-user identity through the agent, so downstream tools can call APIs with scoped user credentials instead of a shared service account.
Example
Learn more: AgentCore Identity · inbound JWT authorizer · outbound credentials
Gateway policies
When tools are served through AgentCore Gateway, Cedar-based policies gate every call: who can call which tool, under which conditions, with which arguments.
Learn more: AgentCore Policy · common patterns
Execution role policy
The harness assumes an IAM execution role you provide. The role’s trust policy must allow the AgentCore service principal to assume it:
{ "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": {"Service": "bedrock-agentcore.amazonaws.com"}, "Action": "sts:AssumeRole" }] }
Required IAM permissions for callers
Harness APIs require permissions on both the harness resource and the underlying AgentCore Runtime resource. The following table lists the required actions for each API:
| API | Required IAM actions |
|---|---|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
All actions are scoped to the harness ARN (e.g., arn:aws:bedrock-agentcore:{region}:{account}:harness/{id}).
Sample execution role policy
{ "Version": "2012-10-17", "Statement": [ { "Sid": "BedrockModelInvocation", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": [ "arn:aws:bedrock:*::foundation-model/*", "arn:aws:bedrock:<region>:<accountId>:*" ] }, { "Sid": "EcrPublicTokenAccess", "Effect": "Allow", "Action": [ "ecr-public:GetAuthorizationToken" ], "Resource": "*" }, { "Sid": "StsForEcrPublicPull", "Effect": "Allow", "Action": [ "sts:GetServiceBearerToken" ], "Resource": "*" }, { "Sid": "XRayTracingAccess", "Effect": "Allow", "Action": [ "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules", "xray:GetSamplingTargets" ], "Resource": "*" }, { "Sid": "CloudWatchLogsGroup", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DescribeLogStreams" ], "Resource": "arn:aws:logs:<region>:<accountId>:log-group:/aws/bedrock-agentcore/runtimes/*" }, { "Sid": "CloudWatchLogsDescribeGroups", "Effect": "Allow", "Action": [ "logs:DescribeLogGroups" ], "Resource": "arn:aws:logs:<region>:<accountId>:log-group:*" }, { "Sid": "CloudWatchLogsStream", "Effect": "Allow", "Action": [ "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "arn:aws:logs:<region>:<accountId>:log-group:/aws/bedrock-agentcore/runtimes/*:log-stream:*" }, { "Sid": "CloudWatchMetricsPublish", "Effect": "Allow", "Resource": "*", "Action": "cloudwatch:PutMetricData", "Condition": { "StringEquals": { "cloudwatch:namespace": "bedrock-agentcore" } } }, { "Sid": "AgentCoreWorkloadIdentity", "Effect": "Allow", "Action": [ "bedrock-agentcore:GetWorkloadAccessToken", "bedrock-agentcore:GetWorkloadAccessTokenForJWT" ], "Resource": [ "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default", "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*" ] }, { "Sid": "AgentCoreBrowserDefault", "Effect": "Allow", "Action": [ "bedrock-agentcore:StartBrowserSession", "bedrock-agentcore:StopBrowserSession", "bedrock-agentcore:GetBrowserSession", "bedrock-agentcore:ListBrowserSessions", "bedrock-agentcore:UpdateBrowserStream", "bedrock-agentcore:ConnectBrowserAutomationStream", "bedrock-agentcore:ConnectBrowserLiveViewStream" ], "Resource": "arn:aws:bedrock-agentcore:<region>:aws:browser/*" }, { "Sid": "AgentCoreCodeInterpreterDefault", "Effect": "Allow", "Action": [ "bedrock-agentcore:StartCodeInterpreterSession", "bedrock-agentcore:StopCodeInterpreterSession", "bedrock-agentcore:GetCodeInterpreterSession", "bedrock-agentcore:ListCodeInterpreterSessions", "bedrock-agentcore:InvokeCodeInterpreter" ], "Resource": "arn:aws:bedrock-agentcore:<region>:aws:code-interpreter/*" } ] }
The AgentCore CLI creates a role with these permissions automatically when you scaffold a harness project. The policy above is for cases where you create the role yourself.
Note
The BedrockModelInvocation sample statement above allows invocation of all foundation models across all regions and all Bedrock resources in your account. To scope this down, replace the resource ARNs with specific inference profiles, which let you route requests across models and regions with a single ARN. For example: arn:aws:bedrock:<destination_regions>:<accountId>:inference-profile/<profileId> paired with all allowed regions arn:aws:bedrock:<region>:<accountId>:foundation-model/<modelId>.
For production workloads, scope Resource values down to the specific ARNs your harness needs rather than using "*".
Additional permissions for optional features
Below are sample policies you can append to your execution role based on the features your harness uses. Follow the principle of least privilege - grant your harness agent only the specific tools and credentials it needs for inference. See Placeholder reference for placeholder definitions.
Private ECR access (custom container images)
Add this policy when your harness uses a private ECR image for a custom container.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ECRImageAccess", "Effect": "Allow", "Action": [ "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage" ], "Resource": "arn:aws:ecr:<ecrRegion>:<ecrAccountId>:repository/<ecrRepoName>" }, { "Sid": "ECRTokenAccess", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", "Resource": "*" } ] }
AgentCore Memory
Add this policy when your harness uses a customer-owned memory instance.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreMemory", "Effect": "Allow", "Action": [ "bedrock-agentcore:CreateEvent", "bedrock-agentcore:DeleteEvent", "bedrock-agentcore:GetEvent", "bedrock-agentcore:ListEvents", "bedrock-agentcore:RetrieveMemoryRecords" ], "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:memory/<memoryId>" } ] }
AgentCore Browser (custom)
Add this policy when your harness uses a customer-owned custom browser resource.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreBrowserCustom", "Effect": "Allow", "Action": [ "bedrock-agentcore:StartBrowserSession", "bedrock-agentcore:StopBrowserSession", "bedrock-agentcore:GetBrowserSession", "bedrock-agentcore:ListBrowserSessions", "bedrock-agentcore:UpdateBrowserStream", "bedrock-agentcore:ConnectBrowserAutomationStream", "bedrock-agentcore:ConnectBrowserLiveViewStream" ], "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:browser-custom/<browserCustomId>" } ] }
AgentCore Code Interpreter (custom)
Add this policy when your harness uses a customer-owned custom code interpreter.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreCodeInterpreterCustom", "Effect": "Allow", "Action": [ "bedrock-agentcore:StartCodeInterpreterSession", "bedrock-agentcore:StopCodeInterpreterSession", "bedrock-agentcore:GetCodeInterpreterSession", "bedrock-agentcore:ListCodeInterpreterSessions", "bedrock-agentcore:InvokeCodeInterpreter" ], "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:code-interpreter-custom/<codeInterpreterCustomId>" } ] }
AgentCore Gateway
Add this policy when your harness uses a gateway configured with SigV4 inbound authentication.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreGatewayAccess", "Effect": "Allow", "Action": "bedrock-agentcore:InvokeGateway", "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:gateway/<gatewayId>" } ] }
API key credential provider (OpenAI, Gemini, or MCP header ARN references)
Add this policy when your harness uses an API key credential provider for model providers such as OpenAI or Gemini.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreApiKeyTokenVaultDefault", "Effect": "Allow", "Action": "bedrock-agentcore:GetResourceApiKey", "Resource": [ "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default", "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default", "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*" ] }, { "Sid": "AgentCoreApiKeyTokenVaultPerKey", "Effect": "Allow", "Action": "bedrock-agentcore:GetResourceApiKey", "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default/apikeycredentialprovider/<apiKeyName>" }, { "Sid": "AgentCoreApiKeySecret", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<region>:<accountId>:secret:bedrock-agentcore-identity!default/apikey/<apiKeyName>-*" } ] }
OAuth2 credential provider (OAuth-protected Gateway)
Add this policy when your harness uses an OAuth2 credential provider for OAuth-protected gateway tools.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AgentCoreOAuth2TokenVaultDefault", "Effect": "Allow", "Action": "bedrock-agentcore:GetResourceOauth2Token", "Resource": [ "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default", "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default", "arn:aws:bedrock-agentcore:<region>:<accountId>:workload-identity-directory/default/workload-identity/harness_<agentName>-*" ] }, { "Sid": "AgentCoreOAuth2TokenVaultPerProvider", "Effect": "Allow", "Action": "bedrock-agentcore:GetResourceOauth2Token", "Resource": "arn:aws:bedrock-agentcore:<region>:<accountId>:token-vault/default/oauth2credentialprovider/<oauthProviderName>" }, { "Sid": "AgentCoreOAuth2Secret", "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:<region>:<accountId>:secret:bedrock-agentcore-identity!default/oauth2/<oauthProviderName>-*" } ] }
Placeholder reference
Replace the following placeholders in the policies above with values specific to your environment:
| Placeholder | Description |
|---|---|
|
|
The AWS Region where your resource is deployed. |
|
|
Your AWS account ID. |
|
|
The name of your harness agent. |
|
|
The ID of your AgentCore memory resource. |
|
|
The ID of your custom browser resource. |
|
|
The ID of your custom code interpreter resource. |
|
|
The ID of your AgentCore Gateway resource. |
|
|
The name of your API key credential provider. |
|
|
The name of your OAuth2 credential provider. |
|
|
The region where your ECR repository is hosted. |
|
|
The AWS account ID that owns the ECR repository. |
|
|
The name of your ECR repository. |
Note
The trailing -* on Secrets Manager resources accounts for the random suffix that Secrets Manager appends to secret ARNs.
Related topics
-
Connect to tools - tool types and allowedTools patterns
-
Environment and Skills - custom environments and ECR permissions
-
Control cost with limits - execution limits to control cost
