

# IAM Permissions
<a name="registry-iam-permissions"></a>

## Registry actions
<a name="registry-iam-actions"></a>

For an identity to be able to create, manage, or use Registries, you need to attach an identity-based policy to the IAM identity to allow it to perform [Amazon Bedrock AgentCore-related actions](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrockagentcore.html). For comprehensive permissions, you can use the [BedrockAgentCoreFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/BedrockAgentCoreFullAccess.html) managed policy.

For greater security and control, you can create your own custom policy that keeps only the permissions from the full access policy that the identity actually needs, scoped to specific registry or record resources where possible.

## Registry control plane actions
<a name="registry-iam-control-plane"></a>


| Action | Description | Access level | 
| --- | --- | --- | 
|   `bedrock-agentcore:CreateRegistry`   |  Grants permission to create a registry  |  Write  | 
|   `bedrock-agentcore:GetRegistry`   |  Grants permission to get a registry  |  Read  | 
|   `bedrock-agentcore:UpdateRegistry`   |  Grants permission to update a registry  |  Write  | 
|   `bedrock-agentcore:DeleteRegistry`   |  Grants permission to delete a registry  |  Write  | 
|   `bedrock-agentcore:ListRegistries`   |  Grants permission to list registries  |  List  | 

## Registry record control plane actions
<a name="registry-iam-record-control-plane"></a>


| Action | Description | Access level | 
| --- | --- | --- | 
|   `bedrock-agentcore:CreateRegistryRecord`   |  Grants permission to create a registry record  |  Write  | 
|   `bedrock-agentcore:GetRegistryRecord`   |  Grants permission to get a registry record  |  Read  | 
|   `bedrock-agentcore:UpdateRegistryRecord`   |  Grants permission to update a registry record  |  Write  | 
|   `bedrock-agentcore:DeleteRegistryRecord`   |  Grants permission to delete a registry record  |  Write  | 
|   `bedrock-agentcore:ListRegistryRecords`   |  Grants permission to list registry records  |  List  | 
|   `bedrock-agentcore:SubmitRegistryRecordForApproval`   |  Grants permission to submit a registry record for approval  |  Write  | 
|   `bedrock-agentcore:UpdateRegistryRecordStatus`   |  Grants permission to approve, reject, or deprecate a registry record  |  Write  | 

## Registry data plane actions
<a name="registry-iam-data-plane"></a>


| Action | Description | Access level | 
| --- | --- | --- | 
|   `bedrock-agentcore:SearchRegistryRecords`   |  Grants permission to search registry records  |  Read  | 
|   `bedrock-agentcore:InvokeRegistryMcp`   |  Grants permission to invoke the registry MCP endpoint  |  Read  | 

**Note**  
To invoke the registry MCP server, the identity needs both the `bedrock-agentcore:SearchRegistryRecords` and the `bedrock-agentcore:InvokeRegistryMcp` permission. Granting only one of the two is not sufficient.

## Registry resource types
<a name="registry-iam-resource-types"></a>

The following resource types are defined for AWS Agent Registry:


| Resource type | ARN format | 
| --- | --- | 
|  Registry  |   `arn:aws:bedrock-agentcore:{region}:{account}:registry/{registryId}`   | 
|  Registry record  |   `arn:aws:bedrock-agentcore:{region}:{account}:registry/{registryId}/record/{recordId}`   | 
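The following Python example is added here to illustrate the custom-policy guidance above, the note that MCP invocation needs both data-plane actions, and the ARN formats in the resource-type table; it is not code from the AWS documentation or from the service. It builds least-privilege policy documents for three roles (an MCP consumer, a record author, and a record approver) and runs a deliberately simplified allow-check over them to catch the half-configured case where only `SearchRegistryRecords` was granted. The region, account ID, and registry ID are constructed sample values, and which resource ARN each action is evaluated against (record-level actions against the record ARN, registry-level and data-plane actions against the registry ARN) is an assumption to verify against the service authorization reference linked above. The evaluator honours wildcards but models neither `Deny` statements nor `Condition` keys, so it is a local sanity check, not a replacement for the IAM policy simulator.

```python
import fnmatch
import json

# Constructed sample values (not real account or registry identifiers)
REGION = "us-east-1"
ACCOUNT = "111122223333"
REGISTRY_ID = "example-registry-id"

# ARN formats from the resource-type table
REGISTRY_ARN = f"arn:aws:bedrock-agentcore:{REGION}:{ACCOUNT}:registry/{REGISTRY_ID}"

# Both data-plane actions are required to invoke the registry MCP endpoint
MCP_CONSUMER_ACTIONS = (
    "bedrock-agentcore:SearchRegistryRecords",
    "bedrock-agentcore:InvokeRegistryMcp",
)


def _policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}


def mcp_consumer_policy(registry_arn=REGISTRY_ARN):
    """Read-only consumer of one registry. Assumption: both actions scope to the registry ARN."""
    return _policy({
        "Sid": "RegistryMcpConsumer",
        "Effect": "Allow",
        "Action": list(MCP_CONSUMER_ACTIONS),
        "Resource": registry_arn,
    })


def search_only_policy(registry_arn=REGISTRY_ARN):
    """Half-configured policy: search works, but MCP invocation will be denied."""
    return _policy({
        "Sid": "SearchOnly",
        "Effect": "Allow",
        "Action": "bedrock-agentcore:SearchRegistryRecords",
        "Resource": registry_arn,
    })


def record_author_policy(registry_arn=REGISTRY_ARN):
    """Author: creates, edits and submits records but cannot change their approval status.
    Keeping UpdateRegistryRecordStatus out of this policy separates authoring from approval."""
    return _policy(
        {
            "Sid": "ReadRegistry",
            "Effect": "Allow",
            "Action": ["bedrock-agentcore:GetRegistry", "bedrock-agentcore:ListRegistryRecords"],
            "Resource": registry_arn,
        },
        {
            "Sid": "AuthorRecords",
            "Effect": "Allow",
            "Action": [
                "bedrock-agentcore:CreateRegistryRecord",
                "bedrock-agentcore:GetRegistryRecord",
                "bedrock-agentcore:UpdateRegistryRecord",
                "bedrock-agentcore:SubmitRegistryRecordForApproval",
            ],
            "Resource": f"{registry_arn}/record/*",  # record ARN format, any record in this registry
        },
    )


def record_approver_policy(registry_arn=REGISTRY_ARN):
    """Approver: reads submitted records and approves, rejects or deprecates them."""
    return _policy({
        "Sid": "ApproveRecords",
        "Effect": "Allow",
        "Action": [
            "bedrock-agentcore:GetRegistryRecord",
            "bedrock-agentcore:UpdateRegistryRecordStatus",
        ],
        "Resource": f"{registry_arn}/record/*",
    })


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Simplified check: True if any Allow statement matches both the action and the resource.
    IAM action names are matched case-insensitively; Deny and Condition are not modelled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                        for pat in _as_list(stmt.get("Action", [])))
        resource_ok = any(fnmatch.fnmatchcase(resource_arn, pat)
                          for pat in _as_list(stmt.get("Resource", [])))
        if action_ok and resource_ok:
            return True
    return False


def missing_mcp_permissions(policy, registry_arn=REGISTRY_ARN):
    """Return the MCP-related actions the policy does not grant on the given registry."""
    return [a for a in MCP_CONSUMER_ACTIONS if not is_allowed(policy, a, registry_arn)]


if __name__ == "__main__":
    print(json.dumps(mcp_consumer_policy(), indent=2))
    print("missing for search-only policy:", missing_mcp_permissions(search_only_policy()))
```

Running the module prints the consumer policy document and reports `bedrock-agentcore:InvokeRegistryMcp` as missing from the search-only policy. The author and approver policies are split on purpose: the identity that submits a record for approval should not also hold `UpdateRegistryRecordStatus`, so that a single compromised author credential cannot both publish and approve a record.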