Add ability to create IAM roles and submit policy permission requests
Summary
Update the Security Administrator page to support creating new IAM roles (in addition to the existing import flow) and update the Memory Management page to allow requesting permissions for a specific role to access a specific memory resource. This connects the security and memory workflows so that builders can request the IAM permissions needed for their agents to use memory resources.
Context
The Security Administrator page currently supports importing existing IAM roles via ARN (RoleManagementPanel.tsx). The backend already supports a wizard mode on POST /api/security/roles that creates a new IAM role with a trust policy for bedrock-agentcore.amazonaws.com and attaches an inline policy (backend/app/routers/security.py:131-157, backend/app/services/security.py:40-73). However, the frontend only exposes the import mode — the wizard mode is unused.
Separately, the Memory Management page (issue #15) allows creating and managing AgentCore Memory resources. When a memory resource is created, the agent's execution role needs IAM permissions to access that specific memory resource. The permission request system already exists on the Security Administrator page (PermissionRequestsPanel.tsx), but there is no way to initiate a permission request from the Memory page context with pre-filled memory-specific actions and resources.
Backend API Reference

| Method | Path | Description |
|---|---|---|
| POST | /api/security/roles | Create or import a managed role (supports mode: "wizard") |
| POST | /api/security/permission-requests | Create a permission request for a managed role |
| GET | /api/security/roles | List all managed roles |
Existing Types
The frontend ManagedRoleCreateRequest type already supports both modes:
The permission request type:
Requirements
R1: Add Role Creation Flow to Security Admin Page
Update RoleManagementPanel.tsx to support creating new IAM roles in addition to importing existing ones. The current "Add Role" button opens an import-only form. Replace this with a form that lets the user choose between importing an existing role and creating a new one.
Mode Selection
Add a toggle or tab selector within the add-role form:
| Mode | Label | Description |
|---|---|---|
| import | Import Existing | Import a role by ARN (current behavior) |
| wizard | Create New | Create a new IAM role with a trust policy for bedrock-agentcore |
Create New Role Form Fields
| Field | Type | Required | Description |
|---|---|---|---|
| Role Name | Text input | Yes | Name for the new IAM role (e.g., loom-agent-memory-role) |
| Description | Text input | No | Optional description for the role |
The wizard mode should call POST /api/security/roles with mode: "wizard" and the provided role_name and description. The backend handles trust policy creation and tagging. No initial policy document is needed — permissions are added later via permission requests.
UI Behavior
The mode toggle should default to "Import Existing" to preserve current behavior.
When "Create New" is selected, show the role name and description fields instead of the ARN input.
On successful creation, show a toast with the created role name and refresh the role list.
On error, display the backend error message (e.g., "Failed to create IAM role: ...").
Files to Modify
frontend/src/components/RoleManagementPanel.tsx — Add mode toggle and create form fields.
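The following is an added example, not code from the project, showing how the add-role form's two modes can be turned into the body for POST /api/security/roles with the client-side checks a reviewer would expect. The field names mode, role_name and description come from the issue; the import-mode field name role_arn, the form state shape, and the result shape handed to the toast helper are assumptions.

```typescript
// Added example (not project code): build and validate the body sent to
// POST /api/security/roles from the add-role form. `mode`, `role_name` and
// `description` are the field names given in the issue; `role_arn` (import
// mode) and the form/result shapes below are assumptions.

type AddRoleMode = "import" | "wizard";

// Assumed shape of the frontend ManagedRoleCreateRequest type.
interface ManagedRoleCreateRequest {
  mode: AddRoleMode;
  role_arn?: string;    // import mode (field name assumed)
  role_name?: string;   // wizard mode
  description?: string; // wizard mode, optional
}

interface AddRoleFormState {
  mode: AddRoleMode; // defaults to "import" to preserve current behavior
  roleArn: string;
  roleName: string;
  description: string;
}

const DEFAULT_ADD_ROLE_FORM: AddRoleFormState = {
  mode: "import",
  roleArn: "",
  roleName: "",
  description: "",
};

// IAM role names are 1-64 characters from [A-Za-z0-9+=,.@_-]; checking this
// client-side surfaces a typo before any IAM CreateRole call is made.
const ROLE_NAME_RE = /^[\w+=,.@-]{1,64}$/;

// IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
const ROLE_ARN_RE = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

function buildRoleCreateRequest(form: AddRoleFormState): ManagedRoleCreateRequest {
  if (form.mode === "import") {
    const arn = form.roleArn.trim();
    if (!ROLE_ARN_RE.test(arn)) {
      throw new Error("Enter a valid IAM role ARN (arn:aws:iam::<account-id>:role/<name>)");
    }
    return { mode: "import", role_arn: arn };
  }
  // wizard mode: the backend builds the trust policy and tags; no policy
  // document is sent, permissions arrive later via permission requests.
  const roleName = form.roleName.trim();
  if (!ROLE_NAME_RE.test(roleName)) {
    throw new Error("Role name must be 1-64 characters using letters, digits, or + = , . @ _ -");
  }
  const description = form.description.trim();
  const body: ManagedRoleCreateRequest = { mode: "wizard", role_name: roleName };
  if (description) body.description = description;
  return body;
}

// Assumed shape of the POST result; mapped to the toasts the issue describes
// (created role name on success, backend error message on failure).
interface RoleCreateResult {
  ok: boolean;
  role?: { name: string; arn: string };
  error?: string;
}

function toastForRoleCreate(result: RoleCreateResult): { kind: "success" | "error"; message: string } {
  if (result.ok && result.role) {
    return { kind: "success", message: `Created role ${result.role.name}` };
  }
  return { kind: "error", message: result.error ?? "Failed to create IAM role: unknown error" };
}

// Usage with constructed form input:
const wizardBody = buildRoleCreateRequest({
  ...DEFAULT_ADD_ROLE_FORM,
  mode: "wizard",
  roleName: "loom-agent-memory-role",
  description: "Memory access for loom agents",
});
console.log(JSON.stringify(wizardBody));
```

The two regular expressions encode IAM's own naming rules, so a bad name or ARN is rejected in the form rather than surfacing as a backend error after a round trip; the backend still validates, so this is a usability check, not the security boundary.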
R2: Add Memory Permission Request to Memory Page
Update the Memory Management page to include a "Request Permissions" action for each memory resource. This action should create a permission request that grants a selected IAM role access to the specific memory resource.
Permission Request Flow
Add a "Request Permissions" button to each memory resource row (or detail view). When clicked, show an inline form or dialog with:
| Field | Type | Required | Description |
|---|---|---|---|
| IAM Role | Select dropdown | Yes | Select from managed roles (GET /api/security/roles) |
| Actions | Pre-filled, editable | Yes | Default to AgentCore memory actions (see below) |
| Justification | Text input | Yes | Reason for the permission request |
Default Memory Actions
Pre-fill the requested_actions with the standard AgentCore memory actions:
Default Memory Resources
Pre-fill the requested_resources with the memory resource ARN from the memory response:
```json
[
  "<memory_response.arn>"
]
```
If the memory resource ARN is not yet available (e.g., status is CREATING), disable the "Request Permissions" button and show a tooltip indicating the resource must be active first.
Submission
Submit to POST /api/security/permission-requests with:
On success, show toast.success("Permission request submitted"). On error, show toast.error(error.message).
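As an added example that is not part of the issue or the project's code, this shows the gating rule for the "Request Permissions" button and the construction of the POST /api/security/permission-requests body, scoped to the single memory resource. The fields requested_actions, requested_resources and justification and the statuses ACTIVE and CREATING come from the issue; the role_id field name, the MemoryResponse shape, the extra statuses, and the sample action and ARN values are assumptions or labelled placeholders.

```typescript
// Added example (not project code): "Request Permissions" button gating and
// the body for POST /api/security/permission-requests. `requested_actions`,
// `requested_resources`, `justification`, ACTIVE and CREATING are from the
// issue; `role_id`, the MemoryResponse shape and the sample values are assumed.

type MemoryStatus = "CREATING" | "ACTIVE" | "DELETING" | "FAILED"; // only ACTIVE/CREATING are in the issue

interface MemoryResponse {
  id: string;
  name: string;
  status: MemoryStatus;
  arn: string | null; // null until the resource is active
}

// Assumed shape of the frontend PermissionRequestCreateRequest type.
interface PermissionRequestCreateRequest {
  role_id: string; // field name assumed
  requested_actions: string[];
  requested_resources: string[];
  justification: string;
}

interface ButtonState { enabled: boolean; tooltip?: string }

// The button is enabled only for an ACTIVE resource with a non-null ARN;
// otherwise it is disabled with the tooltip the issue asks for.
function requestPermissionsButtonState(mem: MemoryResponse): ButtonState {
  if (mem.status !== "ACTIVE" || !mem.arn) {
    return {
      enabled: false,
      tooltip: `Memory resource must be active before requesting permissions (status: ${mem.status})`,
    };
  }
  return { enabled: true };
}

// IAM actions have the form "<service>:<Action>". The list is editable in the
// form, so it is validated again here. Rejecting the bare "*" and "service:*"
// wildcards is an added least-privilege guard, not a requirement of the issue.
const ACTION_RE = /^[a-z0-9-]+:[A-Za-z0-9*]+$/;

function validateActions(actions: string[]): string[] {
  const cleaned = actions.map((a) => a.trim()).filter((a) => a.length > 0);
  if (cleaned.length === 0) throw new Error("At least one action is required");
  for (const a of cleaned) {
    if (!ACTION_RE.test(a) || a.endsWith(":*")) {
      throw new Error(`Invalid or overly broad action: ${a}`);
    }
  }
  return Array.from(new Set(cleaned)); // drop duplicates
}

function buildMemoryPermissionRequest(
  mem: MemoryResponse,
  roleId: string,
  actions: string[],
  justification: string,
): PermissionRequestCreateRequest {
  const state = requestPermissionsButtonState(mem);
  if (!state.enabled || !mem.arn) throw new Error(state.tooltip ?? "Memory resource is not active");
  if (!roleId) throw new Error("Select an IAM role");
  const reason = justification.trim();
  if (!reason) throw new Error("Justification is required");
  return {
    role_id: roleId,
    requested_actions: validateActions(actions),
    requested_resources: [mem.arn], // scoped to this one memory resource, never "*"
    justification: reason,
  };
}

// Constructed sample data (placeholders, not real identifiers):
const SAMPLE_MEMORY: MemoryResponse = {
  id: "mem-1",
  name: "loom-agent-memory",
  status: "ACTIVE",
  arn: "arn:aws:bedrock-agentcore:us-east-1:123456789012:memory/EXAMPLE",
};
// Stand-in for the issue's default memory action list (placeholder action name).
const PLACEHOLDER_ACTIONS = ["bedrock-agentcore:ExampleMemoryAction"];

console.log(JSON.stringify(
  buildMemoryPermissionRequest(SAMPLE_MEMORY, "role-1", PLACEHOLDER_ACTIONS, "Agent needs its memory store"),
));
```

The resource list is always taken from the memory response rather than from an editable field, so a request can only ever be scoped to the resource the button was clicked on; the actions are the only part the user can widen, which is why they are re-validated before submission.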
Files to Create/Modify
frontend/src/components/MemoryManagementPanel.tsx — Add permission request UI per memory resource (if this file exists from issue #15, Add memory management frontend).
frontend/src/pages/MemoryManagementPage.tsx — Alternatively add here if memory management is page-level (if this file exists from issue #15, Add memory management frontend).
frontend/src/api/security.ts — Already has createPermissionRequest; no changes needed.
frontend/src/hooks/useSecurity.ts — Already has usePermissionRequests with createRequest; may need to also expose useManagedRoles for role dropdown population.
Dependencies
Issue #15 (Add memory management frontend) must be completed first — this issue builds on the Memory Management page.
The backend already supports both wizard mode role creation and permission requests; no backend changes are needed.
Files to Create/Modify
Modify
frontend/src/components/RoleManagementPanel.tsx — Add import/create mode toggle and create-new-role form fields.
frontend/src/components/MemoryManagementPanel.tsx — Add "Request Permissions" button and inline form per memory resource.
No Changes Needed
frontend/src/api/security.ts — Already supports createManagedRole with wizard mode and createPermissionRequest.
frontend/src/api/types.ts — Already has ManagedRoleCreateRequest with wizard fields and PermissionRequestCreateRequest.
frontend/src/hooks/useSecurity.ts — Already has useManagedRoles and usePermissionRequests hooks.
backend/app/routers/security.py — Already supports wizard mode and permission requests.
backend/app/services/security.py — Already has create_iam_role_with_policy.
Acceptance Criteria
Security Admin "IAM Roles" tab shows a mode toggle (Import Existing / Create New) in the add-role form
"Import Existing" mode works identically to current behavior (ARN input)
"Create New" mode accepts a role name and description, calls the backend wizard mode, and creates an IAM role
New roles appear in the role list after creation with correct name and ARN
Toast notifications appear for successful role creation and errors
Memory Management page shows a "Request Permissions" button on each memory resource with an ACTIVE status and a non-null ARN
"Request Permissions" button is disabled for memory resources that are not yet active
Clicking "Request Permissions" shows a form with role dropdown, pre-filled actions, and justification input
Submitting the form creates a permission request visible on the Security Admin "Permission Requests" tab
No backend changes are required — all functionality uses existing API endpoints