Add ability to create IAM roles and submit policy permission requests #17

@heeki

Summary

Update the Security Administrator page to support creating new IAM roles (in addition to the existing import flow) and update the Memory Management page to allow requesting permissions for a specific role to access a specific memory resource. This connects the security and memory workflows so that builders can request the IAM permissions needed for their agents to use memory resources.

Context

The Security Administrator page currently supports importing existing IAM roles via ARN (RoleManagementPanel.tsx). The backend already supports a wizard mode on POST /api/security/roles that creates a new IAM role with a trust policy for bedrock-agentcore.amazonaws.com and attaches an inline policy (backend/app/routers/security.py:131-157, backend/app/services/security.py:40-73). However, the frontend only exposes the import mode — the wizard mode is unused.

Separately, the Memory Management page (issue #15) allows creating and managing AgentCore Memory resources. When a memory resource is created, the agent's execution role needs IAM permissions to access that specific memory resource. The permission request system already exists on the Security Administrator page (PermissionRequestsPanel.tsx), but there is no way to initiate a permission request from the Memory page context with pre-filled memory-specific actions and resources.

Backend API Reference

| Method | Path | Description |
|---|---|---|
| POST | /api/security/roles | Create or import a managed role (supports mode: "wizard") |
| POST | /api/security/permission-requests | Create a permission request for a managed role |
| GET | /api/security/roles | List all managed roles |

Existing Types

The frontend ManagedRoleCreateRequest type already supports both modes:

```typescript
export interface ManagedRoleCreateRequest {
  mode: "import" | "wizard";
  role_arn?: string;        // import mode
  role_name?: string;       // wizard mode
  description?: string;     // wizard mode
  policy_document?: PolicyDocument;  // wizard mode
}
```

The permission request type:

```typescript
export interface PermissionRequestCreateRequest {
  managed_role_id: number;
  requested_actions: string[];
  requested_resources: string[];
  justification: string;
}
```

Requirements

R1: Add Role Creation Flow to Security Admin Page

Update RoleManagementPanel.tsx to support creating new IAM roles in addition to importing existing ones. The current "Add Role" button opens an import-only form. Replace this with a form that lets the user choose between importing an existing role and creating a new one.

Mode Selection

Add a toggle or tab selector within the add-role form:

| Mode | Label | Description |
|---|---|---|
| import | Import Existing | Import a role by ARN (current behavior) |
| wizard | Create New | Create a new IAM role with a trust policy for bedrock-agentcore |

Create New Role Form Fields

| Field | Type | Required | Description |
|---|---|---|---|
| Role Name | Text input | Yes | Name for the new IAM role (e.g., loom-agent-memory-role) |
| Description | Text input | No | Optional description for the role |

The wizard mode should call POST /api/security/roles with mode: "wizard" and the provided role_name and description. The backend handles trust policy creation and tagging. No initial policy document is needed — permissions are added later via permission requests.

UI Behavior

  • The mode toggle should default to "Import Existing" to preserve current behavior.
  • When "Create New" is selected, show the role name and description fields instead of the ARN input.
  • On successful creation, show a toast with the created role name and refresh the role list.
  • On error, display the backend error message (e.g., "Failed to create IAM role: ...").

Files to Modify

  • frontend/src/components/RoleManagementPanel.tsx — Add mode toggle and create form fields.
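The mode toggle and the wizard-mode request body described in R1, as an added example (not code from the project or the issue author). ManagedRoleCreateRequest and the two mode values are taken from the issue; the AddRoleFormState shape, the ARN and role-name patterns, and the error strings are assumptions made for illustration. The builder validates client-side before any call to POST /api/security/roles, and deliberately omits policy_document in wizard mode, matching the issue's note that permissions are added later via permission requests.

```typescript
// Added example: request builder and validation for the import/create mode toggle
// in the add-role form. ManagedRoleCreateRequest comes from the issue; the form
// state shape, regexes and error strings are assumptions.

export interface PolicyDocument {
  Version: string;
  Statement: unknown[];
}

export interface ManagedRoleCreateRequest {
  mode: "import" | "wizard";
  role_arn?: string;        // import mode
  role_name?: string;       // wizard mode
  description?: string;     // wizard mode
  policy_document?: PolicyDocument; // wizard mode; left unset here, permissions come later
}

export type AddRoleMode = ManagedRoleCreateRequest["mode"];

// Local form state for the panel (assumed shape). Defaults to "import" so the
// existing ARN flow remains the initial behaviour.
export interface AddRoleFormState {
  mode: AddRoleMode;
  roleArn: string;
  roleName: string;
  description: string;
}

export const INITIAL_ADD_ROLE_FORM: AddRoleFormState = {
  mode: "import",
  roleArn: "",
  roleName: "",
  description: "",
};

// IAM role names: 1-64 characters from letters, digits and + = , . @ _ - (documented IAM limit).
const ROLE_NAME_RE = /^[\w+=,.@-]{1,64}$/;
// IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<optional path>/<name>.
const ROLE_ARN_RE = /^arn:aws[a-z-]*:iam::\d{12}:role\/[\w+=,.@\/-]+$/;

export type BuildResult<T> =
  | { ok: true; request: T }
  | { ok: false; error: string };

// Validate the form for the selected mode and produce the POST /api/security/roles body.
// Returning an error string instead of throwing lets the panel show it inline
// before any network call is made.
export function buildRoleCreateRequest(
  form: AddRoleFormState,
): BuildResult<ManagedRoleCreateRequest> {
  if (form.mode === "import") {
    const arn = form.roleArn.trim();
    if (!ROLE_ARN_RE.test(arn)) {
      return { ok: false, error: "Enter a valid IAM role ARN (arn:aws:iam::<account-id>:role/<name>)" };
    }
    return { ok: true, request: { mode: "import", role_arn: arn } };
  }

  const roleName = form.roleName.trim();
  if (!ROLE_NAME_RE.test(roleName)) {
    return { ok: false, error: "Role name must be 1-64 characters using letters, digits, or + = , . @ _ -" };
  }
  const request: ManagedRoleCreateRequest = { mode: "wizard", role_name: roleName };
  const description = form.description.trim();
  if (description) request.description = description; // blank optional fields are omitted, not sent as ""
  return { ok: true, request };
}
```

In the panel, the submit handler would call buildRoleCreateRequest(form) and either render the error under the form or pass the request to the existing createManagedRole API call; on success the role name for the toast is request.role_name in wizard mode.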

R2: Add Memory Permission Request to Memory Page

Update the Memory Management page to include a "Request Permissions" action for each memory resource. This action should create a permission request that grants a selected IAM role access to the specific memory resource.

Permission Request Flow

Add a "Request Permissions" button to each memory resource row (or detail view). When clicked, show an inline form or dialog with:

| Field | Type | Required | Description |
|---|---|---|---|
| IAM Role | Select dropdown | Yes | Select from managed roles (GET /api/security/roles) |
| Actions | Pre-filled, editable | Yes | Default to AgentCore memory actions (see below) |
| Justification | Text input | Yes | Reason for the permission request |

Default Memory Actions

Pre-fill the requested_actions with the standard AgentCore memory actions:

```json
[
  "bedrock:InvokeModel",
  "bedrock:GetMemory",
  "bedrock:CreateMemoryEvent",
  "bedrock:DeleteMemory"
]
```

Default Memory Resources

Pre-fill the requested_resources with the memory resource ARN from the memory response:

```json
[
  "<memory_response.arn>"
]
```

If the memory resource ARN is not yet available (e.g., status is CREATING), disable the "Request Permissions" button and show a tooltip indicating the resource must be active first.

Submission

Submit to POST /api/security/permission-requests with:

```typescript
{
  managed_role_id: selectedRole.id,
  requested_actions: [...memoryActions],
  requested_resources: [memoryArn],
  justification: userJustification
}
```

On success, show toast.success("Permission request submitted"). On error, show toast.error(error.message).
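The availability gate (R2's "disable when not ACTIVE / no ARN" rule) and the submission payload above, as an added example that is not part of the issue or the project's code. PermissionRequestCreateRequest, the default action list and the submission shape are taken from the issue; the MemoryResource and ManagedRole shapes, the IAM action-format check, and the tooltip and error strings are assumptions. The builder scopes requested_resources to the single memory ARN, so the resulting grant is least-privilege by construction, and it rejects a bare "*" action so an edited action list cannot silently widen to every action on the resource.

```typescript
// Added example: availability gate and payload builder for the "Request Permissions"
// action on a memory resource. PermissionRequestCreateRequest and DEFAULT_MEMORY_ACTIONS
// come from the issue; the row shapes, regex and message strings are assumptions.

export interface PermissionRequestCreateRequest {
  managed_role_id: number;
  requested_actions: string[];
  requested_resources: string[];
  justification: string;
}

// Assumed shapes of the rows behind the role dropdown and the memory list.
export interface ManagedRole { id: number; role_name: string; role_arn: string; }
export type MemoryStatus = "CREATING" | "ACTIVE" | "FAILED" | "DELETING";
export interface MemoryResource { id: string; name: string; status: MemoryStatus; arn: string | null; }

// Default actions from the issue; pre-filled but editable in the form.
export const DEFAULT_MEMORY_ACTIONS: readonly string[] = [
  "bedrock:InvokeModel",
  "bedrock:GetMemory",
  "bedrock:CreateMemoryEvent",
  "bedrock:DeleteMemory",
];

// IAM action syntax is "<service-prefix>:<ActionName>" (a trailing "*" wildcard is allowed);
// a lone "*" does not match, so the request cannot escalate to all actions.
const IAM_ACTION_RE = /^[a-z0-9-]+:[A-Za-z0-9]+\*?$/;

export interface Availability { enabled: boolean; tooltip?: string; }

// Decide whether the button is enabled: status must be ACTIVE and the ARN must be present
// (a CREATING resource has no ARN yet, so both checks are needed).
export function requestPermissionsAvailability(memory: MemoryResource): Availability {
  if (memory.status !== "ACTIVE") {
    return {
      enabled: false,
      tooltip: `Memory resource must be ACTIVE before requesting permissions (current status: ${memory.status})`,
    };
  }
  if (!memory.arn) {
    return { enabled: false, tooltip: "Memory resource has no ARN yet; refresh once it is active" };
  }
  return { enabled: true };
}

export type BuildResult<T> = { ok: true; request: T } | { ok: false; error: string };

// Build the POST /api/security/permission-requests body. Resources are scoped to the one
// memory ARN (never "*"), so the grant stays least-privilege.
export function buildMemoryPermissionRequest(
  role: ManagedRole | null,
  memory: MemoryResource,
  actions: readonly string[],
  justification: string,
): BuildResult<PermissionRequestCreateRequest> {
  if (!role) return { ok: false, error: "Select an IAM role" };
  const availability = requestPermissionsAvailability(memory);
  if (!availability.enabled || !memory.arn) {
    return { ok: false, error: availability.tooltip ?? "Memory resource is not ready" };
  }

  // Normalise the editable action list: trim, drop blanks, de-duplicate, validate syntax.
  const cleaned: string[] = [];
  for (const raw of actions) {
    const action = raw.trim();
    if (action && cleaned.indexOf(action) === -1) cleaned.push(action);
  }
  if (cleaned.length === 0) return { ok: false, error: "At least one action is required" };
  const invalid = cleaned.filter((a) => !IAM_ACTION_RE.test(a));
  if (invalid.length > 0) return { ok: false, error: `Invalid IAM action(s): ${invalid.join(", ")}` };

  const reason = justification.trim();
  if (!reason) return { ok: false, error: "Justification is required" };

  return {
    ok: true,
    request: {
      managed_role_id: role.id,
      requested_actions: cleaned,
      requested_resources: [memory.arn],
      justification: reason,
    },
  };
}
```

The row would render the button with disabled set from requestPermissionsAvailability(memory).enabled and the tooltip from the same result; the dialog's submit handler passes the result of buildMemoryPermissionRequest to the existing createRequest hook and maps ok/error onto toast.success and toast.error.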

Files to Create/Modify

  • frontend/src/components/MemoryManagementPanel.tsx — Add permission request UI per memory resource (if this file exists from issue #15, Add memory management frontend).
  • frontend/src/pages/MemoryManagementPage.tsx — Alternatively add here if memory management is page-level (if this file exists from issue #15, Add memory management frontend).
  • frontend/src/api/security.ts — Already has createPermissionRequest; no changes needed.
  • frontend/src/hooks/useSecurity.ts — Already has usePermissionRequests with createRequest; may need to also expose useManagedRoles for role dropdown population.

Dependencies

  • Issue #15 (Add memory management frontend) must be completed first — this issue builds on the Memory Management page.
  • The backend already supports both wizard mode role creation and permission requests; no backend changes are needed.

Files to Create/Modify

Modify

  • frontend/src/components/RoleManagementPanel.tsx — Add import/create mode toggle and create-new-role form fields.
  • frontend/src/components/MemoryManagementPanel.tsx — Add "Request Permissions" button and inline form per memory resource.

No Changes Needed

  • frontend/src/api/security.ts — Already supports createManagedRole with wizard mode and createPermissionRequest.
  • frontend/src/api/types.ts — Already has ManagedRoleCreateRequest with wizard fields and PermissionRequestCreateRequest.
  • frontend/src/hooks/useSecurity.ts — Already has useManagedRoles and usePermissionRequests hooks.
  • backend/app/routers/security.py — Already supports wizard mode and permission requests.
  • backend/app/services/security.py — Already has create_iam_role_with_policy.

Acceptance Criteria

  • Security Admin "IAM Roles" tab shows a mode toggle (Import Existing / Create New) in the add-role form
  • "Import Existing" mode works identically to current behavior (ARN input)
  • "Create New" mode accepts a role name and description, calls the backend wizard mode, and creates an IAM role
  • New roles appear in the role list after creation with correct name and ARN
  • Toast notifications appear for successful role creation and errors
  • Memory Management page shows a "Request Permissions" button on each memory resource with an ACTIVE status and a non-null ARN
  • "Request Permissions" button is disabled for memory resources that are not yet active
  • Clicking "Request Permissions" shows a form with role dropdown, pre-filled actions, and justification input
  • Submitting the form creates a permission request visible on the Security Admin "Permission Requests" tab
  • No backend changes are required — all functionality uses existing API endpoints

Labels: enhancement (New feature or request)