stepfunctions-tasks: Step Functions SDK Integration generates incorrect IAM permissions for Bedrock Agent actions #35146

@pahud

Description

Describe the bug

The CDK's Step Functions SDK integration (CallAwsService) generates incorrect IAM permissions for Amazon Bedrock Agent actions. When using service="bedrockagent" with actions like startIngestionJob and getIngestionJob, the auto-generated IAM policy uses the wrong service prefix.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

The CDK should generate:

{
    "Action": [
        "bedrock:GetIngestionJob",
        "bedrock:StartIngestionJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Current Behavior

{
    "Action": [
        "bedrockagent:getIngestionJob",
        "bedrockagent:startIngestionJob"
    ],
    "Resource": "*",
    "Effect": "Allow"
}

Reproduction Steps

import * as tasks from 'aws-cdk-lib/aws-stepfunctions-tasks';

// TypeScript: CallAwsService is a construct, so it needs `new`, and the
// props use camelCase (iamResources, resultPath), not snake_case.
const startJobTask = new tasks.CallAwsService(this, "StartIngestionJob", {
    service: "bedrockagent",
    action: "startIngestionJob",
    parameters: {
        "KnowledgeBaseId.$": "$.datasource.knowledgeBaseId",
        "DataSourceId.$": "$.datasource.dataSourceId",
    },
    iamResources: ["*"],
    resultPath: "$.startJobResult",
});

Possible Solution

No response

Additional Information/Context

Evidence

According to the AWS Service Authorization Reference for Amazon Bedrock:

  1. Service prefix: Amazon Bedrock uses the service prefix bedrock for ALL IAM actions
  2. Specific actions: Both StartIngestionJob and GetIngestionJob are listed as bedrock:StartIngestionJob and bedrock:GetIngestionJob
  3. CLI mapping: While the AWS CLI uses aws bedrock-agent start-ingestion-job, the IAM permissions still use the bedrock: prefix

Impact

• Step Functions executions fail with access denied errors
• Users must manually override IAM policies as a workaround
• Inconsistent behavior between CLI service names and IAM action prefixes

Workaround

Manually add the correct permissions to the execution role:

executionRole.addToPolicy(new iam.PolicyStatement({
    effect: iam.Effect.ALLOW,
    actions: [
        "bedrock:StartIngestionJob",
        "bedrock:GetIngestionJob"
    ],
    resources: ["*"]
}));
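To make the mismatch described under Evidence checkable before deployment, here is an added example (not aws-cdk-lib code) that models how an aws-sdk integration's (service, action) pair should map to an IAM action and audits a synthesized policy statement against that mapping. The IAM_SERVICE_PREFIX table, iamActionFor and auditSdkStatement are this example's own names; only the bedrockagent -> bedrock entry comes from the issue.

```typescript
// Added example, not CDK source: maps a Step Functions SDK-integration
// (service, action) pair to the IAM action the Service Authorization
// Reference expects, then audits a synthesized statement against it.

// SDK-integration service names whose IAM service prefix differs.
// Only the entry from this issue is included; the table is an assumption.
const IAM_SERVICE_PREFIX: Record<string, string> = {
  bedrockagent: "bedrock",
};

// IAM action names are PascalCase, SDK-integration actions are camelCase.
function iamActionFor(service: string, action: string): string {
  const prefix = IAM_SERVICE_PREFIX[service] ?? service;
  const pascal = action.charAt(0).toUpperCase() + action.slice(1);
  return `${prefix}:${pascal}`;
}

// Shape of one statement as it appears in a synthesized CloudFormation template.
interface PolicyStatement {
  Action: string | string[];
  Resource: string | string[];
  Effect: string;
}

// Compare the actions a task actually generated with the ones it should have.
// Returns the offending entries and the corrected list a reviewer can apply.
function auditSdkStatement(
  stmt: PolicyStatement,
  service: string,
  actions: string[],
): { wrong: string[]; corrected: string[] } {
  const present = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
  const corrected = actions.map((a) => iamActionFor(service, a)).sort();
  const wrong = present.filter((a) => !corrected.includes(a));
  return { wrong, corrected };
}

// Constructed sample: the statement from the "Current Behavior" section.
const currentStatement: PolicyStatement = {
  Action: ["bedrockagent:getIngestionJob", "bedrockagent:startIngestionJob"],
  Resource: "*",
  Effect: "Allow",
};

const report = auditSdkStatement(currentStatement, "bedrockagent", [
  "startIngestionJob",
  "getIngestionJob",
]);
console.log(report);
```

CallAwsService also accepts an iamAction property to override the generated action for a single task, which avoids widening the role with a separate addToPolicy statement.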

AWS CDK Library version (aws-cdk-lib)

2.196.1

AWS CDK CLI version

2.1021.0 (build 059c862)

Node.js Version

v22.11.0

OS

mac os x

Language

TypeScript

Language Version

No response

Other information

No response
