
Conversation


@pahud pahud commented Aug 4, 2025

Add bedrockagent: 'bedrock' mapping to iamServiceMap in CallAwsService to ensure correct IAM permissions are generated. Without this mapping, Step Functions tasks using service='bedrockagent' would generate incorrect 'bedrockagent:action' IAM permissions instead of the correct 'bedrock:action' format required by AWS IAM.

Fixes issue where Bedrock Agent actions like startIngestionJob and getIngestionJob would fail with access denied errors due to incorrect IAM policy generation.

Issue # (if applicable)

Closes #35146

Reason for this change

The CDK's Step Functions SDK integration (CallAwsService) generates incorrect IAM permissions for Amazon Bedrock Agent actions. When using service="bedrockagent" with actions like startIngestionJob and getIngestionJob, the auto-generated IAM policy incorrectly uses the bedrockagent: service prefix instead of the correct bedrock: prefix.

This causes Step Functions executions to fail with access denied errors because AWS IAM uses bedrock: as the service prefix for all Bedrock-related actions, including Bedrock Agent operations.

Description of changes

Core Change:

  • Added bedrockagent: 'bedrock' mapping to the existing iamServiceMap object in CallAwsService class
  • This follows the established pattern used by 6 other service mappings (e.g., mwaa: 'airflow', sfn: 'states')

Test Coverage:

  • Added comprehensive test case 'IAM policy for bedrockagent' following existing test patterns
  • Verifies that service: 'bedrockagent' generates correct bedrock:startIngestionJob IAM action
  • Ensures no regressions in existing service mappings

Files Modified:

  • packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/aws-sdk/call-aws-service.ts - Added mapping
  • packages/aws-cdk-lib/aws-stepfunctions-tasks/test/aws-sdk/call-aws-service.test.ts - Added test

Design Decision:

This approach was chosen because it follows the existing architecture pattern and requires minimal code changes while maintaining backward compatibility. Alternative approaches like modifying the IAM action generation logic would be more invasive and risky.

Describe any new or updated permissions being added

No new permissions are being added. This change corrects the IAM service prefix from bedrockagent: to bedrock: for existing Bedrock Agent actions. The actions themselves (startIngestionJob, getIngestionJob, etc.) remain the same.

Description of how you validated changes

Unit Tests:

  • Added new test case 'IAM policy for bedrockagent' that verifies correct IAM policy generation
  • All existing tests pass, confirming no regressions
  • Test follows established pattern used by other service mapping tests

Manual Testing:

  • Verified that CallAwsService with service: 'bedrockagent' now generates bedrock:startIngestionJob instead of bedrockagent:startIngestionJob
  • Confirmed IAM policy structure matches expected format

Test Results:

  • New test: IAM policy for bedrockagent - PASSED
  • All 15 existing tests - PASSED
  • No regressions detected

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
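An illustrative TypeScript sketch, added here and not aws-cdk-lib's own code, of why the mapping matters: the Step Functions aws-sdk integration ARN keeps the SDK service name, while the IAM action attached to the state machine role needs the IAM service prefix, so an unmapped `bedrockagent` yields the `bedrockagent:startIngestionJob` action the PR describes. The table contents, the `buildTaskGrant`/`policyStatement`/`isActionCovered` helpers and the `withMapping` switch are assumptions for the demonstration, not the project's API.

```typescript
// Illustrative re-implementation, not aws-cdk-lib's own code: how a
// CallAwsService-style task derives two different strings from one SDK
// service name. The table holds only the mappings this PR page names;
// the rest of the real iamServiceMap is assumed.
const iamServiceMap: Record<string, string> = {
  sfn: 'states',
  mwaa: 'airflow',
  bedrockagent: 'bedrock', // the mapping added by this PR
};

interface TaskGrant {
  // Step Functions aws-sdk integration resource: keeps the SDK service name.
  resourceArn: string;
  // IAM action attached to the state machine role: needs the IAM prefix.
  iamAction: string;
}

// withMapping=false reproduces the pre-fix behaviour for an unmapped service.
function buildTaskGrant(service: string, action: string, withMapping = true): TaskGrant {
  const iamService = withMapping ? (iamServiceMap[service] ?? service) : service;
  return {
    resourceArn: `arn:aws:states:::aws-sdk:${service}:${action}`,
    iamAction: `${iamService}:${action}`,
  };
}

// Policy statement as it would be attached to the role (shape only).
function policyStatement(grant: TaskGrant, resources: string[]) {
  return { Effect: 'Allow', Action: [grant.iamAction], Resource: resources };
}

// Defender-side check: does a policy's Action list cover the action the
// task will call? IAM action names compare case-insensitively, and a
// trailing '*' wildcard on the action part is honoured.
function isActionCovered(granted: string[], needed: string): boolean {
  const want = needed.toLowerCase();
  return granted.some((g) => {
    const have = g.toLowerCase();
    return have.endsWith('*') ? want.startsWith(have.slice(0, -1)) : have === want;
  });
}
```

With the mapping, the generated statement covers `bedrock:startIngestionJob`; without it the role holds a `bedrockagent:` action that never matches, which is the access denied failure the PR fixes.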

Add bedrockagent: 'bedrock' mapping to iamServiceMap in CallAwsService to ensure
correct IAM permissions are generated. Without this mapping, Step Functions tasks
using service='bedrockagent' would generate incorrect 'bedrockagent:action' IAM
permissions instead of the correct 'bedrock:action' format required by AWS IAM.

Fixes issue where Bedrock Agent actions like startIngestionJob and getIngestionJob
would fail with access denied errors due to incorrect IAM policy generation.
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Aug 4, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team August 4, 2025 21:13
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Aug 4, 2025

@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)


pahud commented Aug 4, 2025

Exemption Request

  • Unit tests are sufficient - They verify the IAM policy generation works correctly
  • Time/Resource efficiency - Integration tests are expensive and this is a low-risk change
  • AWS CDK practices - Similar service mapping PRs typically don't require integration test runs

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Aug 4, 2025
@pahud pahud marked this pull request as ready for review August 4, 2025 21:20
@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 99dfd0c
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 4, 2025
@Abogical Abogical self-assigned this Aug 7, 2025

@Abogical Abogical left a comment

Hi @pahud! I will request a security review for this, I'll come back to this when I have an update.


@Abogical Abogical left a comment

Thank you!

@Abogical Abogical added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Aug 22, 2025
@aws-cdk-automation aws-cdk-automation removed the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Aug 22, 2025
@aws-cdk-automation aws-cdk-automation dismissed their stale review August 22, 2025 09:31

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.


mergify bot commented Aug 22, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@mergify mergify bot merged commit 86638f6 into aws:main Aug 22, 2025
18 checks passed

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 22, 2025
Development

Successfully merging this pull request may close these issues.

stepfunctions-tasks: Step Functions SDK Integration generates incorrect IAM permissions for Bedrock Agent actions