Description
Using the default CLI scaffold with memory enabled, RetrieveMemoryRecords calls fail at runtime with:
AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/AgentCore-.../BedrockAgentCore-...
is not authorized to perform: bedrock-agentcore:RetrieveMemoryRecords on resource:
arn:aws:bedrock-agentcore:eu-central-1:XXXX:memory/...
because no identity-based policy allows the bedrock-agentcore:RetrieveMemoryRecords action
Potential root cause (AI-generated):
AgentCoreMemory.grant() calls collectNamespaces() which returns patterns derived from strategy namespaceTemplates. When namespaces are present, grantAccess() creates a policy for RetrieveMemoryRecords with a StringLike condition on bedrock-agentcore:namespace:
{
  "Effect": "Allow",
  "Action": ["bedrock-agentcore:ListMemoryRecords", "bedrock-agentcore:RetrieveMemoryRecords"],
  "Resource": "arn:aws:bedrock-agentcore:...:memory/...",
  "Condition": {
    "StringLike": {
      "bedrock-agentcore:namespace": ["/users/*/facts", "/users/*/preferences", "/summaries/*/*", "/episodes/*/*"]
    }
  }
}
This is the only statement granting RetrieveMemoryRecords. The condition appears to not be evaluated/matched by the service during authorization, so the action is never allowed.
By comparison, wireMemoriesToHarnesses() grants the same actions without a condition and works fine.
Steps to Reproduce
- agentcore init with memory enabled (default setup)
- agentcore deploy
- Invoke the agent — memory retrieval fails immediately
- Errors in CloudWatch
Expected Behavior
Memory retrieval should work out of the box with the default scaffold.
Actual Behavior
Errors in CloudWatch.
CLI Version
0.14.2
Operating System
macOS
Additional Context
No response
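The implicit deny described in this report, as an added example that is not part of the original issue or the project's code: a small model of how an Allow statement with a StringLike condition evaluates, run over the statement quoted above, plus a check that lists actions granted only under a condition. It assumes standard IAM semantics (a condition on a key missing from the request context does not match), does not model Resource matching, and uses constructed namespace values.

```python
import re

NS_KEY = "bedrock-agentcore:namespace"
ACTION = "bedrock-agentcore:RetrieveMemoryRecords"
# Statement quoted in the issue; the Resource ARN is elided there and kept as-is.
STATEMENTS = [{
    "Effect": "Allow",
    "Action": ["bedrock-agentcore:ListMemoryRecords", ACTION],
    "Resource": "arn:aws:bedrock-agentcore:...:memory/...",
    "Condition": {"StringLike": {NS_KEY: [
        "/users/*/facts", "/users/*/preferences",
        "/summaries/*/*", "/episodes/*/*"]}},
}]

def string_like(pattern, value):
    """IAM StringLike: case-sensitive; '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.DOTALL) is not None

def statement_allows(stmt, action, context):
    """True if this Allow statement applies (Resource matching not modelled)."""
    if stmt.get("Effect") != "Allow" or action not in stmt.get("Action", []):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise ValueError(f"operator not modelled: {operator}")
        for key, patterns in keys.items():
            value = context.get(key)
            # A key missing from the request context never matches StringLike.
            if value is None or not any(string_like(p, value) for p in patterns):
                return False
    return True

def is_allowed(statements, action, context):
    return any(statement_allows(s, action, context) for s in statements)

def conditional_only_actions(statements):
    """Actions that are granted only by statements carrying a Condition."""
    granted, unconditional = set(), set()
    for s in statements:
        if s.get("Effect") == "Allow":
            granted.update(s["Action"])
            if not s.get("Condition"):
                unconditional.update(s["Action"])
    return sorted(granted - unconditional)

if __name__ == "__main__":
    for ctx in ({}, {NS_KEY: "/users/u1/facts"}, {NS_KEY: "/users/u1/notes"}):  # constructed
        print(ctx, "->", is_allowed(STATEMENTS, ACTION, ctx))
```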