The OTEL entrypoint dance, IAM PassRole, ECR build, and AgentCore CreateAgentRuntime — all auto-generated.
Entry-point + OTEL wrapper
AgentCore Runtime needs the entrypoint wrapped by the opentelemetry-instrument launcher from aws-opentelemetry-distro for traces and CloudWatch metrics to flow correctly. Without it, traces never reach CloudWatch and cold-start regressions go unnoticed. We always emit the wrapper; the image must have aws-opentelemetry-distro installed, otherwise the container fails to start because the launcher is not on PATH.
entryPoint: ["opentelemetry-instrument", "python", "main.py"]
IAM role + PassRole
Each AgentCore runtime needs a runtime IAM role trusted by bedrock-agentcore.amazonaws.com, with Secrets Manager, S3 and Bedrock permissions scoped to that account's resources. The Lambda that creates the runtime also needs iam:PassRole on that role; scope the grant with an iam:PassedToService condition of bedrock-agentcore.amazonaws.com so the deployer cannot hand the role to any other service. We provision both per account.
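The runtime role, its scoped permissions, and the deployer's PassRole grant, as an added example (this is not AgentDepot's provisioning code). It assumes the region and account ID are inputs, uses a log-group prefix of /aws/bedrock-agentcore/ that should be checked against what the runtime actually writes, and adds a confused-deputy guard (aws:SourceAccount / aws:SourceArn) to the trust policy plus a lint that catches a Secrets Manager grant reaching outside the tenant prefix:

```python
"""Policy documents for one tenant's AgentCore runtime role and the deployer's
PassRole grant. Added example, not AgentDepot's own code. Assumed: region and
account inputs, the log-group prefix, and the catalog bucket name from the page."""
import json

AGENTCORE_SERVICE = "bedrock-agentcore.amazonaws.com"


def trust_policy(account_id: str, region: str) -> dict:
    """Trust policy for agentdepot-runtime-{accountId}. The Condition block is the
    confused-deputy guard: only AgentCore resources in this account/region may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": AGENTCORE_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock-agentcore:{region}:{account_id}:*"},
            },
        }],
    }


def runtime_permissions(account_id: str, region: str) -> dict:
    """Permissions policy: every resource ARN is pinned to this tenant's prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "InvokeModels", "Effect": "Allow",
             "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
             "Resource": f"arn:aws:bedrock:{region}::foundation-model/*"},
            {"Sid": "TenantSecrets", "Effect": "Allow",
             "Action": "secretsmanager:GetSecretValue",
             "Resource": f"arn:aws:secretsmanager:{region}:{account_id}:secret:agentdepot/{account_id}/*"},
            {"Sid": "Catalog", "Effect": "Allow", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::agentdepot-public-catalog/*"},
            {"Sid": "Logs", "Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             # Log-group prefix is an assumption; align it with the runtime's real log group.
             "Resource": f"arn:aws:logs:{region}:{account_id}:log-group:/aws/bedrock-agentcore/*"},
        ],
    }


def deployer_passrole(account_id: str, role_name: str) -> dict:
    """PassRole for the deployer Lambda, restricted with iam:PassedToService so the
    runtime role can only ever be passed to AgentCore."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": f"arn:aws:iam::{account_id}:role/{role_name}",
            "Condition": {"StringEquals": {"iam:PassedToService": AGENTCORE_SERVICE}},
        }],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def secret_scope_violations(policy: dict, account_id: str) -> list:
    """Return Sids of statements that let the role read secrets outside
    agentdepot/{account_id}/, i.e. a cross-tenant leak in a shared account."""
    tenant_prefix = f":secret:agentdepot/{account_id}/"
    bad = []
    for st in policy["Statement"]:
        actions = [a.lower() for a in _as_list(st["Action"])]
        if not any(a == "*" or a.startswith("secretsmanager:") for a in actions):
            continue
        if any(tenant_prefix not in r for r in _as_list(st["Resource"])):
            bad.append(st.get("Sid", "<no Sid>"))
    return bad


if __name__ == "__main__":
    acct, region = "123456789012", "us-east-1"
    print(json.dumps(trust_policy(acct, region), indent=2))
    print("secret scope violations:", secret_scope_violations(runtime_permissions(acct, region), acct))
```

Run the lint over every generated permissions policy before attaching it; a resource like secret:agentdepot/* (missing the account segment) is the kind of drift that silently breaks tenant isolation.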
# Trust policy on agentdepot-runtime-{accountId}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "bedrock-agentcore.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
# Permissions (each scoped to the account's own resources)
- bedrock:InvokeModel*
- secretsmanager:GetSecretValue on agentdepot/{accountId}/*
- s3:GetObject on agentdepot-public-catalog/*
- logs:CreateLogStream, logs:PutLogEvents
ECR build + push
AWS CodeBuild project agentdepot-runtime-builder runs on every import. Triggered when DDB record flips to queued_for_build. Pushes to ECR repo agentdepot-imports/{accountId}/{importSlug}:{commitSha}. ARM64 by default (cheaper); x86_64 available on request.
AgentCore CreateAgentRuntime
Our existing agentdepot-deployer Lambda is invoked with the new ECR image URI. It calls bedrock-agentcore-control:CreateAgentRuntime with the runtime IAM role and the environment variables (Secrets Manager ARNs and Composio connection IDs, never secret values), then polls the runtime's status until it reaches READY before flipping the import record to status=live.
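The create-then-wait flow above, as an added example rather than the agentdepot-deployer Lambda's own code. It assumes the boto3 bedrock-agentcore-control call shapes (create_agent_runtime / get_agent_runtime and a status field with READY / CREATE_FAILED values; verify against the current SDK), and it goes slightly beyond the text in two ways a practitioner would want: it refuses to put anything other than a tenant-scoped Secrets Manager ARN into a *_SECRET_ARN variable, and it turns CREATE_FAILED or a stalled create into an explicit failed outcome instead of waiting forever. A constructed fake client stands in for boto3 so it runs offline:

```python
"""Create an AgentCore runtime and wait for READY with explicit failure/timeout
outcomes. Added example, not AgentDepot's code. Assumed: boto3 call shapes,
status strings, and the env-var naming used here."""
import re
import time

# Tenant-scoped secret ARN: account in the ARN must equal the account in the path.
SECRET_ARN_RE = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:(\d{12}):secret:agentdepot/\1/")


def is_tenant_secret_arn(account_id: str, value: str) -> bool:
    m = SECRET_ARN_RE.match(value)
    return bool(m) and m.group(1) == account_id


def build_env(account_id: str, secret_arns: dict, composio_connection_ids: dict) -> dict:
    """Runtime environment: Secrets Manager ARNs and Composio connection IDs only.
    A plaintext secret (or another tenant's ARN) is rejected, so it can never
    land in the loggable runtime configuration."""
    env = {}
    for key, arn in secret_arns.items():
        if not is_tenant_secret_arn(account_id, arn):
            raise ValueError(f"{key}: not a Secrets Manager ARN under agentdepot/{account_id}/")
        env[f"{key}_SECRET_ARN"] = arn
    for key, conn_id in composio_connection_ids.items():
        env[f"COMPOSIO_{key}_CONNECTION_ID"] = conn_id
    return env


def create_and_wait(client, *, name, image_uri, role_arn, env,
                    poll_seconds=5.0, timeout_seconds=600.0,
                    sleep=time.sleep, clock=time.monotonic) -> dict:
    """CreateAgentRuntime, then poll GetAgentRuntime until READY. Returns
    {'status': 'live' | 'failed', ...}; a *FAILED status or a timeout ends the wait."""
    created = client.create_agent_runtime(
        agentRuntimeName=name,
        agentRuntimeArtifact={"containerConfiguration": {"containerUri": image_uri}},
        roleArn=role_arn,
        networkConfiguration={"networkMode": "PUBLIC"},
        environmentVariables=env,
    )
    runtime_id = created["agentRuntimeId"]
    result = {"runtimeId": runtime_id, "runtimeArn": created["agentRuntimeArn"]}
    deadline = clock() + timeout_seconds
    while True:
        status = client.get_agent_runtime(agentRuntimeId=runtime_id)["status"]
        if status == "READY":
            return {**result, "status": "live"}
        if status.endswith("FAILED"):
            return {**result, "status": "failed", "reason": status}
        if clock() >= deadline:
            return {**result, "status": "failed", "reason": f"timeout after {timeout_seconds}s"}
        sleep(poll_seconds)


class FakeControlClient:
    """Constructed stand-in for boto3.client('bedrock-agentcore-control'); offline only."""
    def __init__(self, statuses):
        self._statuses = list(statuses)
        self.create_calls = []

    def create_agent_runtime(self, **kwargs):
        self.create_calls.append(kwargs)
        return {"agentRuntimeId": "rt-demo",
                "agentRuntimeArn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:runtime/rt-demo"}

    def get_agent_runtime(self, **kwargs):
        # Walk the scripted statuses, then keep returning the last one.
        return {"status": self._statuses.pop(0) if len(self._statuses) > 1 else self._statuses[0]}


def demo(statuses, timeout_seconds=600.0) -> dict:
    """Run the flow against scripted statuses with a fake clock (no real sleeping)."""
    now = [0.0]

    def fake_sleep(s):
        now[0] += s

    env = build_env("123456789012",
                    {"OPENAI": "arn:aws:secretsmanager:us-east-1:123456789012:secret:agentdepot/123456789012/openai-AbCdEf"},
                    {"GITHUB": "conn_demo123"})
    return create_and_wait(FakeControlClient(statuses), name="demo_agent",
                           image_uri="123456789012.dkr.ecr.us-east-1.amazonaws.com/agentdepot-imports/123456789012/demo:abc123",
                           role_arn="arn:aws:iam::123456789012:role/agentdepot-runtime-123456789012",
                           env=env, poll_seconds=5.0, timeout_seconds=timeout_seconds,
                           sleep=fake_sleep, clock=lambda: now[0])


if __name__ == "__main__":
    print(demo(["CREATING", "CREATING", "READY"]))
    print(demo(["CREATING", "CREATE_FAILED"]))
```

Against the real SDK, pass boto3.client("bedrock-agentcore-control") as client and keep the default sleep and clock; the Lambda's own timeout must exceed timeout_seconds or the import record is left in its intermediate state.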