Standalone command to create the AgentCore Harness IAM execution role outside a project context #1562

@sundargthb

Description

The AgentCore CLI currently creates the Harness IAM execution role automatically during agentcore create project scaffolding. This works well for users building agents directly with the CLI. For integrations that consume the Harness API without scaffolding a CLI project (for example, the n8n community node @aws/n8n-nodes-agentcore), users have to copy the trust and permissions policy from AWS docs and run aws iam create-role and aws iam put-role-policy themselves.

A standalone command that creates the role without a project in the working directory would let these integrations point their users at one repeatable step and get an ARN to paste into their tool’s credential UI.

Suggested shape:

```
agentcore iam create-execution-role \
  --role-name MyHarnessExecutionRole \
  [--region us-west-2] \
  [--output text|json]
```

The command should reuse the same underlying role construct the CLI already uses during project scaffolding so there’s one source of truth for the policy.

Acceptance Criteria

•	Command works in any directory, with or without an existing agentcore project
•	Generated trust policy and permissions policy match what the CLI produces during project scaffolding (single source of truth)
•	Role ARN written to stdout (plain text by default, JSON with --output json) so callers can pipe it
•	Idempotent on --role-name: re-running returns the existing role’s ARN rather than failing or duplicating
•	--region flag honored; falls back to AWS_REGION and configured profile region
•	Help text describes the use case for integrations that don’t scaffold a CLI project
•	README updated with a section showing how integrations should call the command

Additional Context

•	Reference for the role’s trust and permissions policy: https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/harness-security.html
•	Driving use case: the n8n community node — npm: [[npm link](https://www.npmjs.com/package/@aws/n8n-nodes-agentcore)], repo: [[repo link](https://github.com/aws/n8n-nodes-agentcore)]
•	Same pattern would help other low-code/no-code integrations (Zapier, Make.com) and CI/CD pipelines that need to provision Harness resources programmatically
•	A CloudFormation quick-create template wrapping the same underlying construct would be a useful companion for fully no-code audiences, but the CLI command is the immediate ask
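
The manual workaround described in the issue (aws iam create-role followed by aws iam put-role-policy), wrapped so that it meets the idempotency and stdout criteria listed above. This is an added example, not part of the original issue or the AgentCore CLI. It assumes trust-policy.json and permissions-policy.json were saved from the AWS docs page linked above; the function name and the inline policy name are hypothetical.

```shell
# Added example, not AgentCore CLI code. Assumptions: the two policy files were
# saved from the AWS docs page linked in the issue; the function name and the
# inline policy name are hypothetical.
ensure_execution_role() {
  role_name=$1
  trust_file=${2:-trust-policy.json}
  perms_file=${3:-permissions-policy.json}
  policy_name=${4:-HarnessExecutionPolicy}

  # Look the role up first so a re-run returns the existing ARN.
  if out=$(aws iam get-role --role-name "$role_name" \
             --query 'Role.Arn' --output text 2>&1); then
    printf '%s\n' "$out"
    return 0
  fi

  # Only "role does not exist" may fall through to creation. Any other failure
  # (expired credentials, AccessDenied) is reported instead of being masked.
  case $out in
    *NoSuchEntity*) ;;
    *) printf '%s\n' "$out" >&2; return 1 ;;
  esac

  arn=$(aws iam create-role --role-name "$role_name" \
          --assume-role-policy-document "file://$trust_file" \
          --query 'Role.Arn' --output text) || return 1

  # Attach the permissions policy inline; keep stdout clean for callers.
  aws iam put-role-policy --role-name "$role_name" \
      --policy-name "$policy_name" \
      --policy-document "file://$perms_file" >/dev/null || return 1

  # stdout carries only the ARN so the result can be piped.
  printf '%s\n' "$arn"
}
```

An existing role is returned as found, so its trust policy is not compared against the file; inspect it with aws iam get-role before reusing a role created by someone else.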

Metadata

Labels: enhancement (New feature or request)