From c41c9629b29e5831625239a640eb52532b7efd99 Mon Sep 17 00:00:00 2001
From: Shintaro Okamoto
Date: Wed, 20 May 2026 16:45:35 +0900
Subject: [PATCH] fix: add AWS Marketplace permissions to AgentCore runtime role

Add aws-marketplace:ViewSubscriptions and aws-marketplace:Subscribe to resolve AccessDeniedException when calling ConverseStream with marketplace-subscribed models.
---
 infra/lib/runtime-stack.ts | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/infra/lib/runtime-stack.ts b/infra/lib/runtime-stack.ts
index 53d64b40..d1e5004f 100644
--- a/infra/lib/runtime-stack.ts
+++ b/infra/lib/runtime-stack.ts
@@ -164,6 +164,17 @@ export class RuntimeStack extends cdk.Stack {
 })
 );
 
+ // --- AWS Marketplace permissions (required for Bedrock model subscriptions) ---
+ runtimeRole.addToPolicy(
+ new iam.PolicyStatement({
+ actions: [
+ "aws-marketplace:ViewSubscriptions",
+ "aws-marketplace:Subscribe",
+ ],
+ resources: ["*"],
+ })
+ );
+
 // --- KB permissions (Amazon Titan Embed + S3 Vectors + Amazon Bedrock Retrieve) ---
 if (props.vectorBucketName) {
 runtimeRole.addToPolicy(
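Review bot: `aws-marketplace:Subscribe` on `resources: ["*"]` with no condition lets the long-lived runtime role subscribe the account to any Marketplace product, not only the Bedrock models this stack invokes, which is a billing and least-privilege exposure for a role that executes agent workloads. Consider moving `Subscribe` into its own statement scoped with `conditions: { "ForAnyValue:StringEquals": { "aws-marketplace:ProductId": ["<MODEL_PRODUCT_ID>"] } }` (placeholder id), leaving `ViewSubscriptions` as the only unconditioned action. If the subscription only has to be created once per account, it may be safer still to grant `Subscribe` to a deploy-time or admin principal and keep it off the runtime role; that needs confirming against the ConverseStream AccessDeniedException the commit message describes. The section comment should also name which models require the subscription so the grant can be removed when they are no longer used. The enclosing constructor starts before this hunk and the `if (props.vectorBucketName)` block continues past it.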