bedrock: Agents requiring inference profile fail to deploy

[mccauleyp]

Describe the bug

This is a continuation of this ticket: #796

That ticket was resolved after support for inference profiles were added, but I'm still seeing failures in deploying agents that require inference profiles. I create an agent in this way following the updated documentation:

from cdklabs.generative_ai_cdk_constructs import bedrock

...

        self.my_agent = bedrock.Agent(
            scope,
            "MyAgent",
            name="my-agent,
            instruction="My agent's instruction",
            description="my agent's description",
            foundation_model=bedrock.CrossRegionInferenceProfile.from_config(
                geo_region=bedrock.CrossRegionInferenceProfileRegion.US,
                model=bedrock.BedrockFoundationModel.ANTHROPIC_CLAUDE_3_5_SONNET_V2_0,
            ),
        )

The produces the following error on cdk deploy:

(MyAgent5B6CA2F0) Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." (RequestToken: {token}, HandlerErrorCode: AccessDenied)

Here are the CloudFormation logs:

From there it looks like the policy isn't fully created by the time that the agent creation is attempted, which leads to the failure. Usually CDK is pretty good about making sure things are deployed in the right order, so not sure what's going on here exactly but my guess is that initial role may be created but the additional policy to use the inference profile hasn't been attached yet. I'm not sure why you wouldn't have seen this during your testing but potentially it could be because you tried with models that support inference profiles but don't require them in the way the Sonnet 3.5 V2 and Haiku 3.5 do.

I saw the same issue during my testing noted in the previous ticket and needed to add an explicit Cfn dependency in the snippet I showed there. I can fix this deployment error by doing that again here, and something similar could probably work for you too:

from aws_cdk import aws_bedrock, aws_iam

...

    @staticmethod
    def _patch_agent_construct_dependencies(agent: bedrock.Agent) -> None:
        """Patch to ensure that agent role is fully created before the agent."""
        cfn_agent: aws_bedrock.CfnAgent = agent.node.find_child("Agent")  # type: ignore[assignment]
        cfn_role: aws_iam.CfnRole = agent.node.find_child("Role")  # type: ignore[assignment]
        cfn_agent.node.add_dependency(cfn_role)

And then I call:

       self._patch_agent_construct_dependencies(self.my_agent)

Then the deployment succeeds.

Expected Behavior

Should be able to deploy an inference-profile agent using the pattern from the docs.

Current Behavior

Deployment fails, I think because the agent role doesn't have sufficient permissions to invoke the inference policy.

Reproduction Steps

See description or follow docs to try creating an agent that requires an inference profile (e.g., Claude Sonnet 3.5 V2).

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.176.0

Framework Version

0.1.289

Node.js Version

v22.13.0

OS

OSX

Language

Python

Language Version

No response

Region experiencing the issue

us-east-1

Code modification

See above

Other information

No response

Service quota

• I have reviewed the service quotas for this construct

[krokoko]

Hi @mccauleyp , thank you for raising this issue and we are sorry that you are experiencing this bug. I remember your previous ticket and this shouldn't happen. I will investigate this and update the ticket.