
AgentCore IAM Permissions Setup (BYOC - Bring Your Own Cloud)

This guide is for enterprise customers who want to use their own AWS account for Bedrock model invocations instead of Vell's infrastructure. This is an optional enterprise feature.

Which Guide Do I Need?

  • 🏢 You're a Vell platform operator running the SaaS app? → Use Platform Operator Guide
  • 🏛️ You're an enterprise customer wanting to use your own AWS account? → You're in the right place!

What is BYOC?

BYOC (Bring Your Own Cloud) allows enterprise customers to:

  • Use their own AWS account for Bedrock invocations
  • Pay AWS directly (no markup)
  • Maintain data sovereignty and compliance
  • Control service quotas and limits
  • Audit all Bedrock invocations in their CloudTrail


Overview

This setup creates a cross-account IAM role that allows Vell's platform to invoke Bedrock models in your AWS account on your behalf.

Time Required: 10-15 minutes
Technical Level: AWS IAM and CloudFormation knowledge
Prerequisites: AWS account with IAM permissions

What is AgentCore?

AgentCore is an agentic workflow system that powers:

  • AI Agents - Multi-step content generation workflows with Brand Voice
  • Co-Sell Matching - AI-powered partner discovery and compatibility analysis
  • Joint GTM Planning - Automated campaign planning for partner collaboration
  • Partner Intelligence - LinkedIn graph analysis and relationship mapping
  • AWS CleanRooms Analysis - Privacy-preserving account overlap analysis

All of these features use AWS Bedrock to invoke Claude and Amazon Nova models.

Required IAM Permissions

AgentCore requires permissions to invoke foundation models via AWS Bedrock:

Models Used by AgentCore

Model Family | Model IDs | Use Case
Claude 3.5 | anthropic.claude-3-5-sonnet-*, anthropic.claude-3-5-haiku-* | Multi-step planning, content generation, analysis
Claude 3 | anthropic.claude-3-sonnet-*, anthropic.claude-3-haiku-*, anthropic.claude-3-opus-* | Legacy agent workflows
Amazon Nova | amazon.nova-micro-v1:0, amazon.nova-lite-v1:0, amazon.nova-pro-v1:0, amazon.nova-premier-v1:0 | Fast inference, cost-optimized workflows
Stable Diffusion | stability.stable-diffusion-xl-v1 | Image generation for content assets

IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockModelInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/anthropic.claude-*",
        "arn:aws:bedrock:*::foundation-model/amazon.nova-*",
        "arn:aws:bedrock:*::foundation-model/stability.stable-diffusion-*"
      ]
    },
    {
      "Sid": "BedrockModelAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListFoundationModels",
        "bedrock:GetFoundationModel"
      ],
      "Resource": "*"
    }
  ]
}

Deployment Options

You have two options for deploying AgentCore IAM permissions:

Option 1: CloudFormation Template

Use our pre-built CloudFormation template for one-click deployment:

Download CloudFormation Template

Benefits:

  • ✅ One-click deployment
  • ✅ Least privilege permissions
  • ✅ Easy to update and revoke
  • ✅ Audit trail via CloudFormation

See CloudFormation Deployment below.

Option 2: Manual IAM Policy

Create the IAM policy and attach it to your existing Vell IAM role manually.

See Manual Deployment below.


CloudFormation Deployment

Step 1: Download Template

Download the CloudFormation template:

  • vell-agentcore-bedrock-role.yaml

Or use the hosted template URL:

https://vell-mp-connector.s3.amazonaws.com/templates/vell-agentcore-bedrock-role.yaml

Step 2: Open CloudFormation Console

Navigate to the AWS CloudFormation console:

Open CloudFormation Console

Region Selection

You can deploy this in any region, but us-east-1 is recommended for Bedrock model availability.

Step 3: Create Stack

  1. Click Create stack → With new resources (standard)
  2. Choose one:
     • Upload template: Select your downloaded .yaml file
     • Amazon S3 URL: Use https://vell-mp-connector.s3.amazonaws.com/templates/vell-agentcore-bedrock-role.yaml
  3. Click Next

Step 4: Configure Parameters

Enter the following values:

Parameter | Value | Notes
Stack name | vell-agentcore-bedrock | Stack name
ExternalId | From Vell dashboard | Copy from Vell AgentCore settings
VellAccountId | 253265132499 | Vell's AWS account ID
RoleName | vell-agentcore-bedrock | IAM role name
AllowedRegions | us-east-1,us-west-2 | Regions where Bedrock is available

External ID

Get your unique External ID from Dashboard → Settings → AgentCore → IAM Setup

Click Next

Step 5: Configure Stack Options

  • Tags (optional): Add organizational tags
  • Permissions (optional): Leave as default
  • Leave other options as default

Click Next

Step 6: Review and Create

  1. Scroll to bottom of review page
  2. ✅ Check: "I acknowledge that AWS CloudFormation might create IAM resources"
  3. Click Create stack

Step 7: Wait for Completion

The stack takes 2-3 minutes to deploy.

Wait for status: CREATE_COMPLETE

Step 8: Get Role ARN

Once complete:

  1. Click Outputs tab
  2. Copy the RoleArn value
  3. Paste into Vell dashboard: Settings → AgentCore → IAM Role ARN

Step 9: Validate in Vell

  1. Go to Dashboard → Settings → AgentCore
  2. Paste the Role ARN
  3. Click Validate Permissions
  4. Confirm all checks pass ✅

Manual Deployment

If you prefer to create the IAM policy manually:

Step 1: Create IAM Policy

  1. Go to AWS IAM Console → Policies
  2. Click Create policy
  3. Switch to JSON tab
  4. Paste the IAM Policy JSON from above
  5. Click Next
  6. Name: VellAgentCoreBedrockAccess
  7. Description: Allows Vell AgentCore to invoke Bedrock foundation models
  8. Click Create policy

Step 2: Attach to Existing Role

If you already have a Vell IAM role (e.g., from AWS Marketplace connector):

  1. Go to IAM → Roles
  2. Find your Vell role (e.g., vell-marketplace-connector)
  3. Click Add permissions → Attach policies
  4. Search for VellAgentCoreBedrockAccess
  5. Select and click Attach policies

Step 3: Or Create New Role

If you need a new role for AgentCore:

  1. Go to IAM → Roles → Create role
  2. Trusted entity type: AWS account
  3. Account ID: 253265132499 (Vell's AWS account)
  4. ✅ Check Require external ID
  5. External ID: Get from Vell dashboard
  6. Click Next
  7. Attach the VellAgentCoreBedrockAccess policy
  8. Name: vell-agentcore-bedrock
  9. Click Create role
  10. Copy the Role ARN

Step 4: Configure in Vell

  1. Go to Dashboard → Settings → AgentCore
  2. Paste the Role ARN
  3. Click Validate Permissions

Regional Considerations

Bedrock Model Availability

Not all models are available in all regions. Check AWS Bedrock availability:

Region Claude 3.5 Nova Stable Diffusion
us-east-1
us-west-2
eu-west-1
ap-southeast-1

Region Mismatch

If your role and credentials are set up for us-east-1 but you try to use Nova models in eu-west-1, invocations will fail. Ensure every region you use supports all the models you plan to invoke.

Multi-Region Support

To support multiple regions:

  1. Use the CloudFormation template's AllowedRegions parameter
  2. Or use wildcard in Resource ARN: arn:aws:bedrock:*::foundation-model/*

Security Best Practices

Least Privilege

The IAM policy grants only Bedrock model invocation permissions:

  • ✅ Can invoke foundation models
  • ✅ Can list available models
  • Cannot manage Bedrock resources
  • Cannot access other AWS services
  • Cannot create/delete models

External ID

The External ID prevents confused deputy attacks:

  • 🔒 Unique per Vell account
  • 🔐 Required for role assumption
  • ♻️ Rotatable on demand
  • 🚫 Never shared between customers

Trust Relationship

The role trusts only Vell's AWS account with External ID validation:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::253265132499:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "your-unique-external-id"
        }
      }
    }
  ]
}
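As an added example (not Vell's code or CloudFormation template), the script below checks both policies from this guide offline: that the permissions policy stays within the Bedrock invoke/list actions and scopes invocation to foundation-model ARNs, that a given model ID (and region) is actually matched by those ARN patterns, and that the trust policy trusts only Vell's account and carries the sts:ExternalId condition that defeats the confused deputy. The two JSON documents are copied inline as shown above (so the trust policy still holds the guide's placeholder External ID, which the checker flags); IAM's `*`/`?` wildcard matching is approximated with fnmatch, and action wildcards such as `bedrock:*` are reported rather than expanded.

```python
"""Offline checks for the two policies in this guide: the Bedrock permissions
policy and the role trust policy. Added example, not Vell's code or template."""
import fnmatch
import json

VELL_ACCOUNT_ID = "253265132499"  # Vell's AWS account, as given in this guide
INVOKE_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}
EXPECTED_ACTIONS = INVOKE_ACTIONS | {"bedrock:ListFoundationModels", "bedrock:GetFoundationModel"}

# Copies of the two policies shown in this guide (the trust policy keeps the placeholder External ID).
PERMISSIONS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "BedrockModelInvocation", "Effect": "Allow",
     "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
     "Resource": ["arn:aws:bedrock:*::foundation-model/anthropic.claude-*",
                  "arn:aws:bedrock:*::foundation-model/amazon.nova-*",
                  "arn:aws:bedrock:*::foundation-model/stability.stable-diffusion-*"]},
    {"Sid": "BedrockModelAccess", "Effect": "Allow",
     "Action": ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel"],
     "Resource": "*"}
  ]
}""")

TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::253265132499:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "your-unique-external-id"}}}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def foundation_model_arn(region, model_id):
    """Bedrock foundation-model ARNs carry no account id (hence the empty field)."""
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"


def model_allowed(policy, model_id, region="us-east-1"):
    """True if an Allow statement names both invoke actions and a Resource pattern
    matching this model's ARN. Action wildcards (e.g. bedrock:*) are not expanded."""
    arn = foundation_model_arn(region, model_id)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or not INVOKE_ACTIONS <= set(_as_list(stmt.get("Action", []))):
            continue
        if any(fnmatch.fnmatchcase(arn, pattern) for pattern in _as_list(stmt.get("Resource", []))):
            return True
    return False


def check_permissions_policy(policy):
    """Findings as strings; an empty list means the least-privilege shape this guide describes."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_as_list(stmt.get("Action", [])))
        extra = actions - EXPECTED_ACTIONS
        if extra:
            findings.append(f"{sid}: actions beyond Bedrock invoke/list: {sorted(extra)}")
        resources = _as_list(stmt.get("Resource", []))
        if actions & INVOKE_ACTIONS and not all(
            r.startswith("arn:aws:bedrock:") and "foundation-model/" in r for r in resources
        ):
            findings.append(f"{sid}: invoke actions not scoped to foundation-model ARNs: {resources}")
    return findings


def check_trust_policy(trust, vell_account=VELL_ACCOUNT_ID):
    """Findings for the confused-deputy protections: a single trusted account plus an External ID."""
    findings = []
    expected = {vell_account, f"arn:aws:iam::{vell_account}:root"}
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        unexpected = [p for p in principals if p not in expected]
        if unexpected:
            findings.append(f"trust: principal(s) other than Vell's account: {unexpected}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("trust: no sts:ExternalId condition (confused-deputy protection missing)")
        elif external_id == "your-unique-external-id":
            findings.append("trust: External ID is still the placeholder from this guide")
    return findings


if __name__ == "__main__":
    for model in ("amazon.nova-pro-v1:0", "anthropic.claude-3-5-haiku-20241022-v1:0", "meta.llama3-70b-instruct-v1:0"):
        print(f"{model}: {'allowed' if model_allowed(PERMISSIONS_POLICY, model) else 'not matched'}")
    print("permissions findings:", check_permissions_policy(PERMISSIONS_POLICY))
    print("trust findings:", check_trust_policy(TRUST_POLICY))
```

Run it against the policy JSON you actually deployed (replace the inline copies with `json.load` of your files) before pasting the role ARN into Vell; `model_allowed` is the same check to reach for when an "Access Denied" error names a model ID, since it tells you whether the Resource patterns cover that ID in that region.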

Session Duration

  • Default: 1 hour (3600 seconds)
  • Maximum: 12 hours (43200 seconds)
  • Vell renews sessions automatically

Audit Trail

All Bedrock invocations are logged to AWS CloudTrail:

  • Model invocations
  • Role assumptions
  • Failed permission attempts
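To make that audit trail usable, here is an added example (not Vell's code) that summarises a batch of CloudTrail records for the BYOC role: how many AssumeRole calls against the role succeeded or were denied and whether any came from an account other than Vell's, which models were invoked in which regions, and which invocations were denied. The records are constructed samples in CloudTrail's JSON shape, trimmed to the fields used; the customer account id 111122223333 and the session names are placeholders.

```python
"""Summarise CloudTrail records for the BYOC Bedrock role: role assumptions,
model invocations per model and region, and denied calls. Added example over
constructed sample records, not Vell's code."""
import json
from collections import Counter

VELL_ACCOUNT_ID = "253265132499"       # Vell's AWS account, from this guide
ROLE_NAME = "vell-agentcore-bedrock"   # role name used in this guide
CUSTOMER_ACCOUNT = "111122223333"      # constructed placeholder for your own account

# Constructed sample records, trimmed to the CloudTrail fields used below.
SAMPLE_RECORDS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole", "accountId": VELL_ACCOUNT_ID},
     "requestParameters": {"roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/{ROLE_NAME}",
                           "roleSessionName": "agentcore-run-42"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{CUSTOMER_ACCOUNT}:assumed-role/{ROLE_NAME}/agentcore-run-42"},
     "requestParameters": {"modelId": "anthropic.claude-3-5-haiku-20241022-v1:0"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModelWithResponseStream", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "AssumedRole",
                      "arn": f"arn:aws:sts::{CUSTOMER_ACCOUNT}:assumed-role/{ROLE_NAME}/agentcore-run-42"},
     "requestParameters": {"modelId": "amazon.nova-pro-v1:0"},
     "errorCode": "AccessDenied",
     "errorMessage": f"User: arn:aws:sts::{CUSTOMER_ACCOUNT}:assumed-role/{ROLE_NAME}/agentcore-run-42 "
                     "is not authorized to perform: bedrock:InvokeModelWithResponseStream"},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "accountId": "999999999999"},   # constructed: not Vell's account
     "requestParameters": {"roleArn": f"arn:aws:iam::{CUSTOMER_ACCOUNT}:role/{ROLE_NAME}",
                           "roleSessionName": "probe"},
     "errorCode": "AccessDenied"},
]


def _concerns_role(record, role_name):
    """True if the record targets this role (AssumeRole) or was made by a session of it."""
    params = record.get("requestParameters") or {}
    identity = record.get("userIdentity") or {}
    return (params.get("roleArn", "").endswith(f":role/{role_name}")
            or f":assumed-role/{role_name}/" in identity.get("arn", ""))


def summarize(records, role_name=ROLE_NAME, vell_account=VELL_ACCOUNT_ID):
    """Aggregate the records for one role into a dict of counters and denial details."""
    summary = {"assume_role_ok": 0, "assume_role_denied": 0, "assume_role_from_other_accounts": [],
               "invocations": Counter(), "invocations_by_region": Counter(), "denied_invocations": []}
    for rec in records:
        if not _concerns_role(rec, role_name):
            continue
        denied = rec.get("errorCode") in ("AccessDenied", "AccessDeniedException")
        source, name = rec.get("eventSource"), rec.get("eventName")
        if source == "sts.amazonaws.com" and name == "AssumeRole":
            caller = (rec.get("userIdentity") or {}).get("accountId")
            if caller != vell_account:   # the trust policy should make these denials; worth a look either way
                summary["assume_role_from_other_accounts"].append(caller)
            summary["assume_role_denied" if denied else "assume_role_ok"] += 1
        elif source == "bedrock.amazonaws.com" and name in ("InvokeModel", "InvokeModelWithResponseStream"):
            model = (rec.get("requestParameters") or {}).get("modelId", "<unknown>")
            region = rec.get("awsRegion", "<unknown>")
            if denied:
                summary["denied_invocations"].append(
                    {"region": region, "model": model, "message": rec.get("errorMessage", "")})
            else:
                summary["invocations"][model] += 1
                summary["invocations_by_region"][region] += 1
    return summary


def load_cloudtrail_file(path):
    """Read one CloudTrail log file as delivered to S3 (after gunzip): {"Records": [...]}."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    print(f"AssumeRole ok={result['assume_role_ok']} denied={result['assume_role_denied']} "
          f"from other accounts={result['assume_role_from_other_accounts']}")
    print("invocations:", dict(result["invocations"]), "by region:", dict(result["invocations_by_region"]))
    for d in result["denied_invocations"]:
        print(f"DENIED {d['region']} {d['model']}: {d['message']}")
```

Point `load_cloudtrail_file` at the gunzipped objects your trail writes to S3 and feed the concatenated records to `summarize`; a non-empty `denied_invocations` list is the CloudTrail-side view of the "Access Denied" and region-mismatch problems covered in Troubleshooting, and a region in `invocations_by_region` that you did not expect is worth checking against your AllowedRegions setting.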


Troubleshooting

Agent Success Rate 0.0%

Symptom: All agent executions fail, success rate shows 0.0%

Cause: Missing Bedrock IAM permissions

Solution:

  1. Check IAM role has bedrock:InvokeModel permission
  2. Verify External ID is correct
  3. Ensure role trust policy allows Vell account 253265132499
  4. Validate role ARN in Vell settings

"Access Denied" Errors

Error: User: arn:aws:sts::253265132499:assumed-role/vell-app/session is not authorized to perform: bedrock:InvokeModel

Solution:

  1. Check the IAM policy is attached to the role
  2. Verify resource ARN includes the model ID
  3. Ensure model is available in your region

"Model Not Found" Errors

Error: Could not resolve the foundation model from the model identifier

Solution:

  1. Check model is available in your region
  2. Verify model ID spelling in settings
  3. Ensure bedrock:GetFoundationModel permission exists

Region-Specific Issues

Error: Model invocation works in us-east-1 but fails in eu-west-1

Solution:

  1. Check model availability in target region
  2. Update resource ARN to include specific regions
  3. Or use wildcard: arn:aws:bedrock:*::foundation-model/*

CloudFormation Stack Fails

Error: Role with name vell-agentcore-bedrock already exists

Solution:

  1. Delete existing stack: aws cloudformation delete-stack --stack-name vell-agentcore-bedrock
  2. Or use different stack name in parameters

Validation Fails in Vell

Error: "Could not validate Bedrock permissions"

Solution:

  1. Wait 2-3 minutes after role creation (IAM propagation)
  2. Check role ARN is correct (starts with arn:aws:iam::)
  3. Verify External ID matches Vell dashboard
  4. Test role assumption manually:

aws sts assume-role \
  --role-arn arn:aws:iam::YOUR_ACCOUNT:role/vell-agentcore-bedrock \
  --role-session-name test \
  --external-id YOUR_EXTERNAL_ID


Cost Estimates

AgentCore uses Bedrock's pay-per-use pricing:

Model Pricing (us-east-1)

Model | Input (per 1K tokens) | Output (per 1K tokens) | Typical Agent Run
Claude 3.5 Sonnet v2 | $3.00 | $15.00 | $0.10 - $0.50
Claude 3.5 Haiku | $0.80 | $4.00 | $0.03 - $0.15
Nova Pro | $0.80 | $3.20 | $0.03 - $0.12
Nova Lite | $0.06 | $0.24 | $0.01 - $0.03
Nova Micro | $0.035 | $0.14 | $0.005 - $0.02

Example Workflows

Co-Sell Partner Matching:

  • Model: Claude 3.5 Haiku
  • Tokens: ~5,000 input, 2,000 output
  • Cost per analysis: ~$0.12

Joint GTM Campaign Plan:

  • Model: Claude 3.5 Sonnet v2
  • Tokens: ~10,000 input, 8,000 output
  • Cost per campaign: ~$0.45

Content Generation (Blog Post):

  • Model: Nova Pro
  • Tokens: ~3,000 input, 1,500 output
  • Cost per post: ~$0.07

Monthly Estimates

Usage Level | Agents/Month | Estimated Cost
Light (10 agents) | 10 | $1 - $5
Medium (50 agents) | 50 | $5 - $25
Heavy (200 agents) | 200 | $20 - $100

Cost Optimization

  • Use Nova Lite/Micro for simple tasks
  • Use Claude Haiku for speed
  • Use Claude Sonnet only for complex planning
  • Monitor usage in Vell dashboard

Combining with Marketplace Permissions

If you're using both AWS Marketplace Connector and AgentCore, you have two options for organizing the permissions:

Option 1: Separate Roles

Keep marketplace and AgentCore permissions separate:

  • vell-marketplace-connector - AWS Marketplace API only
  • vell-agentcore-bedrock - AWS Bedrock only

Benefits:

  • Clear separation of concerns
  • Easier to audit and revoke
  • Follows least privilege principle

Option 2: Combined Role

Attach both policies to a single role vell-unified-role:

  1. Create role with marketplace trust policy
  2. Attach VellMarketplaceCatalogAPI policy
  3. Attach VellAgentCoreBedrockAccess policy

Benefits:

  • Single role to manage
  • Simpler configuration in Vell

Drawbacks:

  • Broader permissions scope
  • Harder to audit specific access


Next Steps

Once AgentCore IAM is configured:

  1. Test Agent Execution
     • Go to Dashboard → Agents
     • Create a test agent
     • Run a simple workflow
     • Verify success rate increases
  2. Configure Model Preferences
     • Go to Settings → AgentCore
     • Select default model (Haiku for speed, Sonnet for quality)
     • Set token limits and timeouts
  3. Enable Co-Sell Features
     • Create co-sell relationships
     • Run partner matching analysis
     • Generate joint GTM campaigns
  4. Monitor Usage
     • Check Dashboard → Analytics → AgentCore Usage
     • Review token consumption
     • Optimize model selection


Support

Need help with IAM setup?


Last Updated: November 2025
Version: 1.0