Fix: Runtime configure function now sets CodeBuild execution role from --code_build_execution_role parameter (#184)

* codebuild role parameter added

* codebuild role parameter added

* codebuild role parameter added

* unit test added

* unit test added

* unit test added

* PR 184

Author: kuriaks1

src/bedrock_agentcore_starter_toolkit/cli/runtime/commands.py

@@ -167,6 +167,7 @@ def configure(
     entrypoint: Optional[str] = typer.Option(None, "--entrypoint", "-e", help="Python file with BedrockAgentCoreApp"),
     agent_name: Optional[str] = typer.Option(None, "--name", "-n"),
     execution_role: Optional[str] = typer.Option(None, "--execution-role", "-er"),
+    code_build_execution_role: Optional[str] = typer.Option(None, "--code-build-execution-role", "-cber"),
     ecr_repository: Optional[str] = typer.Option(None, "--ecr", "-ecr"),
     container_runtime: Optional[str] = typer.Option(None, "--container-runtime", "-ctr"),
     requirements_file: Optional[str] = typer.Option(
@@ -268,6 +269,7 @@ def configure(
             agent_name=agent_name,
             entrypoint_path=Path(entrypoint),
             execution_role=execution_role,
+            code_build_execution_role=code_build_execution_role,
             ecr_repository=ecr_repository,
             container_runtime=container_runtime,
             auto_create_ecr=auto_create_ecr,

src/bedrock_agentcore_starter_toolkit/notebook/runtime/bedrock_agentcore.py

@@ -35,6 +35,7 @@ def configure(
         self,
         entrypoint: str,
         execution_role: Optional[str] = None,
+        code_build_execution_role: Optional[str] = None,
         agent_name: Optional[str] = None,
         requirements: Optional[List[str]] = None,
         requirements_file: Optional[str] = None,
@@ -53,6 +54,7 @@ def configure(
             entrypoint: Path to Python file with optional Bedrock AgentCore name
                 (e.g., "handler.py" or "handler.py:bedrock_agentcore")
             execution_role: AWS IAM execution role ARN or name (optional if auto_create_execution_role=True)
+            code_build_execution_role: Optional separate CodeBuild execution role ARN or name
             agent_name: name of the agent
             requirements: Optional list of requirements to generate requirements.txt
             requirements_file: Optional path to existing requirements file
@@ -109,6 +111,7 @@ def configure(
             entrypoint_path=Path(file_path),
             auto_create_execution_role=auto_create_execution_role,
             execution_role=execution_role,
+            code_build_execution_role=code_build_execution_role,
             ecr_repository=ecr_repository,
             container_runtime=container_runtime,
             auto_create_ecr=auto_create_ecr,

src/bedrock_agentcore_starter_toolkit/operations/runtime/configure.py

@@ -12,6 +12,7 @@
     AWSConfig,
     BedrockAgentCoreAgentSchema,
     BedrockAgentCoreDeploymentInfo,
+    CodeBuildConfig,
     NetworkConfiguration,
     ObservabilityConfig,
     ProtocolConfiguration,
@@ -25,6 +26,7 @@ def configure_bedrock_agentcore(
     agent_name: str,
     entrypoint_path: Path,
     execution_role: Optional[str] = None,
+    code_build_execution_role: Optional[str] = None,
     ecr_repository: Optional[str] = None,
     container_runtime: Optional[str] = None,
     auto_create_ecr: bool = True,
@@ -43,6 +45,7 @@ def configure_bedrock_agentcore(
         agent_name: name of the agent,
         entrypoint_path: Path to the entrypoint file
         execution_role: AWS execution role ARN or name (auto-created if not provided)
+        code_build_execution_role: CodeBuild execution role ARN or name (uses execution_role if not provided)
         ecr_repository: ECR repository URI
         container_runtime: Container runtime to use
         auto_create_ecr: Whether to auto-create ECR repository
@@ -109,6 +112,24 @@ def configure_bedrock_agentcore(
             else:
                 log.debug("No execution role provided and auto-create disabled")
 
+    # Handle CodeBuild execution role - use separate role if provided, otherwise use execution_role
+    codebuild_execution_role_arn = None
+    if code_build_execution_role:
+        # User provided a separate CodeBuild role
+        if code_build_execution_role.startswith("arn:aws:iam::"):
+            codebuild_execution_role_arn = code_build_execution_role
+        else:
+            codebuild_execution_role_arn = f"arn:aws:iam::{account_id}:role/{code_build_execution_role}"
+
+        if verbose:
+            log.debug("Using separate CodeBuild execution role: %s", codebuild_execution_role_arn)
+    else:
+        # No separate CodeBuild role provided - use None
+        codebuild_execution_role_arn = None
+
+        if verbose and execution_role_arn:
+            log.debug("Using same role for CodeBuild: %s", codebuild_execution_role_arn)
+
     # Generate Dockerfile and .dockerignore
     bedrock_agentcore_name = None
     # Try to find the variable name for the Bedrock AgentCore instance in the file
@@ -195,6 +216,9 @@ def configure_bedrock_agentcore(
             observability=ObservabilityConfig(enabled=enable_observability),
         ),
         bedrock_agentcore=BedrockAgentCoreDeploymentInfo(),
+        codebuild=CodeBuildConfig(
+            execution_role=codebuild_execution_role_arn,
+        ),
         authorizer_configuration=authorizer_configuration,
         request_header_configuration=request_header_configuration,
     )

tests/cli/runtime/test_commands.py

@@ -126,6 +126,51 @@ def test_configure_with_oauth(self, tmp_path):
             call_args = mock_configure.call_args
             assert call_args[1]["authorizer_configuration"] == oauth_config
 
+    def test_configure_with_code_build_execution_role(self, tmp_path):
+        """Test configure command with CodeBuild execution role."""
+        agent_file = tmp_path / "test_agent.py"
+        agent_file.write_text("from bedrock_agentcore.runtime import BedrockAgentCoreApp\napp = BedrockAgentCoreApp()")
+
+        with (
+            patch(
+                "bedrock_agentcore_starter_toolkit.cli.runtime.commands.configure_bedrock_agentcore"
+            ) as mock_configure,
+            patch("bedrock_agentcore_starter_toolkit.cli.runtime.commands.parse_entrypoint") as mock_parse,
+            patch(
+                "bedrock_agentcore_starter_toolkit.cli.runtime.commands._handle_requirements_file_display"
+            ) as mock_req_display,
+            patch("bedrock_agentcore_starter_toolkit.cli.common.prompt") as mock_prompt,
+        ):
+            mock_parse.return_value = (str(agent_file), "bedrock_agentcore")
+            mock_req_display.return_value = tmp_path / "requirements.txt"
+            mock_prompt.return_value = "no"
+
+            mock_result = Mock()
+            mock_result.runtime = "docker"
+            mock_result.region = "us-west-2"
+            mock_result.account_id = "123456789012"
+            mock_result.execution_role = "arn:aws:iam::123456789012:role/ExecutionRole"
+            mock_result.config_path = tmp_path / ".bedrock_agentcore.yaml"
+            mock_configure.return_value = mock_result
+
+            result = self.runner.invoke(
+                app,
+                [
+                    "configure",
+                    "--entrypoint",
+                    str(agent_file),
+                    "--execution-role",
+                    "ExecutionRole",
+                    "--code-build-execution-role",
+                    "CodeBuildRole",
+                ],
+            )
+
+            assert result.exit_code == 0
+            # Verify CodeBuild execution role was passed
+            call_args = mock_configure.call_args
+            assert call_args[1]["code_build_execution_role"] == "CodeBuildRole"
+
     def test_configure_with_invalid_protocol(self, tmp_path):
         agent_file = tmp_path / "test_agent.py"
 

tests/notebook/runtime/test_bedrock_agentcore.py

@@ -83,6 +83,33 @@ def test_configure_with_requirements_generation(self, tmp_path):
             assert "boto3" in content
             assert "pandas" in content
 
+    def test_configure_with_code_build_execution_role(self, tmp_path):
+        """Test configuration with CodeBuild execution role."""
+        agent_file = tmp_path / "test_agent.py"
+        agent_file.write_text("from bedrock_agentcore.runtime import BedrockAgentCoreApp\napp = BedrockAgentCoreApp()")
+
+        bedrock_agentcore = Runtime()
+
+        with (
+            patch(
+                "bedrock_agentcore_starter_toolkit.notebook.runtime.bedrock_agentcore.configure_bedrock_agentcore"
+            ) as mock_configure,
+        ):
+            mock_result = Mock()
+            mock_result.config_path = tmp_path / ".bedrock_agentcore.yaml"
+            mock_configure.return_value = mock_result
+
+            bedrock_agentcore.configure(
+                entrypoint=str(agent_file),
+                execution_role="ExecutionRole",
+                code_build_execution_role="CodeBuildRole",
+            )
+
+            # Verify configure was called with CodeBuild execution role
+            mock_configure.assert_called_once()
+            args, kwargs = mock_configure.call_args
+            assert kwargs["code_build_execution_role"] == "CodeBuildRole"
+
     def test_launch_without_config(self):
         """Test launch fails when not configured."""
         bedrock_agentcore = Runtime()