(@aws-cdk/bedrock-agentcore-alpha): grantInvoke should grant invoking as a websocket #37495

@cogwirrel

Describe the bug

When you grant a role permissions to invoke an AgentCore Runtime with runtime.grantInvoke(role), it doesn't grant permissions to bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStream, meaning you get authentication issues when using that role to sign websocket connection requests.

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

grantInvoke allows a role to invoke the Bedrock AgentCore Runtime via websocket.

Current Behavior

grantInvoke only grants http invoke permissions.

Reproduction Steps

const fn = new Function(this, 'Function', { ... });

const runtime = new Runtime(this, 'Runtime', {
  ...
});

runtime.grantInvoke(fn); // does not allow invoking via websocket

Possible Solution

Add bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStream to the permissions added by grantInvoke. Also add a grantInvokeWithWebSocketStream method for explicitly only granting for websocket.

Additional Information/Context

No response

AWS CDK Library version (aws-cdk-lib)

2.244.0

AWS CDK CLI version

2.1113.0 (build bb3ff6f)

Node.js Version

22.22.0

OS

OSX

Language

TypeScript

Language Version

6.0.2

Other information

No response
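
A check for the gap described in this issue, as an added example that is not part of the original report or of the CDK project's code: it evaluates a role's policy document and flags a role that can invoke the runtime over HTTP but lacks bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStream. The HTTP action name, the runtime ARN and the sample policies are assumptions constructed for illustration, and the evaluation is simplified (no Condition, NotAction or NotResource).

```typescript
type OneOrMany = string | string[];
interface Statement { Effect: 'Allow' | 'Deny'; Action: OneOrMany; Resource: OneOrMany }
interface PolicyDocument { Version: string; Statement: Statement[] }

const WS_ACTION = 'bedrock-agentcore:InvokeAgentRuntimeWithWebSocketStream';
// Assumption: name of the HTTP invoke action; the issue does not spell it out.
const HTTP_ACTION = 'bedrock-agentcore:InvokeAgentRuntime';
// Constructed placeholder ARN, not a real resource.
const RUNTIME_ARN = 'arn:aws:bedrock-agentcore:us-east-1:111122223333:runtime/example-runtime';

const toList = (v: OneOrMany): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style glob: '*' matches any run of characters, '?' exactly one character.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${body}$`, ignoreCase ? 'i' : '').test(value);
}

// Action names compare case-insensitively, ARNs case-sensitively; an explicit Deny wins.
function allows(doc: PolicyDocument, action: string, resource: string): boolean {
  const hits = doc.Statement.filter(s =>
    toList(s.Action).some(a => globMatch(a, action, true)) &&
    toList(s.Resource).some(r => globMatch(r, resource, false)));
  if (hits.some(s => s.Effect === 'Deny')) return false;
  return hits.some(s => s.Effect === 'Allow');
}

// True when the role can invoke over HTTP but would fail when signing a WebSocket request.
function hasWebSocketGap(doc: PolicyDocument, runtimeArn: string): boolean {
  return allows(doc, HTTP_ACTION, runtimeArn) && !allows(doc, WS_ACTION, runtimeArn);
}

const policyWith = (actions: string[]): PolicyDocument => ({
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Action: actions, Resource: [RUNTIME_ARN, `${RUNTIME_ARN}/*`] }],
});

// Constructed sample policies.
const httpOnly = policyWith([HTTP_ACTION]);            // the situation the issue describes
const explicit = policyWith([HTTP_ACTION, WS_ACTION]); // the fix the issue proposes
const wildcard = policyWith(['bedrock-agentcore:InvokeAgentRuntime*']);

console.log({
  httpOnly: hasWebSocketGap(httpOnly, RUNTIME_ARN),
  explicit: hasWebSocketGap(explicit, RUNTIME_ARN),
  wildcard: hasWebSocketGap(wildcard, RUNTIME_ARN),
});
```

The same function can be pointed at the policy JSON found in a synthesized template to confirm whether a deployed role is affected.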
