Add required permission to retrieve OAuth2 Credential Provider client secret (#228)

Author: brianlaoaws

src/bedrock_agentcore_starter_toolkit/utils/runtime/templates/execution_role_policy.json.j2

@@ -120,6 +120,16 @@
         "arn:aws:bedrock-agentcore:{{ region }}:{{ account_id }}:workload-identity-directory/default/workload-identity/{{ agent_name }}-*"
       ]
     },
+    {
+      "Sid": "BedrockAgentCoreIdentityGetCredentialProviderClientSecret",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetSecretValue"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:{{ region }}:{{ account_id }}:secret:bedrock-agentcore-identity!default/oauth2/*"
+      ]
+    },
     {
       "Sid": "BedrockAgentCoreIdentityGetResourceOauth2Token",
       "Effect": "Allow",