Required permissions for batch inference

To carry out batch inference, you must set up permissions for the following IAM identities:

  • The IAM identity that will create and manage batch inference jobs.

  • The batch inference service role that Amazon Bedrock assumes to perform actions on your behalf.

To learn how to set up permissions for each identity, navigate through the following topics:

Required permissions for an IAM identity to submit and manage batch inference jobs

For an IAM identity to use this feature, you must configure it with the necessary permissions. To do so, do one of the following:

  • To allow an identity to carry out all Amazon Bedrock actions, attach the AmazonBedrockFullAccess policy to the identity. If you do this, you can skip this topic. This option is less secure.

  • As a security best practice, you should grant only the necessary actions to an identity. This topic describes the permissions that you need for this feature.

To restrict permissions to only actions that are used for batch inference, attach the following identity-based policy to an IAM identity:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BatchInference",
            "Effect": "Allow",
            "Action": [
                "bedrock:ListFoundationModels",
                "bedrock:GetFoundationModel",
                "bedrock:ListInferenceProfiles",
                "bedrock:GetInferenceProfile",
                "bedrock:ListCustomModels",
                "bedrock:GetCustomModel",
                "bedrock:TagResource",
                "bedrock:UntagResource",
                "bedrock:ListTagsForResource",
                "bedrock:CreateModelInvocationJob",
                "bedrock:GetModelInvocationJob",
                "bedrock:ListModelInvocationJobs",
                "bedrock:StopModelInvocationJob"
            ],
            "Resource": "*"
        }
    ]
}

To further restrict permissions, you can omit actions, or you can specify resources and condition keys by which to filter permissions. For more information about actions, resources, and condition keys, see the following topics in the Service Authorization Reference:

The following policy is an example that scopes down permissions for batch inference to only allow a user with the account ID 123456789012 to create batch inference jobs in the us-west-2 region, using the Anthropic Claude 3 Haiku model:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateBatchInferenceJob",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelInvocationJob"
            ],
            "Resource": [
                "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
                "arn:aws:bedrock:us-west-2:123456789012:model-invocation-job/*"
            ]
        }
    ]
}
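The difference between the two policies above can be checked mechanically. The following Python audit is an added example, not part of the AWS documentation: it flags Allow statements that grant state-changing batch inference actions on wildcard, wrong-region or wrong-account resources. The names `audit` and `STATE_CHANGING` and the abbreviated policy dictionaries are assumptions made for this illustration; `NotAction`, `NotResource` and condition keys are not evaluated.

```python
import fnmatch

# Actions from the page's policy that change state (the rest are read-only).
# This grouping is an assumption of the example, not an AWS classification.
STATE_CHANGING = (
    "bedrock:CreateModelInvocationJob",
    "bedrock:StopModelInvocationJob",
    "bedrock:TagResource",
    "bedrock:UntagResource",
)

def _as_list(value):
    # IAM accepts either a single value or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]

def audit(policy, account_id, region):
    """Return (sid, resource, reason) for each over-broad Allow on a state-changing action."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        if not any(fnmatch.fnmatchcase(a.lower(), p) for a in STATE_CHANGING for p in patterns):
            continue
        for res in _as_list(stmt.get("Resource", [])):
            parts = res.split(":", 5)  # arn:partition:service:region:account:resource
            if len(parts) < 6:
                reason = "wildcard or malformed ARN"
            elif parts[3] != region:
                reason = "region is not " + region
            elif parts[4] not in ("", account_id):  # foundation-model ARNs carry no account
                reason = "account is not " + account_id
            else:
                continue
            findings.append((stmt.get("Sid", "<no Sid>"), res, reason))
    return findings

# The page's two policies, abbreviated to the fields the audit reads.
BROAD = {"Statement": [{"Sid": "BatchInference", "Effect": "Allow",
    "Action": ["bedrock:GetModelInvocationJob", "bedrock:CreateModelInvocationJob"],
    "Resource": "*"}]}
SCOPED = {"Statement": [{"Sid": "CreateBatchInferenceJob", "Effect": "Allow",
    "Action": ["bedrock:CreateModelInvocationJob"],
    "Resource": [
        "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
        "arn:aws:bedrock:us-west-2:123456789012:model-invocation-job/*"]}]}

if __name__ == "__main__":
    for name, doc in (("broad", BROAD), ("scoped", SCOPED)):
        print(name, audit(doc, "123456789012", "us-west-2"))
```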

Required permissions for a service role to carry out batch inference

Batch inference is carried out by a service role that Amazon Bedrock assumes to perform actions on your behalf. You can create a service role in the following ways:

  • Let Amazon Bedrock automatically create a service role with the necessary permissions for you by using the AWS Management Console. You can select this option when you create a batch inference job.

  • Create a custom service role for Amazon Bedrock by using AWS Identity and Access Management and attach the necessary permissions. When you submit the batch inference job, you then specify this role. For more information about creating a custom service role for batch inference, see Create a custom service role for batch inference. For more general information about creating service roles, see Create a role to delegate permissions to an AWS service in the IAM User Guide.

Important

If the S3 bucket in which you uploaded your data for batch inference is in a different AWS account, you must configure an S3 bucket policy to allow the service role access to the data. You must manually configure this policy even if you use the console to automatically create a service role. To learn how to configure an S3 bucket policy for Amazon Bedrock resources, see Attach a bucket policy to an Amazon S3 bucket to allow another account to access it.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.