Create a service role for Amazon Bedrock Studio
Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change. |
To manage your Amazon Bedrock Studio workspaces, you need to create a service role that lets Amazon DataZone manage your workspaces.
To use a service role for Amazon Bedrock Studio, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.
Trust relationship
The following policy allows Amazon Bedrock to assume this role and manage an Amazon Bedrock Studio workspace with Amazon DataZone. The following shows an example policy you can use.
-
Set the
aws:SourceAccountvalue to your AWS account ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ], "Condition": { "StringEquals": { "aws:SourceAccount": "account ID" }, "ForAllValues:StringLike": { "aws:TagKeys": "datazone*" } } } ] }
Permissions to manage an Amazon Bedrock Studio workspace
Default policy for the main Amazon Bedrock Studio service role. Amazon Bedrock uses this role to build, run, and share resources in Bedrock Studio with Amazon DataZone.
This policy consists of the following sets of permissions.
datazone — Grants access to Amazon DataZone resources that are managed by Amazon Bedrock Studio.
ram — Allows retrieval of resource share associations that you own.
bedrock — Grants the ability to invoke Amazon Bedrock foundation models.
kms — Grants access to use AWS KMS for encrypting Amazon Bedrock Studio data with a customer-managed key.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GetDataZoneDomain", "Effect": "Allow", "Action": "datazone:GetDomain", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageDataZoneResources", "Effect": "Allow", "Action": [ "datazone:ListProjects", "datazone:GetProject", "datazone:CreateProject", "datazone:UpdateProject", "datazone:DeleteProject", "datazone:ListProjectMemberships", "datazone:CreateProjectMembership", "datazone:DeleteProjectMembership", "datazone:ListEnvironments", "datazone:GetEnvironment", "datazone:CreateEnvironment", "datazone:UpdateEnvironment", "datazone:DeleteEnvironment", "datazone:ListEnvironmentBlueprints", "datazone:GetEnvironmentBlueprint", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:GetEnvironmentBlueprintConfiguration", "datazone:ListEnvironmentProfiles", "datazone:GetEnvironmentProfile", "datazone:CreateEnvironmentProfile", "datazone:UpdateEnvironmentProfile", "datazone:DeleteEnvironmentProfile", "datazone:GetEnvironmentCredentials", "datazone:ListGroupsForUser", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:GetUserProfile", "datazone:GetGroupProfile" ], "Resource": "*" }, { "Sid": "GetResourceShareAssociations", "Effect": "Allow", "Action": "ram:GetResourceShareAssociations", "Resource": "*" }, { "Sid": "InvokeBedrockModels", "Effect": "Allow", "Action": [ "bedrock:GetFoundationModelAvailability", "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } } ] }
