Create a provisioning role for Amazon Bedrock Studio
Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change. |
To allow Amazon Bedrock Studio to create resources in a users account, such as a guardrail component, you need to create a provisioning role.
To use a provisioning role for Amazon Bedrock Studio, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.
Trust relationship
The following policy allows Amazon Bedrock to assume this role and let Amazon Bedrock Studio manage the Bedrock Studio resources in a user's account.
-
Set the
aws:SourceAccountvalue to your account ID.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "account ID" } } } ] }
Permissions to manage Amazon Bedrock Studio user resources
Default policy for the Amazon Bedrock Studio provisioning role. This policy allows the principal to create, update, and delete AWS resources in Amazon Bedrock Studio using Amazon DataZone and AWS CloudFormation.
This policy consists of the following sets of permissions.
-
cloudformation — Allows the principal to create and manage CloudFormation stacks to provision Amazon Bedrock Studio resources as part of Amazon DataZone environments.
-
iam — Allows the principal to create, manage, and pass IAM roles with a permissions boundary for Amazon Bedrock Studio using AWS CloudFormation.
-
s3 — Allows the principal to to create and manage Amazon S3 buckets for Amazon Bedrock Studio using AWS CloudFormation.
-
aoss — Allows the principal to to create and manage Amazon OpenSearch Serverless collections for Amazon Bedrock Studio using AWS CloudFormation.
-
bedrock — Allows the principal to create and manage Amazon Bedrock agents, knowledge bases, guardrails, prompts, and flows for Amazon Bedrock Studio using AWS CloudFormation.
-
lambda — Allows the principal to create, manage, and invoke AWS Lambda functions for Amazon Bedrock Studio using AWS CloudFormation.
-
logs — Allows the principal to create and manage Amazon CloudWatch log groups for Amazon Bedrock Studio using AWS CloudFormation.
-
secretsmanager — Allows the principal to create and manage AWS Secrets Manager secrets for Amazon Bedrock Studio using AWS CloudFormation.
-
kms — Grants access to AWS KMS for encrypting provisioned resources with a customer-managed key intended for Amazon Bedrock using AWS CloudFormation.
Due to the size of this policy, you need to attach the policy as an inline policy. For instructions, see Step 2: Create permissions boundary, service role, and provisioning role.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateStacks", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:TagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "AmazonDataZoneEnvironment" }, "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "ManageStacks", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*" }, { "Sid": "DenyOtherActionsNotViaCloudFormation", "Effect": "Deny", "NotAction": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:TagResource" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:CalledViaFirst": "cloudformation.amazonaws.com" } } }, { "Sid": "ListResources", "Effect": "Allow", "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "aoss:ListCollections", "aoss:BatchGetCollection", "aoss:ListAccessPolicies", "aoss:ListSecurityPolicies", "aoss:ListTagsForResource", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:ListGuardrails", "bedrock:ListPrompts", "bedrock:ListFlows", "bedrock:ListTagsForResource", "lambda:ListFunctions", "logs:DescribeLogGroups", "secretsmanager:ListSecrets" ], "Resource": "*" }, { "Sid": "GetRoles", "Effect": "Allow", "Action": "iam:GetRole", "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ] }, { "Sid": "CreateRoles", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageRoles", "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "PassRoleToBedrockService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } }, { "Sid": "PassRoleToLambdaService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/BedrockStudio*", "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Sid": "CreateRoleForOpenSearchServerless", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com" } } }, { "Sid": "GetDataZoneBlueprintCfnTemplates", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringNotEquals": { "s3:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CreateAndAccessS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketVersioning", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-*" }, { "Sid": "ManageOssAccessPolicies", "Effect": "Allow", "Action": [ "aoss:GetAccessPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:UpdateAccessPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*", "aoss:index": "br-studio-*" } } }, { "Sid": "ManageOssSecurityPolicies", "Effect": "Allow", "Action": [ "aoss:GetSecurityPolicy", "aoss:CreateSecurityPolicy", "aoss:DeleteSecurityPolicy", "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*" } } }, { "Sid": "ManageOssCollections", "Effect": "Allow", "Action": [ "aoss:CreateCollection", "aoss:UpdateCollection", "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "GetBedrockResources", "Effect": "Allow", "Action": [ "bedrock:GetAgent", "bedrock:GetKnowledgeBase", "bedrock:GetGuardrail", "bedrock:GetPrompt", "bedrock:GetFlow", "bedrock:GetFlowAlias" ], "Resource": "*" }, { "Sid": "ManageBedrockResources", "Effect": "Allow", "Action": [ "bedrock:CreateAgent", "bedrock:UpdateAgent", "bedrock:PrepareAgent", "bedrock:DeleteAgent", "bedrock:ListAgentAliases", "bedrock:GetAgentAlias", "bedrock:CreateAgentAlias", "bedrock:UpdateAgentAlias", "bedrock:DeleteAgentAlias", "bedrock:ListAgentActionGroups", "bedrock:GetAgentActionGroup", "bedrock:CreateAgentActionGroup", "bedrock:UpdateAgentActionGroup", "bedrock:DeleteAgentActionGroup", "bedrock:ListAgentKnowledgeBases", "bedrock:GetAgentKnowledgeBase", "bedrock:AssociateAgentKnowledgeBase", "bedrock:DisassociateAgentKnowledgeBase", "bedrock:UpdateAgentKnowledgeBase", "bedrock:CreateKnowledgeBase", "bedrock:UpdateKnowledgeBase", "bedrock:DeleteKnowledgeBase", "bedrock:ListDataSources", "bedrock:GetDataSource", "bedrock:CreateDataSource", "bedrock:UpdateDataSource", "bedrock:DeleteDataSource", "bedrock:CreateGuardrail", "bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:CreatePrompt", "bedrock:UpdatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:CreateFlow", "bedrock:UpdateFlow", "bedrock:PrepareFlow", "bedrock:DeleteFlow", "bedrock:ListFlowAliases", "bedrock:GetFlowAlias", "bedrock:CreateFlowAlias", "bedrock:UpdateFlowAlias", "bedrock:DeleteFlowAlias", "bedrock:ListFlowVersions", "bedrock:GetFlowVersion", "bedrock:CreateFlowVersion", "bedrock:DeleteFlowVersion" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockAgentAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:agent-alias/*", "Condition": { "StringEquals": { "aws:RequestTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockFlowAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:flow/*/alias/*", "Condition": { "Null": { "aws:RequestTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "CreateFunctions", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:DeleteFunction", "lambda:UpdateFunctionCode", "lambda:GetFunctionConfiguration", "lambda:UpdateFunctionConfiguration", "lambda:ListVersionsByFunction", "lambda:PublishVersion", "lambda:GetPolicy", "lambda:AddPermission", "lambda:RemovePermission", "lambda:ListTags" ], "Resource": "arn:aws:lambda:*:*:function:br-studio-*" }, { "Sid": "ManageLogGroups", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", "logs:GetDataProtectionPolicy", "logs:PutDataProtectionPolicy", "logs:DeleteDataProtectionPolicy", "logs:AssociateKmsKey", "logs:DisassociateKmsKey", "logs:ListTagsLogGroup", "logs:ListTagsForResource" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*" }, { "Sid": "GetRandomPasswordForSecret", "Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*" }, { "Sid": "ManageSecrets", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": [ "iam:TagRole", "iam:UntagRole", "aoss:TagResource", "aoss:UntagResource", "bedrock:TagResource", "bedrock:UntagResource", "lambda:TagResource", "lambda:UntagResource", "logs:TagLogGroup", "logs:UntagLogGroup", "logs:TagResource", "logs:UntagResource", "secretsmanager:TagResource", "secretsmanager:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } } ] }
