Fulfill prerequisites to copy models
To allow a role to copy a model, you might have to set up permissions, depending on the role's permissions and the model's configuration. Review the permissions in the following list and the circumstances in which you must configure them:
-
If your role doesn't have the AmazonBedrockFullAccess policy attached, attach the following identity-based policy to the role to allow the minimal permissions to copy models and to track copy jobs.
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CopyModels", "Effect": "Allow", "Action": [ "bedrock:CreateModelCopyJob", "bedrock:GetModelCopyJob", "bedrock:ListModelCopyJobs" ], "Resource": [ "
${model-arn}
" ], "Condition": { "StringEquals": { "aws:RequestedRegion": [ "${region}
" ] } } } ] }Add ARNs of models to the
Resource
list. You can restrict the regions that the model is copied to by adding regions to the list in theaws:RequestedRegion
condition key. -
(Optional) If the model to be copied is encrypted with a KMS key, attach a key policy to the KMS key that encrypted the model to allow a role to decrypt it. Specify the account that the model will be shared with in the
Principal
field. -
(Optional) If you plan to encrypt the model copy with a KMS key, attach a key policy to the KMS key that will be used to encrypt the model to allow a role to encrypt the model with the key. Specify the role in the
Principal
field.