Fulfill prerequisites to copy models

To allow a role to copy a model, you might have to set up permissions, depending on the role's permissions and the model's configuration. Review the permissions in the following list and the circumstances in which you must configure them:

If your role doesn't have the AmazonBedrockFullAccess policy attached, attach the following identity-based policy to the role to allow the minimal permissions to copy models and to track copy jobs.


{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CopyModels",
            "Effect": "Allow",
            "Action": [
                "bedrock:CreateModelCopyJob",
                "bedrock:GetModelCopyJob",
                "bedrock:ListModelCopyJobs"
            ],
            "Resource": [
                "${model-arn}"
            ],
            "Condition": {
               "StringEquals": {
                   "aws:RequestedRegion": [
                        "${region}"
                   ]
               }
            }
        }
    ]
}

Add ARNs of models to the Resource list. You can restrict the regions that the model is copied to by adding regions to the list in the aws:RequestedRegion condition key.

(Optional) If the model to be copied is encrypted with a KMS key, attach a key policy to the KMS key that encrypted the model to allow a role to decrypt it. Specify the account that the model will be shared with in the Principal field.
(Optional) If you plan to encrypt the model copy with a KMS key, attach a key policy to the KMS key that will be used to encrypt the model to allow a role to encrypt the model with the key. Specify the role in the Principal field.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Supported regions and models

Copy a model to a region