Prerequisites for Amazon Bedrock Flows
Before creating a flow, review the following prerequisites and determine which ones you need to fulfill:
- Define or create resources for one or more nodes you plan to add to your flow:
  - For a prompt node – Create a prompt by using Prompt management. For more information, see Construct and store reusable prompts with Prompt management in Amazon Bedrock. If you plan to define prompts inline when creating the node in the flow, you don't have to create a prompt in Prompt management.
  - For a knowledge base node – Create a knowledge base that you plan to use in the flow. For more information, see Retrieve data and generate AI responses with Amazon Bedrock Knowledge Bases.
  - For an agent node – Create an agent that you plan to use in the flow. For more information, see Automate tasks in your application using AI agents.
  - For an S3 storage node – Create an S3 bucket to store an output from a node in the flow.
  - For an S3 retrieval node – Create an S3 object in a bucket from which to retrieve data for the flow. The S3 object must be a UTF-8 encoded string.
  - For a Lambda node – Define an AWS Lambda function for the business logic you plan to implement in the flow. For more information, see the AWS Lambda Developer Guide.
  - For an Amazon Lex node – Create an Amazon Lex bot to identify intents. For more information, see the Amazon Lex Developer Guide.
- To use flows, you must have two different roles:
  - User role – The IAM role that you use to log in to the AWS Management Console or to make API calls must have permissions to carry out flows-related actions.

    If your role has the AmazonBedrockFullAccess policy attached, you don't need to configure additional permissions for this role. To restrict a role's permissions to only actions that are used for flows, attach the following identity-based policy to the IAM role:

    ```json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FlowPermissions",
                "Effect": "Allow",
                "Action": [
                    "bedrock:CreateFlow",
                    "bedrock:UpdateFlow",
                    "bedrock:GetFlow",
                    "bedrock:ListFlows",
                    "bedrock:DeleteFlow",
                    "bedrock:ValidateFlowDefinition",
                    "bedrock:CreateFlowVersion",
                    "bedrock:GetFlowVersion",
                    "bedrock:ListFlowVersions",
                    "bedrock:DeleteFlowVersion",
                    "bedrock:CreateFlowAlias",
                    "bedrock:UpdateFlowAlias",
                    "bedrock:GetFlowAlias",
                    "bedrock:ListFlowAliases",
                    "bedrock:DeleteFlowAlias",
                    "bedrock:InvokeFlow",
                    "bedrock:TagResource",
                    "bedrock:UntagResource",
                    "bedrock:ListTagsForResource"
                ],
                "Resource": "*"
            }
        ]
    }
    ```

    You can further restrict permissions by omitting actions or specifying resources and condition keys. An IAM identity can call API operations on specific resources. If you specify an API operation that can't be used on the resource specified in the policy, Amazon Bedrock returns an error.
  - Service role – A role that allows Amazon Bedrock to perform actions on your behalf. You must specify this role when creating or updating a flow. You can create a custom AWS Identity and Access Management service role.

    Note: If you plan to use the Amazon Bedrock console to automatically create a role when you create a flow, you don't need to manually set up this role.
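The user-role guidance above says the flows policy can be narrowed by omitting actions and specifying resources. The following Python sketch is an added example, not part of the original documentation: it flags statements that still apply to every resource and derives an invoke-only policy from the page's action list. The flow ARN, the helper names, and the choice of which actions an invoking role keeps are assumptions; confirm which resource types each action accepts before attaching the result.

```python
import json

# The page's FlowPermissions statement: 19 actions allowed on Resource "*".
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "FlowPermissions", "Effect": "Allow", "Resource": "*",
        "Action": ["bedrock:" + name for name in (
            "CreateFlow UpdateFlow GetFlow ListFlows DeleteFlow "
            "ValidateFlowDefinition CreateFlowVersion GetFlowVersion "
            "ListFlowVersions DeleteFlowVersion CreateFlowAlias "
            "UpdateFlowAlias GetFlowAlias ListFlowAliases DeleteFlowAlias "
            "InvokeFlow TagResource UntagResource ListTagsForResource"
        ).split()],
    }],
}

# Constructed placeholder ARN (assumption): use your own Region, account and flow ID.
FLOW_ARN = "arn:aws:bedrock:us-east-1:111122223333:flow/FLOWID1234"

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def broad_statements(policy):
    """Sids of Allow statements that cover Resource "*" with no Condition."""
    return [st.get("Sid", "<no Sid>") for st in policy["Statement"]
            if st.get("Effect") == "Allow" and "*" in as_list(st.get("Resource", []))
            and "Condition" not in st]

def restrict(policy, keep, resources):
    """Copy the policy, keeping only actions in `keep`, pinned to `resources`."""
    out = {"Version": policy["Version"], "Statement": []}
    for st in policy["Statement"]:
        kept = [a for a in as_list(st["Action"]) if a in keep]
        if kept:
            out["Statement"].append({**st, "Action": kept, "Resource": list(resources)})
    return out

# Hypothetical invoke-only role for one flow and its aliases. The action set and
# the pairing of actions with flow / alias ARNs are assumptions to verify.
INVOKER_POLICY = restrict(
    PAGE_POLICY,
    keep={"bedrock:GetFlow", "bedrock:GetFlowAlias", "bedrock:InvokeFlow"},
    resources=[FLOW_ARN, FLOW_ARN + "/alias/*"],
)

if __name__ == "__main__":
    print("Unscoped statements:", broad_statements(PAGE_POLICY))
    print(json.dumps(INVOKER_POLICY, indent=2))
```
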