For a role to run model inference, you need to allow it to perform the model invocation API actions. If your role has the AmazonBedrockFullAccess AWS managed policy attached, you can skip this section. Otherwise, attach the following permissions to the role to allow it to use the InvokeModel, InvokeModelWithResponseStream, Converse, and ConverseStream actions with all supported resources in Amazon Bedrock:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ModelInvocationPermissions",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream",
                "bedrock:GetInferenceProfile",
                "bedrock:ListInferenceProfiles",
                "bedrock:RenderPrompt",
                "bedrock:GetCustomModel",
                "bedrock:ListCustomModels",
                "bedrock:GetImportedModel",
                "bedrock:ListImportedModels",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:ListProvisionedModelThroughputs",
                "bedrock:GetGuardrail",
                "bedrock:ListGuardrails",
                "bedrock:ApplyGuardrail"
            ],
            "Resource": "*"
        }
    ]
}
To further restrict permissions, you can omit actions, or you can specify resources and condition keys by which to filter permissions. For more information about actions, resources, and condition keys, see the following topics in the Service Authorization Reference:
- Actions defined by Amazon Bedrock – Learn about actions, the resource types that you can scope them to in the Resource field, and the condition keys that you can filter permissions on in the Condition field.
- Resource types defined by Amazon Bedrock – Learn about the resource types in Amazon Bedrock.
- Condition keys for Amazon Bedrock – Learn about the condition keys in Amazon Bedrock.
The following list summarizes whether you need an action, depending on your use case:
- bedrock:InvokeModel – Required to carry out model invocation. Allows the role to call the InvokeModel and Converse API operations.
- bedrock:InvokeModelWithResponseStream – Required to carry out model invocation and return streaming responses. Allows the role to call the InvokeModelWithResponseStream and ConverseStream API operations.
- The following actions allow a role to run inference with Amazon Bedrock resources other than foundation models:
  - bedrock:GetInferenceProfile – Required to run inference with an inference profile.
  - bedrock:RenderPrompt – Required to invoke a prompt from Prompt management.
  - bedrock:GetCustomModel – Required to run inference with a custom model.
  - bedrock:GetImportedModel – Required to run inference with an imported model.
  - bedrock:GetProvisionedModelThroughput – Required to run inference with a Provisioned Throughput.
- The following actions allow a role to see Amazon Bedrock resources other than foundation models in the Amazon Bedrock console and to select them:
  - bedrock:ListInferenceProfiles – Required to choose an inference profile in the Amazon Bedrock console.
  - bedrock:ListCustomModels – Required to choose a custom model in the Amazon Bedrock console.
  - bedrock:ListImportedModels – Required to choose an imported model in the Amazon Bedrock console.
  - bedrock:ListProvisionedModelThroughputs – Required to choose a Provisioned Throughput in the Amazon Bedrock console.
- The following actions allow a role to access and apply guardrails from Amazon Bedrock Guardrails during model invocation:
  - bedrock:GetGuardrail – Required to use a guardrail during model invocation.
  - bedrock:ApplyGuardrail – Required to apply a guardrail during model invocation.
  - bedrock:ListGuardrails – Required to choose a guardrail in the Amazon Bedrock console.
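Before omitting actions or scoping resources, it helps to see which of the use cases above a role's policy actually grants and which grants still use "Resource": "*". The following audit script is an added example, not part of the original documentation; the function names, the sample policy, the account ID and the guardrail ID are constructed for illustration.

```python
import fnmatch

# Action -> use case, copied from the list on this page (console-only List* omitted).
USE_CASES = {
    "bedrock:InvokeModel": "invoke models (InvokeModel, Converse)",
    "bedrock:InvokeModelWithResponseStream": "invoke with streaming responses",
    "bedrock:GetInferenceProfile": "inference with an inference profile",
    "bedrock:RenderPrompt": "invoke a prompt from Prompt management",
    "bedrock:GetCustomModel": "inference with a custom model",
    "bedrock:GetImportedModel": "inference with an imported model",
    "bedrock:GetProvisionedModelThroughput": "inference with a Provisioned Throughput",
    "bedrock:GetGuardrail": "use a guardrail during invocation",
    "bedrock:ApplyGuardrail": "apply a guardrail during invocation",
}

# Constructed sample policy; the account ID and guardrail ID are placeholders.
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "bedrock:Invoke*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["bedrock:GetGuardrail"],
         "Resource": "arn:aws:bedrock:us-east-1:111122223333:guardrail/EXAMPLEID"},
    ],
}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Map each allowed invocation action to its use case and resources.

    Only Allow statements with an Action element are read; Deny statements,
    NotAction, NotResource and Condition are not evaluated.
    """
    findings = {}
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        patterns = [p.lower() for p in as_list(stmt["Action"])]
        resources = as_list(stmt.get("Resource", []))
        for action, use_case in USE_CASES.items():
            # IAM action names are case-insensitive and may contain * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                entry = findings.setdefault(
                    action, {"use_case": use_case, "resources": [], "unscoped": False})
                entry["resources"].extend(resources)
                entry["unscoped"] = entry["unscoped"] or "*" in resources
    return findings
```

For the sample policy, audit(SAMPLE) reports both invocation actions as unscoped because of the bedrock:Invoke* wildcard on "*", while bedrock:GetGuardrail is limited to one guardrail ARN.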