Prerequisites - Amazon Bedrock

Prerequisites

Complete the following prerequisites before you invoke your inline agent:

  1. Decide on the foundation model you want to use for your inline agent, the Region where you want to invoke the agent, and an instruction that tells the inline agent what it should do.

  2. Create or prepare one or more of the following Amazon Bedrock agent properties you want to use for your inline agent.

    | Field | Use case |
    |---|---|
    | actionGroups | Provide a list of action groups, with each action group defining the actions that the inline agent can carry out. For example, you can define an action group Appointment that helps users carry out actions such as CreateAppointment, GetAppointment, and CancelAppointment. |
    | guardrailConfiguration | Configure guardrails to block topics, to prevent hallucinations, and to implement safeguards for your application. |
    | knowledgeBases | Associate knowledge bases with your inline agent to augment the responses generated by the model. Knowledge bases can be used not only to answer user queries and analyze documents, but also to augment prompts provided to foundation models by adding context to the prompt. |
    | promptOverrideConfiguration | Configure override prompts in different parts of an agent sequence to enhance your inline agent's accuracy. |
    | customerEncryptionArn | Specify the Amazon Resource Name (ARN) of the AWS KMS key to use to encrypt your inline agent. |

  3. Create an AWS Identity and Access Management (IAM) role and attach the policy mentioned in this step to the role.

    Before you can invoke an inline agent, you must create an IAM role that provides the necessary permissions for using the InvokeInlineAgent API and to access resources like Lambda functions, knowledge bases, and foundation models.

    Create a custom service role for your inline agent by following steps at Creating a role to delegate permissions to an IAM user. After you create the IAM role, attach the following policy to the role.

    Note

    As a security best practice, replace ${region}, ${account-id}, and *.ids with your Region, your account ID, and specific resource IDs after you have created them.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeInlineAgent",
                "Effect": "Allow",
                "Action": "bedrock:InvokeInlineAgent",
                "Resource": "*"
            },
            {
                "Sid": "InvokeFoundationModel",
                "Effect": "Allow",
                "Action": "bedrock:InvokeModel",
                "Resource": "arn:aws:bedrock:${region}::foundation-model/{modelId}"
            },
            {
                "Sid": "S3AccessForKBAndActions",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:GetObjectMetadata"
                ],
                "Resource": "arn:aws:s3:::"
            },
            {
                "Sid": "S3AccessForCodeInterpreter",
                "Effect": "Allow",
                "Action": [
                    "s3:GetObjectVersion",
                    "s3:GetObjectVersionAttributes",
                    "s3:GetObjectAttributes"
                ],
                "Resource": "arn:aws:s3:::bucket/path/to/file"
            },
            {
                "Sid": "KnowledgeBaseAccess",
                "Effect": "Allow",
                "Action": [
                    "bedrock:Retrieve",
                    "bedrock:RetrieveAndGenerate"
                ],
                "Resource": "arn:aws:bedrock:${region}:${account-id}:knowledge-base/knowledge-base-id"
            },
            {
                "Sid": "GuardrailAccess",
                "Effect": "Allow",
                "Action": "bedrock:ApplyGuardrail",
                "Resource": "arn:aws:bedrock:${region}:${account-id}:guardrail/${guardrail-id}"
            },
            {
                "Sid": "LambdaInvoke",
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": "arn:aws:lambda:${region}:${account-id}:function:function-name"
            },
            {
                "Sid": "KMSAccess",
                "Effect": "Allow",
                "Action": [
                    "kms:GenerateDataKey*",
                    "kms:Decrypt"
                ],
                "Resource": "arn:aws:kms:${region}:${account-id}:key/${key-id}"
            }
        ]
    }
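
The note in step 3 asks you to replace the template placeholders with concrete values before relying on the role. The following Python check is an added example, not part of the AWS documentation: it scans a role policy for Allow statements whose Resource is missing or still contains a placeholder, an empty resource part, or a wildcard. The function name audit_policy and the sample Region, account ID, and resource names are assumptions made for illustration.

```python
import json
import re

# Matches template leftovers such as ${region}, ${account-id} or {modelId}.
PLACEHOLDER = re.compile(r"\$?\{[^}]+\}")

def audit_policy(policy_json):
    """Return (Sid, finding) pairs for Allow statements that still need scoping."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append((sid, "no Resource element"))
            continue
        resources = stmt.get("Resource", [])
        for arn in [resources] if isinstance(resources, str) else resources:
            parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
            if PLACEHOLDER.search(arn):
                findings.append((sid, "unreplaced placeholder"))
            elif len(parts) == 6 and parts[5] == "":
                findings.append((sid, "empty resource part"))
            elif "*" in arn:
                findings.append((sid, "wildcard resource"))
    return findings

# Constructed sample: the role policy part-way through being filled in (made-up IDs).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "InvokeFoundationModel", "Effect": "Allow",
         "Action": "bedrock:InvokeModel",
         "Resource": "arn:aws:bedrock:${region}::foundation-model/{modelId}"},
        {"Sid": "S3AccessForKBAndActions", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::"},
        {"Sid": "KnowledgeBaseAccess", "Effect": "Allow",
         "Action": ["bedrock:Retrieve"],
         "Resource": "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/*"},
        {"Sid": "LambdaInvoke", "Effect": "Allow",
         "Action": "lambda:InvokeFunction",
         "Resource": "arn:aws:lambda:us-east-1:111122223333:function:example-fn"},
    ],
})

if __name__ == "__main__":
    for sid, finding in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: {finding}")
```

Each finding is a prompt for review rather than a verdict: a statement that is reported should be checked against the resources the inline agent actually needs.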