
Configuring resource-based policies for OpenSearch Managed clusters


When creating your knowledge base, you can either create your own custom role or let Amazon Bedrock create one for you. How you configure the permissions depends on whether you're creating a new role or using an existing role. If you already have an existing IAM role, you must ensure that your domain's access policy does not prevent the roles in your account from performing the necessary OpenSearch API actions.

If you choose to let Amazon Bedrock Knowledge Bases create the IAM role for you, you must ensure that your domain's access policy grants the roles in your account permission to perform the required OpenSearch API actions. If your domain has a restrictive access policy, it can prevent your role from performing these actions. The following shows an example of a restrictive resource-based policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::<accountId>:root"
      },
      "Action": "*",
      "Resource": "arn:<partition>:es:<region>:<accountId>:domain/<domainName>"
    }
  ]
}

In this case, you can either:

  • Create your knowledge base using an existing IAM role, and have your OpenSearch domain's access policy grant that role access to perform the necessary operations.

  • Alternatively, let Amazon Bedrock create a new role for you. In this case, you must ensure that the domain's access policy grants the roles in your account permission to perform the necessary OpenSearch API actions.

The following sections show a sample IAM policy that grants the necessary permissions and how you can update the domain's access policy so that it grants permissions to perform the necessary OpenSearch API operations.

Sample IAM identity-based and resource-based policies

This section provides a sample identity-based policy and a sample resource-based policy that you can configure for your OpenSearch domain when integrating with Amazon Bedrock Knowledge Bases. You must grant Amazon Bedrock permissions to perform the following actions on the index that you provide to your knowledge base.

Action: es:ESHttpPost
  Resource: arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>
  Description: For inserting information into the index.

Action: es:ESHttpGet
  Resources:
    • arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>/*
    • arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>
  Description: For searching information in the index. This action is configured at both the domain/index level and the domain/index/* level. At the domain/index level, it can get high-level details about the index, such as the engine type. To retrieve details stored within the index, permissions are required at the domain/index/* level.

Action: es:ESHttpHead
  Resources:
    • arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>/*
    • arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>
  Description: For getting information from the index. This action is configured at both the domain/index level and the domain/index/* level, in case information needs to be obtained at a higher level, such as whether a particular index exists.

Action: es:ESHttpDelete
  Resource: arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>
  Description: For deleting information from the index.

Action: es:DescribeDomain
  Resource: arn:<partition>:es:<region>:<accountId>:domain/<domainName>
  Description: For performing validations on the domain, such as checking the engine version used.
Sample identity-based policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenSearchIndexAccess",
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpPut",
        "es:ESHttpDelete"
      ],
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>/*"
      ]
    },
    {
      "Sid": "OpenSearchIndexGetAccess",
      "Effect": "Allow",
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpHead"
      ],
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>"
      ]
    },
    {
      "Sid": "OpenSearchDomainValidation",
      "Effect": "Allow",
      "Action": [
        "es:DescribeDomain"
      ],
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>"
      ]
    }
  ]
}

Sample resource-based policy

Note

Make sure that the service role has been created before you reference it in the resource-based policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:<partition>:iam::<accountId>:role/service-role/<KnowledgeBaseServiceRoleName>"
        ]
      },
      "Action": [
        "es:ESHttpGet",
        "es:ESHttpPost",
        "es:ESHttpHead",
        "es:ESHttpDelete"
      ],
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>/*"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:<partition>:iam::<accountId>:(role|service-role)/<KnowledgeBaseServiceRoleName>"
        ]
      },
      "Action": "es:ESHttpGet",
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:<partition>:iam::<accountId>:(role|service-role)/<KnowledgeBaseServiceRoleName>"
        ]
      },
      "Action": "es:DescribeDomain",
      "Resource": [
        "arn:<partition>:es:<region>:<accountId>:domain/<domainName>"
      ]
    }
  ]
}
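The following is an added example, not AWS code or part of this page: an offline check that evaluates a domain access policy (the JSON from the Security configuration tab, loaded with json.loads) against the action/resource pairs the sample resource-based policy above grants, so you can see before creating the knowledge base whether a restrictive policy like the Deny example blocks the service role. The account ID, domain name, index name and role name are constructed placeholders; the evaluator implements only Effect/Principal/Action/Resource with IAM-style wildcards and Deny-overrides-Allow, and ignores Condition, NotAction and NotPrincipal.

```python
from fnmatch import fnmatchcase

# Constructed placeholder values; not real AWS resources.
DOMAIN_ARN = "arn:aws:es:us-east-1:123456789012:domain/kb-domain"
ROLE_ARN = "arn:aws:iam::123456789012:role/service-role/AmazonBedrockKBRole"

# Shape of the restrictive policy shown above: an explicit Deny on the account root.
RESTRICTIVE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "*", "Resource": DOMAIN_ARN}]}

# Shape of the sample resource-based policy above, filled with the placeholder values.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]},
     "Action": ["es:ESHttpGet", "es:ESHttpPost", "es:ESHttpHead", "es:ESHttpDelete"],
     "Resource": [f"{DOMAIN_ARN}/kb-index/*"]},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Action": "es:ESHttpGet",
     "Resource": [f"{DOMAIN_ARN}/kb-index"]},
    {"Effect": "Allow", "Principal": {"AWS": [ROLE_ARN]}, "Action": "es:DescribeDomain",
     "Resource": [DOMAIN_ARN]}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _covers(stmt, role_arn, action, resource):
    """True if the statement applies to (role, action, resource); '*' or the account root as Principal covers every role of that account."""
    principal = stmt.get("Principal", {})
    root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return (any(p in ("*", role_arn, root) for p in names)
            and any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def required_grants(domain_arn, index_name):
    """The (action, resource) pairs the sample resource-based policy grants."""
    index = f"{domain_arn}/{index_name}"
    http = ("es:ESHttpGet", "es:ESHttpPost", "es:ESHttpHead", "es:ESHttpDelete")
    return [(a, f"{index}/*") for a in http] + [("es:ESHttpGet", index), ("es:DescribeDomain", domain_arn)]

def check_access_policy(policy, role_arn, domain_arn, index_name):
    """Return the required grants the policy does not allow (empty list means the role is covered); an explicit Deny wins over Allow as in IAM."""
    problems = []
    for action, resource in required_grants(domain_arn, index_name):
        effects = {s["Effect"] for s in _as_list(policy["Statement"])
                   if _covers(s, role_arn, action, resource)}
        if "Deny" in effects:
            problems.append(f"{action} on {resource}: explicitly denied")
        elif "Allow" not in effects:
            problems.append(f"{action} on {resource}: no Allow statement")
    return problems
```

Running the check against the restrictive policy reports every grant as missing or denied, while the fixed policy returns an empty list; a policy that only allows domain/<domainName>/* still fails, because es:DescribeDomain needs the bare domain ARN.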


Creating the Amazon Bedrock Knowledge Bases service role

When you create the knowledge base, you can choose the option to create and use a new service role. This section walks you through creating the Amazon Bedrock Knowledge Bases service role. Mapping the resource-based policy and the fine-grained access policies to this role grants Amazon Bedrock the permissions to make requests to the OpenSearch domain.

To specify the Amazon Bedrock Knowledge Bases service role:
  1. In the Amazon Bedrock console, go to Knowledge Bases.

  2. Choose Create and then choose Knowledge base with vector store.

  3. Choose Create and use a new service role. You can either use the default, or provide a custom role name, and Amazon Bedrock will automatically create the Knowledge Base service role for you.

  4. Continue going through the console to configure your data source and parsing and chunking strategies.

  5. Choose an Embeddings model and then, under Choose an existing vector store, choose Amazon OpenSearch Managed Cluster.

Important

Before you proceed to create the knowledge base, complete the following steps to configure the resource-based policies and fine-grained access policies. For detailed steps on creating the knowledge base, see Create a knowledge base by connecting to a data source in Amazon Bedrock Knowledge Bases.

Updating the resource-based policies

If your OpenSearch domain has a restrictive access policy, you can follow the instructions on this page to update the resource-based policy. These permissions allow Knowledge Bases to make use of the index that you provide, and to retrieve the OpenSearch domain definition to perform the required validation on the domain.

To configure the resource-based policies from the AWS Management Console
  1. Go to the Amazon OpenSearch Service console.

  2. Go to the domain that you created, and then go to Security configuration, where the resource-based policy is configured.

  3. Edit the policy in the JSON tab and then update the policy similar to the Sample resource-based policy.

  4. You can now go back to the Amazon Bedrock console and provide the details for your OpenSearch domain and index as described in Knowledge base setup for Managed Clusters.
