For a role to use prompt management, you need to allow it to perform a certain set of API actions. Review the following prerequisites and fulfill the ones that apply to your use case:
-
If your role has the AmazonBedrockFullAccess AWS managed policy attached, you can skip this section. Otherwise, follow the steps at Update the permissions policy for a role and attach the following policy to a role to provide permissions to perform actions related to Prompt management:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PromptManagementPermissions", "Effect": "Allow", "Action": [ "bedrock:CreatePrompt", "bedrock:UpdatePrompt", "bedrock:GetPrompt", "bedrock:ListPrompts", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:OptimizePrompt", "bedrock:GetFoundationModel", "bedrock:ListFoundationModels", "bedrock:GetInferenceProfile", "bedrock:ListInferenceProfiles", "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream", "bedrock:RenderPrompt", "bedrock:TagResource", "bedrock:UntagResource", "bedrock:ListTagsForResource" ], "Resource": * } ] }To further restrict permissions, you can omit actions, or you can specify resources and condition keys by which to filter permissions. For more information about actions, resources, and condition keys, see the following topics in the Service Authorization Reference:
-
Actions defined by Amazon Bedrock – Learn about actions, the resource types that you can scope them to in the
Resourcefield, and the condition keys that you can filter permissions on in theConditionfield. -
Resource types defined by Amazon Bedrock – Learn about the resource types in Amazon Bedrock.
-
Condition keys for Amazon Bedrock – Learn about the condition keys in Amazon Bedrock.
Note
-
If you plan to deploy your prompt using the Converse API, see Prerequisites for running model inference to learn about the permissions that you must set up to invoke a prompt.
-
If you plan to use a flow in Amazon Bedrock Flows to deploy your prompt, see Prerequisites for Amazon Bedrock Flows to learn about the permissions that you must set up to create a flow.
-
-
If you plan to encrypt your prompt with a customer managed key rather than using an AWS managed key (for more information, see AWS KMS keys), create the following policies:
-
Follow the steps at Creating a key policy and attach the following key policy to a KMS key to allow Amazon Bedrock encrypt and decrypt a prompt with the key, replacing the
valuesas necessary. The policy contains optional condition keys (see Condition keys for Amazon Bedrock and AWS global condition context keys) in theConditionfield that we recommend you use as a security best practice.{ "Sid": "EncryptFlowKMS", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "kms:EncryptionContext:aws:bedrock-prompts:arn": "arn:${partition}:bedrock:${region}:${account-id}:prompt/${prompt-id}" } } } -
Follow the steps at Update the permissions policy for a role and attach the following policy to the prompt management role, replacing the
valuesas necessary, to allow it to generate and decrypt the customer managed key for a prompt. The policy contains optional condition keys (see Condition keys for Amazon Bedrock and AWS global condition context keys) in theConditionfield that we recommend you use as a security best practice.{ "Sid": "KMSPermissions", "Effect": "Allow", "Action": [ "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": [ "arn:aws:kms:${region}:${account-id}:key/${key-id}" ], "Condition": { "StringEquals": { "aws:ResourceAccount": "${account-id}" } } }
-
