Permissions for reranking in Amazon Bedrock

A user requires the following permissions to use reranking:

  • Access to the reranking models that they plan to use. For more information, see Access Amazon Bedrock foundation models.

  • Permissions for their role and, if they plan to use reranking in a Retrieve workflow, permissions for the Amazon Bedrock Knowledge Bases service role that has a trust relationship with their role.

    Tip

    To configure the required permissions quickly, you can do the following:

    Important

    When you use reranking in a Retrieve workflow with an Amazon Bedrock Knowledge Bases service role, note the following:

    • If you manually edit the AWS Identity and Access Management (IAM) policy that Amazon Bedrock created for your knowledge base service role, then you might encounter errors when trying to update the permissions in the AWS Management Console. To resolve this issue, in the IAM console, delete the policy version that you created manually. Then, refresh the reranker page in the Amazon Bedrock console and retry.

    • If you use a custom role, then Amazon Bedrock can't update the knowledge base service role on your behalf. Verify that the permissions are properly configured for the service role.

    For a summary of use cases and the permissions needed for them, refer to the following table:

    Use case                                        | User permissions needed                                                                                                                        | Amazon Bedrock Knowledge Bases service role permissions needed
    ------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------
    Use reranking independently                     | bedrock:Rerank; bedrock:InvokeModel, optionally scoped to the reranking models                                                                  | N/A
    Use reranking in a Retrieve workflow            | bedrock:Retrieve                                                                                                                               | bedrock:Rerank; bedrock:InvokeModel, optionally scoped to the reranking models
    Use reranking in a RetrieveAndGenerate workflow | bedrock:RetrieveAndGenerate; bedrock:Rerank; bedrock:InvokeModel, optionally scoped to the reranking models and to the models used for generating responses | N/A

For example permissions policies that you can attach to an IAM role, expand the section that corresponds to your use case:

To use Rerank directly with a list of sources, the user role needs permissions to use both the bedrock:Rerank and bedrock:InvokeModel actions. Similarly, to prevent usage of a reranking model, you must deny permissions for both actions. To allow the user role to use a reranking model independently, you can attach the following policy to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RerankSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:Rerank"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InvokeModelSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:${Partition}:bedrock:${Region}::foundation-model/${Rerank-model-id}"
      ]
    }
  ]
}

In the preceding policy, for the bedrock:InvokeModel action, you scope the permissions to the models that you want to allow the role to use for reranking. To allow access to all models, use a wildcard (*) in the Resource field.

To use reranking while retrieving data from a knowledge base, you must set up the following permissions:

For the user role

The user role needs permissions to use the bedrock:Retrieve action. To allow the user role to retrieve data from a knowledge base, you can attach the following policy to the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RetrieveSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:Retrieve"
      ],
      "Resource": [
        "arn:${Partition}:bedrock:${Region}:${AccountId}:knowledge-base/${KnowledgeBaseId}"
      ]
    }
  ]
}

In the preceding policy, for the bedrock:Retrieve action, you scope the permissions to the knowledge bases from which you want to allow the role to retrieve information. To allow access to all knowledge bases, you can use a wildcard (*) in the Resource field.

For the service role

The Amazon Bedrock Knowledge Bases service role that the user uses needs permissions to use the bedrock:Rerank and bedrock:InvokeModel actions. When you choose a reranking model while configuring knowledge base retrieval in the Amazon Bedrock console, the console can configure the permissions for your service role automatically. Otherwise, to allow the service role to rerank sources during retrieval, you can attach the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RerankSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:Rerank"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InvokeModelSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": "arn:${Partition}:bedrock:${Region}::foundation-model/${Rerank-model-id}"
    }
  ]
}

In the preceding policy, for the bedrock:InvokeModel action, you scope the permissions to the models that you want to allow the role to use for reranking. To allow access to all models, you can use a wildcard (*) in the Resource field.

To use a reranker model when retrieving data from a knowledge base and subsequently generating responses based on the retrieved results, the user role needs permissions to use the bedrock:RetrieveAndGenerate, bedrock:Rerank, and bedrock:InvokeModel actions. To allow reranking of sources during retrieval, and to allow generation of responses based on the results, you can attach the following policy to the user role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RerankRetrieveAndGenerateSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:Rerank",
        "bedrock:RetrieveAndGenerate"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InvokeModelSid",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:${Partition}:bedrock:${Region}::foundation-model/${Rerank-model-id}",
        "arn:${Partition}:bedrock:${Region}::foundation-model/${Generation-model-id}"
      ]
    }
  ]
}

In the preceding policy, for the bedrock:InvokeModel operation, you scope the permissions to the models that you want to allow the role to use for reranking, and to the models that you want to allow the role to use for generating responses. To allow access to all models, you can use a wildcard (*) in the Resource field.
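The following added example (not part of the Amazon Bedrock documentation) encodes the use-case table above as required (action, resource) pairs and runs a simplified IAM evaluation over a user policy and a service role policy, reporting which grants are missing; it also shows that an explicit Deny on only one of the two actions leaves the other still allowed. The model and knowledge base ARNs are constructed placeholders, and Condition, NotAction and NotResource are not modelled.

```python
import fnmatch
import json

# Constructed placeholder ARNs (not real identifiers).
MODEL_ARN = "arn:aws:bedrock:us-west-2::foundation-model/EXAMPLE-rerank-model"
KB_ARN = "arn:aws:bedrock:us-west-2:111122223333:knowledge-base/EXAMPLEKBID"

# (action, resource) pairs each principal needs, per the table on this page;
# "*" is used where the page's example policies leave the resource unscoped.
REQUIRED = {
    "independent": {"user": [("bedrock:Rerank", "*"), ("bedrock:InvokeModel", MODEL_ARN)],
                    "service": []},
    "retrieve": {"user": [("bedrock:Retrieve", KB_ARN)],
                 "service": [("bedrock:Rerank", "*"), ("bedrock:InvokeModel", MODEL_ARN)]},
    "retrieve_and_generate": {"user": [("bedrock:RetrieveAndGenerate", "*"), ("bedrock:Rerank", "*"),
                                       ("bedrock:InvokeModel", MODEL_ARN)], "service": []},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow
    grants. Wildcards use fnmatch (IAM's * and ?); Condition, NotAction and
    NotResource are deliberately not modelled, so treat a "yes" as necessary, not sufficient."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def missing_grants(use_case, user_policy, service_policy=None):
    """List the (principal, action, resource) tuples that the policies fail to allow."""
    policies = {"user": user_policy, "service": service_policy or {}}
    return [(who, act, res) for who, pairs in REQUIRED[use_case].items()
            for act, res in pairs if not is_allowed(policies[who], act, res)]

# The page's "use reranking independently" policy with the placeholders filled in.
USER_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "RerankSid", "Effect": "Allow", "Action": ["bedrock:Rerank"], "Resource": "*"},
  {"Sid": "InvokeModelSid", "Effect": "Allow", "Action": ["bedrock:InvokeModel"],
   "Resource": ["%s"]}]}''' % MODEL_ARN)

if __name__ == "__main__":
    print(missing_grants("independent", USER_POLICY))  # → []
```

Running the same user policy against the "retrieve" use case lists the bedrock:Retrieve grant the user role lacks and the two grants the service role still needs.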

To further restrict permissions, you can omit actions, or you can specify resources and condition keys by which to filter permissions. For more information about actions, resources, and condition keys, see the following topics in the Service Authorization Reference: