Service roles - Amazon Bedrock

Service roles

For some features, Amazon Bedrock uses IAM service roles so that it can carry out tasks on your behalf.

The console automatically creates service roles for supported features.

You can also create a custom service role and tailor the attached permissions to your specific use case. If you use the console, you can select this role instead of letting Amazon Bedrock create one for you.

To set up the custom service role, you carry out the following general steps.

  1. Create the role by following the steps at Creating a role to delegate permissions to an AWS service.

  2. Attach a trust policy.

  3. Attach the relevant identity-based permissions.

Important

When setting the iam:PassRole permission, make sure that a user can't pass a role where the role has more permissions than you want the user to have. For example, Alice might not be allowed to perform bedrock:InvokeModel on a custom model. If Alice can pass a role to Amazon Bedrock to create an evaluation of that custom model, the service could invoke that model on behalf of Alice while running the job.
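As an added example (not code from the Amazon Bedrock documentation), the following Python builds a trust policy for step 2 and a least-privilege iam:PassRole statement for step 3, and includes a check that flags PassRole grants broad enough to cause the problem described in the note above. The account ID, role ARN, and the aws:SourceAccount / aws:SourceArn scoping are assumptions; bedrock.amazonaws.com is the Bedrock service principal.

```python
BEDROCK_SERVICE = "bedrock.amazonaws.com"

def bedrock_trust_policy(account_id: str) -> dict:
    """Trust policy letting Amazon Bedrock assume the role, scoped to one account
    so that Bedrock jobs started from another account cannot use it (assumed scoping)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": BEDROCK_SERVICE},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock:*:{account_id}:*"},
            },
        }],
    }

def scoped_pass_role_policy(role_arn: str) -> dict:
    """Identity policy for a user: may pass exactly this role, and only to Bedrock."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": BEDROCK_SERVICE}},
        }],
    }

def pass_role_findings(policy: dict) -> list:
    """Flag Allow statements that let a user hand any role to any service."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on Resource '*'")
        cond = stmt.get("Condition", {})
        if not any("iam:PassedToService" in v for v in cond.values()):
            findings.append(f"statement {i}: no iam:PassedToService condition")
    return findings
```

Run `pass_role_findings` over the identity policies attached to users who create Bedrock jobs; an empty list means every PassRole grant names a specific role and is pinned to the Bedrock service.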

Refer to the following links for more information about IAM concepts that are relevant to setting service role permissions.

Select a topic to learn more about service roles for a specific feature.