Identity-based policy examples for Provisioned Throughput - Amazon Bedrock

Select a topic to see example IAM policies that you can attach to an IAM role to provision permissions for actions related to Provisioned Throughput for Amazon Bedrock.

Required permissions for Provisioned Throughput

For an IAM identity to use Provisioned Throughput, you must configure it with the necessary permissions. You can attach the AmazonBedrockFullAccess policy to grant the proper permissions to the role.

To restrict permissions to only actions that are used in Provisioned Throughput, attach the following identity-based policy to an IAM role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProvisionedThroughputPermissions",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetFoundationModel",
                "bedrock:ListFoundationModels",
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream",
                "bedrock:ListTagsForResource",
                "bedrock:UntagResource",
                "bedrock:TagResource",
                "bedrock:CreateProvisionedModelThroughput",
                "bedrock:GetProvisionedModelThroughput",
                "bedrock:ListProvisionedModelThroughputs",
                "bedrock:UpdateProvisionedModelThroughput",
                "bedrock:DeleteProvisionedModelThroughput"
            ],
            "Resource": "*"
        }
    ]
}

You can further restrict permissions by omitting actions or specifying resources and condition keys. An IAM identity can call API operations on specific resources. For example, the CreateProvisionedModelThroughput operation can only be used on custom model and foundation model resources and the DeleteProvisionedModelThroughput operation can only be used on provisioned model resources. For API operations that aren't used on a specific resource type (such as ListProvisionedModelThroughputs), specify * as the Resource. If you specify an API operation that can't be used on the resource specified in the policy, Amazon Bedrock returns an error.
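The resource-type rules in the paragraph above can be checked before a policy is attached. The following is an added example, not part of the original documentation: a small Python linter whose table covers only the three operations named above, and which assumes the standard ARN layout with the resource type in the last field. The sample policy, region, and model IDs are constructed.

```python
# Resource types per operation, exactly as stated in the paragraph above.
ALLOWED_TYPES = {
    "bedrock:CreateProvisionedModelThroughput": {"custom-model", "foundation-model"},
    "bedrock:DeleteProvisionedModelThroughput": {"provisioned-model"},
    "bedrock:ListProvisionedModelThroughputs": {"*"},  # not resource-specific
}

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_type(arn):
    """Return the type segment of a Bedrock ARN, "*" for a bare wildcard."""
    if arn == "*":
        return "*"
    # Assumed layout: arn:partition:bedrock:region:account:type/id
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "bedrock":
        return "unknown"
    return parts[5].split("/", 1)[0]

def lint(policy):
    findings = []  # (action, resource, finding) tuples
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            allowed = ALLOWED_TYPES.get(action)
            if allowed is None:
                continue  # operation not covered by the table
            for res in as_list(stmt.get("Resource", [])):
                rtype = resource_type(res)
                if rtype == "*" and "*" not in allowed:
                    findings.append((action, res, "unscoped-wildcard"))
                elif rtype != "*" and rtype not in allowed:
                    findings.append((action, res, "wrong-resource-type"))
    return findings

# Constructed sample policy (region, model ID and provisioned model ID are made up).
FM = "arn:aws:bedrock:us-east-1::foundation-model/example-model-id"
PM = "arn:aws:bedrock:us-east-1:111122223333:provisioned-model/exampleid1234"
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:CreateProvisionedModelThroughput",
     "Resource": [FM, PM]},
    {"Effect": "Allow", "Resource": "*", "Action": [
        "bedrock:DeleteProvisionedModelThroughput",
        "bedrock:ListProvisionedModelThroughputs"]},
]}

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

A "wrong-resource-type" finding marks a statement that pairs an operation with a resource it can't be used on; an "unscoped-wildcard" finding marks an operation that could be narrowed to specific resources.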

Allow users to invoke a provisioned model

The following is a sample policy that you can attach to an IAM role to allow it to use a provisioned model in model inference. For example, you could attach this policy to a role that should have permissions only to use a provisioned model. The role won't be able to manage or see information about the Provisioned Throughput.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "UseProvisionedThroughputForModelInference",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "arn:aws:bedrock:aws-region:111122223333:provisioned-model/${my-provisioned-model}"
        }
    ]
}