# Share a model for another account to use
<a name="share-model"></a>

By default, models are only available in the Region and account in which they were created. Amazon Bedrock provides you the ability to share custom models with other accounts so that they can use them. The general process to share a model with another account is as follows:

1. Sign up for an AWS Organizations account, create an organization, and add the account that will share the model and the account that will receive the model to the organization.

1. Set up IAM permissions for the following:
   + The account that will share the model.
   + The model that will be shared.

1. Share the model with the help of AWS Resource Access Manager.

1. The recipient account copies the model to the Region in which they want to use it.

**Topics**
+ [Supported Regions and models for model sharing](share-model-support.md)
+ [Fulfill prerequisites to share models](share-model-prereq.md)
+ [Share a model with another account](share-model-share.md)
+ [View information about shared models](share-model-view.md)
+ [Update access to a shared model](share-model-edit.md)
+ [Revoke access to a shared model](share-model-revoke.md)

# Supported Regions and models for model sharing
<a name="share-model-support"></a>

The following list provides links to general information about Regional and model support in Amazon Bedrock:
+ For a list of Region codes and endpoints supported in Amazon Bedrock, see [Amazon Bedrock endpoints and quotas](https://docs.aws.amazon.com/general/latest/gr/bedrock.html#bedrock_region).
+ For a list of Amazon Bedrock model IDs to use when calling Amazon Bedrock API operations, see [Supported foundation models in Amazon Bedrock](models-supported.md).

The following table shows the models that you can share and the Regions from which you can share:


| Provider | Model | Model ID | Single-region model support | 
| --- | --- | --- | --- | 
| Amazon | Titan Multimodal Embeddings G1 | amazon.titan-embed-image-v1 |  ap-south-1 ap-southeast-2 eu-west-1 eu-west-3 us-east-1 us-west-2  | 
| Anthropic | Claude 3 Haiku | anthropic.claude-3-haiku-20240307-v1:0 |  ap-south-1 ap-southeast-2 eu-west-1 eu-west-2 us-east-1 us-west-2  | 

**Note**  
Custom Amazon Titan Text Premier models aren't shareable because they can't be [copied to a Region](copy-model.md).

# Fulfill prerequisites to share models
<a name="share-model-prereq"></a>

Amazon Bedrock interfaces with the [AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/) and [AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/) services to allow the sharing of models. Before you can share a model with another account, you must fulfill the following prerequisites:

## Create an organization with AWS Organizations and add the model sharer and recipient
<a name="share-model-prereq-orgs"></a>

For an account to share a model with another account, the two accounts must be part of the same organization in AWS Organizations and resource sharing in AWS RAM must be enabled for the organization. To set up an organization and invite accounts to it, do the following:

1. Enable resource sharing through AWS RAM in AWS Organizations by following the steps at [Enable resource sharing within AWS Organizations](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-sharing.html#getting-started-sharing-orgs) in the AWS RAM User Guide.

1. Create an organization in AWS Organizations by following the steps at [Creating an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_org_create.html) in the AWS Organizations User Guide.

1. Invite the account that you want to share the model with by following the steps at [Inviting an AWS account to join your organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html) in the AWS Organizations User Guide.

1. The administrator of the account you sent an invitation to must accept the invitation by following the steps at [Accepting or declining an invitation from an organization](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_invites.html#orgs_manage_accounts_accept-decline-invite).

## Add an identity-based policy to an IAM role to allow it to share a model
<a name="share-model-prereq-ibp"></a>

For a role to have permissions to share a model, it must have permissions to both Amazon Bedrock and AWS RAM actions. Attach the following policies to the role:

1. To provide permissions for a role to manage sharing of a model with another account through AWS Resource Access Manager, attach the following identity-based policy to the role to provide minimal permissions:

------
#### [ JSON ]

****  

   ```
   { 
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
              "Sid": "ShareResources",
              "Effect": "Allow",
              "Action": [
                  "ram:CreateResourceShare",
                  "ram:UpdateResourceShare",
                  "ram:DeleteResourceShare",
                  "ram:AssociateResourceShare",
                  "ram:DisassociateResourceShare",
                  "ram:GetResourceShares"
              ],
              "Resource": [
                  "arn:aws:bedrock:us-east-1::foundation-model/model-id"
              ]
           }
       ]
   }
   ```

------

   Replace *\$1\$1model-arn\$1* with the Amazon Resource Name (ARN) of the model that you want to share. Add models to the `Resource` list as necessary. You can review the [Actions, resources, and condition keys for AWS Resource Access Manager](https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsresourceaccessmanagerram.html) and modify the AWS RAM actions that the role can carry out as necessary.
**Note**  
You can also attach the more permissive [AWSResourceManagerFullAccess managed policy](https://docs.aws.amazon.com/ram/latest/userguide/security-iam-managed-policies.html#security-iam-managed-policies-AWSResourceAccessManagerFullAccess) to the role.

1. Check that the role has the [AmazonBedrockFullAccess policy](security-iam-awsmanpol.md#security-iam-awsmanpol-AmazonBedrockFullAccess) attached. If it doesn't, you must also attach the following policy to the role to allow it to share models (replacing *\$1\$1model-arn\$1*) as necessary:

------
#### [ JSON ]

****  

   ```
   { 
       "Version":"2012-10-17",		 	 	 
       "Statement": [
           {
               "Sid": "ShareCustomModels",
               "Effect": "Allow",
               "Action": [
                   "bedrock:GetCustomModel",
                   "bedrock:ListCustomModels",
                   "bedrock:PutResourcePolicy",
                   "bedrock:GetResourcePolicy",
                   "bedrock:DeleteResourcePolicy"
               ],
               "Resource": [
                   "arn:aws:bedrock:us-east-1::foundation-model/model-id"
               ]
           }
       ]
   }
   ```

------

## (Optional) Set up KMS key policies to encrypt a model and to allow it to be decrypted
<a name="share-model-prereq-kms"></a>

**Note**  
Skip this prerequisite if the model you're sharing is not encrypted with a customer managed key and you don't plan to encrypt it.

If you need to encrypt a model with a customer managed key before sharing it with another account, attach permissions to the KMS key that you'll use to encrypt the model by following the steps at [Set up key permissions for encrypting custom models](encryption-custom-job.md#encryption-cm).

If the model you share with another account is encrypted with a customer managed key, attach permissions to the KMS key that encrypted the model to allow the recipient account to decrypt it by following the steps at [Set up key permissions for copying custom models](encryption-custom-job.md#encryption-copy).

# Share a model with another account
<a name="share-model-share"></a>

After you [fulfill the prerequisites](share-model-prereq.md), you can share a model. Choose the tab for your preferred method, and then follow the steps:

------
#### [ Console ]

1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock](https://console.aws.amazon.com/bedrock).

1. From the left navigation pane, choose **Custom models** under **Tune**.

1. Select the button next to the model that you want to share. Then, choose the three dots (![\[Vertical ellipsis icon representing a menu or more options.\]](http://docs.aws.amazon.com/bedrock/latest/userguide/images/icons/vertical-ellipsis.png)) and select **Share**.

1. In the **Model sharing details** section, do the following:

   1. In the **Name for shared model** field, give the shared model a name.

   1. In the **Recipient account ID** field, specify the ID of the account that will receive the model.

   1. (Optional) To add tags, expand the **Tags** section. For more information, see [Tagging Amazon Bedrock resources](tagging.md).

1. Choose **Share model**. After the recipient accepts the model in [Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html), the model appears in their list of custom models.

------
#### [ API ]

To share a model, send a [CreateResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html) request with an [AWS Resource Access Manager endpoint](https://docs.aws.amazon.com/general/latest/gr/ram.html). Minimally, provide the following fields:


****  

| Field | Use case | 
| --- | --- | 
| Name | To provide a name for the resource share. | 
| resourceArns | To specify the ARNs of each model to share. | 
| principals | To specify the principals to share the model with. | 

The [CreateResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_CreateResourceShare.html) response returns a `resourceShareArn` that you can use to manage the resource share.

The account receiving a model can check whether a model has been shared by sending a [ListCustomModels](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListCustomModels.html) request with an [Amazon Bedrock control plane endpoint](https://docs.aws.amazon.com/general/latest/gr/bedrock.html#br-cp). Models that have been shared will show up with a `shared` status of `true`.

------

After sharing the model, the recipient of the model must copy it into a Region in order to use it. For more information, see [Copy a customized or shared model to use in a Region](copy-model.md).

# View information about shared models
<a name="share-model-view"></a>

To learn how to view information about models that you've shared with other accounts or models that have been shared with you, choose the tab for your preferred method, and then follow the steps:

------
#### [ Console ]

**To view models that you've shared with other accounts**

1. Sign in to the AWS Management Console and open the AWS RAM console at [https://console.aws.amazon.com/ram/home](https://console.aws.amazon.com/ram/home).

1. Follow the steps at [Viewing resource shares you created in AWS Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/working-with-sharing-view-rs.html).

**To view models shared with you by other accounts**

1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock](https://console.aws.amazon.com/bedrock).

1. From the left navigation pane, choose **Custom models** under **Tune**.

1. Models that have been shared with you by other accounts will be shown in the following ways, depending on whether you've [copied them to a Region](copy-model.md):

   1. Shared models that you haven't copied to a Region yet are listed in the **Models shared with you** section.

   1. Shared models that have been copied to the current Region are listed in the **Models** section with a **Share status** of `Shared`.

------
#### [ API ]

To view information about models that you've shared, send a [GetResourceShares](https://docs.aws.amazon.com/ram/latest/APIReference/API_GetResourceShares.html) request with an [AWS Resource Access Manager endpoint](https://docs.aws.amazon.com/general/latest/gr/ram.html) and specify `SELF` in the `resourceOwner` field. You can use the optional fields to filter for specific models or resource shares.

To view information about models that have been shared with you, send a [ListCustomModels](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_ListCustomModels.html) request with an [Amazon Bedrock control plane endpoint](https://docs.aws.amazon.com/general/latest/gr/bedrock.html#br-cp) and specify `false` with the `isOwned` filter.

------

# Update access to a shared model
<a name="share-model-edit"></a>

To learn how to update access to models that you've shared with other accounts, choose the tab for your preferred method, and then follow the steps:

------
#### [ Console ]

**To update access to a model that you've shared**

1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock](https://console.aws.amazon.com/bedrock).

1. From the left navigation pane, choose **Custom models** under **Tune**.

1. In the **Models** section, select a model that you want to update access to.

1. In the **Model sharing details** section, do one of the following:
   + To share the model with another account, choose **Share** and then do the following:

     1. In the **Model sharing details** section, do the following:

        1. In the **Name for shared model** field, give the shared model a name.

        1. In the **Recipient account ID** field, specify the ID of the account that will receive the model.

        1. (Optional) To add tags, expand the **Tags** section. For more information, see [Tagging Amazon Bedrock resources](tagging.md).

     1. Choose **Share model**. After the recipient accepts the model in [Resource Access Manager](https://docs.aws.amazon.com/ram/latest/userguide/getting-started-shared.html), the model appears in their list of custom models.
   + To delete a model share and revoke access from the accounts specified in that model share, do the following:

     1. Select a model share and choose **Revoke shared model**.

     1. Review the message, type **revoke** in the text box, and choose **Revoke shared model** to confirm revoking of access.

------
#### [ API ]

To share a model with more accounts, do one of the following:
+ Send an [AssociateResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_AssociateResourceShare.html) request with an [AWS Resource Access Manager endpoint](https://docs.aws.amazon.com/general/latest/gr/ram.html). Specify the Amazon Resource Name (ARN) of the resource share in the `resourceShareArn` field and append accounts that you want to share the model with in the list of `principals`.
**Note**  
You can also share more models with the same account or accounts by appending model ARNs to the list of `resourceArns`.
+ Create a new resource share by following the steps in the **API** tab at [Share a model with another account](share-model-share.md).

------

# Revoke access to a shared model
<a name="share-model-revoke"></a>

To learn how to revoke access to a model that you've shared, choose the tab for your preferred method, and then follow the steps:

------
#### [ Console ]

1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock](https://console.aws.amazon.com/bedrock).

1. From the left navigation pane, choose **Custom models** under **Tune**.

1. In the **Models** table, select the model that you want to revoke access to.

1. In the **Model sharing details** section, do the following to delete a model share and revoke access from the accounts specified in that model share:

   1. Select a model share and choose **Revoke shared model**.

   1. Review the message, type **revoke** in the text box, and choose **Revoke shared model** to confirm revoking of access.

------
#### [ API ]

To revoke access to a model from an account, send a [DisassociateResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_DisassociateResourceShare.html) request with an [AWS Resource Access Manager endpoint](https://docs.aws.amazon.com/general/latest/gr/ram.html). Specify the ARN of the share in the `resourceShareArn` field and the account whose access you want to revoke in the list of `principals`.

To completely delete a resource share by sending a [DeleteResourceShare](https://docs.aws.amazon.com/ram/latest/APIReference/API_DeleteResourceShare.html) request with an [AWS Resource Access Manager endpoint](https://docs.aws.amazon.com/general/latest/gr/ram.html). Specify the ARN of the share in the `resourceShareArn`.

------