SageMakerStudioBedrockFlowServiceRolePolicy
Description: Allows Amazon Bedrock Flows to access Amazon Bedrock models and other resources attached to a flow in SageMaker Studio.
SageMakerStudioBedrockFlowServiceRolePolicy
is an AWS managed policy.
Using this policy
You can attach SageMakerStudioBedrockFlowServiceRolePolicy to your users, groups, and roles. It is typed as a service role policy and is written for the role that Amazon Bedrock Flows assumes on behalf of a SageMaker Studio project, so attaching it to human principals is not its intended use. Most of its statements are scoped by policy variables: the prompt, knowledge-base, guardrail, Lambda and inference-profile statements only match resources whose `AmazonDataZoneProject` tag equals the caller's `${aws:PrincipalTag/AmazonDataZoneProject}`, and the KMS statements only match the key named by `${aws:PrincipalTag/KmsKeyId}`. Under IAM's policy-variable semantics a principal without those tags gets none of those permissions (the condition does not match and the key ARN does not resolve), so the effective scope of this policy is determined by the tags on the role it is attached to. The one exception is `bedrock:RetrieveAndGenerate`, which is allowed on `Resource: "*"` with no condition.
Policy
details
-
Type: Service role policy
-
Creation time: February 14, 2025, 00:07 UTC
-
Edited time: March 12, 2025, 18:37 UTC
-
ARN:
arn:aws:iam::aws:policy/service-role/SageMakerStudioBedrockFlowServiceRolePolicy
Policy version
Policy version: v2 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
JSON policy document
Reading notes for the v2 document below: `bedrock:InvokeModel` on foundation, custom and provisioned models is allowed only when the request carries a `bedrock:InferenceProfileArn` (the `"Null": {"...": "false"}` condition requires the key to be present), and `bedrock:InvokeModel`/`bedrock:GetInferenceProfile` on an application inference profile requires that profile to carry the caller's `AmazonDataZoneProject` tag, so this policy does not grant direct model invocation outside a project-tagged inference profile. Unlike the prompt, knowledge-base, guardrail and Lambda statements, the application-inference-profile statement does not also require `aws:ResourceAccount` to equal the principal's account, and the `bedrock:RetrieveAndGenerate` statement is unconditioned on `Resource: "*"`. KMS use is limited to the single key named by the principal's `KmsKeyId` tag in the principal's own account, only via `bedrock.*.amazonaws.com`, and only with a Bedrock prompt ARN (`aws:bedrock-prompts:arn`) or guardrail ID (`aws:bedrock:guardrail-id`) in the encryption context; `kms:GenerateDataKey` is granted for prompts only, while guardrails get `kms:Decrypt` alone.
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "BedrockPromptPermissions",
"Effect" : "Allow",
"Action" : "bedrock:GetPrompt",
"Resource" : "arn:aws:bedrock:*:*:prompt/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}",
"aws:ResourceTag/AmazonDataZoneProject" : "${aws:PrincipalTag/AmazonDataZoneProject}"
}
}
},
{
"Sid" : "BedrockKnowledgeBasePermissions",
"Effect" : "Allow",
"Action" : "bedrock:Retrieve",
"Resource" : "arn:aws:bedrock:*:*:knowledge-base/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}",
"aws:ResourceTag/AmazonDataZoneProject" : "${aws:PrincipalTag/AmazonDataZoneProject}"
}
}
},
{
"Sid" : "BedrockGuardrailPermissions",
"Effect" : "Allow",
"Action" : "bedrock:ApplyGuardrail",
"Resource" : "arn:aws:bedrock:*:*:guardrail/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}",
"aws:ResourceTag/AmazonDataZoneProject" : "${aws:PrincipalTag/AmazonDataZoneProject}"
}
}
},
{
"Sid" : "AllowBedrockRetrieveAndGeneratePermissions",
"Effect" : "Allow",
"Action" : "bedrock:RetrieveAndGenerate",
"Resource" : "*"
},
{
"Sid" : "AllowLambdaInvokeFunctionInProjectPermissions",
"Effect" : "Allow",
"Action" : "lambda:InvokeFunction",
"Resource" : "arn:aws:lambda:*:*:function:amazon-bedrock*",
"Condition" : {
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}",
"aws:ResourceTag/AmazonDataZoneProject" : "${aws:PrincipalTag/AmazonDataZoneProject}"
}
}
},
{
"Sid" : "AllowBedrockApplicationInferenceProfileAccessInProjectPermissions",
"Effect" : "Allow",
"Action" : [
"bedrock:GetInferenceProfile",
"bedrock:InvokeModel"
],
"Resource" : "arn:aws:bedrock:*:*:application-inference-profile/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/AmazonDataZoneProject" : "${aws:PrincipalTag/AmazonDataZoneProject}"
}
}
},
{
"Sid" : "AllowBedrockInvokeModelAccessWithInferenceProfilePermissions",
"Effect" : "Allow",
"Action" : "bedrock:InvokeModel",
"Resource" : [
"arn:aws:bedrock:*::foundation-model/*",
"arn:aws:bedrock:*:*:custom-model/*",
"arn:aws:bedrock:*:*:provisioned-model/*"
],
"Condition" : {
"Null" : {
"bedrock:InferenceProfileArn" : "false"
}
}
},
{
"Sid" : "BedrockPromptKmsPermissions",
"Effect" : "Allow",
"Action" : [
"kms:Decrypt",
"kms:GenerateDataKey"
],
"Resource" : "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
"Condition" : {
"StringLike" : {
"kms:ViaService" : "bedrock.*.amazonaws.com",
"kms:EncryptionContext:aws:bedrock-prompts:arn" : "arn:aws:bedrock:*:${aws:PrincipalAccount}:prompt/*"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
}
}
},
{
"Sid" : "BedrockGuardrailKmsPermissions",
"Effect" : "Allow",
"Action" : "kms:Decrypt",
"Resource" : "arn:aws:kms:*:*:key/${aws:PrincipalTag/KmsKeyId}",
"Condition" : {
"StringLike" : {
"kms:ViaService" : "bedrock.*.amazonaws.com"
},
"StringEquals" : {
"aws:ResourceAccount" : "${aws:PrincipalAccount}"
},
"Null" : {
"kms:EncryptionContext:aws:bedrock:guardrail-id" : "false"
}
}
}
]
}