Crie uma função de provisionamento para o Amazon Bedrock Studio - Amazon Bedrock

As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.

Crie uma função de provisionamento para o Amazon Bedrock Studio

O Amazon Bedrock Studio está em versão prévia do Amazon Bedrock e está sujeito a alterações.

Para permitir que o Amazon Bedrock Studio crie recursos em uma conta de usuário, como um componente de guardrail, você precisa criar uma função de provisionamento.

Para usar uma função de provisionamento para o Amazon Bedrock Studio, crie uma IAM função e anexe as seguintes permissões seguindo as etapas em Criar uma função para delegar permissões a um serviço. AWS

Relação de confiança

A política a seguir permite que o Amazon Bedrock assuma essa função e permita que o Amazon Bedrock Studio gerencie os recursos do Bedrock Studio na conta de um usuário.

  • Defina o valor aws:SourceAccount para o ID da sua conta.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "account ID" } } } ] }

Permissões para gerenciar recursos de usuário do Amazon Bedrock Studio

Política padrão para a função de provisionamento do Amazon Bedrock Studio. Essa política permite que o diretor crie, atualize e exclua AWS recursos no Amazon Bedrock Studio usando Amazon DataZone e. AWS CloudFormation

Essa política consiste nos seguintes conjuntos de permissões.

  • cloudformation — permite que o diretor crie e gerencie CloudFormation pilhas para provisionar recursos do Amazon Bedrock Studio como parte dos ambientes da Amazon. DataZone

  • iam — Permite que o diretor crie, gerencie e passe IAM funções com um limite de permissões para uso do Amazon Bedrock Studio. AWS CloudFormation

  • s3 — Permite que o diretor crie e gerencie buckets do Amazon S3 para uso do Amazon Bedrock Studio. AWS CloudFormation

  • aoss — Permite que o diretor crie e gerencie OpenSearch coleções Amazon Serverless para uso do Amazon Bedrock Studio. AWS CloudFormation

  • bedrock — Permite que o diretor crie e gerencie agentes, bases de conhecimento, grades de proteção, solicitações e fluxos do Amazon Bedrock para usar o Amazon Bedrock Studio. AWS CloudFormation

  • lambda — Permite que o diretor crie, gerencie e invoque AWS Lambda funções para o Amazon Bedrock Studio usando. AWS CloudFormation

  • logs — Permite que o diretor crie e gerencie grupos de CloudWatch registros da Amazon para usar AWS CloudFormation o Amazon Bedrock Studio.

  • secretsmanager — Permite que o diretor crie e gerencie AWS Secrets Manager segredos para o Amazon Bedrock Studio usando. AWS CloudFormation

  • kms — Concede acesso AWS KMS para criptografar recursos provisionados com uma chave gerenciada pelo cliente destinada ao uso do Amazon Bedrock. AWS CloudFormation

Devido ao tamanho dessa política, você precisa anexar a política como uma política embutida. Para obter instruções, consulte Etapa 2: criar limite de permissões, função de serviço e função de provisionamento.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateStacks", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:TagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "AmazonDataZoneEnvironment" }, "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "ManageStacks", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*" }, { "Sid": "DenyOtherActionsNotViaCloudFormation", "Effect": "Deny", "NotAction": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:TagResource" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:CalledViaFirst": "cloudformation.amazonaws.com" } } }, { "Sid": "ListResources", "Effect": "Allow", "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "aoss:ListCollections", "aoss:BatchGetCollection", "aoss:ListAccessPolicies", "aoss:ListSecurityPolicies", "aoss:ListTagsForResource", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:ListGuardrails", "bedrock:ListPrompts", "bedrock:ListFlows", "bedrock:ListTagsForResource", "lambda:ListFunctions", "logs:DescribeLogGroups", "secretsmanager:ListSecrets" ], "Resource": "*" }, { "Sid": "GetRoles", "Effect": "Allow", "Action": "iam:GetRole", "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ] }, { "Sid": "CreateRoles", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageRoles", "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "PassRoleToBedrockService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } }, { "Sid": "PassRoleToLambdaService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/BedrockStudio*", "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Sid": "CreateRoleForOpenSearchServerless", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com" } } }, { "Sid": "GetDataZoneBlueprintCfnTemplates", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringNotEquals": { "s3:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CreateAndAccessS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketVersioning", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-*" }, { "Sid": "ManageOssAccessPolicies", "Effect": "Allow", "Action": [ "aoss:GetAccessPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:UpdateAccessPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*", "aoss:index": "br-studio-*" } } }, { "Sid": "ManageOssSecurityPolicies", "Effect": "Allow", "Action": [ "aoss:GetSecurityPolicy", "aoss:CreateSecurityPolicy", "aoss:DeleteSecurityPolicy", "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*" } } }, { "Sid": "ManageOssCollections", "Effect": "Allow", "Action": [ "aoss:CreateCollection", "aoss:UpdateCollection", "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "GetBedrockResources", "Effect": "Allow", "Action": [ "bedrock:GetAgent", "bedrock:GetKnowledgeBase", "bedrock:GetGuardrail", "bedrock:GetPrompt", "bedrock:GetFlow", "bedrock:GetFlowAlias" ], "Resource": "*" }, { "Sid": "ManageBedrockResources", "Effect": "Allow", "Action": [ "bedrock:CreateAgent", "bedrock:UpdateAgent", "bedrock:PrepareAgent", "bedrock:DeleteAgent", "bedrock:ListAgentAliases", "bedrock:GetAgentAlias", "bedrock:CreateAgentAlias", "bedrock:UpdateAgentAlias", "bedrock:DeleteAgentAlias", "bedrock:ListAgentActionGroups", "bedrock:GetAgentActionGroup", "bedrock:CreateAgentActionGroup", "bedrock:UpdateAgentActionGroup", "bedrock:DeleteAgentActionGroup", "bedrock:ListAgentKnowledgeBases", "bedrock:GetAgentKnowledgeBase", "bedrock:AssociateAgentKnowledgeBase", "bedrock:DisassociateAgentKnowledgeBase", "bedrock:UpdateAgentKnowledgeBase", "bedrock:CreateKnowledgeBase", "bedrock:UpdateKnowledgeBase", "bedrock:DeleteKnowledgeBase", "bedrock:ListDataSources", "bedrock:GetDataSource", "bedrock:CreateDataSource", "bedrock:UpdateDataSource", "bedrock:DeleteDataSource", "bedrock:CreateGuardrail", "bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:CreatePrompt", "bedrock:UpdatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:CreateFlow", "bedrock:UpdateFlow", "bedrock:PrepareFlow", "bedrock:DeleteFlow", "bedrock:ListFlowAliases", "bedrock:GetFlowAlias", "bedrock:CreateFlowAlias", "bedrock:UpdateFlowAlias", "bedrock:DeleteFlowAlias", "bedrock:ListFlowVersions", "bedrock:GetFlowVersion", "bedrock:CreateFlowVersion", "bedrock:DeleteFlowVersion" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockAgentAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:agent-alias/*", "Condition": { "StringEquals": { "aws:RequestTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockFlowAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:flow/*/alias/*", "Condition": { "Null": { "aws:RequestTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "CreateFunctions", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:DeleteFunction", "lambda:UpdateFunctionCode", "lambda:GetFunctionConfiguration", "lambda:UpdateFunctionConfiguration", "lambda:ListVersionsByFunction", "lambda:PublishVersion", "lambda:GetPolicy", "lambda:AddPermission", "lambda:RemovePermission", "lambda:ListTags" ], "Resource": "arn:aws:lambda:*:*:function:br-studio-*" }, { "Sid": "ManageLogGroups", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", "logs:GetDataProtectionPolicy", "logs:PutDataProtectionPolicy", "logs:DeleteDataProtectionPolicy", "logs:AssociateKmsKey", "logs:DisassociateKmsKey", "logs:ListTagsLogGroup", "logs:ListTagsForResource" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*" }, { "Sid": "GetRandomPasswordForSecret", "Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*" }, { "Sid": "ManageSecrets", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": [ "iam:TagRole", "iam:UntagRole", "aoss:TagResource", "aoss:UntagResource", "bedrock:TagResource", "bedrock:UntagResource", "lambda:TagResource", "lambda:UntagResource", "logs:TagLogGroup", "logs:UntagLogGroup", "logs:TagResource", "logs:UntagResource", "secretsmanager:TagResource", "secretsmanager:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } } ] }