Actions, resources, and condition keys for Amazon Bedrock - Service Authorization Reference

Actions, resources, and condition keys for Amazon Bedrock

Amazon Bedrock (service prefix: bedrock) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by Amazon Bedrock

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.

The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.

Note

Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AllowVendedLogDeliveryForResource [permission only] Grants permission to configure vended log delivery for a knowledge base Permissions management

knowledge-base

ApplyGuardrail Grants permission to apply a guardrail Read

guardrail*

AssociateAgentCollaborator Grants permission to associate another existing agent as a collaborator to an existing agent Write

agent*

AssociateAgentKnowledgeBase Grants permission to associate a knowledge base with an agent Write

agent*

knowledge-base*

AssociateThirdPartyKnowledgeBase [permission only] Grants permission to use 3rd party platform to store knowledge data Write

bedrock:ThirdPartyKnowledgeBaseCredentialsSecretArn

BatchDeleteEvaluationJob Grants permission to batch delete list of bedrock evaluation jobs Write

evaluation-job*

CreateAgent Grants permission to create a new agent and a test agent alias pointing to the DRAFT agent version Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAgentActionGroup Grants permission to create a new action group in an existing agent Write

agent*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateAgentAlias Grants permission to create a new alias for an agent Write

agent*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateBlueprint Grants permission to create a blueprint for custom output from data automation Write
CreateBlueprintVersion Grants permission to create a new version for an existing blueprint Write

blueprint*

CreateDataAutomationProject Grants permission to create a data automation project Write

blueprint

CreateDataSource Grants permission to create a data source Write

knowledge-base*

CreateEvaluationJob Grants permission to create a job for evaluation foundation models or custom models Write

custom-model*

foundation-model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFlow Grants permission to create a prompt flow Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFlowAlias Grants permission to create an alias of a prompt flow Write

flow*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateFlowVersion Grants permission to create an immutable version of a prompt flow Write

flow*

CreateFoundationModelAgreement Grants permission to create a new foundation model agreement Write
CreateGuardrail Grants permission to create a new guardrail Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateGuardrailVersion Grants permission to create a new guardrail version Write

guardrail*

CreateInferenceProfile Grants permission to create inference profiles Write

application-inference-profile*

foundation-model*

inference-profile*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateKnowledgeBase Grants permission to create a knowledge base Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateMarketplaceModelEndpoint Grants permission to create a marketplace model endpoint Write
CreateModelCopyJob Grants permission to create a job for copying a custom model across region or across account Write

custom-model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelCustomizationJob Grants permission to create a job for customizing the model with your custom training data Write

custom-model*

foundation-model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelEvaluationJob Grants permission to create a job for evaluation foundation models or custom models Write

custom-model*

foundation-model*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelImportJob Grants permission to create a job for importing model into Bedrock Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreateModelInvocationJob Grants permission to create a new model invocation job Write

custom-model*

foundation-model*

model-invocation-job*

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePrompt Grants permission to create a prompt Write

aws:RequestTag/${TagKey}

aws:TagKeys

CreatePromptVersion Grants permission to create a version of a prompt Write

prompt*

aws:RequestTag/${TagKey}

aws:TagKeys

CreateProvisionedModelThroughput Grants permission to create a new provisioned model throughput Write

custom-model*

foundation-model*

aws:RequestTag/${TagKey}

aws:TagKeys

DeleteAgent Grants permission to delete an Agent that you created earlier Write

agent*

DeleteAgentActionGroup Grants permission to delete an actionGroup that you created earlier Write

agent*

DeleteAgentAlias Grants permission to delete an AgentAlias that you created earlier Write

agent-alias*

DeleteAgentMemory Grants permission to delete existing memory for an alias Write

agent-alias*

DeleteAgentVersion Grants permission to delete an Agent Version that you created earlier Write

agent*

DeleteBlueprint Grants permission to delete a blueprint for data automation Write

blueprint*

DeleteCustomModel Grants permission to delete a custom model that you created earlier Write

custom-model*

DeleteDataAutomationProject Grants permission to delete a data automation project Write

data-automation-project*

DeleteDataSource Grants permission to delete a data source Write

knowledge-base*

DeleteFlow Grants permission to delete a prompt flow Write

flow*

DeleteFlowAlias Grants permission to delete an alias of a prompt flow Write

flow-alias*

DeleteFlowVersion Grants permission to delete a version of a prompt flow Write

flow*

DeleteFoundationModelAgreement Grants permission to delete a foundation model agreement that you created earlier Write
DeleteGuardrail Grants permission to delete a guardrail or its version Write

guardrail*

DeleteImportedModel Grants permission to delete previously created Bedrock imported model Write

imported-model*

DeleteInferenceProfile Grants permission to delete inference profiles Write

application-inference-profile*

DeleteKnowledgeBase Grants permission to delete a knowledge base Write

knowledge-base*

DeleteKnowledgeBaseDocuments Grants permission to delete documents from a knowledge base Write

knowledge-base*

DeleteMarketplaceModelAgreement Grants permission to unsubscribe from a bedrock marketplace enabled AWS marketplace model Write
DeleteMarketplaceModelEndpoint Grants permission to delete a marketplace model endpoint Write

bedrock-marketplace-model-endpoint*

DeleteModelInvocationLoggingConfiguration Grants permission to delete an existing Invocation logging configuration Write
DeletePrompt Grants permission to delete a prompt or its version Write

prompt*

prompt-version*

DeleteProvisionedModelThroughput Grants permission to delete a provisioned model throughput that you created earlier Write

provisioned-model*

DeleteResourcePolicy [permission only] Deletes a previously created Bedrock resource policy Write

custom-model*

DeregisterMarketplaceModelEndpoint Grants permission to deregister a marketplace model endpoint to make it unusable in Bedrock Marketplace Write

bedrock-marketplace-model-endpoint*

DetectGeneratedContent Grants permission to detect if the provided content is generated using Amazon Bedrock Read

foundation-model*

DisassociateAgentCollaborator Grants permission to diassociate a collaborator that you associated earlier Write

agent*

DisassociateAgentKnowledgeBase Grants permission to disassociate a knowledge base from the agent Write

agent*

knowledge-base*

GenerateQuery Grants permission to generate queries associated with user input Read
GetAgent Grants permission to retrieve an existing agent Read

agent*

GetAgentActionGroup Grants permission to retrieve an existing action group Read

agent*

GetAgentAlias Grants permission to retrieve an existing alias Read

agent-alias*

GetAgentCollaborator Grants permission to retrieve an existing collaborator Read

agent*

GetAgentKnowledgeBase Grants permission to describe a knowledge base associated with an agent Read

agent*

knowledge-base*

GetAgentMemory Grants permission to retrieve existing memory for an alias Read

agent-alias*

GetAgentVersion Grants permission to retrieve an existing version of an agent Read

agent*

GetAsyncInvoke Grants permission to get the properties associated with an asynchronous invocation that you have submitted Read

async-invoke*

GetBlueprint Grants permission to retrieve an existing blueprint for data automation Read

blueprint*

GetBlueprintRecommendation [permission only] Grants permission to retrieve blueprint recommendation Read
GetCustomModel Grants permission to get the properties associated with a Bedrock custom model that you have created Read

custom-model*

GetDataAutomationProject Grants permission to retrieve an existing data automation project Read

data-automation-project*

GetDataAutomationStatus Grants permission to retrieve the status of a data automation invocation job Read

data-automation-invocation-job*

GetDataSource Grants permission to retrieve an existing data source Read

knowledge-base*

GetEvaluationJob Grants permission to get the properties associated with a evaluation job. Use this operation to get the status of a evaluation job Read

evaluation-job*

GetFlow Grants permission to retrieve an existing prompt flow Read

flow*

GetFlowAlias Grants permission to retrieve an existing alias of a prompt flow Read

flow-alias*

GetFlowVersion Grants permission to retrieve an existing version of a prompt flow Read

flow*

GetFoundationModel Grants permission to get the properties associated with a Bedrock foundation model Read

foundation-model*

GetFoundationModelAvailability Grants permission to get the availability of a foundation model Read
GetGuardrail Grants permission to retrieve a guardrail or its version Read

guardrail*

GetImportedModel Grants permission to get the properties associated with Bedrock imported model Read

imported-model*

GetInferenceProfile Grants permission to get the properties associated with an inference profile Read

application-inference-profile*

inference-profile*

GetIngestionJob Grants permission to retrieve an existing ingestion job Read

knowledge-base*

GetKnowledgeBase Grants permission to retrieve an existing knowledge base Read

knowledge-base*

GetKnowledgeBaseDocuments Grants permission to get details for documents in a knowledge base Read

knowledge-base*

GetMarketplaceModelEndpoint Grants permission to get the properties of a marketplace model endpoint Read

bedrock-marketplace-model-endpoint*

GetModelCopyJob Grants permission to get the properties associated with a model-copy job. Use this operation to get the status of a model-copy job Read

model-copy-job*

GetModelCustomizationJob Grants permission to get the properties associated with a model-customization job. Use this operation to get the status of a model-customization job Read

model-customization-job*

GetModelEvaluationJob Grants permission to get the properties associated with a model-evaluation job. Use this operation to get the status of a model-evaluation job Read

model-evaluation-job*

GetModelImportJob Grants permission to get the properties associated with a model import job and is used to get the status of a model import job Read

model-import-job*

GetModelInvocationJob Grants permission to retrieve a model invocation job Read

model-invocation-job*

GetModelInvocationLoggingConfiguration Grants permission to retrieve an existing Invocation logging configuration Read
GetPrompt Grants permission to retrieve an existing prompt or its version Read

prompt*

prompt-version*

GetPromptRouter Grants permission to get the properties associated with a prompt router Read

default-prompt-router*

GetProvisionedModelThroughput Grants permission to retrieve a provisioned model throughput Read

provisioned-model*

GetResourcePolicy [permission only] Gets the resource policy document for a Bedrock resource Read

custom-model*

GetUseCaseForModelAccess Grants permission to retrieve a use case for model access Read
IngestKnowledgeBaseDocuments Grants permission to directly ingest documents into a knowledge base Write

knowledge-base*

InvokeAgent Grants permission to send user input (text-only) to the alias of an agent for Bedrock Read

agent-alias*

InvokeBlueprintRecommendationAsync [permission only] Grants permission to invoke blueprint recommendations asynchronously Write
InvokeBuilder [permission only] Grants permission to use the conversational builder which aids in building supported bedrock resources Write
InvokeDataAutomationAsync Grants permission to invoke a Bedrock data automation job Write

blueprint*

data-automation-project*

InvokeFlow Grants permission to invoke a prompt flow with user input Read

flow-alias*

InvokeInlineAgent Grants permission to send user input (text-only) to the inline agent for Bedrock Read
InvokeModel Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body Read

application-inference-profile*

async-invoke*

bedrock-marketplace-model-endpoint*

default-prompt-router*

foundation-model*

imported-model*

inference-profile*

provisioned-model*

bedrock:InferenceProfileArn

bedrock:PromptRouterArn

aws:RequestTag/${TagKey}

aws:TagKeys

InvokeModelWithResponseStream Grants permission to invoke the specified Bedrock model to run inference using the input provided in the request body with streaming response Read

application-inference-profile*

bedrock-marketplace-model-endpoint*

default-prompt-router*

foundation-model*

imported-model*

inference-profile*

provisioned-model*

bedrock:InferenceProfileArn

bedrock:PromptRouterArn

ListAgentActionGroups Grants permission to list action groups in an agent List

agent*

ListAgentAliases Grants permission to list aliases for an agent List

agent*

ListAgentCollaborators Grants permission to list collaborators for an agent List

agent*

ListAgentKnowledgeBases Grants permission to list knowledge bases associated with an agent List

agent*

ListAgentVersions Grants permission to list existing versions of an agent List

agent*

ListAgents Grants permission to list existing agents List
ListAsyncInvokes Grants permission to get a list of asynchronous invocations that you have submitted List
ListBlueprints Grants permission to list existing blueprints for data automation List

data-automation-project

ListCustomModels Grants permission to get a list of Bedrock custom models that you have created List
ListDataAutomationProjects Grants permission to list existing data automation projects List

blueprint

ListDataSources Grants permission to list existing data sources in an knowledge base List

knowledge-base*

ListEvaluationJobs Grants permission to get the list of evaluation jobs that you have submitted List
ListFlowAliases Grants permission to list existing aliases of a prompt flow List

flow*

ListFlowVersions Grants permission to list existing versions of a prompt flow List

flow*

ListFlows Grants permission to list existing prompt flows List
ListFoundationModelAgreementOffers Grants permission to get a list of foundation model agreement offers List
ListFoundationModels Grants permission to list Bedrock foundation models that you can use List
ListGuardrails Grants permission to list guardrails or its versions List

guardrail

ListImportedModels Grants permission to get list of Bedrock imported models List
ListInferenceProfiles Grants permission to list inference profiles that you can use List
ListIngestionJobs Grants permission to list ingestion jobs in a data source List

knowledge-base*

ListKnowledgeBaseDocuments Grants permission to list documents in a knowledge base List

knowledge-base*

ListKnowledgeBases Grants permission to list existing knowledge bases List
ListMarketplaceModelEndpoints Grants permission to list marketplace model endpoints that you can use Read
ListModelCopyJobs Grants permission to get the list of model copy jobs that you have submitted List
ListModelCustomizationJobs Grants permission to get the list of model customization jobs that you have submitted List
ListModelEvaluationJobs Grants permission to get the list of model evaluation jobs that you have submitted List
ListModelImportJobs Grants permission to get list of model import jobs List
ListModelInvocationJobs Grants permission to list model invocation jobs that you created earlier List
ListPromptRouters Grants permission to list prompt routers that you can use List
ListPrompts Grants permission to list existing prompts List

prompt

ListProvisionedModelThroughputs Grants permission to list provisioned model throughputs that you created earlier List
ListTagsForResource Grants permission to list tags for a Bedrock resource Read

agent*

agent-alias*

application-inference-profile*

async-invoke*

custom-model*

evaluation-job*

flow*

flow-alias*

guardrail*

imported-model*

knowledge-base*

model-copy-job*

model-customization-job*

model-evaluation-job*

model-import-job*

model-invocation-job*

prompt*

prompt-version*

provisioned-model*

OptimizePrompt Grants permission to optimize a prompt with user input Read
PrepareAgent Grants permission to prepare an existing agent to receive runtime requests Write

agent*

PrepareFlow Grants permission to apply the latest changes made to a prompt flow, so that they are reflected at runtime Write

flow*

PutFoundationModelEntitlement Grants permission to put entitlement to access a foundation model Write
PutModelInvocationLoggingConfiguration Grants permission to create an existing Invocation logging configuration Write
PutResourcePolicy [permission only] Adds a resource policy for a Bedrock resource Write

custom-model*

aws:RequestTag/${TagKey}

aws:TagKeys

PutUseCaseForModelAccess Grants permission to put a use case for model access Write
RegisterMarketplaceModelEndpoint Grants permission to register a sagemaker endpoint as a marketplace model endpoint Write

bedrock-marketplace-model-endpoint*

RenderPrompt [permission only] Grants permission to render an existing prompt or its version Read

prompt*

prompt-version*

Rerank Grants permission to rank documents based on user input Write
Retrieve Grants permission to retrieve ingested data from a knowledge base Read

knowledge-base*

RetrieveAndGenerate Grants permission to send user input to perform retrieval and generation Write
StartIngestionJob Grants permission to start an ingestion job Write

knowledge-base*

StopEvaluationJob Grants permission to stop a evaluation job while in progress Write

evaluation-job*

StopIngestionJob Grants permission to stop an ingestion job Write

knowledge-base*

StopModelCustomizationJob Grants permission to stop a Bedrock model customization job while in progress Write

model-customization-job*

StopModelInvocationJob Grants permission to stop a model invocation job that you started earlier Write

model-invocation-job*

TagResource Grants permission to Tag a Bedrock resource Tagging

agent

agent-alias

application-inference-profile

async-invoke

custom-model

evaluation-job

flow

flow-alias

guardrail

imported-model

knowledge-base

model-copy-job

model-customization-job

model-evaluation-job

model-import-job

model-invocation-job

prompt

prompt-version

provisioned-model

aws:TagKeys

aws:RequestTag/${TagKey}

UntagResource Grants permission to Untag a Bedrock resource Tagging

agent

agent-alias

application-inference-profile

async-invoke

custom-model

evaluation-job

flow

flow-alias

guardrail

imported-model

knowledge-base

model-copy-job

model-customization-job

model-evaluation-job

model-import-job

model-invocation-job

prompt

prompt-version

provisioned-model

aws:TagKeys

UpdateAgent Grants permission to update an existing agent Write

agent*

UpdateAgentActionGroup Grants permission to update an existing action group Write

agent*

UpdateAgentAlias Grants permission to update an existing alias Write

agent-alias*

UpdateAgentCollaborator Grants permission to update an existing collaborator Write

agent*

UpdateAgentKnowledgeBase Grants permission to update a knowledge base associated with an agent Write

agent*

knowledge-base*

UpdateBlueprint Grants permission to update a blueprint for data automation Write

blueprint*

UpdateDataAutomationProject Grants permission to update a data automation project Write

data-automation-project*

blueprint

UpdateDataSource Grants permission to update a data source Write

knowledge-base*

UpdateFlow Grants permission to update a prompt flow Write

flow*

UpdateFlowAlias Grants permission to update the configuration of an alias of a prompt flow Write

flow-alias*

UpdateGuardrail Grants permission to update a guardrail Write

guardrail*

UpdateKnowledgeBase Grants permission to update a knowledge base Write

knowledge-base*

UpdateMarketplaceModelEndpoint Grants permission to update a marketplace model endpoint Write

bedrock-marketplace-model-endpoint*

UpdatePrompt Grants permission to update a prompt Write

prompt*

UpdateProvisionedModelThroughput Grants permission to update a provisioned model throughput that you created earlier Write

custom-model*

foundation-model*

provisioned-model*

ValidateFlowDefinition Grants permission to validate prompt flow definitions Read

Resource types defined by Amazon Bedrock

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the Resource types table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
foundation-model arn:${Partition}:bedrock:${Region}::foundation-model/${ResourceId}
async-invoke arn:${Partition}:bedrock:${Region}:${Account}:async-invoke/${ResourceId}

aws:ResourceTag/${TagKey}

inference-profile arn:${Partition}:bedrock:${Region}:${Account}:inference-profile/${ResourceId}
default-prompt-router arn:${Partition}:bedrock:${Region}:${Account}:default-prompt-router/${ResourceId}
application-inference-profile arn:${Partition}:bedrock:${Region}:${Account}:application-inference-profile/${ResourceId}

aws:ResourceTag/${TagKey}

custom-model arn:${Partition}:bedrock:${Region}:${Account}:custom-model/${ResourceId}

aws:ResourceTag/${TagKey}

provisioned-model arn:${Partition}:bedrock:${Region}:${Account}:provisioned-model/${ResourceId}

aws:ResourceTag/${TagKey}

model-customization-job arn:${Partition}:bedrock:${Region}:${Account}:model-customization-job/${ResourceId}

aws:ResourceTag/${TagKey}

agent arn:${Partition}:bedrock:${Region}:${Account}:agent/${AgentId}

aws:ResourceTag/${TagKey}

agent-alias arn:${Partition}:bedrock:${Region}:${Account}:agent-alias/${AgentId}/${AgentAliasId}

aws:ResourceTag/${TagKey}

knowledge-base arn:${Partition}:bedrock:${Region}:${Account}:knowledge-base/${KnowledgeBaseId}

aws:ResourceTag/${TagKey}

model-evaluation-job arn:${Partition}:bedrock:${Region}:${Account}:model-evaluation-job/${ResourceId}

aws:ResourceTag/${TagKey}

evaluation-job arn:${Partition}:bedrock:${Region}:${Account}:evaluation-job/${ResourceId}

aws:ResourceTag/${TagKey}

model-invocation-job arn:${Partition}:bedrock:${Region}:${Account}:model-invocation-job/${JobIdentifier}

aws:ResourceTag/${TagKey}

guardrail arn:${Partition}:bedrock:${Region}:${Account}:guardrail/${GuardrailId}

aws:ResourceTag/${TagKey}

flow arn:${Partition}:bedrock:${Region}:${Account}:flow/${FlowId}

aws:ResourceTag/${TagKey}

flow-alias arn:${Partition}:bedrock:${Region}:${Account}:flow/${FlowId}/alias/${FlowAliasId}

aws:ResourceTag/${TagKey}

model-copy-job arn:${Partition}:bedrock:${Region}:${Account}:model-copy-job/${ResourceId}

aws:ResourceTag/${TagKey}

prompt arn:${Partition}:bedrock:${Region}:${Account}:prompt/${PromptId}

aws:ResourceTag/${TagKey}

prompt-version arn:${Partition}:bedrock:${Region}:${Account}:prompt/${PromptId}:${PromptVersion}

aws:ResourceTag/${TagKey}

model-import-job arn:${Partition}:bedrock:${Region}:${Account}:model-import-job/${ResourceId}

aws:ResourceTag/${TagKey}

imported-model arn:${Partition}:bedrock:${Region}:${Account}:imported-model/${ResourceId}

aws:ResourceTag/${TagKey}

bedrock-marketplace-model-endpoint arn:${Partition}:bedrock:${Region}:${Account}:marketplace/model-endpoint/all-access
data-automation-project arn:${Partition}:bedrock:${Region}:${Account}:data-automation-project/${ProjectId}
blueprint arn:${Partition}:bedrock:${Region}:${Account}:blueprint/${BlueprintId}
data-automation-invocation-job arn:${Partition}:bedrock:${Region}:${Account}:data-automation-invocation/${JobId}

Condition keys for Amazon Bedrock

Amazon Bedrock defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
aws:RequestTag/${TagKey} Filters access by creating requests based on the allowed set of values for each of the mandatory tags String
aws:ResourceTag/${TagKey} Filters access by having actions based on the tag value associated with the resource String
aws:TagKeys Filters access by creating requests based on the presence of mandatory tags in the request ArrayOfString
bedrock:InferenceProfileArn Filters access by the specified inference profile ARN
bedrock:PromptRouterArn Filters access by the specified prompt router ARN
bedrock:ThirdPartyKnowledgeBaseCredentialsSecretArn Filters access by the secretArn containing the credentials of the third party platform ARN