Create a service role for Amazon Bedrock Studio - Amazon Bedrock


Create a service role for Amazon Bedrock Studio

Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change.

To manage your Amazon Bedrock Studio workspace, you need to create a service role that allows Amazon DataZone to manage the workspace on your behalf.

To use a service IAM role with Amazon Bedrock Studio, follow the steps in Creating a role to delegate permissions to an AWS service to create a role, and attach the following permissions.

Trust relationship

The following policy allows Amazon Bedrock to assume this role and use Amazon DataZone to manage the Amazon Bedrock Studio workspace. Below is an example policy that you can use.

  • Set the aws:SourceAccount value to your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "datazone.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account ID"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "datazone*"
                }
            }
        }
    ]
}
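The trust policy above, as an added example that is not part of the AWS documentation: a small Python helper that fills aws:SourceAccount with your account ID and checks an existing trust policy for the three guards the page's policy carries (the DataZone service principal, the aws:SourceAccount condition, and the datazone* limit on session-tag keys). The account IDs used are constructed sample values.

```python
import re

# Added example, not from the AWS documentation: fill in the page's trust policy
# for a given account and check an existing trust policy for the guards the page
# relies on (DataZone principal, aws:SourceAccount, datazone* session-tag keys).

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
DATAZONE_PRINCIPAL = "datazone.amazonaws.com"
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}


def build_trust_policy(account_id: str) -> dict:
    """Return the page's trust policy with aws:SourceAccount set to account_id."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": DATAZONE_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ForAllValues:StringLike": {"aws:TagKeys": "datazone*"},
            },
        }],
    }

def check_trust_policy(policy: dict, account_id: str) -> list:
    """Return findings for each Allow statement granting sts:AssumeRole; [] is clean."""
    findings, seen = [], False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if stmt.get("Effect") != "Allow" or not actions & REQUIRED_ACTIONS:
            continue
        seen = True
        principal = stmt.get("Principal")
        if not isinstance(principal, dict) or principal.get("Service") != DATAZONE_PRINCIPAL:
            findings.append("principal is not the DataZone service")
        cond = stmt.get("Condition", {})
        source = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if source != account_id:  # unset or still the placeholder: confused-deputy exposure
            findings.append(f"aws:SourceAccount is {source!r}, expected {account_id!r}")
        if cond.get("ForAllValues:StringLike", {}).get("aws:TagKeys") != "datazone*":
            findings.append("aws:TagKeys is not limited to datazone*")
    if not seen:
        findings.append("no Allow statement grants sts:AssumeRole")
    return findings
```

The dict returned by build_trust_policy can be serialised with json.dumps and passed as the assume-role policy document when the role is created; run check_trust_policy against the trust policy of a role that already exists to confirm the placeholder was actually replaced.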

Permissions to manage Amazon Bedrock Studio workspaces

The default policy for the Amazon Bedrock Studio primary service role. Amazon Bedrock uses this role to share Bedrock Studio resources with Amazon DataZone.

This policy consists of the following groups of permissions.

  • datazone — Grants access to the Amazon DataZone resources managed by Amazon Bedrock Studio.

  • ram — Allows retrieval of the resource share associations that you own.

  • bedrock — Grants the ability to invoke Amazon Bedrock foundation models.

  • kms — Grants access to encrypt Amazon Bedrock Studio data with a customer managed AWS KMS key.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetDataZoneDomain",
            "Effect": "Allow",
            "Action": "datazone:GetDomain",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AmazonBedrockManaged": "true"
                }
            }
        },
        {
            "Sid": "ManageDataZoneResources",
            "Effect": "Allow",
            "Action": [
                "datazone:ListProjects",
                "datazone:GetProject",
                "datazone:CreateProject",
                "datazone:UpdateProject",
                "datazone:DeleteProject",
                "datazone:ListProjectMemberships",
                "datazone:CreateProjectMembership",
                "datazone:DeleteProjectMembership",
                "datazone:ListEnvironments",
                "datazone:GetEnvironment",
                "datazone:CreateEnvironment",
                "datazone:UpdateEnvironment",
                "datazone:DeleteEnvironment",
                "datazone:ListEnvironmentBlueprints",
                "datazone:GetEnvironmentBlueprint",
                "datazone:ListEnvironmentBlueprintConfigurations",
                "datazone:GetEnvironmentBlueprintConfiguration",
                "datazone:ListEnvironmentProfiles",
                "datazone:GetEnvironmentProfile",
                "datazone:CreateEnvironmentProfile",
                "datazone:UpdateEnvironmentProfile",
                "datazone:DeleteEnvironmentProfile",
                "datazone:GetEnvironmentCredentials",
                "datazone:ListGroupsForUser",
                "datazone:SearchUserProfiles",
                "datazone:SearchGroupProfiles",
                "datazone:GetUserProfile",
                "datazone:GetGroupProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetResourceShareAssociations",
            "Effect": "Allow",
            "Action": "ram:GetResourceShareAssociations",
            "Resource": "*"
        },
        {
            "Sid": "InvokeBedrockModels",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetFoundationModelAvailability",
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        },
        {
            "Sid": "UseCustomerManagedKmsKey",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/EnableBedrock": "true"
                }
            }
        }
    ]
}