Create a service role for Amazon Bedrock Studio - Amazon Bedrock

This is a machine-translated version. If there is any discrepancy between this translation and the English original, the English original prevails.

Create a service role for Amazon Bedrock Studio

Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change.

To manage Amazon Bedrock Studio workspaces, you need to create a service role that allows Amazon DataZone to manage your workspaces.

To use a service role with Amazon Bedrock Studio, follow the steps in Creating a role to delegate permissions to an AWS service to create an IAM role and attach the following permissions.

Trust relationship

The following policy allows Amazon Bedrock to assume this role and manage Amazon Bedrock Studio workspaces by using Amazon DataZone. The following is an example policy that you can use.

  • Set the aws:SourceAccount value to your AWS account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "datazone.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account ID"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": "datazone*"
                }
            }
        }
    ]
}

Permissions to manage Amazon Bedrock Studio workspaces

The default policy for the Amazon Bedrock Studio primary service role. Amazon Bedrock uses this role to build, run, and share resources in Bedrock Studio through Amazon DataZone.

This policy consists of the following sets of permissions.

  • datazone – Grants access to the Amazon DataZone resources managed by Amazon Bedrock Studio.

  • ram – Allows retrieval of the resource share associations that you own.

  • bedrock – Grants the ability to invoke Amazon Bedrock foundation models.

  • kms – Grants access to encrypt Amazon Bedrock Studio data with a customer managed key in AWS KMS.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetDataZoneDomain",
            "Effect": "Allow",
            "Action": "datazone:GetDomain",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/AmazonBedrockManaged": "true"
                }
            }
        },
        {
            "Sid": "ManageDataZoneResources",
            "Effect": "Allow",
            "Action": [
                "datazone:ListProjects",
                "datazone:GetProject",
                "datazone:CreateProject",
                "datazone:UpdateProject",
                "datazone:DeleteProject",
                "datazone:ListProjectMemberships",
                "datazone:CreateProjectMembership",
                "datazone:DeleteProjectMembership",
                "datazone:ListEnvironments",
                "datazone:GetEnvironment",
                "datazone:CreateEnvironment",
                "datazone:UpdateEnvironment",
                "datazone:DeleteEnvironment",
                "datazone:ListEnvironmentBlueprints",
                "datazone:GetEnvironmentBlueprint",
                "datazone:ListEnvironmentBlueprintConfigurations",
                "datazone:GetEnvironmentBlueprintConfiguration",
                "datazone:ListEnvironmentProfiles",
                "datazone:GetEnvironmentProfile",
                "datazone:CreateEnvironmentProfile",
                "datazone:UpdateEnvironmentProfile",
                "datazone:DeleteEnvironmentProfile",
                "datazone:GetEnvironmentCredentials",
                "datazone:ListGroupsForUser",
                "datazone:SearchUserProfiles",
                "datazone:SearchGroupProfiles",
                "datazone:GetUserProfile",
                "datazone:GetGroupProfile"
            ],
            "Resource": "*"
        },
        {
            "Sid": "GetResourceShareAssociations",
            "Effect": "Allow",
            "Action": "ram:GetResourceShareAssociations",
            "Resource": "*"
        },
        {
            "Sid": "InvokeBedrockModels",
            "Effect": "Allow",
            "Action": [
                "bedrock:GetFoundationModelAvailability",
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": "*"
        },
        {
            "Sid": "UseCustomerManagedKmsKey",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKey",
                "kms:Decrypt"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/EnableBedrock": "true"
                }
            }
        }
    ]
}
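The two policies above carry the conditions that keep the role narrowly scoped: the aws:SourceAccount and aws:TagKeys conditions in the trust policy, and the resource-tag conditions on the datazone:GetDomain and KMS statements in the permissions policy. The following is an added example, not part of the AWS documentation and not AWS tooling, that builds the trust policy from an account ID and audits both policies for those conditions before they are attached to the role. It makes no AWS API calls; the 12-digit account ID is a constructed placeholder, and the function and constant names are assumptions.

```python
"""Build and audit the Amazon Bedrock Studio service-role policies.

Added example, not from the AWS documentation. Runs offline: it checks that
the policy documents keep the conditions the page shows, so a drift (for
example a removed aws:SourceAccount) is caught before the role is created.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed excerpt of the permissions policy: the two statements whose
# conditions matter for the audit below (Sids and conditions as on the page).
PERMISSIONS_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GetDataZoneDomain",
            "Effect": "Allow",
            "Action": "datazone:GetDomain",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/AmazonBedrockManaged": "true"}},
        },
        {
            "Sid": "UseCustomerManagedKmsKey",
            "Effect": "Allow",
            "Action": ["kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/EnableBedrock": "true"}},
        },
    ],
}


def build_trust_policy(account_id: str) -> dict:
    """Return the trust policy from the page with aws:SourceAccount filled in."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account ID must be exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "datazone.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession"],
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ForAllValues:StringLike": {"aws:TagKeys": "datazone*"},
            },
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Principal fields; normalise to list."""
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, expected_account: str) -> list:
    """Return findings for a trust policy that should only let DataZone assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or not any(a.startswith("sts:") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal to assume the role")
        elif _as_list(principal.get("Service", [])) != ["datazone.amazonaws.com"]:
            findings.append("service principal is not datazone.amazonaws.com")
        cond = stmt.get("Condition", {})
        source = cond.get("StringEquals", {}).get("aws:SourceAccount")
        if source is None:
            findings.append("missing aws:SourceAccount condition (confused-deputy guard)")
        elif source != expected_account:
            findings.append(f"aws:SourceAccount is {source!r}, expected {expected_account!r}")
        tag_keys = cond.get("ForAllValues:StringLike", {}).get("aws:TagKeys")
        if "sts:TagSession" in actions and tag_keys != "datazone*":
            findings.append("sts:TagSession allowed without aws:TagKeys limited to datazone*")
    return findings


def audit_permissions_policy(policy: dict) -> list:
    """Check that the KMS and datazone:GetDomain statements keep their resource-tag conditions."""
    findings = []
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        tags = stmt.get("Condition", {}).get("StringEquals", {})
        sid = stmt.get("Sid", "<no Sid>")
        if any(a.startswith("kms:") for a in actions) and tags.get("aws:ResourceTag/EnableBedrock") != "true":
            findings.append(f"{sid}: kms actions not limited to keys tagged EnableBedrock=true")
        if "datazone:GetDomain" in actions and tags.get("aws:ResourceTag/AmazonBedrockManaged") != "true":
            findings.append(f"{sid}: datazone:GetDomain not limited to AmazonBedrockManaged=true domains")
    return findings


if __name__ == "__main__":
    account = "111122223333"  # constructed placeholder, not a real account
    trust = build_trust_policy(account)
    print(json.dumps(trust, indent=4))
    print("trust findings:", audit_trust_policy(trust, account))
    print("permissions findings:", audit_permissions_policy(PERMISSIONS_POLICY_EXCERPT))
```

Run the audit against the JSON you actually intend to attach (for example after pretty-printing it with json.dumps); an empty findings list means the conditions shown on the page are all present, and any non-empty list points at the statement that drifted.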