本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
为 Amazon Bedrock Studio 创建服务角色
Amazon Bedrock Studio 在 Amazon Bedrock 中为预览版,未来可能发生变化。 |
要管理 Amazon Bedrock Studio 工作空间,您需要创建一个允许 Amazon DataZone 管理您工作空间的服务角色。
要对 Amazon Bedrock Studio 使用服务角色,请按照创建向 AWS 服务委派权限的角色中的步骤创建 IAM 角色并附加以下权限。
信任关系
以下策略允许 Amazon Bedrock 承担此角色,并使用 Amazon DataZone 管理 Amazon Bedrock Studio 工作空间。下面所示为您可以使用的示例策略。
-
将
aws:SourceAccount
值设置为您的 AWS 账户 ID。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": [ "sts:AssumeRole", "sts:TagSession" ], "Condition": { "StringEquals": { "aws:SourceAccount": "
account ID
" }, "ForAllValues:StringLike": { "aws:TagKeys": "datazone*" } } } ] }
用于管理 Amazon Bedrock Studio 工作空间的权限
Amazon Bedrock Studio 主服务角色的默认策略。Amazon Bedrock 使用此角色在 Bedrock Studio 中通过 Amazon DataZone 构建、运行和共享资源。
此策略由以下权限集组成。
datazone – 授予对由 Amazon Bedrock Studio 托管的 Amazon DataZone 资源的访问权限。
ram – 允许检索您拥有的资源共享关联。
bedrock – 授予调用 Amazon Bedrock 基础模型的能力。
kms – 授予使用 AWS KMS 的客户自主管理型密钥加密 Amazon Bedrock Studio 数据的访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "GetDataZoneDomain", "Effect": "Allow", "Action": "datazone:GetDomain", "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageDataZoneResources", "Effect": "Allow", "Action": [ "datazone:ListProjects", "datazone:GetProject", "datazone:CreateProject", "datazone:UpdateProject", "datazone:DeleteProject", "datazone:ListProjectMemberships", "datazone:CreateProjectMembership", "datazone:DeleteProjectMembership", "datazone:ListEnvironments", "datazone:GetEnvironment", "datazone:CreateEnvironment", "datazone:UpdateEnvironment", "datazone:DeleteEnvironment", "datazone:ListEnvironmentBlueprints", "datazone:GetEnvironmentBlueprint", "datazone:ListEnvironmentBlueprintConfigurations", "datazone:GetEnvironmentBlueprintConfiguration", "datazone:ListEnvironmentProfiles", "datazone:GetEnvironmentProfile", "datazone:CreateEnvironmentProfile", "datazone:UpdateEnvironmentProfile", "datazone:DeleteEnvironmentProfile", "datazone:GetEnvironmentCredentials", "datazone:ListGroupsForUser", "datazone:SearchUserProfiles", "datazone:SearchGroupProfiles", "datazone:GetUserProfile", "datazone:GetGroupProfile" ], "Resource": "*" }, { "Sid": "GetResourceShareAssociations", "Effect": "Allow", "Action": "ram:GetResourceShareAssociations", "Resource": "*" }, { "Sid": "InvokeBedrockModels", "Effect": "Allow", "Action": [ "bedrock:GetFoundationModelAvailability", "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:GenerateDataKey", "kms:Decrypt" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } } ] }