代理内存权限 - Amazon Bedrock

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

代理内存权限

如果您已为代理启用内存,并且使用客户托管密钥加密代理会话,则必须配置以下密钥策略和调用身份 IAM 权限来配置您的客户托管密钥。

客户托管密钥政策

Amazon Bedrock 使用这些权限生成加密的数据密钥,然后使用生成的密钥来加密代理内存。Amazon Bedrock 还需要使用不同的加密上下文重新加密生成的数据密钥的权限。当客户托管密钥在另一个客户托管密钥或服务拥有的密钥之间转换时,也会使用重新加密权限。有关更多信息,请参阅分层密钥环

用适当的值替换$regionaccount-id、和${caller-identity-role}

{
    "Version": "2012-10-17",
    {
        "Sid": "Allow access for bedrock to enable long term memory",
        "Effect": "Allow",
        "Principal": {
            "Service": [
                "bedrock.amazonaws.com",
            ],
        },
        "Action": [
            "kms:GenerateDataKeyWithoutPlainText",
            "kms:ReEncrypt*"
        ],
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "$account-id"
            },
            "ArnLike": {
                "aws:SourceArn": "arn:aws:bedrock:$region:$account-id:agent-alias/*"
            }
        }
        "Resource": "*"
    },
    {
        "Sid": "Allow the caller identity control plane permissions for long term memory",
        "Effect": "Allow", 
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
        },
        "Action": [
            "kms:GenerateDataKeyWithoutPlainText",
            "kms:ReEncrypt*"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
            }
        }
    },
    {
        "Sid": "Allow the caller identity data plane permissions to decrypt long term memory",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:role/${caller-identity-role}"
        },
        "Action": [
            "kms:Decrypt"
        ],
        "Resource": "*",
        "Condition": {
            "StringLike": {
                "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*",
                "kms:ViaService": "bedrock.$region.amazonaws.com" 
            }
        }
    }
}

用于加密和解密代理内存的 IAM 权限

身份调用代理 API 需要以下 IAM 权限才能为启用内存的代理配置 KMS 密钥。Amazon Bedrock 代理使用这些权限来确保呼叫者身份被授权拥有上述密钥策略中提及的 API 管理、训练和部署模型的权限。对于调用代理的 API,Amazon Bedrock 代理使用呼叫者身份的kms:Decrypt权限来解密内存。

用适当的值替换$regionaccount-id、和${key-id}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Bedrock agents control plane long term memory permissions",
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKeyWithoutPlaintext", 
                "kms:ReEncrypt*",
            ],
            "Resource": "arn:aws:kms:$region:$account-id:key/$key-id",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
                }
            }
        },
        {
            "Sid": "Bedrock agents data plane long term memory permissions",
            "Effect": "Allow",
            "Action": [
                "kms:Decrypt"
            ],
            "Resource": "arn:aws:kms:$region:$account-id:key/$key-id",
            "Condition": {
                "StringEquals": {
                    "kms:EncryptionContext:aws-crypto-ec:aws:bedrock:arn": "arn:aws:bedrock:${region}:${account-id}:agent-alias/*"
                }
            }
        }
    ]
}}