Creating an Amazon Bedrock Studio workspace - Amazon Bedrock

Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change.

A workspace is where your users (builders and explorers) work with Amazon Bedrock models in Amazon Bedrock Studio. Before you can create a workspace, you must first configure single sign-on (SSO) for your users with AWS IAM Identity Center. When you create a workspace, you specify details such as the workspace name and the default models that you want your users to have access to. After you create a workspace, you can invite users to become members of the workspace and start experimenting with Amazon Bedrock models.

Step 1: Set up AWS IAM Identity Center for Amazon Bedrock Studio

To create an Amazon Bedrock Studio workspace, you first need to set up AWS IAM Identity Center for Amazon Bedrock Studio.

Note

AWS IAM Identity Center must be enabled in the same AWS Region as your Bedrock Studio workspace. Currently, AWS IAM Identity Center can only be enabled in a single AWS Region.

To enable AWS IAM Identity Center, you must sign in to the AWS Management Console by using the credentials of your AWS Organizations management account. You can't enable IAM Identity Center while signed in with credentials from an AWS Organizations member account. For more information, see Creating and managing an organization in the AWS Organizations User Guide.

You can skip the procedures in this section if you already have AWS IAM Identity Center (successor to AWS Single Sign-On) enabled and configured in the same AWS region where you want to create your Bedrock Studio workspace. You must configure Identity Center with an AWS organization-level instance. For more information, see Manage organization and account instances of IAM Identity Center.

Complete the following procedure to enable AWS IAM Identity Center (successor to AWS Single Sign-On).

  1. Open the AWS IAM Identity Center (successor to AWS Single Sign-On) console and use the region selector in the top navigation bar to choose the AWS region in which you want to create your Bedrock Studio workspace.

  2. Choose Enable. On the Enable IAM Identity Center dialog box, be sure to choose Enable with AWS Organizations.

  3. Choose your identity source.

    By default, you get an IAM Identity Center store for quick and easy user management. Optionally, you can connect an external identity provider instead. In this procedure, we use the default IAM Identity Center store.

    For more information, see Choose your identity source.

  4. In the IAM Identity Center navigation pane, choose Groups, and choose Create group. Enter the group name and choose Create.

  5. In the IAM Identity Center navigation pane, choose Users.

  6. On the Add user screen, enter the required information and choose Send an email to the user with password setup instructions. The user should get an email about the next setup steps.

  7. Choose Next: Groups, choose the group that you want, and choose Add user. Users should receive an email inviting them to use SSO. In this email, they need to choose Accept invitation and set the password.

  8. Next step: Step 2: Create permissions boundary, service role, and provisioning role.

Step 2: Create permissions boundary, service role, and provisioning role

Before you can create an Amazon Bedrock Studio workspace, you need to create a permissions boundary, a service role, and a provisioning role.

Tip

As an alternative to using the following instructions, you can use the Amazon Bedrock Studio bootstrapper script. For more information, see bedrock_studio_bootstrapper.py.

To create a permissions boundary, a service role, and a provisioning role
  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. Create a permissions boundary by doing the following.

    1. On the left navigation pane, choose Policies and then choose Create policy.

    2. Choose JSON.

    3. In the policy editor, enter the policy at Permission boundaries.

    4. Choose Next.

    5. For Policy name, be sure to enter AmazonDataZoneBedrockPermissionsBoundary.

    6. Choose Create policy.

  3. Create a service role by doing the following.

    1. On the left navigation pane, choose Roles and then choose Create role.

    2. Choose Custom trust policy and use the trust policy at Trust relationship. Be sure to update any replaceable fields in the JSON.

    3. Choose Next.

    4. Choose Next again.

    5. Enter a role name in Role name.

    6. Choose Create role.

    7. Open the role you just created by choosing View role at the top of the page or by searching for the role.

    8. Choose the Permissions tab.

    9. Choose Add permissions and then Create inline policy.

    10. Choose JSON and enter the policy at Permissions to manage an Amazon Bedrock Studio workspace with Amazon DataZone.

    11. Choose Next.

    12. Enter a policy name in Policy name.

    13. Choose Create policy.

  4. Create a provisioning role by doing the following.

    1. On the left navigation pane, choose Roles and then choose Create role.

    2. Choose Custom trust policy and in the custom trust policy editor, enter the trust policy at Trust relationship. Be sure to update any replaceable fields in the JSON.

    3. Choose Next.

    4. Choose Next again.

    5. Enter a role name in Role name.

    6. Choose Create role.

    7. Open the role you just created by choosing View role at the top of the page or by searching for the role.

    8. Choose the Permissions tab.

    9. Choose Add permissions and then Create inline policy.

    10. Choose JSON and enter the policy at Permissions to manage Amazon Bedrock Studio user resources.

    11. Choose Next.

    12. Enter a policy name in Policy name.

    13. Choose Create policy.

  5. Next step: Step 3: Create an Amazon Bedrock Studio workspace.

Step 3: Create an Amazon Bedrock Studio workspace

To create an Amazon Bedrock Studio workspace, do the following.

To create an Amazon Bedrock Studio workspace
  1. Sign in to the AWS Management Console and open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, choose Bedrock Studio.

  3. In Bedrock Studio workspaces, choose Create workspace to open the Create Amazon Bedrock Studio workspace page.

  4. If you haven't already, configure AWS IAM security. For more information, see Step 1: Set up AWS IAM Identity Center for Amazon Bedrock Studio.

  5. In Workspace details enter a name and a description for the workspace.

  6. In the Permissions and roles section, do the following:

    1. In the Service access section, choose Use an existing service role and select the service role that you created in Step 2: Create permissions boundary, service role, and provisioning role.

    2. In the Provisioning role section, choose Use an existing role and select the provisioning role that you created in Step 2: Create permissions boundary, service role, and provisioning role.

  7. (Optional) To associate tags with the workspace, choose Add new tag in the Tags section. Then enter a Key and Value for the tag. Choose Remove to remove a tag from the workspace.

  8. (Optional) By default, Amazon Bedrock Studio encrypts the workspace and all created resources by using keys that AWS owns. To use your own key for the workspace and all created resources, choose Customize encryption settings. In KMS key selection, do one of the following.

    • Enter the ARN of the AWS KMS key that you want to use.

    • Choose Create an AWS KMS key to create a new key.

    For information about the permissions that the key needs, see Encryption of Amazon Bedrock Studio.

  9. (Optional) In Default models, select the default generative model and the default embedding model for the workspace. The default generative model appears in Bedrock Studio as the pre-selected default in the model selector. The default embedding model appears as the default model when a user creates a Knowledge Base. Bedrock Studio users with the correct permissions can change their default model selections at any time.

  10. Choose Create to create the workspace.

  11. Next step: Step 4: Create an Amazon OpenSearch Serverless encryption policy.

Step 4: Create an Amazon OpenSearch Serverless encryption policy

Amazon Bedrock uses Amazon OpenSearch Serverless (OSS) collections with the projects that workspace members create. To safeguard member data in the collections, you need to create an encryption policy for the collections in the workspace domain. Workspace members aren't able to create a project until you create the policy. For more information, see Encryption in Amazon OpenSearch Serverless.

To create an encryption policy
  1. Get the workspace ID from the Overview tab on the workspace details page. The policy requires the first 7 characters of the workspace ID that follow the dzd prefix; the prefix itself is not used.

  2. Follow the instructions at Creating encryption policies (console) to create the encryption policy. Do the following:

    1. For step 5, in the Specify a prefix term or collection name edit box, enter br-studio-first_7_characters of workspace ID*, replacing first_7_characters of workspace ID with the first 7 characters of your workspace ID. Don't include the dzd prefix. For example, for the workspace dzd_1234567wt2nwy8 you would enter br-studio-1234567*.

    2. For step 6, if you are creating a workspace with an AWS Key Management Service key, choose Choose a different AWS KMS key (advanced) in the Encryption section and enter the ARN of the AWS KMS key that you created in step 8 of Step 3: Create an Amazon Bedrock Studio workspace.

    3. Next step: Step 5: Add workspace members.

Alternatively, you can use the AWS SDK to create the encryption policy. Use the following JSON in a call to CreateCollection.

    {
      "Rules": [
        {
          "ResourceType": "collection",
          "Resource": [
            "collection/br-studio-first_7_characters of workspace ID*"
          ]
        }
      ],
      "AWSOwnedKey": true
    }

If you are encrypting the workspace with an AWS KMS key, use the following JSON. Replace the value of KmsARN with the ARN of the AWS KMS key.

    {
      "Rules": [
        {
          "ResourceType": "collection",
          "Resource": [
            "collection/br-studio-first_7_characters of workspace ID*"
          ]
        }
      ],
      "AWSOwnedKey": false,
      "KmsARN": "arn:aws:kms:us-east-1:123456789012:key/93fd6da4-a317-4c17-bfe9-382b5d988b36"
    }

For more information, see Creating encryption policies (AWS CLI).
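The following is an added example, not code from the AWS documentation, that derives the collection prefix from a workspace ID, builds the encryption policy document above for either key choice, and checks whether a given collection name falls under the policy's prefix term. The workspace ID and KMS key ARN formats it validates are assumptions based on the examples on this page.

```python
import re
from typing import Optional

# Assumed formats, based on the examples on this page: a workspace ID is
# "dzd_" plus an alphanumeric string, the policy keys on the first 7 characters
# after that prefix, and a KMS key ARN uses the "kms" service namespace.
WORKSPACE_ID_RE = re.compile(r"^dzd_([A-Za-z0-9]{7})[A-Za-z0-9]*$")
KMS_KEY_ARN_RE = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")


def collection_pattern(workspace_id: str) -> str:
    """Return the 'collection/br-studio-<first 7 chars>*' resource pattern."""
    m = WORKSPACE_ID_RE.match(workspace_id)
    if not m:
        raise ValueError(f"not a dzd_-prefixed workspace ID: {workspace_id!r}")
    return f"collection/br-studio-{m.group(1)}*"


def build_encryption_policy(workspace_id: str, kms_key_arn: Optional[str] = None) -> dict:
    """Policy with an AWS-owned key, or pinned to the workspace's KMS key."""
    policy = {"Rules": [{"ResourceType": "collection",
                         "Resource": [collection_pattern(workspace_id)]}]}
    if kms_key_arn is None:
        policy["AWSOwnedKey"] = True
        return policy
    if not KMS_KEY_ARN_RE.match(kms_key_arn):
        raise ValueError(f"not a KMS key ARN: {kms_key_arn!r}")
    # The ARN here must be the key chosen for the workspace in Step 3.
    policy["AWSOwnedKey"] = False
    policy["KmsARN"] = kms_key_arn
    return policy


def policy_covers(policy: dict, collection_name: str) -> bool:
    """True if a resource pattern matches the collection name.

    A pattern ending in '*' is a prefix term (the console's "prefix term or
    collection name" field); any other pattern has to match exactly.
    """
    for rule in policy["Rules"]:
        for pattern in rule["Resource"]:
            name = pattern[len("collection/"):]
            if name.endswith("*") and collection_name.startswith(name[:-1]):
                return True
            if name == collection_name:
                return True
    return False
```

Running the checks before calling the API catches a mistyped workspace ID or an ARN in the wrong namespace, which would otherwise leave members unable to create projects.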

Step 5: Add workspace members

After creating a Bedrock Studio workspace, you add members to the workspace. Workspace members can use the Amazon Bedrock models in the workspace. A member can be an authorized IAM Identity Center user or group. You use the Amazon Bedrock console to manage the members of a workspace. After adding a new member, you can send the member a link to the workspace. You can also delete workspace members and make other changes.

To add a member to a workspace, do the following.

To add a member to an Amazon Bedrock Studio workspace
  1. Open the Bedrock Studio workspace that you want to add the user to.

  2. Choose the User management tab.

  3. In Add users or groups, search for the users or groups that you want to add to the workspace.

  4. (Optional) Remove users or groups from the workspace by selecting the user or group that you want to remove and choosing Unassign.

  5. Choose Confirm to make the membership changes.

  6. Invite users to the workspace by doing the following.

    1. Choose the Overview tab.

    2. Copy the Bedrock Studio URL.

    3. Send the URL to workspace members.