Create an Amazon Bedrock Studio workspace
Amazon Bedrock Studio is in preview release for Amazon Bedrock and is subject to change.
A workspace is where your users (builders and explorers) work with Amazon Bedrock foundation models in Amazon Bedrock Studio. Before you can create a workspace, you must configure single sign-on (SSO) for your users with AWS IAM Identity Center. When you create a workspace, you specify details such as the workspace name and the default foundation models that you want your users to have access to. After you create a workspace you can invite users to become members of the workspace and start experimenting with Amazon Bedrock models.
Step 1: Set up AWS IAM Identity Center for Amazon Bedrock Studio
To create an Amazon Bedrock Studio workspace, you first need to set up AWS IAM Identity Center for Amazon Bedrock Studio.
Note
AWS Identity Center must be enabled in the same AWS Region as your Bedrock Studio workspace. Currently, AWS Identity Center can only be enabled in a single AWS Region.
To enable AWS IAM Identity Center, you must sign in to the AWS Management Console by using the credentials of your AWS Organizations management account. You can't enable IAM Identity Center while signed in with credentials from an AWS Organizations member account. For more information, see Creating and managing an organization in the AWS Organizations User Guide.
You can skip the procedures in this section if you already have AWS IAM Identity Center (successor to AWS Single Sign-On) enabled and configured in the same AWS region where you want to create your Bedrock Studio workspace. You must configure Identity Center with an AWS organization-level instance. For more information, see Manage organization and account instances of IAM Identity Center.
Complete the following procedure to enable AWS IAM Identity Center (successor to AWS Single Sign-On).
- Open the AWS IAM Identity Center (successor to AWS Single Sign-On) console and use the region selector in the top navigation bar to choose the AWS region in which you want to create your Bedrock Studio workspace.
- Choose Enable. On the Enable IAM Identity Center dialog box, be sure to choose Enable with AWS Organizations.
- Choose your identity source.
  By default, you get an IAM Identity Center store for quick and easy user management. Optionally, you can connect an external identity provider instead. In this procedure, we use the default IAM Identity Center store.
  For more information, see Choose your identity source.
- In the IAM Identity Center navigation pane, choose Groups, and choose Create group. Enter the group name and choose Create.
- In the IAM Identity Center navigation pane, choose Users.
- On the Add user screen, enter the required information and choose Send an email to the user with password setup instructions. The user should get an email about the next setup steps.
- Choose Next: Groups, choose the group that you want, and choose Add user. Users should receive an email inviting them to use SSO. In this email, they need to choose Accept invitation and set the password.
Next step: Step 2: Create permissions boundary, service role, and provisioning role.
Step 2: Create permissions boundary, service role, and provisioning role
Before you can create an Amazon Bedrock Studio workspace, you need to create a permissions boundary, a service role, and a provisioning role.
Tip
As an alternative to using the following instructions, you can use the Amazon Bedrock Studio bootstrapper script. For more information, see bedrock_studio_bootstrapper.py.
To create a permissions boundary, a service role, and a provisioning role
Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
Create a permissions boundary by doing the following.
On the left navigation pane, choose Policies and then Create policy.
Choose JSON.
In the policy editor, enter the policy at Permission boundaries.
Choose Next.
For Policy name, be sure to enter AmazonDataZoneBedrockPermissionsBoundary. Amazon Bedrock Studio expects this exact policy name.
Choose Create policy.
Create a service role by doing the following.
On the left navigation pane, choose Roles and then choose Create role.
Choose Custom trust policy and use the trust policy at Trust relationship. Be sure to update any replaceable fields in the JSON.
Choose Next.
Choose Next again.
Enter a role name in Role name.
Choose Create role.
Open the role you just created by choosing View role at the top of the page or by searching for the role.
Choose the Permissions tab.
Choose Add permissions and then Create inline policy.
Choose JSON and enter the policy at Permissions to manage an Amazon Bedrock Studio workspace.
Choose Next.
Enter a policy name in Policy name.
Choose Create policy.
Create a provisioning role by doing the following.
On the left navigation pane, choose Roles and then choose Create role.
Choose Custom trust policy and in the custom trust policy editor, enter the trust policy at Trust relationship. Be sure to update any replaceable fields in the JSON.
Choose Next.
Choose Next again.
Enter a role name in Role name.
Choose Create role.
Open the role you just created by choosing View role at the top of the page or by searching for the role.
Choose the Permissions tab.
Choose Add permissions and then Create inline policy.
Choose JSON and enter the policy at Permissions to manage Amazon Bedrock Studio user resources.
Choose Next.
Enter a policy name in Policy name.
Choose Create policy.
Next step: Step 3: Create an Amazon Bedrock Studio workspace.
Step 3: Create an Amazon Bedrock Studio workspace
To create an Amazon Bedrock Studio workspace, do the following.
To create an Amazon Bedrock Studio workspace
- Sign in to the AWS Management Console and open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.
- In the left navigation pane, choose Bedrock Studio.
- In Bedrock Studio workspaces, choose Create workspace to open the Create Amazon Bedrock Studio workspace.
- If you haven't already, configure AWS IAM security. For more information, see Step 1: Set up AWS IAM Identity Center for Amazon Bedrock Studio.
- In Workspace details, enter a name and a description for the workspace.
- In the Permissions and roles section, do the following:
  - In the Service access section, choose Use an existing service role and select the service role that you created in Step 2: Create permissions boundary, service role, and provisioning role.
  - In the Provisioning role section, choose Use an existing role and select the provisioning role that you created in Step 2: Create permissions boundary, service role, and provisioning role.
- (Optional) To associate tags with the workspace, choose Add new tag in the Tags section. Then enter a Key and Value for the tag. Choose Remove to remove a tag from the workspace.
- (Optional) By default, Amazon Bedrock Studio encrypts the workspace and all created resources by using keys that AWS owns. To use your own key for the workspace and all created resources, do the following.
  - Choose Customize encryption settings in KMS key selection and do one of the following.
    - Enter the ARN of the AWS KMS key that you want to use.
    - Choose Create an AWS KMS key to create a new key.
    For information about the permissions that the key needs, see Encryption of Amazon Bedrock Studio.
  - Tag your AWS KMS key with the key EnableBedrock and a value of true. For more information, see Tagging keys.
- (Optional) In Default models, select the default generative model and the default embedding model for the workspace. The default generative model appears in Bedrock Studio as the pre-selected default in the model selector. The default embedding model appears as the default model when a user creates a Knowledge Base. Bedrock Studio users with the correct permissions can change their default model selections at any time.
- Choose Create to create the workspace.
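The procedure depends on two exact strings: the permissions boundary policy name from Step 2 and the EnableBedrock tag on a customer managed KMS key from Step 3. The following Python is an added example, not part of the AWS documentation or the bootstrapper script; it checks saved output of `aws iam list-policies --scope Local` and `aws kms list-resource-tags --key-id <key>` for both. The function names and sample JSON are constructed for illustration, and treating a case-only difference as a failure is an assumption.

```python
import json

BOUNDARY_NAME = "AmazonDataZoneBedrockPermissionsBoundary"  # exact name from Step 2
TAG_KEY, TAG_VALUE = "EnableBedrock", "true"                # KMS key tag from Step 3


def check_boundary(list_policies_json):
    """Findings for the JSON output of `aws iam list-policies --scope Local`."""
    names = [p["PolicyName"] for p in json.loads(list_policies_json).get("Policies", [])]
    if BOUNDARY_NAME in names:
        return []
    # A name that differs only in case or padding is the likely typo; report it.
    near = [n for n in names if n.strip().lower() == BOUNDARY_NAME.lower()]
    if near:
        return [f"policy {near[0]!r} is not an exact match for {BOUNDARY_NAME!r}"]
    return [f"policy {BOUNDARY_NAME!r} not found"]


def check_key_tags(list_resource_tags_json):
    """Findings for the JSON output of `aws kms list-resource-tags --key-id <key>`."""
    tags = {t["TagKey"]: t["TagValue"]
            for t in json.loads(list_resource_tags_json).get("Tags", [])}
    if tags.get(TAG_KEY) == TAG_VALUE:
        return []
    if TAG_KEY in tags:
        return [f"tag {TAG_KEY} has value {tags[TAG_KEY]!r}, expected {TAG_VALUE!r}"]
    near = [k for k in tags if k.lower() == TAG_KEY.lower()]
    if near:
        return [f"tag key {near[0]!r} differs in case from {TAG_KEY!r}"]
    return [f"tag {TAG_KEY}={TAG_VALUE} missing"]


def preflight(list_policies_json, list_resource_tags_json):
    """Combined findings; an empty list means both requirements are met."""
    return check_boundary(list_policies_json) + check_key_tags(list_resource_tags_json)


# Constructed sample input: a mis-cased policy name and a mis-cased tag value.
SAMPLE_POLICIES = json.dumps({"Policies": [
    {"PolicyName": "AmazonDatazoneBedrockPermissionsBoundary"}]})
SAMPLE_TAGS = json.dumps({"Tags": [{"TagKey": "EnableBedrock", "TagValue": "True"}]})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_POLICIES, SAMPLE_TAGS):
        print("FAIL:", finding)
```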
Next step: Step 4: Add workspace members.
Step 4: Add workspace members
After creating a Bedrock Studio workspace, you add members to the workspace. Workspace members can use the Amazon Bedrock models in the workspace. A member can be an authorized IAM Identity Center user or group. You use the Amazon Bedrock console to manage the members of a workspace. After adding a new member, you can send the member a link to the workspace. You can also delete workspace members and make other changes.
To add a member to a workspace, do the following.
To add a member to an Amazon Bedrock Studio workspace
Open the Bedrock Studio workspace that you want to add the user to.
Choose the User management tab.
In Add users or groups, search for the users or groups that you want to add to the workspace.
(Optional) Remove users or groups from the workspace by selecting the user or group that you want to remove and choosing Unassign.
Choose Confirm to make the membership changes.
Invite users to the workspace by doing the following.
Choose the Overview tab.
Copy the Bedrock Studio URL.
Send the URL to workspace members.