Set up permissions for batch inference - Amazon Bedrock

Set up permissions for batch inference

Note

Batch inference is in preview and is subject to change. Batch inference is currently only available through the API. Access batch APIs through the following SDKs.

We recommend that you create a virtual environment to use the SDK. Because batch inference APIs aren't available in the latest SDKs, we recommend that you uninstall the latest version of the SDK from the virtual environment before installing the version with the batch inference APIs. For a guided example, see Code samples.

To set up a role for batch inference, create an IAM role by following the steps at Creating a role to delegate permissions to an AWS service. Attach the following policies to the role:

  • A trust policy that allows Amazon Bedrock to assume the role.

  • A permissions policy that grants access to the Amazon S3 buckets that contain the input data for your batch inference jobs and that receive the output data.

  1. The following trust policy allows Amazon Bedrock to assume this role and carry out batch inference jobs. You can restrict the scope of the permission by using one or more global condition context keys; for more information, see AWS global condition context keys. Set the aws:SourceAccount value to your account ID, and use the ArnEquals or ArnLike condition on aws:SourceArn to restrict which batch inference job ARNs can cause the role to be assumed.

    Note

    As a best practice for security purposes, replace the * with specific batch inference job IDs after you have created them.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "bedrock.amazonaws.com"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "aws:SourceAccount": "account-id"
                    },
                    "ArnEquals": {
                        "aws:SourceArn": "arn:aws:bedrock:region:account-id:model-invocation-job/*"
                    }
                }
            }
        ]
    }
  2. Attach the following permissions policy to allow Amazon Bedrock to read the S3 bucket that contains the input data for your batch inference jobs (replace my_input_bucket) and to write output data to the output bucket (replace my_output_bucket). Replace account-id with the account ID of the user to whom you are granting S3 bucket access; the aws:ResourceAccount condition limits the role to buckets owned by that account.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:ListBucket"
                ],
                "Resource": [
                    "arn:aws:s3:::my_input_bucket",
                    "arn:aws:s3:::my_input_bucket/*",
                    "arn:aws:s3:::my_output_bucket",
                    "arn:aws:s3:::my_output_bucket/*"
                ],
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceAccount": [
                            "account-id"
                        ]
                    }
                }
            }
        ]
    }
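The following script is an added example, not code from the Amazon Bedrock documentation or the AWS SDK. It generates the two policy documents from steps 1 and 2 (the trust policy and the S3 permissions policy), applies the note's recommendation of replacing the job wildcard with specific job IDs once they are known, and runs a small least-privilege check that flags a trust policy that is missing the aws:SourceAccount or aws:SourceArn condition or that still uses the wildcard. The account ID, region, bucket names, job IDs and role name below are constructed placeholders; create_role_with_policies is an assumed helper that uses the boto3 IAM create_role and put_role_policy calls and is only needed if you want to push the documents to AWS.

```python
"""Build and sanity-check IAM policies for an Amazon Bedrock batch inference role.

Added example (not the AWS documentation's own code). All identifiers are
constructed placeholders.
"""
import json
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")  # AWS account IDs are 12 digits


def build_trust_policy(account_id, region, job_ids=None):
    """Trust policy that lets bedrock.amazonaws.com assume the role.

    Without job_ids, aws:SourceArn ends in model-invocation-job/* exactly as
    in step 1; with job_ids it is pinned to those jobs, which the note
    recommends once the jobs have been created.
    """
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    prefix = f"arn:aws:bedrock:{region}:{account_id}:model-invocation-job/"
    source_arn = [prefix + j for j in job_ids] if job_ids else prefix + "*"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "bedrock.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnEquals": {"aws:SourceArn": source_arn},
            },
        }],
    }


def build_s3_policy(account_id, input_bucket, output_bucket):
    """Permissions policy from step 2: bucket plus object ARNs for both buckets,
    scoped with aws:ResourceAccount to buckets owned by account_id."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    resources = []
    for bucket in (input_bucket, output_bucket):
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
            "Condition": {"StringEquals": {"aws:ResourceAccount": [account_id]}},
        }],
    }


def trust_policy_findings(policy):
    """Least-privilege findings for a trust policy document (empty list = clean).

    Checks every Allow statement granting sts:AssumeRole for the two
    confused-deputy guards the page uses and for the job wildcard.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}):
            findings.append("missing aws:SourceAccount condition")
        arns = (cond.get("ArnEquals", {}).get("aws:SourceArn")
                or cond.get("ArnLike", {}).get("aws:SourceArn"))
        if arns is None:
            findings.append("missing aws:SourceArn condition")
            continue
        arns = [arns] if isinstance(arns, str) else arns
        if any(a.endswith("/*") for a in arns):
            findings.append("aws:SourceArn uses the job wildcard; pin it to job IDs once created")
    return findings


def create_role_with_policies(role_name, trust_policy, s3_policy):
    """Assumed helper: create the role and attach the inline S3 policy via boto3.
    Imported lazily so the builders above run without boto3 installed."""
    import boto3  # assumption: boto3 available and AWS credentials configured
    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy))
    iam.put_role_policy(RoleName=role_name, PolicyName=f"{role_name}-s3-access",
                        PolicyDocument=json.dumps(s3_policy))


if __name__ == "__main__":
    acct, region = "123456789012", "us-east-1"  # constructed placeholders
    initial = build_trust_policy(acct, region)
    print("initial trust policy findings:", trust_policy_findings(initial))
    pinned = build_trust_policy(acct, region, job_ids=["example-job-id-1"])
    print("pinned trust policy findings:", trust_policy_findings(pinned))
    print(json.dumps(build_s3_policy(acct, "my_input_bucket", "my_output_bucket"), indent=2))
```

Run the script once before any jobs exist to produce the wildcard trust policy, then re-run it with the real job IDs after creating them; the findings list going empty is the signal that the note's tightening step has been applied.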