Prerequisites for Prompt flows for Amazon Bedrock - Amazon Bedrock

Note

Prompt flows is in preview and is subject to change.

You can further restrict permissions by omitting actions or specifying resources and condition keys. An IAM identity can call API operations on specific resources. If you specify an API operation that can't be used on the resource specified in the policy, Amazon Bedrock returns an error.

Before creating a prompt flow, review the following prerequisites and determine which ones you need to fulfill:

  1. Define or create resources for one or more nodes you plan to add to your flow:

    • For a prompt node – Create a prompt by using Prompt management. For more information, see Prompt management in Amazon Bedrock. If you plan to define prompts inline when creating the node in the flow, you don't have to create a prompt in Prompt management.

    • For a knowledge base node – Create a knowledge base that you plan to use in the prompt flow. For more information, see Knowledge bases for Amazon Bedrock.

    • For an agent node – Create an agent that you plan to use in the flow. For more information, see Agents for Amazon Bedrock.

    • For an S3 storage node – Create an S3 bucket to store an output from a node in the flow.

    • For an S3 retrieval node – Create an S3 object in a bucket from which to retrieve data for the flow. The S3 object must be a UTF-8 encoded string.

    • For a Lambda node – Define an AWS Lambda function for the business logic you plan to implement in the prompt flow. For more information, see the AWS Lambda Developer Guide.

    • For an Amazon Lex node – Create an Amazon Lex bot to identify intents. For more information, see the Amazon Lex Developer Guide.

  2. To use prompt flows, you must have two different roles:

    1. User role – The IAM role that you use to log into the AWS Management Console or to make API calls must have permissions to carry out prompt flows-related actions.

      If your role has the AmazonBedrockFullAccess policy attached, you don't need to configure additional permissions for this role. To restrict a role's permissions to only actions that are used for prompt flows, attach the following identity-based policy to the IAM role:

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Sid": "FlowPermissions",
                  "Effect": "Allow",
                  "Action": [
                      "bedrock:CreateFlow",
                      "bedrock:UpdateFlow",
                      "bedrock:GetFlow",
                      "bedrock:ListFlows",
                      "bedrock:DeleteFlow",
                      "bedrock:CreateFlowVersion",
                      "bedrock:GetFlowVersion",
                      "bedrock:ListFlowVersions",
                      "bedrock:DeleteFlowVersion",
                      "bedrock:CreateFlowAlias",
                      "bedrock:UpdateFlowAlias",
                      "bedrock:GetFlowAlias",
                      "bedrock:ListFlowAliases",
                      "bedrock:DeleteFlowAlias",
                      "bedrock:InvokeFlow",
                      "bedrock:TagResource",
                      "bedrock:UntagResource",
                      "bedrock:ListTagsForResource"
                  ],
                  "Resource": "*"
              }
          ]
      }

    2. Service role – A role that allows Amazon Bedrock to perform actions on your behalf. You must specify this role when creating or updating a prompt flow. You can create a custom AWS Identity and Access Management service role.

      Note

      If you plan to use the Amazon Bedrock console to automatically create a role when you create a prompt flow, you don't need to manually set up this role.
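
The following added example (not part of the original AWS page) shows one way to check a user-role policy before attaching it, after omitting actions as described above. The `INVOKE_ONLY` allow-list, the function names and the sample policy are assumptions made for this illustration.

```python
import json

# Assumed allow-list for a hypothetical "invoke-only" user role: a subset of
# the prompt flows actions, chosen for this example (stored in lower case).
INVOKE_ONLY = {
    "bedrock:getflow", "bedrock:listflows", "bedrock:getflowalias",
    "bedrock:listflowaliases", "bedrock:invokeflow",
}

def _as_list(value):
    """IAM accepts a single string or object wherever it accepts a list."""
    return list(value) if isinstance(value, list) else [value]

def audit_policy(policy_text, allowed=INVOKE_ONLY):
    """Return findings for Allow statements that exceed the allow-list."""
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # Strict JSON rejects, for example, a trailing comma in an Action array.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            name = action.lower()  # IAM action names are case-insensitive
            if "*" in name:
                findings.append(f"{sid}: wildcard action {action}")
            elif name not in allowed:
                findings.append(f"{sid}: action outside allow-list {action}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f'{sid}: Resource is "*"')
    return findings

# Constructed sample policy, not taken from any real account.
SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "FlowInvoke",
    "Effect": "Allow",
    "Action": ["bedrock:GetFlow", "bedrock:InvokeFlow", "bedrock:DeleteFlow"],
    "Resource": "*"
  }]
}"""

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE):
        print(finding)
```
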