Create a service role for model customization - Amazon Bedrock

Create a service role for model customization

To use a custom role for model customization instead of the one Amazon Bedrock automatically creates, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.

  • Trust relationship

  • Permissions to access your training and validation data in S3 and to write your output data to S3

  • (Optional) If you encrypt any of the following resources with a KMS key, permissions to decrypt the key (see Encryption of model customization jobs and artifacts)

    • A model customization job or the resulting custom model

    • The training, validation, or output data for the model customization job

Trust relationship

The following policy allows Amazon Bedrock to assume this role and carry out the model customization job. The following shows an example policy you can use.

You can optionally restrict the scope of the permission for cross-service confused deputy prevention by using one or more global condition context keys with the Condition field. For more information, see AWS global condition context keys.

  • Set the aws:SourceAccount value to your account ID.

  • (Optional) Use the ArnEquals or ArnLike condition to restrict the scope to specific model customization jobs in your account ID.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "account-id" }, "ArnEquals": { "aws:SourceArn": "arn:aws:bedrock:us-east-1:account-id:model-customization-job/*" } } } ] }

Permissions to access training and validation files and to write output files in S3

Attach the following policy to allow the role to access your training and validation data and the bucket to which to write your output data. Replace the values in the Resource list with your actual bucket names.

To restrict access to a specific folder in a bucket, add an s3:prefix condition key with your folder path. You can follow the User policy example in Example 2: Getting a list of objects in a bucket with a specific prefix

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::training-bucket", "arn:aws:s3:::training-bucket/*", "arn:aws:s3:::validation-bucket", "arn:aws:s3:::validation-bucket/*" ] }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::output-bucket", "arn:aws:s3:::output-bucket/*" ] } ] }