Create a service role for model import - Amazon Bedrock


To use a custom role for model import instead of the one Amazon Bedrock automatically creates, create an IAM role and attach the following permissions by following the steps at Creating a role to delegate permissions to an AWS service.

Trust relationship

The following example trust policy allows Amazon Bedrock to assume this role and carry out the model import job.

You can optionally restrict the scope of the permission for cross-service confused deputy prevention by using one or more global condition context keys with the Condition field. For more information, see AWS global condition context keys.

  • Set the aws:SourceAccount value to your account ID.

  • (Optional) Use the ArnEquals or ArnLike condition on aws:SourceArn to restrict the scope to specific model import jobs in your account.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "Service": "bedrock.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "account-id"
                },
                "ArnEquals": {
                    "aws:SourceArn": "arn:aws:bedrock:us-east-1:account-id:model-import-job/*"
                }
            }
        }
    ]
}
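As an added example (not part of the Amazon Bedrock documentation), the following Python check verifies that a trust policy granting sts:AssumeRole to bedrock.amazonaws.com carries the aws:SourceAccount and aws:SourceArn confused-deputy conditions described above. The account ID and region used in the sample policy are constructed placeholders.

```python
import re

# Constructed sample: the trust policy from this page with a made-up account ID.
ACCOUNT_ID = "123456789012"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {"Service": "bedrock.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT_ID},
            "ArnEquals": {"aws:SourceArn": f"arn:aws:bedrock:us-east-1:{ACCOUNT_ID}:model-import-job/*"},
        },
    }],
}


def _as_list(value):
    """IAM allows scalars or lists for Principal.Service and Action; normalise to list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict, account_id: str) -> list[str]:
    """Return findings for Allow statements that let Bedrock assume the role
    without the confused-deputy conditions (empty list means the policy is scoped)."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if "bedrock.amazonaws.com" not in services:
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        # aws:SourceAccount must pin the calling service to this account.
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account_id:
            findings.append(f"{sid}: aws:SourceAccount missing or not {account_id}")
        # aws:SourceArn (ArnEquals or ArnLike) should be scoped to model-import-job ARNs in this account.
        arn_cond = {**cond.get("ArnEquals", {}), **cond.get("ArnLike", {})}
        src_arn = arn_cond.get("aws:SourceArn")
        if src_arn is None:
            findings.append(f"{sid}: aws:SourceArn condition missing (optional but recommended)")
        elif not re.fullmatch(rf"arn:aws:bedrock:[a-z0-9-]+:{account_id}:model-import-job/.*", src_arn):
            findings.append(f"{sid}: aws:SourceArn {src_arn!r} not scoped to model-import-job in {account_id}")
    return findings
```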

Permissions to access custom model files in Amazon S3

Attach the following policy to allow the role to access the custom model files in your Amazon S3 bucket. Replace the values in the Resource list with your actual bucket names.

To restrict access to a specific folder in a bucket, add an s3:prefix condition key with your folder path. You can follow the User policy example in Example 2: Getting a list of objects in a bucket with a specific prefix.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bucket",
                "arn:aws:s3:::bucket/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "account-id"
                }
            }
        }
    ]
}