Permissions for the AMAZON.QnAIntent
To access this feature in the Amazon Lex V2 console, ensure that your console role has the bedrock:ListFoundationModels permission.
The IAM role associated with the bot must have the following permissions, which AMAZON.QnAIntent requires. The bot role needs permission to call bedrock:InvokeModel. You should also attach a statement for each data store that you specify in your bot's AMAZON.QnAIntent (see the Permissions to access Amazon Kendra index, Permissions to access OpenSearch Service index, and Permissions to access knowledge base in Amazon Bedrock statements in the policy below). When you enable the feature with the Amazon Lex console, the policies are automatically added to the bot role, provided your bot is using a service-linked role generated by Amazon Lex.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions to invoke Amazon Bedrock foundation models",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": [
                "arn:aws:bedrock:region::foundation-model/model-id"
            ]
        },
        {
            "Sid": "Permissions to access Amazon Kendra index",
            "Effect": "Allow",
            "Action": [
                "kendra:Query",
                "kendra:Retrieve"
            ],
            "Resource": [
                "arn:aws:kendra:region:account-id:index/kendra-index"
            ]
        },
        {
            "Sid": "Permissions to access OpenSearch Service index",
            "Effect": "Allow",
            "Action": [
                "es:ESHttpGet",
                "es:ESHttpPost"
            ],
            "Resource": [
                "arn:aws:es:region:account-id:domain/domain-name/index-name/_search"
            ]
        },
        {
            "Sid": "Permissions to access knowledge base in Amazon Bedrock",
            "Effect": "Allow",
            "Action": [
                "bedrock:Retrieve"
            ],
            "Resource": [
                "arn:aws:bedrock:region:account-id:knowledge-base/knowledge-base"
            ]
        }
    ]
}
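The following is an added example, not part of the original documentation: a small Python audit that checks a bot role policy against the actions listed above for the data stores a bot actually uses, and flags grants that are wider than the policy shown (a wildcard in the action or the resource). The function name, the data-store keys, and the sample policy with its ARNs are constructed for illustration; only Allow statements with Action and Resource are evaluated.

```python
from fnmatch import fnmatchcase

# Actions the policy on this page grants, keyed by what AMAZON.QnAIntent uses.
REQUIRED = {
    "model": {"bedrock:InvokeModel"},
    "kendra": {"kendra:Query", "kendra:Retrieve"},
    "opensearch": {"es:ESHttpGet", "es:ESHttpPost"},
    "knowledge-base": {"bedrock:Retrieve"},
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def audit_bot_policy(policy, data_stores):
    """Return (missing, broad) for a bot role policy document.

    missing: required actions that no Allow statement grants.
    broad:   (action, action_pattern, resource) grants that use a wildcard.
    Assumption: Deny, NotAction, NotResource and Condition are not evaluated.
    """
    needed = set(REQUIRED["model"]).union(*(REQUIRED[d] for d in data_stores))
    missing, broad = [], []
    for action in sorted(needed):
        hits = [(pat, res)
                for st in _as_list(policy["Statement"]) if st.get("Effect") == "Allow"
                for pat in _as_list(st.get("Action", []))
                if fnmatchcase(action.lower(), pat.lower())  # action names are case-insensitive
                for res in _as_list(st.get("Resource", []))]
        if not hits:
            missing.append(action)
        broad += [(action, pat, res) for pat, res in hits if "*" in pat or "*" in res]
    return missing, broad

# Constructed sample: kendra:Retrieve is absent and bedrock:Retrieve is granted on "*".
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["bedrock:InvokeModel"],
         "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/example-model-id"]},
        {"Effect": "Allow", "Action": "kendra:Query",
         "Resource": "arn:aws:kendra:us-east-1:111122223333:index/example-index-id"},
        {"Effect": "Allow", "Action": ["bedrock:Retrieve"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    missing, broad = audit_bot_policy(SAMPLE_POLICY, ["kendra", "knowledge-base"])
    print("missing:", missing)
    print("broader than needed:", broad)
```

Run it against the JSON of the bot role's policy after adding or removing a data store; an empty `missing` list and an empty `broad` list mean the role matches the statements shown above with resource-scoped grants.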