Prerequisites for Flows for Amazon Bedrock - Amazon Bedrock

Prerequisites for Flows for Amazon Bedrock

Note

Prompt flows is in preview and is subject to change.

You can further restrict permissions by omitting actions or specifying resources and condition keys. An IAM identity can call API operations on specific resources. If you specify an API operation that can't be used on the resource specified in the policy, Amazon Bedrock returns an error.

Before creating a prompt flow, review the following prerequisites and determine which ones you need to fulfill:

  1. Define or create resources for one or more nodes you plan to add to your flow:

    • For a prompt node – Create a prompt by using Prompt management. For more information, see Prompt management in Amazon Bedrock. If you plan to define prompts inline when creating the node in the flow, you don't have to create a prompt in Prompt management.

    • For a knowledge base node – Create a knowledge base that you plan to use in the prompt flow. For more information, see Knowledge bases for Amazon Bedrock.

    • For an agent node – Create an agent that you plan to use in the flow. For more information, see Agents for Amazon Bedrock.

    • For an S3 storage node – Create an S3 bucket to store an output from a node in the flow.

    • For an S3 retrieval node – Create an S3 object in a bucket from which to retrieve data for the flow. The S3 object must be a UTF-8 encoded string.

    • For a Lambda node – Define an AWS Lambda function for the business logic you plan to implement in the prompt flow. For more information, see the AWS Lambda Developer Guide.

    • For an Amazon Lex node – Create an Amazon Lex bot to identify intents. For more information, see the Amazon Lex Developer Guide.

  2. (Optional) Create a custom AWS Identity and Access Management service role for your prompt flow with the proper permissions. If you plan to use the Amazon Bedrock console to automatically create a role when you create a prompt flow, you can skip this step.

  3. Ensure that your IAM role has the necessary permissions to perform actions related to Prompt flows for Amazon Bedrock. For an IAM identity to submit and manage prompt flows, you must configure it with the necessary permissions.

    If you created an Amazon Bedrock role by following the steps at Getting started with Amazon Bedrock, you can use that role.

    Otherwise, you can attach the AmazonBedrockFullAccess policy to grant the proper permissions to the role. To restrict a role's permissions to only actions that are used for prompt flows, attach the following identity-based policy to the IAM role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "FlowPermissions",
                "Effect": "Allow",
                "Action": [
                    "bedrock:CreateFlow",
                    "bedrock:UpdateFlow",
                    "bedrock:GetFlow",
                    "bedrock:ListFlows",
                    "bedrock:DeleteFlow",
                    "bedrock:CreateFlowVersion",
                    "bedrock:GetFlowVersion",
                    "bedrock:ListFlowVersions",
                    "bedrock:DeleteFlowVersion",
                    "bedrock:CreateFlowAlias",
                    "bedrock:UpdateFlowAlias",
                    "bedrock:GetFlowAlias",
                    "bedrock:ListFlowAliases",
                    "bedrock:DeleteFlowAlias",
                    "bedrock:InvokeFlow",
                    "bedrock:TagResource",
                    "bedrock:UntagResource",
                    "bedrock:ListTagsForResource"
                ],
                "Resource": "*"
            }
        ]
    }
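The note at the top of this page says permissions can be restricted further by omitting actions or specifying resources and condition keys. The following is an added example, not part of the AWS documentation: it audits a policy document for Allow statements that are broader than needed and derives a narrowed copy. The helper names `audit` and `narrow`, the trimmed action list and the flow ARN are assumptions made for illustration; confirm which resource ARN each action accepts before using a narrowed policy.

```python
import copy
import json

# Constructed input: a trimmed copy of the page's FlowPermissions statement.
PAGE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Sid": "FlowPermissions", "Effect": "Allow",
   "Action": ["bedrock:CreateFlow", "bedrock:UpdateFlow", "bedrock:GetFlow",
              "bedrock:ListFlows", "bedrock:DeleteFlow", "bedrock:InvokeFlow",
              "bedrock:TagResource"],
   "Resource": "*"}]}
""")

# Constructed placeholder ARN (account and flow ID are not real; format assumed).
EXAMPLE_FLOW_ARN = "arn:aws:bedrock:us-east-1:111122223333:flow/EXAMPLEFLOWID"
# Operation-name prefixes treated as state-changing by this audit.
MUTATING = ("Create", "Update", "Delete", "Tag", "Untag")

def as_list(value):
    """IAM allows a bare string where a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Return (sid, issue) findings for Allow statements broader than needed."""
    findings = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        ops = [a.split(":", 1)[-1] for a in as_list(stmt.get("Action", []))]
        if "*" in as_list(stmt.get("Resource", [])):
            writes = sorted(o for o in ops if o.startswith(MUTATING))
            if writes:
                findings.append((sid, "mutating actions on Resource '*': " + ", ".join(writes)))
            if "Condition" not in stmt:
                findings.append((sid, "Resource '*' with no Condition"))
    return findings

def narrow(policy, keep, resource):
    """Copy the policy, omitting actions not in `keep` and pinning Resource."""
    out = copy.deepcopy(policy)
    kept = []
    for stmt in as_list(out["Statement"]):
        stmt["Action"] = [a for a in as_list(stmt["Action"]) if a in keep]
        stmt["Resource"] = resource
        if stmt["Action"]:  # drop statements left with no actions
            kept.append(stmt)
    out["Statement"] = kept
    return out
```

Running `audit(PAGE_POLICY)` reports both findings for the `FlowPermissions` statement, while `audit(narrow(PAGE_POLICY, {"bedrock:GetFlow", "bedrock:UpdateFlow"}, EXAMPLE_FLOW_ARN))` reports none.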