本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
為 Amazon 基岩工作室建立佈建角色
Amazon 基岩工作室目前為 Amazon 基岩的預覽版本,內容可能會有所變更。
若要允許 Amazon 基岩工作室在使用者帳戶中建立資源 (例如護欄元件),您需要建立佈建角色。
若要為 Amazon 基岩工作室使用佈建角色,請按照「建立 IAM 角色以委派許可給 AWS 服務」中的步驟建立角色,並附加以下許可。
信任關係
下列政策允許 Amazon 基岩擔任此角色,並讓 Amazon 基岩工作室管理使用者帳戶中的基岩工作室資源。
-
將 `aws:SourceAccount` 值設定為您的帳戶 ID。此條件會將可擔任此角色的請求限制為源自您自己帳戶的請求。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "datazone.amazonaws.com" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "aws:SourceAccount": "
account ID
" } } } ] }
管理 Amazon 基岩工作室使用者資源的許可
Amazon 基岩工作室佈建角色的預設政策。此政策允許主體透過 Amazon DataZone 和 AWS CloudFormation,在 Amazon 基岩工作室中建立、更新和刪除 AWS 資源。
此政策包含下列許可集。
-
cloudformation — 允許主體建立和管理 CloudFormation 堆疊,以佈建 Amazon 基岩工作室資源作為 Amazon DataZone 環境的一部分。
-
iam — 允許主體透過 AWS CloudFormation 建立、管理和傳遞 Amazon 基岩工作室使用且具有許可界限的 IAM 角色。
-
s3 — 允許主體透過 AWS CloudFormation 建立和管理 Amazon 基岩工作室使用的 Amazon S3 儲存貯體。
-
aoss — 允許主體透過 AWS CloudFormation 建立和管理 Amazon 基岩工作室使用的 Amazon OpenSearch Serverless 集合。
-
bedrock — 允許主體透過 AWS CloudFormation 建立和管理 Amazon 基岩工作室使用的 Amazon 基岩知識庫、護欄、提示和流程。
-
lambda — 允許主體透過 AWS CloudFormation 建立、管理和調用 Amazon 基岩工作室使用的 AWS Lambda 函數。
-
logs — 允許主體透過 AWS CloudFormation 建立和管理 Amazon 基岩工作室使用的 Amazon CloudWatch 日誌群組。
-
secretsmanager — 允許主體透過 AWS CloudFormation 建立和管理 Amazon 基岩工作室使用的 AWS Secrets Manager 秘密。
-
kms — 授予存取權,以使用 Amazon 基岩所用的 AWS KMS 客戶管理金鑰,來加密透過 AWS CloudFormation 佈建的資源。
由於此政策的大小,您必須將其附加為內嵌政策。如需說明,請參閱「步驟 2:建立權限界限、服務角色和佈建角色」。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "CreateStacks", "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:TagResource" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*", "Condition": { "ForAnyValue:StringEquals": { "aws:TagKeys": "AmazonDataZoneEnvironment" }, "Null": { "aws:ResourceTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "ManageStacks", "Effect": "Allow", "Action": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:UpdateStack", "cloudformation:DeleteStack" ], "Resource": "arn:aws:cloudformation:*:*:stack/DataZone*" }, { "Sid": "DenyOtherActionsNotViaCloudFormation", "Effect": "Deny", "NotAction": [ "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack", "cloudformation:TagResource" ], "Resource": "*", "Condition": { "StringNotEqualsIfExists": { "aws:CalledViaFirst": "cloudformation.amazonaws.com" } } }, { "Sid": "ListResources", "Effect": "Allow", "Action": [ "iam:ListRoles", "s3:ListAllMyBuckets", "aoss:ListCollections", "aoss:BatchGetCollection", "aoss:ListAccessPolicies", "aoss:ListSecurityPolicies", "aoss:ListTagsForResource", "bedrock:ListAgents", "bedrock:ListKnowledgeBases", "bedrock:ListGuardrails", "bedrock:ListPrompts", "bedrock:ListFlows", "bedrock:ListTagsForResource", "lambda:ListFunctions", "logs:DescribeLogGroups", "secretsmanager:ListSecrets" ], "Resource": "*" }, { "Sid": "GetRoles", "Effect": "Allow", "Action": "iam:GetRole", "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ] }, { "Sid": "CreateRoles", "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DeleteRolePolicy", "iam:DetachRolePolicy" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", 
"arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "ManageRoles", "Effect": "Allow", "Action": [ "iam:UpdateRole", "iam:DeleteRole", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:ListAttachedRolePolicies" ], "Resource": [ "arn:aws:iam::*:role/DataZoneBedrockProject*", "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "PassRoleToBedrockService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": [ "arn:aws:iam::*:role/AmazonBedrockExecution*", "arn:aws:iam::*:role/BedrockStudio*" ], "Condition": { "StringEquals": { "iam:PassedToService": "bedrock.amazonaws.com" } } }, { "Sid": "PassRoleToLambdaService", "Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::*:role/BedrockStudio*", "Condition": { "StringEquals": { "iam:PassedToService": "lambda.amazonaws.com" } } }, { "Sid": "CreateRoleForOpenSearchServerless", "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*", "Condition": { "StringEquals": { "iam:AWSServiceName": "observability.aoss.amazonaws.com" } } }, { "Sid": "GetDataZoneBlueprintCfnTemplates", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*", "Condition": { "StringNotEquals": { "s3:ResourceAccount": "${aws:PrincipalAccount}" } } }, { "Sid": "CreateAndAccessS3Buckets", "Effect": "Allow", "Action": [ "s3:CreateBucket", "s3:DeleteBucket", "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketTagging", "s3:PutBucketCORS", "s3:PutBucketLogging", "s3:PutBucketVersioning", "s3:PutBucketPublicAccessBlock", "s3:PutEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetObject", "s3:GetObjectVersion" ], "Resource": "arn:aws:s3:::br-studio-*" }, { "Sid": "ManageOssAccessPolicies", "Effect": "Allow", "Action": [ 
"aoss:GetAccessPolicy", "aoss:CreateAccessPolicy", "aoss:DeleteAccessPolicy", "aoss:UpdateAccessPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*", "aoss:index": "br-studio-*" } } }, { "Sid": "ManageOssSecurityPolicies", "Effect": "Allow", "Action": [ "aoss:GetSecurityPolicy", "aoss:CreateSecurityPolicy", "aoss:DeleteSecurityPolicy", "aoss:UpdateSecurityPolicy" ], "Resource": "*", "Condition": { "StringLikeIfExists": { "aoss:collection": "br-studio-*" } } }, { "Sid": "ManageOssCollections", "Effect": "Allow", "Action": [ "aoss:CreateCollection", "aoss:UpdateCollection", "aoss:DeleteCollection" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "GetBedrockResources", "Effect": "Allow", "Action": [ "bedrock:GetAgent", "bedrock:GetKnowledgeBase", "bedrock:GetGuardrail", "bedrock:GetPrompt", "bedrock:GetFlow", "bedrock:GetFlowAlias" ], "Resource": "*" }, { "Sid": "ManageBedrockResources", "Effect": "Allow", "Action": [ "bedrock:CreateAgent", "bedrock:UpdateAgent", "bedrock:PrepareAgent", "bedrock:DeleteAgent", "bedrock:ListAgentAliases", "bedrock:GetAgentAlias", "bedrock:CreateAgentAlias", "bedrock:UpdateAgentAlias", "bedrock:DeleteAgentAlias", "bedrock:ListAgentActionGroups", "bedrock:GetAgentActionGroup", "bedrock:CreateAgentActionGroup", "bedrock:UpdateAgentActionGroup", "bedrock:DeleteAgentActionGroup", "bedrock:ListAgentKnowledgeBases", "bedrock:GetAgentKnowledgeBase", "bedrock:AssociateAgentKnowledgeBase", "bedrock:DisassociateAgentKnowledgeBase", "bedrock:UpdateAgentKnowledgeBase", "bedrock:CreateKnowledgeBase", "bedrock:UpdateKnowledgeBase", "bedrock:DeleteKnowledgeBase", "bedrock:ListDataSources", "bedrock:GetDataSource", "bedrock:CreateDataSource", "bedrock:UpdateDataSource", "bedrock:DeleteDataSource", "bedrock:CreateGuardrail", "bedrock:UpdateGuardrail", "bedrock:DeleteGuardrail", "bedrock:CreateGuardrailVersion", "bedrock:CreatePrompt", 
"bedrock:UpdatePrompt", "bedrock:DeletePrompt", "bedrock:CreatePromptVersion", "bedrock:CreateFlow", "bedrock:UpdateFlow", "bedrock:PrepareFlow", "bedrock:DeleteFlow", "bedrock:ListFlowAliases", "bedrock:GetFlowAlias", "bedrock:CreateFlowAlias", "bedrock:UpdateFlowAlias", "bedrock:DeleteFlowAlias", "bedrock:ListFlowVersions", "bedrock:GetFlowVersion", "bedrock:CreateFlowVersion", "bedrock:DeleteFlowVersion" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockAgentAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:agent-alias/*", "Condition": { "StringEquals": { "aws:RequestTag/AmazonBedrockManaged": "true" } } }, { "Sid": "TagBedrockFlowAliases", "Effect": "Allow", "Action": "bedrock:TagResource", "Resource": "arn:aws:bedrock:*:*:flow/*/alias/*", "Condition": { "Null": { "aws:RequestTag/AmazonDataZoneEnvironment": "false" } } }, { "Sid": "CreateFunctions", "Effect": "Allow", "Action": [ "lambda:GetFunction", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:DeleteFunction", "lambda:UpdateFunctionCode", "lambda:GetFunctionConfiguration", "lambda:UpdateFunctionConfiguration", "lambda:ListVersionsByFunction", "lambda:PublishVersion", "lambda:GetPolicy", "lambda:AddPermission", "lambda:RemovePermission", "lambda:ListTags" ], "Resource": "arn:aws:lambda:*:*:function:br-studio-*" }, { "Sid": "ManageLogGroups", "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:DeleteLogGroup", "logs:PutRetentionPolicy", "logs:DeleteRetentionPolicy", "logs:GetDataProtectionPolicy", "logs:PutDataProtectionPolicy", "logs:DeleteDataProtectionPolicy", "logs:AssociateKmsKey", "logs:DisassociateKmsKey", "logs:ListTagsLogGroup", "logs:ListTagsForResource" ], "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/br-studio-*" }, { "Sid": "GetRandomPasswordForSecret", "Effect": "Allow", "Action": "secretsmanager:GetRandomPassword", "Resource": "*" }, { "Sid": 
"ManageSecrets", "Effect": "Allow", "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DescribeSecret", "secretsmanager:UpdateSecret", "secretsmanager:DeleteSecret", "secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy", "secretsmanager:DeleteResourcePolicy" ], "Resource": "arn:aws:secretsmanager:*:*:secret:br-studio/*" }, { "Sid": "UseCustomerManagedKmsKey", "Effect": "Allow", "Action": [ "kms:DescribeKey", "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey", "kms:CreateGrant", "kms:RetireGrant" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/EnableBedrock": "true" } } }, { "Sid": "TagResources", "Effect": "Allow", "Action": [ "iam:TagRole", "iam:UntagRole", "aoss:TagResource", "aoss:UntagResource", "bedrock:TagResource", "bedrock:UntagResource", "lambda:TagResource", "lambda:UntagResource", "logs:TagLogGroup", "logs:UntagLogGroup", "logs:TagResource", "logs:UntagResource", "secretsmanager:TagResource", "secretsmanager:UntagResource" ], "Resource": "*", "Condition": { "StringEquals": { "aws:ResourceTag/AmazonBedrockManaged": "true" } } } ] }