IAM policies for Amazon Bedrock - Amazon Step Functions
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IAM policies for Amazon Bedrock

When you create a state machine using the console, Step Functions automatically creates an execution role for your state machine with the least privileges required. These automatically generated IAM roles are valid for the Amazon Web Services Region in which you create the state machine.

The following example templates show how Amazon Step Functions generates IAM policies based on the resources in your state machine definition. For more information, see IAM Policies for integrated services and Service integration patterns.

We recommend that you do not include wildcards in the IAM policies you create. As a security best practice, scope your policies down as much as possible, and use dynamic policies only for input parameters that are not known until runtime.

IAM policy examples for Amazon Bedrock integration with Step Functions

The following section describes the IAM permissions you need based on the Amazon Bedrock API that you use for a specific foundation or provisioned model. This section also contains examples of policies that grant full access.

Remember to replace the placeholder values in these examples with your resource-specific information.

IAM policy example to access a specific foundation model using InvokeModel

The following is an IAM policy example for a state machine that accesses a specific foundation model named amazon.titan-text-express-v1 using the InvokeModel API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "InvokeModel1",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/amazon.titan-text-express-v1"
      ]
    }
  ]
}

IAM policy example to access a specific provisioned model using InvokeModel

The following is an IAM policy example for a state machine that accesses a specific provisioned model named c2oi931ulksx using the InvokeModel API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "InvokeModel1",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:provisioned-model/c2oi931ulksx"
      ]
    }
  ]
}

Full access IAM policy example to use InvokeModel

The following is an IAM policy example for a state machine that provides full access when you use the InvokeModel API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "InvokeModel1",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:provisioned-model/*"
      ]
    }
  ]
}

IAM policy example to access a specific foundation model as a base model

The following is an IAM policy example for a state machine to access a specific foundation model named amazon.titan-text-express-v1 as a base model using the CreateModelCustomizationJob API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/amazon.titan-text-express-v1",
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/myRole"
      ]
    }
  ]
}

IAM policy example to access a specific custom model as a base model

The following is an IAM policy example for a state machine to access a specific custom model as a base model using the CreateModelCustomizationJob API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/[[roleName]]"
      ]
    }
  ]
}

Full access IAM policy example to use CreateModelCustomizationJob

The following is an IAM policy example for a state machine that provides full access when you use the CreateModelCustomizationJob API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/myRole"
      ]
    }
  ]
}

IAM policy example to access a specific foundation model using CreateModelCustomizationJob.sync

The following is an IAM policy example for a state machine to access a specific foundation model named amazon.titan-text-express-v1 using the CreateModelCustomizationJob.sync API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/amazon.titan-text-express-v1",
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "bedrock:GetModelCustomizationJob",
        "bedrock:StopModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob3",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/myRole"
      ]
    }
  ]
}

IAM policy example to access a custom model using CreateModelCustomizationJob.sync

The following is an IAM policy example for a state machine to access a custom model using the CreateModelCustomizationJob.sync API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "bedrock:GetModelCustomizationJob",
        "bedrock:StopModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob3",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/myRole"
      ]
    }
  ]
}

Full access IAM policy example to use CreateModelCustomizationJob.sync

The following is an IAM policy example for a state machine that provides full access when you use the CreateModelCustomizationJob.sync API action.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob1",
      "Action": [
        "bedrock:CreateModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2::foundation-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob2",
      "Action": [
        "bedrock:GetModelCustomizationJob",
        "bedrock:StopModelCustomizationJob"
      ],
      "Resource": [
        "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"
      ]
    },
    {
      "Effect": "Allow",
      "Sid": "CreateModelCustomizationJob3",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": [
        "arn:aws-cn:iam::123456789012:role/myRole"
      ]
    }
  ]
}
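The following added example (not part of the Step Functions documentation) turns the wildcard recommendation and the .sync examples above into a small policy lint: it flags wildcard actions and avoidable wildcard resources, treats the custom-model and model-customization-job wildcards that even the scoped examples carry as expected, and reports which of the actions the CreateModelCustomizationJob.sync examples grant are missing. The function names and the sample policy are this example's own.

```python
# Added example, not from the Step Functions documentation: lint an execution-role
# policy against this page's guidance (no avoidable wildcards; the .sync pattern
# also needs Get/StopModelCustomizationJob and iam:PassRole).
import json

# Actions the page's CreateModelCustomizationJob.sync examples grant in total.
SYNC_REQUIRED = {"bedrock:CreateModelCustomizationJob", "bedrock:GetModelCustomizationJob",
                 "bedrock:StopModelCustomizationJob", "iam:PassRole"}
# Types the page's scoped examples still wildcard: the names do not exist until the job runs.
RUNTIME_NAMED = {"custom-model", "model-customization-job"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def arn_resource(arn):
    """Split an ARN into (resource_type, resource_id); a bare '*' yields ('', '*')."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        return "", arn
    rtype, _, rid = parts[5].partition("/")
    return rtype, rid

def lint_policy(policy_json, sync=False):
    """Return findings as strings; an empty list means the policy follows the guidance."""
    findings, actions = [], set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            actions.add(action)
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
        for arn in _as_list(stmt.get("Resource", [])):
            rtype, rid = arn_resource(arn)
            if "*" in rtype or ("*" in rid and rtype not in RUNTIME_NAMED):
                findings.append(f"{sid}: wildcard resource {arn}")
    if sync:
        findings += [f"missing action for .sync pattern: {a}" for a in sorted(SYNC_REQUIRED - actions)]
    return findings

# Constructed sample: the page's full-access CreateModelCustomizationJob policy,
# which lacks the Get/Stop actions the .sync examples add.
FULL_ACCESS = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Sid": "CreateModelCustomizationJob1",
     "Action": ["bedrock:CreateModelCustomizationJob"],
     "Resource": ["arn:aws-cn:bedrock:us-west-2::foundation-model/*",
                  "arn:aws-cn:bedrock:us-west-2:123456789012:custom-model/*",
                  "arn:aws-cn:bedrock:us-west-2:123456789012:model-customization-job/*"]},
    {"Effect": "Allow", "Sid": "CreateModelCustomizationJob2",
     "Action": ["iam:PassRole"], "Resource": ["arn:aws-cn:iam::123456789012:role/myRole"]}]})
```

Running `lint_policy(FULL_ACCESS, sync=True)` reports the foundation-model wildcard plus the two missing job actions, while the scoped .sync policy above passes cleanly.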