本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
IAM policies for Amazon Bedrock
使用控制台创建状态机时,Step Functions 会自动为状态机创建一个具有所需最低权限的执行角色。这些自动生成的IAM角色对 Amazon Web Services 区域 您在其中创建状态机的角色有效。
以下示例模板展示了如何根据状态机定义中的资源 Amazon Step Functions 生成 IAM 策略。有关更多信息,请参阅 集成服务的 IAM 策略 和 服务集成模式。
我们建议您在创建 IAM 策略时,不要在策略中包含通配符。作为安全最佳实操,应尽可能缩小策略范围。只有在运行时不知道某些输入参数时,才应使用动态策略。
本主题内容
Amazon Bedrock 与 Step Functions 集成的 IAM 策略示例
以下部分根据您用于特定基础或预置模型的 Amazon Bedrock API 说明了您需要的 IAM 权限。本部分还包含授予完全访问权限的策略示例。
切记用特定资源信息替换斜体文本。
IAM使用访问特定基础模型的策略示例 InvokeModel
以下是访问amazon.titan-text-express-v1使用 InvokeModelAPI 操作命名的特定基础模型的状态机的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "InvokeModel1", "Action": [ "bedrock:InvokeModel" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/amazon.titan-text-express-v1" ] } ] }
IAM使用访问特定预配置模型的策略示例 InvokeModel
以下是访问c2oi931ulksx使用 InvokeModelAPI 操作命名的特定预配置模型的状态机的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "InvokeModel1", "Action": [ "bedrock:InvokeModel" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:provisioned-model/c2oi931ulksx" ] } ] }
要使用的完全访问IAM策略示例 InvokeModel
以下是状态机的IAM策略示例,该状态机在您使用 InvokeModelAPI 操作时提供完全访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "InvokeModel1", "Action": [ "bedrock:InvokeModel" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/*", "arn:aws:bedrock:us-east-2:123456789012:provisioned-model/*" ] } ] }
将特定基础模型作为基本模型访问的 IAM 策略示例
以下是状态机使用 CreateModelCustomizationJobAPI 操作访问名amazon.titan-text-express-v1为基础模型的特定基础模型的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/amazon.titan-text-express-v1", "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/myRole" ] } ] }
将特定自定义模型作为基本模型访问的 IAM 策略示例
以下是状态机使用 CreateModelCustomizationJobAPI 操作访问作为基础模型的特定自定义模型的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/[[roleName]]" ] } ] }
使用 CreateModelCustomizationJob .sync 的完全访问IAM策略示例
以下是状态机的IAM策略示例,该状态机在您使用 CreateModelCustomizationJobAPI 操作时提供完全访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/*", "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/myRole" ] } ] }
IAM使用 CreateModelCustomizationJob .sync 访问特定基础模型的策略示例
以下是状态机访问amazon.titan-text-express-v1使用 CreateModelCustomizationJob.sync API 操作命名的特定基础模型的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/amazon.titan-text-express-v1", "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:StopModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob3", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/myRole" ] } ] }
IAM使用 CreateModelCustomizationJob .sync 访问自定义模型的策略示例
以下是状态机使用 CreateModelCustomizationJob.sync API 操作访问自定义模型的IAM策略示例。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:StopModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob3", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/myRole" ] } ] }
使用 CreateModelCustomizationJob .sync 的完全访问IAM策略示例
以下是状态机的IAM策略示例,该状态机在您使用 CreateModelCustomizationJob.sync API 操作时提供完全访问权限。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Sid": "CreateModelCustomizationJob1", "Action": [ "bedrock:CreateModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2::foundation-model/*", "arn:aws:bedrock:us-east-2:123456789012:custom-model/*", "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob2", "Action": [ "bedrock:GetModelCustomizationJob", "bedrock:StopModelCustomizationJob" ], "Resource": [ "arn:aws:bedrock:us-east-2:123456789012:model-customization-job/*" ] }, { "Effect": "Allow", "Sid": "CreateModelCustomizationJob3", "Action": [ "iam:PassRole" ], "Resource": [ "arn:aws:iam::123456789012:role/myRole" ] } ] }