本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
管理项目上的 IAM 策略
Amazon Bedrock Projects 支持直接 IAM 策略附件,允许您在项目资源级别管理访问控制。这为管理 IAM 用户和角色的策略提供了一种替代方案。
了解项目级 IAM 政策
项目级 IAM 策略允许您:
-
集中访问控制:直接对项目资源定义权限
-
简化管理:无需修改个别 user/role 策略即可更新访问权限
-
轻松审计:在一个地方查看项目的所有权限
-
委托管理:允许项目所有者管理其项目的访问权限
将 IAM 策略附加到项目
附加策略以授予访问权限
将 IAM 策略直接附加到项目以授予权限:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Define the identity-based policy document policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowTeamAlphaAccess", "Effect": "Allow", "Action": [ "bedrock-mantle:ListTagsForResources", "bedrock-mantle:GetProject" ], "Resource": project_arn } ] } policy_json = json.dumps(policy_document) # Create a managed policy create_response = iam.create_policy( PolicyName="TeamAlphaAccessPolicy", PolicyDocument=policy_json, Description="Grants Team Alpha read access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach the policy to alice (IAM user) iam.attach_user_policy( UserName="alice", PolicyArn=policy_arn ) print("Policy attached to alice") # Attach the policy to bob (IAM user) iam.attach_user_policy( UserName="bob", PolicyArn=policy_arn ) print("Policy attached to bob") # Attach the policy to TeamAlphaRole (IAM role) iam.attach_role_policy( RoleName="TeamAlphaRole", PolicyArn=policy_arn ) print("Policy attached to TeamAlphaRole")
向团队授予完全项目访问权限
允许团队拥有管理和使用项目的完全访问权限:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Identity-based policy — no Principal block needed policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "FullProjectAccess", "Effect": "Allow", "Action": "bedrock-mantle:*", "Resource": project_arn } ] } # Create a managed policy create_response = iam.create_policy( PolicyName="DataScienceFullAccess", PolicyDocument=json.dumps(policy_document), Description="Grants DataScienceTeamRole full access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach to the DataScienceTeamRole iam.attach_role_policy( RoleName="DataScienceTeamRole", PolicyArn=policy_arn ) print("Full access policy attached to DataScienceTeamRole")
授予 只读访问权限
附上仅允许查看项目详细信息和发出推理请求的策略:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Identity-based policy — no Principal block needed policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "ReadOnlyAccess", "Effect": "Allow", "Action": [ "bedrock-mantle:CreateInference", "bedrock-mantle:GetProject", "bedrock-mantle:ListProjects", "bedrock-mantle:ListTagsForResources" ], "Resource": project_arn } ] } # Create a managed policy create_response = iam.create_policy( PolicyName="ReadOnlyAccessPolicy", PolicyDocument=json.dumps(policy_document), Description="Grants viewer1 and viewer2 read-only access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach to viewer1 iam.attach_user_policy( UserName="viewer1", PolicyArn=policy_arn ) print("Policy attached to viewer1") # Attach to viewer2 iam.attach_user_policy( UserName="viewer2", PolicyArn=policy_arn ) print("Policy attached to viewer2")
