设置 Amazon Bedrock Marketplace

您可以使用 Amazon Bedrock 完全访问权限策略为 SageMaker AI 提供权限。建议使用托管式策略，但如果您无法使用托管式策略，请确保您的 IAM 角色具有以下权限。

以下是 Amazon Bedrock 完全访问策略提供的权限。

JSON


{
    	"Version":"2012-10-17",
    	"Statement": [
    		{
    			"Sid": "BedrockAll",
    			"Effect": "Allow",
    			"Action": [
    				"bedrock:*"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "DescribeKey",
    			"Effect": "Allow",
    			"Action": [
    				"kms:DescribeKey"
    			],
    			"Resource": "arn:*:kms:*:::*"
    		},
    		{
    			"Sid": "APIsWithAllResourceAccess",
    			"Effect": "Allow",
    			"Action": [
    				"iam:ListRoles",
    				"ec2:DescribeVpcs",
    				"ec2:DescribeSubnets",
    				"ec2:DescribeSecurityGroups"
    			],
    			"Resource": "*"
    		},
    		{
    			"Sid": "MarketplaceModelEndpointMutatingAPIs",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:CreateEndpoint",
    				"sagemaker:CreateEndpointConfig",
    				"sagemaker:CreateModel",
    				"sagemaker:CreateInferenceComponent",
    				"sagemaker:DeleteInferenceComponent",
    				"sagemaker:DeleteEndpoint",
    				"sagemaker:UpdateEndpoint"
    			],
    			"Resource": [
    				"arn:aws:sagemaker:*:*:endpoint/*",
    				"arn:aws:sagemaker:*:*:endpoint-config/*",
    				"arn:aws:sagemaker:*:*:model/*"
    			],
    			"Condition": {
    				"StringEquals": {
    					"aws:CalledViaLast": "bedrock.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "BedrockEndpointTaggingOperations",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:AddTags",
    				"sagemaker:DeleteTags"
    			],
    			"Resource": [
    				"arn:aws:sagemaker:*:*:endpoint/*",
    				"arn:aws:sagemaker:*:*:endpoint-config/*",
    				"arn:aws:sagemaker:*:*:model/*"
    			]
    		},
    		{
    			"Sid": "MarketplaceModelEndpointNonMutatingAPIs",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:DescribeEndpoint",
    				"sagemaker:DescribeEndpointConfig",
    				"sagemaker:DescribeModel",
    				"sagemaker:DescribeInferenceComponent",
    				"sagemaker:ListEndpoints",
    				"sagemaker:ListTags"
    			],
    			"Resource": [
    				"arn:aws:sagemaker:*:*:endpoint/*",
    				"arn:aws:sagemaker:*:*:endpoint-config/*",
    				"arn:aws:sagemaker:*:*:model/*"
    			],
    			"Condition": {
    				"StringEquals": {
    					"aws:CalledViaLast": "bedrock.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "BedrockEndpointInvokingOperations",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:InvokeEndpoint",
    				"sagemaker:InvokeEndpointWithResponseStream"
    			],
    			"Resource": [
    				"arn:aws:sagemaker:*:*:endpoint/*"
    			],
    			"Condition": {
    				"StringEquals": {
    					"aws:CalledViaLast": "bedrock.amazonaws.com"
    				}
    			}
    		},
    		{
    			"Sid": "DiscoveringMarketplaceModel",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:DescribeHubContent"
    			],
    			"Resource": [
    				"arn:aws:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*",
    				"arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
    			]
    		},
    		{
    			"Sid": "AllowMarketplaceModelsListing",
    			"Effect": "Allow",
    			"Action": [
    				"sagemaker:ListHubContents"
    			],
    			"Resource": "arn:aws:sagemaker:*:aws:hub/SageMakerPublicHub"
    		},
    		{
    			"Sid": "RetrieveSubscribedMarketplaceLicenses",
    			"Effect": "Allow",
    			"Action": [
    				"license-manager:ListReceivedLicenses"
    			],
    			"Resource": [
    				"*"
    			]
    		},
    		{
    			"Sid": "PassRoleToSageMaker",
    			"Effect": "Allow",
    			"Action": [
    				"iam:PassRole"
    			],
    			"Resource": [
    				"arn:aws:iam::*:role/*Sagemaker*ForBedrock*"
    			],
    			"Condition": {
    				"StringEquals": {
    					"iam:PassedToService": [
    						"sagemaker.amazonaws.com",
    						"bedrock.amazonaws.com"
    					]
    				}
    			}
    		},
    		{
    			"Sid": "PassRoleToBedrock",
    			"Effect": "Allow",
    			"Action": [
    				"iam:PassRole"
    			],
    			"Resource": "arn:aws:iam::*:role/*AmazonBedrock*",
    			"Condition": {
    				"StringEquals": {
    					"iam:PassedToService": [
    						"bedrock.amazonaws.com"
    					]
    				}
    			}
    		}
    	]
    }

重要

Amazon Bedrock 完全访问策略仅提供对 Amazon Bedrock API 的权限。要在中使用 Amazon BedrockAWS 管理控制台，您的 IAM 角色还必须具有以下权限：


{
        "Sid": "AllowConsoleS3AccessForBedrockMarketplace",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:GetBucketCORS",
          "s3:ListBucket",
          "s3:ListBucketVersions",
          "s3:GetBucketLocation"
        ],
        "Resource": "*"
    }

如果您要自行编写策略，则必须附上支持对资源执行 Amazon Bedrock Marketplace 操作的策略声明。例如，以下策略支持 Amazon Bedrock 对已部署到端点的模型使用 InvokeModel 操作。

有关设置 Amazon Bedrock 的更多信息，请参阅快速入门。

您可能需要使用AWS Key Management Service密钥对部署模型的端点进行加密。您必须修改前述策略，以便提供使用 AWS KMS 密钥的权限。

AWS KMS密钥还必须具有加密端点的权限。您必须修改 AWS KMS 资源策略来加密端点。有关修改策略的更多信息，请参阅将 IAM 策略与一起使用AWS Key Management Service。

您的AWS KMS密钥还必须具有CreateGrant权限。下面是密钥策略中必须具有的权限的示例。


{
"Sid": "Allow access for AmazonSageMaker-ExecutionRole",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111122223333:role/SagemakerExecutionRole"
},
"Action": "kms:CreateGrant",
"Resource": "*"
}

有关提供创建授予权限的更多信息，请参阅授予 CreateGrant 权限。

Javascript 在您的浏览器中被禁用或不可用。

要使用 Amazon Web Services 文档，必须启用 Javascript。请参阅浏览器的帮助页面以了解相关说明。

文档惯例

Amazon Bedrock Marketplace

控制 Amazon Bedrock Marketplace 模型的访问