本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
在專案上管理 IAM 政策
Amazon Bedrock Projects 支援直接 IAM 政策連接,可讓您在專案資源層級管理存取控制。這提供了管理 IAM 使用者和角色政策的替代方案。
了解專案層級 IAM 政策
專案層級 IAM 政策可讓您:
-
集中存取控制:直接在專案資源上定義許可
-
簡化管理:在不修改個別使用者/角色政策的情況下更新存取權
-
輕鬆稽核:在一個位置檢視專案的所有許可
-
委派管理:允許專案擁有者管理其專案的存取權
將 IAM 政策連接至專案
連接政策以授予存取權
將 IAM 政策直接連接至專案以授予許可:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Define the identity-based policy document policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowTeamAlphaAccess", "Effect": "Allow", "Action": [ "bedrock-mantle:ListTagsForResources", "bedrock-mantle:GetProject" ], "Resource": project_arn } ] } policy_json = json.dumps(policy_document) # Create a managed policy create_response = iam.create_policy( PolicyName="TeamAlphaAccessPolicy", PolicyDocument=policy_json, Description="Grants Team Alpha read access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach the policy to alice (IAM user) iam.attach_user_policy( UserName="alice", PolicyArn=policy_arn ) print("Policy attached to alice") # Attach the policy to bob (IAM user) iam.attach_user_policy( UserName="bob", PolicyArn=policy_arn ) print("Policy attached to bob") # Attach the policy to TeamAlphaRole (IAM role) iam.attach_role_policy( RoleName="TeamAlphaRole", PolicyArn=policy_arn ) print("Policy attached to TeamAlphaRole")
授予團隊完整專案存取權
允許團隊完整存取以管理和使用專案:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Identity-based policy — no Principal block needed policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "FullProjectAccess", "Effect": "Allow", "Action": "bedrock-mantle:*", "Resource": project_arn } ] } # Create a managed policy create_response = iam.create_policy( PolicyName="DataScienceFullAccess", PolicyDocument=json.dumps(policy_document), Description="Grants DataScienceTeamRole full access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach to the DataScienceTeamRole iam.attach_role_policy( RoleName="DataScienceTeamRole", PolicyArn=policy_arn ) print("Full access policy attached to DataScienceTeamRole")
授予 唯讀存取權
連接僅允許檢視專案詳細資訊和提出推論請求的政策:
import boto3 import json iam = boto3.client('iam', region_name='us-east-1') project_arn = "arn:aws:bedrock-mantle:us-east-1:123456789012:project/proj_abc123" # Identity-based policy — no Principal block needed policy_document = { "Version": "2012-10-17", "Statement": [ { "Sid": "ReadOnlyAccess", "Effect": "Allow", "Action": [ "bedrock-mantle:CreateInference", "bedrock-mantle:GetProject", "bedrock-mantle:ListProjects", "bedrock-mantle:ListTagsForResources" ], "Resource": project_arn } ] } # Create a managed policy create_response = iam.create_policy( PolicyName="ReadOnlyAccessPolicy", PolicyDocument=json.dumps(policy_document), Description="Grants viewer1 and viewer2 read-only access to the Bedrock project" ) policy_arn = create_response['Policy']['Arn'] print(f"Policy created: {policy_arn}") # Attach to viewer1 iam.attach_user_policy( UserName="viewer1", PolicyArn=policy_arn ) print("Policy attached to viewer1") # Attach to viewer2 iam.attach_user_policy( UserName="viewer2", PolicyArn=policy_arn ) print("Policy attached to viewer2")
