

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version prevails.

# Set up Amazon Bedrock Marketplace
<a name="setup-amazon-bedrock-marketplace"></a>

You can use the [Amazon Bedrock Full Access policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html) to grant SageMaker AI the permissions it needs. We recommend using the managed policy, but if you can't use it, make sure your IAM role has the following permissions.

The following is the recommended custom policy for Amazon Bedrock Marketplace. For the latest version of the Amazon Bedrock Full Access managed policy, see [AmazonBedrockFullAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockFullAccess.html).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BedrockAll",
            "Effect": "Allow",
            "Action": [
                "bedrock:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DescribeKey",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey"
            ],
            "Resource": "arn:*:kms:*:::*"
        },
        {
            "Sid": "APIsWithAllResourceAccess",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "ec2:DescribeVpcs",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups"
            ],
            "Resource": "*"
        },
        {
            "Sid": "MarketplaceModelEndpointMutatingAPIs",
            "Effect": "Allow",
            "Action": [
                "sagemaker:CreateEndpoint",
                "sagemaker:CreateEndpointConfig",
                "sagemaker:CreateModel",
                "sagemaker:DeleteEndpoint",
                "sagemaker:UpdateEndpoint"
            ],
            "Resource": [
                "arn:*:sagemaker:*:*:endpoint/*",
                "arn:*:sagemaker:*:*:endpoint-config/*",
                "arn:*:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com"
                }
            }
        },
        {
            "Sid": "BedrockEndpointTaggingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:AddTags",
                "sagemaker:DeleteTags"
            ],
            "Resource": [
                "arn:*:sagemaker:*:*:endpoint/*",
                "arn:*:sagemaker:*:*:endpoint-config/*",
                "arn:*:sagemaker:*:*:model/*"
            ]
        },
        {
            "Sid": "MarketplaceModelEndpointNonMutatingAPIs",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeEndpoint",
                "sagemaker:DescribeEndpointConfig",
                "sagemaker:DescribeModel",
                "sagemaker:DescribeInferenceComponent",
                "sagemaker:ListEndpoints",
                "sagemaker:ListTags"
            ],
            "Resource": [
                "arn:*:sagemaker:*:*:endpoint/*",
                "arn:*:sagemaker:*:*:endpoint-config/*",
                "arn:*:sagemaker:*:*:model/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com"
                }
            }
        },
        {
            "Sid": "BedrockEndpointInvokingOperations",
            "Effect": "Allow",
            "Action": [
                "sagemaker:InvokeEndpoint",
                "sagemaker:InvokeEndpointWithResponseStream"
            ],
            "Resource": [
                "arn:*:sagemaker:*:*:endpoint/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com"
                }
            }
        },
        {
            "Sid": "DiscoveringMarketplaceModel",
            "Effect": "Allow",
            "Action": [
                "sagemaker:DescribeHubContent"
            ],
            "Resource": [
                "arn:*:sagemaker:*:aws:hub-content/SageMakerPublicHub/Model/*",
                "arn:*:sagemaker:*:aws:hub/SageMakerPublicHub"
            ]
        },
        {
            "Sid": "AllowMarketplaceModelsListing",
            "Effect": "Allow",
            "Action": [
                "sagemaker:ListHubContents"
            ],
            "Resource": "arn:*:sagemaker:*:aws:hub/SageMakerPublicHub"
        },
        {
            "Sid": "RetrieveSubscribedMarketplaceLicenses",
            "Effect": "Allow",
            "Action": [
                "license-manager:ListReceivedLicenses"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "PassRoleToSageMaker",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:*:iam::*:role/*Sagemaker*ForBedrock*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "sagemaker.amazonaws.com",
                        "bedrock.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "PassRoleToBedrock",
            "Effect": "Allow",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": "arn:*:iam::*:role/*AmazonBedrock*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "bedrock.amazonaws.com"
                    ]
                }
            }
        }
    ]
}
```

**Important**  
The Amazon Bedrock Full Access policy grants permissions only for the Amazon Bedrock APIs. To use Amazon Bedrock in the AWS Management Console, your IAM role must also have the following permissions:  

```
{
        "Sid": "AllowConsoleS3AccessForBedrockMarketplace",
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:GetBucketCORS",
          "s3:ListBucket",
          "s3:ListBucketVersions",
          "s3:GetBucketLocation"
        ],
        "Resource": "*"
    }
```

If you are writing your own policy, you must include a policy statement that allows the Amazon Bedrock Marketplace actions on their resources. For example, the following policy allows Amazon Bedrock to use the `InvokeModel` operation on a model that you have deployed to an endpoint.

------
#### [ JSON ]

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BedrockAll",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": [
                "arn:aws:bedrock:{{us-east-1}}:{{111122223333}}:marketplace/model-endpoint/all-access"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": ["sagemaker:InvokeEndpoint"],
            "Resource": "arn:aws:sagemaker:{{us-east-1}}:{{111122223333}}:endpoint/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/project": "{{example-project-id}}",
                    "aws:CalledViaLast": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}
```

------
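As an added example (not part of the AWS documentation), the following Python script performs the static checks a reviewer would run over a custom Marketplace policy like the ones above before attaching it: it confirms that the SageMaker endpoint actions are only granted behind the `aws:CalledViaLast` = `bedrock.amazonaws.com` condition, and that `iam:PassRole` is bound to a role ARN pattern and an `iam:PassedToService` condition rather than `Resource: "*"`. Both sample policy documents inside it are constructed for this example; the checker understands only `StringEquals` conditions and simple trailing-`*` action wildcards.

```python
"""
Static checks for a custom Amazon Bedrock Marketplace IAM policy.

Added example, not AWS documentation code. It reads a policy document and
reports Allow statements that grant SageMaker endpoint or iam:PassRole
permissions without the conditions the documented policy uses.
"""
import json

# SageMaker actions that the documented policy allows only when the call
# reaches SageMaker through Bedrock (aws:CalledViaLast = bedrock.amazonaws.com).
BEDROCK_GATED_ACTIONS = {
    "sagemaker:CreateEndpoint",
    "sagemaker:CreateEndpointConfig",
    "sagemaker:CreateModel",
    "sagemaker:DeleteEndpoint",
    "sagemaker:UpdateEndpoint",
    "sagemaker:InvokeEndpoint",
    "sagemaker:InvokeEndpointWithResponseStream",
}
BEDROCK_SERVICE = "bedrock.amazonaws.com"


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _string_equals(statement, key):
    """Values of a StringEquals condition key, or [] if the key is absent."""
    cond = statement.get("Condition", {}).get("StringEquals", {})
    return _as_list(cond.get(key))


def _matches(action, pattern):
    """Minimal IAM action matching: exact name, 'svc:Prefix*' or '*'."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return action == pattern


def check_policy(policy):
    """Return a list of (Sid, message) findings for a policy dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for st in _as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))

        # 1. Endpoint actions should be callable only via Bedrock.
        gated = [a for a in actions if any(_matches(g, a) for g in BEDROCK_GATED_ACTIONS)]
        if gated and BEDROCK_SERVICE not in _string_equals(st, "aws:CalledViaLast"):
            findings.append((sid, f"{', '.join(gated)} allowed without "
                                  f"aws:CalledViaLast = {BEDROCK_SERVICE}"))

        # 2. iam:PassRole must name the receiving service and a role ARN pattern.
        if any(_matches("iam:PassRole", a) for a in actions):
            if not _string_equals(st, "iam:PassedToService"):
                findings.append((sid, "iam:PassRole allowed without iam:PassedToService"))
            if "*" in resources:
                findings.append((sid, 'iam:PassRole allowed on Resource "*"'))
    return findings


# Constructed sample modelled on the documented policy: expected to pass cleanly.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BedrockAll", "Effect": "Allow", "Action": ["bedrock:*"], "Resource": "*"},
        {"Sid": "MarketplaceModelEndpointMutatingAPIs", "Effect": "Allow",
         "Action": ["sagemaker:CreateEndpoint", "sagemaker:DeleteEndpoint"],
         "Resource": ["arn:*:sagemaker:*:*:endpoint/*"],
         "Condition": {"StringEquals": {"aws:CalledViaLast": BEDROCK_SERVICE}}},
        {"Sid": "BedrockEndpointInvokingOperations", "Effect": "Allow",
         "Action": ["sagemaker:InvokeEndpoint"],
         "Resource": ["arn:*:sagemaker:*:*:endpoint/*"],
         "Condition": {"StringEquals": {"aws:CalledViaLast": BEDROCK_SERVICE}}},
        {"Sid": "PassRoleToSageMaker", "Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:*:iam::*:role/*Sagemaker*ForBedrock*"],
         "Condition": {"StringEquals": {"iam:PassedToService":
                                        ["sagemaker.amazonaws.com", BEDROCK_SERVICE]}}},
    ],
}

# Constructed over-broad variant: endpoints callable directly, PassRole unbounded.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OpenEndpoints", "Effect": "Allow", "Action": "sagemaker:*", "Resource": "*"},
        {"Sid": "OpenPassRole", "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("good", GOOD_POLICY), ("weak", WEAK_POLICY)):
        print(name, check_policy(doc) or "no findings")
```

Run it as a script to see the two reports, or call `check_policy()` on a policy document read from a file in a CI step so over-broad statements are caught before the policy is attached.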

For more information about setting up Amazon Bedrock, see the [quick start guide](getting-started.md).

You might want to use an AWS Key Management Service key to encrypt the endpoint of a deployed model. You must modify the preceding policy so that it has permission to use the AWS KMS key.

The AWS KMS key must also have permission to encrypt the endpoint. You must modify the AWS KMS key (resource) policy to allow encrypting the endpoint. For more information about modifying the policy, see [Using IAM policies with AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies).

Your AWS KMS key must also grant the `CreateGrant` permission. The following is an example of the permission that must be in the key policy.

```
{
    "Sid": "Allow access for AmazonSageMaker-ExecutionRole",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/{{SagemakerExecutionRole}}"
    },
    "Action": "kms:CreateGrant",
    "Resource": "*"
}
```
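As an added example (not AWS documentation code), the following Python helper adds the `kms:CreateGrant` statement shown above to an existing key policy document only when no equivalent unconditional statement for that role is already present, so it can be run repeatedly without duplicating statements, and it never modifies the input document. The sample key policy and the execution role ARN are constructed placeholders; applying the result to a key (for example with `put-key-policy`) is left to the caller.

```python
"""
Ensure a KMS key policy lets the SageMaker execution role call kms:CreateGrant.

Added example, not AWS documentation code. Operates on the key policy as a
plain dict and returns an updated copy; nothing here talks to AWS.
"""
import copy
import json

GRANT_SID = "Allow access for AmazonSageMaker-ExecutionRole"


def _as_list(value):
    """IAM accepts a string or a list in Action/Principal; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_arns(statement):
    """AWS principal ARNs named by a statement ('*' principal returns ['*'])."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def has_create_grant(key_policy, role_arn):
    """True if an unconditional Allow statement already lets role_arn call kms:CreateGrant.

    Only the exact action or 'kms:*' counts; conditional statements are not
    treated as equivalent because their effect depends on the request context.
    """
    for st in _as_list(key_policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        actions = _as_list(st.get("Action", []))
        if not any(a in ("kms:*", "kms:CreateGrant") for a in actions):
            continue
        if role_arn in _principal_arns(st):
            return True
    return False


def ensure_create_grant(key_policy, role_arn):
    """Return a deep copy of key_policy with the CreateGrant statement added if missing."""
    updated = copy.deepcopy(key_policy)
    if has_create_grant(updated, role_arn):
        return updated
    statement = {
        "Sid": GRANT_SID,
        "Effect": "Allow",
        "Principal": {"AWS": role_arn},
        "Action": "kms:CreateGrant",
        "Resource": "*",  # in a key policy, "*" means this key only
    }
    updated["Statement"] = _as_list(updated.get("Statement", [])) + [statement]
    return updated


# Constructed sample: a default-style key policy that only names the account root.
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Id": "example-key-policy",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}
# Placeholder role ARN; substitute the execution role actually used by SageMaker AI.
ROLE_ARN = "arn:aws:iam::111122223333:role/SagemakerExecutionRole-example"

if __name__ == "__main__":
    print(json.dumps(ensure_create_grant(SAMPLE_KEY_POLICY, ROLE_ARN), indent=4))
```

The account root statement in the sample grants `kms:*` to the root principal, not to the role, so `has_create_grant()` correctly reports the role as missing until the specific statement is appended.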

For more information about granting permission to create grants, see [Granting CreateGrant permission](https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-creategrant).