Attach Amazon Bedrock permissions to a user or role

  1. Select Users or Roles and then select your user or role.

  2. In the Permissions tab, choose Add permissions, then choose Add AWS managed policy. The policy grants the following statements:

    2.1 Amazon Bedrock APIs (BedrockAPIs)
    Permission                                Description
    bedrock:Get*                              Read any Bedrock resource
    bedrock:List*                             List any Bedrock resource
    bedrock:CallWithBearerToken               Authenticate using bearer token
    bedrock:BatchDeleteEvaluationJob          Batch delete evaluation jobs
    bedrock:CreateEvaluationJob               Create a model evaluation job
    bedrock:CreateGuardrail                   Create a guardrail
    bedrock:CreateGuardrailVersion            Version a guardrail
    bedrock:CreateInferenceProfile            Create an inference profile
    bedrock:CreateModelCopyJob                Copy a model
    bedrock:CreateModelCustomizationJob       Fine-tune or customize a model
    bedrock:CreateModelImportJob              Import an external model
    bedrock:CreateModelInvocationJob          Create a batch invocation job
    bedrock:CreatePromptRouter                Create a prompt router
    bedrock:CreateProvisionedModelThroughput  Provision dedicated model capacity
    bedrock:DeleteCustomModel                 Delete a custom model
    bedrock:DeleteGuardrail                   Delete a guardrail
    bedrock:DeleteImportedModel               Delete an imported model
    bedrock:DeleteInferenceProfile            Delete an inference profile
    bedrock:DeletePromptRouter                Delete a prompt router
    bedrock:DeleteProvisionedModelThroughput  Remove provisioned model capacity
    bedrock:StopEvaluationJob                 Stop a running evaluation job
    bedrock:StopModelCustomizationJob         Stop a model customization job
    bedrock:StopModelInvocationJob            Stop a model invocation job
    bedrock:TagResource                       Add tags to a resource
    bedrock:UntagResource                     Remove tags from a resource
    bedrock:UpdateGuardrail                   Modify an existing guardrail
    bedrock:UpdateProvisionedModelThroughput  Modify provisioned capacity
    bedrock:ApplyGuardrail                    Apply a guardrail to content
    bedrock:InvokeModel                       Invoke a model for inference
    bedrock:InvokeModelWithResponseStream     Invoke a model with streaming output

    Resource: * (All resources)


    2.2 KMS Key Access (DescribeKey)
    Permission                                Description
    kms:DescribeKey                           Look up details of a KMS encryption key

    Resource: arn:*:kms:*:::* (All KMS keys across all accounts and regions)


    2.3 Supporting Infrastructure Access (APIsWithAllResourceAccess)
    Permission                                Description
    iam:ListRoles                             List all IAM roles
    ec2:DescribeVpcs                          Describe VPC configurations
    ec2:DescribeSubnets                       Describe subnet configurations
    ec2:DescribeSecurityGroups                Describe security group configurations

    Resource: * (All resources)


    2.4 Bedrock Mantle APIs (BedrockMantleAPIs)
    Permission                                Description
    bedrock-mantle:CallWithBearerToken        Authenticate using bearer token
    bedrock-mantle:Get*                       Read any Bedrock Mantle resource
    bedrock-mantle:List*                      List any Bedrock Mantle resource
    bedrock-mantle:CreateInference            Create an inference request

    Resource: * (All resources)


    2.5 AWS Marketplace – Third-Party Models (MarketplaceOperationsFromBedrockFor3pModels)
    Permission                                Description
    aws-marketplace:Subscribe                 Subscribe to a marketplace listing
    aws-marketplace:ViewSubscriptions         View existing subscriptions
    aws-marketplace:Unsubscribe               Unsubscribe from a listing

    Resource: * (All resources)
    Condition: Only allowed when the request is made via bedrock.amazonaws.com
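Several of the statements above grant state-changing actions on Resource "*" with no Condition, while the marketplace statement is narrowed to calls made via bedrock.amazonaws.com. As an added example (not part of this page or of the AWS managed policy), the following Python check reads a policy document modelled on four of those statements and reports which Allow statements grant non-read actions on wildcard resources without a Condition; the aws:CalledViaLast condition key is an assumption, since the page only states the requirement in words.

```python
# Constructed sample: four of the statements listed above, as an IAM policy
# document. The Condition key on the marketplace statement is an assumption;
# the page only says the request must be made via bedrock.amazonaws.com.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BedrockAPIs", "Effect": "Allow", "Resource": "*",
     "Action": ["bedrock:Get*", "bedrock:List*", "bedrock:CreateGuardrail",
                "bedrock:DeleteCustomModel", "bedrock:InvokeModel"]},
    {"Sid": "DescribeKey", "Effect": "Allow", "Action": "kms:DescribeKey",
     "Resource": "arn:*:kms:*:::*"},
    {"Sid": "APIsWithAllResourceAccess", "Effect": "Allow", "Resource": "*",
     "Action": ["iam:ListRoles", "ec2:DescribeVpcs", "ec2:DescribeSubnets"]},
    {"Sid": "MarketplaceOperationsFromBedrockFor3pModels", "Effect": "Allow",
     "Resource": "*", "Action": ["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"],
     "Condition": {"StringEquals": {"aws:CalledViaLast": "bedrock.amazonaws.com"}}},
]}
READ_ONLY_VERBS = ("Get", "List", "Describe", "View")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_read_only(action):
    """True when the API verb after 'service:' is a read/list/describe verb."""
    return action.split(":", 1)[-1].startswith(READ_ONLY_VERBS)

def is_wildcard_resource(resource):
    """'*' itself, or an ARN whose account field and resource id are wildcards."""
    if resource == "*":
        return True
    parts = resource.split(":")
    return len(parts) >= 6 and parts[4] in ("", "*") and parts[-1] == "*"

def audit_policy(policy):
    """Per Allow statement: actions that are not read-only, whether the Resource
    is a wildcard, and whether a Condition narrows who can use the grant."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        non_read = [a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a)]
        wildcard = any(is_wildcard_resource(r) for r in _as_list(stmt.get("Resource", [])))
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"), "non_read_actions": non_read,
            "wildcard_resource": wildcard, "conditioned": "Condition" in stmt,
            # state-changing, on every resource, with nothing scoping the caller
            "needs_review": bool(non_read) and wildcard and "Condition" not in stmt})
    return findings

for f in audit_policy(POLICY):
    print("REVIEW" if f["needs_review"] else "ok    ", f["sid"], f["non_read_actions"])
```

Only the BedrockAPIs statement is flagged: DescribeKey and APIsWithAllResourceAccess are read-only, and the marketplace statement is scoped by its Condition.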
