Expand Bedrock permissions #4
Nope. I don't want people to have permissions to create these. When needed, they are to be created through TF. For new accounts, common/service-llnked-roles.tf is provisioned, with some variable files.
If it's an existing account without this, you can grab these files from support/local-app/aws-account-setup/ansible/roles/inf-common/files and import ones which may be created, and add new ones needed and follow with git workflow. May I ask you to create a how-to document for this in support/docs/how-to/aws-service-linked-roles/README.md?
…ofilePolicyForKnowledgeBase
I know this is still listed as draft, but I don’t think this is the right place for this stuff. I think we may need a Bedrock-specific policy.
I agree. I'm still working with them to get the full list of things they are trying to do. Once that is done, I think this will need to pivot to be a unique PS, sc-aiml, or something like that. Though we would have to dupe sc-developer and add these? That's not awesome. Would be nice if we could create it as a managed policy and attach the managed policy to the group, but it has to attach to a PS. Surely there is some way to make PS's more composable....
Group in lab is trying to test Bedrock Agents.
Chris Jackson reached out with error messages they were hitting.
Discovered they were using Bedrock Console to create Bedrock Agents, which was failing due to inability to create a Role for the agent, and to create/attach the policy to that role. Once those were in place, role creation/policy creation succeeded but Agent Create failed due to PassRole; added that as well, and agent creation succeeded.
PR in Draft - Will continue testing/validating with Chris Jackson. Once confirmed from customer, will submit PR.
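
For reviewing a change like the one described above, here is an added example (not part of this PR or repository) that audits an IAM policy document for the actions the description names and flags grants that are not scoped. The sample policies, the account ID and the `AmazonBedrockExecutionRoleForAgents_` role-name prefix are constructed assumptions.

```python
import fnmatch

# IAM actions named in the PR description above.
SENSITIVE = ("iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:PassRole")

def as_list(value):
    return value if isinstance(value, list) else [value]

def grants(statement, action):
    """True if the statement's Action patterns cover `action` (case-insensitive, * and ?)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in as_list(statement.get("Action", [])))

def has_condition_key(statement, key):
    """True if any condition operator in the statement constrains `key`."""
    return any(key.lower() == k.lower()
               for operands in statement.get("Condition", {}).values() for k in operands)

def audit(policy):
    """Return (statement index, action, problem) for each loosely scoped sensitive grant."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        if st.get("Effect") != "Allow":
            continue
        broad = any(r == "*" or r.endswith((":role/*", ":policy/*"))
                    for r in as_list(st.get("Resource", "*")))
        for action in SENSITIVE:
            if not grants(st, action):
                continue
            if broad:
                findings.append((i, action, "wildcard resource"))
            if action == "iam:PassRole" and not has_condition_key(st, "iam:PassedToService"):
                findings.append((i, action, "no iam:PassedToService condition"))
    return findings

# Constructed sample policies; account ID and role-name prefix are placeholders.
ROLE = "arn:aws:iam::111122223333:role/service-role/AmazonBedrockExecutionRoleForAgents_*"
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:Pass*"], "Resource": "*"}]}
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:AttachRolePolicy"], "Resource": ROLE},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": "bedrock.amazonaws.com"}}}]}

if __name__ == "__main__":
    for name, doc in (("BROAD", BROAD), ("SCOPED", SCOPED)):
        print(name, audit(doc))
```

The check covers `Allow` statements with `Action` lists only; `NotAction`, `NotResource` and permissions boundaries are outside what it inspects.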