To connect the AWS Bedrock integration, an AWS administrator must create a dedicated IAM role and attach a read-only permissions policy.
Permissions Required for Connecting User which typically are allowed by the Admin level role in an org:
"iam:ListUsers",
"iam:ListRoles",
"cloudtrail:LookupEvents",
"ce:GetCostAndUsage",
"ce:GetDimensionValues"
Conditions to connect:
The AWS account ID entered during integration setup must be the same AWS account that contains the SaasManagerBedrockIntegration role.
Saas Manager uses the organizationId, the trust relationship must require that exact to be give as AWS Role external ID. If the external ID does not match, the connection will fail. Making this connection is outline in the steps below.
Step 1: Create The Permissions Policy
Sign in to the customer AWS account.
Go to IAM → Policies.
Click Create policy.
Choose the JSON editor.
Paste this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListRoles",
"cloudtrail:LookupEvents",
"ce:GetCostAndUsage",
"ce:GetDimensionValues"
],
"Resource": "*"
}
]
}Click Next.
Recommended to name the policy:
SaasManagerIntegrationBedrockPolicyReview and click Create policy.
What The Permissions Are Used For
iam:ListUsers: lists IAM users that may appear as Bedrock actors.iam:ListRoles: lists IAM roles and service-account-style actors that may appear in Bedrock usage.cloudtrail:LookupEvents: reads Bedrock runtime events used to determine model, caller identity, request count, input tokens, and output tokens.ce:GetCostAndUsage: reads app/account-level Bedrock spend and billing usage from AWS Cost Explorer."ce:GetDimensionValues": reads Cost Explorer dimension labels for the account and date range
Step 2: Create The IAM Role
Go to IAM → Roles.
Click Create role.
For Trusted entity type, choose AWS account.
Choose Another AWS account.
Enter AWS account ID
377450845233which is the Saas Manager account that will assume your role.Saas Manager requires an external ID be provided to connect, select Require external ID.
Required: Enter your users'
Organization Idfor the account that is going to connect. This can be found by opening a new tab and navigating to Saas Manager → Dashboard → Tap the icon in right hand corner → Profile. Copy theOrganization Idand paste into the configuration window as external ID.Click Next.
Search for and select:
SaasManagerIntegrationBedrockPolicyClick Next.
Must name the role exactly:
SaasManagerBedrockIntegrationReview the trusted entity, external ID is your organizationID, role name is exact match, and attached policy.
Click Create role.
Step 3: Fill in integration form
After the role is created, use the AWS account ID for the account that contains the role when connecting the integration.
Choose the region for your aws instance and connect.
Comments
0 comments
Please sign in to leave a comment.