Amazon Bedrock

To connect the AWS Bedrock integration, an AWS administrator must create a dedicated IAM role and attach a read-only permissions policy.

Permissions Required for Connecting User which typically are allowed by the Admin level role in an org:

"iam:ListUsers",
"iam:ListRoles",
"cloudtrail:LookupEvents",
"ce:GetCostAndUsage",
"ce:GetDimensionValues"

 

Conditions to connect:

  1. The AWS account ID entered during integration setup must be the same AWS account that contains the SaasManagerBedrockIntegration role.

  2. Saas Manager uses the organizationId, the trust relationship must require that exact to be give as AWS Role external ID. If the external ID does not match, the connection will fail. Making this connection is outline in the steps below.

Step 1: Create The Permissions Policy

  1. Sign in to the customer AWS account.

  2. Go to IAM → Policies.

  3. Click Create policy.

  4. Choose the JSON editor.

  5. Paste this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListRoles",
        "cloudtrail:LookupEvents",
        "ce:GetCostAndUsage",
        "ce:GetDimensionValues"
      ],
      "Resource": "*"
    }
  ]
}
  1. Click Next.

  2. Recommended to name the policy:

SaasManagerIntegrationBedrockPolicy
  1. Review and click Create policy.

What The Permissions Are Used For

  • iam:ListUsers: lists IAM users that may appear as Bedrock actors.

  • iam:ListRoles: lists IAM roles and service-account-style actors that may appear in Bedrock usage.

  • cloudtrail:LookupEvents: reads Bedrock runtime events used to determine model, caller identity, request count, input tokens, and output tokens.

  • ce:GetCostAndUsage: reads app/account-level Bedrock spend and billing usage from AWS Cost Explorer.

  • "ce:GetDimensionValues": reads Cost Explorer dimension labels for the account and date range

Step 2: Create The IAM Role

  1. Go to IAM → Roles.

  2. Click Create role.

  3. For Trusted entity type, choose AWS account.

  4. Choose Another AWS account.

  5. Enter AWS account ID  377450845233 which is the Saas Manager account that will assume your role.

  6. Saas Manager requires an  external ID be provided to connect, select Require external ID.

  7. Required: Enter your users' Organization Id for the account that is going to connect. This can be found by opening a new tab and navigating to Saas Manager →  Dashboard →  Tap the icon in right hand corner →  Profile. Copy the Organization Id and paste into the configuration window as external ID.

  8. Click Next.

  9. Search for and select:

SaasManagerIntegrationBedrockPolicy
  1. Click Next.

  2. Must name the role exactly:

SaasManagerBedrockIntegration
  1. Review the trusted entity, external ID is your organizationID, role name is exact match, and attached policy.

  2. Click Create role.

Step 3: Fill in  integration form

  1. After the role is created, use the AWS account ID for the account that contains the role when connecting the integration.

  2. Choose the region for your aws instance and connect.

 

 

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.