IT-3988: Add role to invoke model and move inline sso policy to manag…

…ed policy (#1277) * Add role * Move policy from inline to managed * Rename stack/policy * Fix per review * Rename stack * Restore inline policy per review * Create agent role in all accounts per review * Rename output per review
Sage-Bionetworks-IT · Nov 13, 2024 · 5554047 · 5554047
1 parent d258791
commit 5554047
Show file tree

Hide file tree

Showing 3 changed files with 74 additions and 0 deletions.
diff --git a/org-formation/300-account-defaults/_tasks.yaml b/org-formation/300-account-defaults/_tasks.yaml
@@ -55,3 +55,13 @@ ItKmsKey:
     IncludeMasterAccount: true
     Account: '*'
     Region: !Ref primaryRegion
+
+BedrockAgentRole:
+  Type: update-stacks
+  Template: ./bedrock-agent-role.yaml
+  StackName: bedrock-agent-role
+  DefaultOrganizationBindingRegion: !Ref primaryRegion
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: false
+    Account: '*'
+    Region: !Ref primaryRegion
diff --git a/org-formation/300-account-defaults/bedrock-agent-role.yaml b/org-formation/300-account-defaults/bedrock-agent-role.yaml
@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Enables executing a Bedrock model
+
+Resources:
+# https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html
+  bedrockAgentRole:
+    Type: AWS::IAM::Role
+    Properties:
+      AssumeRolePolicyDocument:
+        Version: 2012-10-17
+        Statement:
+          - Effect: Allow
+            Principal:
+              Service: bedrock.amazonaws.com
+            Action: sts:AssumeRole
+            Condition:
+              StringEquals:
+                aws:SourceAccount: !Ref AWS::AccountId
+              ArnLike:
+                aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
+      Policies:
+        - PolicyName: bedrockAgentPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action: "bedrock:InvokeModel"
+                Resource:
+                  - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"
+
+Outputs:
+  BedrockAgentRoleArn:
+    Description: The ARN of the Bedrock Agent Role
+    Value: !GetAtt bedrockAgentRole.Arn
+    Export:
+      Name: !Sub '${AWS::StackName}-BedrockAgentRoleArn'
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
@@ -388,3 +388,31 @@ SynapseAthenaUserAccessPolicy:
         ]
       }
     PolicyName: SynapseAthenaUserAccessPolicy
+
+SynapseLlmDeveloperPolicy:
+  Type: update-stacks
+  Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
+  StackName: synapsellm-developer-policy
+  DefaultOrganizationBinding:
+    IncludeMasterAccount: true
+    Account:
+      - SynapseLlmProdAccount
+    Region: !Ref primaryRegion
+  Parameters:
+    PolicyDocument: >-
+      {
+        "Version": "2012-10-17",
+        "Statement": [
+          {
+            "Effect": "Allow",
+            "Action": "s3:*",
+            "Resource": "arn:aws:s3:::cf-template*"
+          },
+          {
+            "Effect": "Allow",
+            "Action": "iam:PassRole",
+            "Resource": "*"
+          }
+        ]
+      }
+    PolicyName: SynapseLlmDeveloperPolicy