From 5554047add652093ae289b02bdec12a53c222570 Mon Sep 17 00:00:00 2001
From: Xavier Schildwachter
Date: Wed, 13 Nov 2024 07:59:22 -0800
Subject: [PATCH] IT-3988: Add role to invoke model and move inline sso policy to managed policy (#1277)

* Add role
* Move policy from inline to managed
* Rename stack/policy
* Fix per review
* Rename stack
* Restore inline policy per review
* Create agent role in all accounts per review
* Rename output per review
---
 .../300-account-defaults/_tasks.yaml | 10 ++++++
 .../bedrock-agent-role.yaml | 36 +++++++++++++++++++
 org-formation/600-access/_tasks.yaml | 28 +++++++++++++++
 3 files changed, 74 insertions(+)
 create mode 100644 org-formation/300-account-defaults/bedrock-agent-role.yaml

diff --git a/org-formation/300-account-defaults/_tasks.yaml b/org-formation/300-account-defaults/_tasks.yaml
index 4f20e3b6..c278a4ca 100644
--- a/org-formation/300-account-defaults/_tasks.yaml
+++ b/org-formation/300-account-defaults/_tasks.yaml
@@ -55,3 +55,13 @@ ItKmsKey:
 IncludeMasterAccount: true
 Account: '*'
 Region: !Ref primaryRegion
+
+BedrockAgentRole:
+ Type: update-stacks
+ Template: ./bedrock-agent-role.yaml
+ StackName: bedrock-agent-role
+ DefaultOrganizationBindingRegion: !Ref primaryRegion
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: false
+ Account: '*'
+ Region: !Ref primaryRegion
diff --git a/org-formation/300-account-defaults/bedrock-agent-role.yaml b/org-formation/300-account-defaults/bedrock-agent-role.yaml
new file mode 100644
index 00000000..5db1044b
--- /dev/null
+++ b/org-formation/300-account-defaults/bedrock-agent-role.yaml
@@ -0,0 +1,36 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: Enables executing a Bedrock model
+
+Resources:
+# https://docs.aws.amazon.com/bedrock/latest/userguide/agents-permissions.html
+ bedrockAgentRole:
+ Type: AWS::IAM::Role
+ Properties:
+ AssumeRolePolicyDocument:
+ Version: 2012-10-17
+ Statement:
+ - Effect: Allow
+ Principal:
+ Service: bedrock.amazonaws.com
+ Action: sts:AssumeRole
+ Condition:
+ StringEquals:
+ aws:SourceAccount: !Ref AWS::AccountId
+ ArnLike:
+ aws:SourceArn: !Sub "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:agent/*"
+ Policies:
+ - PolicyName: bedrockAgentPolicy
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Effect: Allow
+ Action: "bedrock:InvokeModel"
+ Resource:
+ - !Sub "arn:aws:bedrock:${AWS::Region}::foundation-model/*"
+
+Outputs:
+ BedrockAgentRoleArn:
+ Description: The ARN of the Bedrock Agent Role
+ Value: !GetAtt bedrockAgentRole.Arn
+ Export:
+ Name: !Sub '${AWS::StackName}-BedrockAgentRoleArn'
diff --git a/org-formation/600-access/_tasks.yaml b/org-formation/600-access/_tasks.yaml
index b05660af..1394a84e 100644
--- a/org-formation/600-access/_tasks.yaml
+++ b/org-formation/600-access/_tasks.yaml
@@ -388,3 +388,31 @@ SynapseAthenaUserAccessPolicy:
 ]
 }
 PolicyName: SynapseAthenaUserAccessPolicy
+
+SynapseLlmDeveloperPolicy:
+ Type: update-stacks
+ Template: https://raw.githubusercontent.com/Sage-Bionetworks/aws-infra/v0.5.1/templates/IAM/managed-policy.yaml
+ StackName: synapsellm-developer-policy
+ DefaultOrganizationBinding:
+ IncludeMasterAccount: true
+ Account:
+ - SynapseLlmProdAccount
+ Region: !Ref primaryRegion
+ Parameters:
+ PolicyDocument: >-
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": "arn:aws:s3:::cf-template*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "iam:PassRole",
+ "Resource": "*"
+ }
+ ]
+ }
+ PolicyName: SynapseLlmDeveloperPolicy
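Review bot: The inline policy's `Resource: arn:aws:bedrock:${AWS::Region}::foundation-model/*` lets every agent in the account invoke every foundation model in the region, and the 300-account-defaults task binds this role to `Account: '*'`, so the grant lands in every member account; consider listing the model ARNs the agents actually need (or taking them as a template Parameter) and putting a comment above the wildcard saying why the whole family is allowed if it must stay. The trust policy's `aws:SourceArn: ...agent/*` wildcard is the documented pattern and presumably cannot be pinned because agents are created after the role, so a comment such as `# any Bedrock agent in this account/region may assume the role; agents are created after the role, so the ARN cannot be pinned` would answer the next reader's question. `Version: 2012-10-17` in the AssumeRolePolicyDocument is unquoted while the inline policy quotes it; a bare `2012-10-17` is a timestamp under YAML 1.1 rules and some tooling retypes it, so write `Version: "2012-10-17"` in both places. The two ARNs also hard-code the `arn:aws:` partition where `${AWS::Partition}` would keep the template portable.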
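Review bot: The second statement of SynapseLlmDeveloperPolicy grants `iam:PassRole` on `"Resource": "*"`, which lets a holder of this policy hand any role in the account, including administrative ones, to any service that accepts a role — a standard privilege-escalation path. Scope it to the role this commit creates and the service it is meant for, e.g. `"Resource": "arn:aws:iam::*:role/bedrock-agent-role-*",` with `"Condition": {"StringEquals": {"iam:PassedToService": "bedrock.amazonaws.com"}}` (the role sets no RoleName, so its generated name should begin with the `bedrock-agent-role` stack name — confirm against the deployed role). The binding also sets `IncludeMasterAccount: true`; if that deploys the policy into the management account as it appears to, an unscoped PassRole there is considerably more dangerous, so verify that is intended. Separately, `s3:*` on `arn:aws:s3:::cf-template*` includes bucket-level actions such as deleting the bucket or rewriting its policy; if developers only read and upload templates, `s3:GetObject`, `s3:PutObject` and `s3:ListBucket` would suffice.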