It would be helpful to document the permissions needed for this solution and/or provide a policy file that can be attached to the role of the user who is running the notebook. For example, I ran `bedrock-data-automation-with-agents.ipynb` in SageMaker Unified Studio under the generated `AmazonSageMakerUserIAMExecutionRole`, which has limited permissions. When I ran the cell that called the `BedrockKnowledgeBase` constructor, I had to work through a series of `AccessDenied` errors. Here's a list of permissions I needed for that cell and for uploading files to S3:
- aoss:APIAccessAll
- aoss:BatchGetCollection
- aoss:CreateAccessPolicy
- aoss:CreateCollection
- aoss:CreateIndex
- iam:CreateRole
- aoss:CreateSecurityPolicy
- aoss:GetAccessPolicy
- aoss:GetSecurityPolicy
- iam:CreatePolicy
- iam:GetPolicy
- s3:CreateBucket
- s3:PutObject
- iam:AttachRolePolicy
- iam:PassRole
These are all in addition to the default permissions in the role, a few of which might also be needed for the notebook (iam:GetRole, iam:ListRoles, sts:AssumeRole, for example).
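As a starting point for the policy file requested above, here is an added example of a least-privilege policy built from the actions listed in the issue. It is not from the repository or the notebook author. The account id `111122223333`, the `bedrock-kb-` name prefix for the role, policy and bucket, and the assumption that the created role is passed only to `bedrock.amazonaws.com` are placeholders; substitute whatever names the `BedrockKnowledgeBase` constructor actually uses before attaching it.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenSearchServerlessForKnowledgeBase",
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll",
        "aoss:BatchGetCollection",
        "aoss:CreateAccessPolicy",
        "aoss:CreateCollection",
        "aoss:CreateIndex",
        "aoss:CreateSecurityPolicy",
        "aoss:GetAccessPolicy",
        "aoss:GetSecurityPolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateKnowledgeBaseRoleAndPolicy",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:GetRole",
        "iam:CreatePolicy",
        "iam:GetPolicy"
      ],
      "Resource": [
        "arn:aws:iam::111122223333:role/bedrock-kb-*",
        "arn:aws:iam::111122223333:policy/bedrock-kb-*"
      ]
    },
    {
      "Sid": "AttachOnlyKnowledgeBasePolicies",
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::111122223333:role/bedrock-kb-*",
      "Condition": {
        "ArnLike": {
          "iam:PolicyARN": "arn:aws:iam::111122223333:policy/bedrock-kb-*"
        }
      }
    },
    {
      "Sid": "PassKnowledgeBaseRoleToBedrockOnly",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/bedrock-kb-*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "bedrock.amazonaws.com"
        }
      }
    },
    {
      "Sid": "ListRolesRequiresWildcard",
      "Effect": "Allow",
      "Action": "iam:ListRoles",
      "Resource": "*"
    },
    {
      "Sid": "DocumentBucket",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bedrock-kb-documents-111122223333",
        "arn:aws:s3:::bedrock-kb-documents-111122223333/*"
      ]
    }
  ]
}
```

The reason to scope the IAM statements rather than grant them on `*` is that `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` together let a principal create a role more powerful than itself and hand it to a service. The name prefix on the role and policy ARNs, the `iam:PolicyARN` condition on `AttachRolePolicy` (so only the notebook's own policies can be attached, not a managed administrator policy), and the `iam:PassedToService` condition on `PassRole` close that path while still letting the constructor do its work. If the role and policy names the notebook generates do not match a predictable prefix, a permissions boundary on the created role is the alternative. The `aoss` control-plane actions stay on `*` here because the issue does not say which collection names are created; `iam:ListRoles` does not support resource-level permissions at all.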