Control permissions for generating and using Amazon Bedrock API keys
The following IAM actions control the generation and use of Amazon Bedrock API keys:
- iam:CreateServiceSpecificCredential – Controls the creation of a service-specific credential (such as an Amazon Bedrock API key). In the Resource field you can specify the IAM users for whom a key may be created (the key belongs to that user).
- bedrock:CallWithBearerToken – Controls the use of an Amazon Bedrock API key to call Amazon Bedrock.
You can attach the following policy to an IAM identity to prevent it from both generating and using Amazon Bedrock API keys:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyBedrockShortAndLongTermAPIKeys",
            "Effect": "Deny",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "bedrock:CallWithBearerToken"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
Warning
Because the Deny on iam:CreateServiceSpecificCredential uses a Resource of "*", this policy prevents the identity from creating service-specific credentials for every IAM user and for all AWS services that support service-specific credentials, not only Amazon Bedrock. To limit the restriction, specify the ARNs of the IAM users concerned in the Resource field of that statement. For more information, see Service-specific credentials for IAM users.
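The following is an added example, not code from the AWS documentation: a small Python model of the two actions above. It builds either the blanket Deny policy from this page or a variant whose iam:CreateServiceSpecificCredential statement is scoped to specific user ARNs, evaluates whether a given (action, resource) pair is explicitly denied using IAM wildcard semantics, and flags literal action names that match neither of the two real actions. The Sids, the account ID and user ARNs are constructed for the example, and the evaluator is deliberately simplified (explicit Deny only; no Allow, Condition, NotAction or NotResource).

```python
import json
import re

# The two IAM actions this page describes. IAM compares action names
# case-insensitively, so lookups below use lower-cased forms.
KNOWN_ACTIONS = ("iam:CreateServiceSpecificCredential", "bedrock:CallWithBearerToken")


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])


def _wildcard_match(pattern, value, ignore_case):
    """IAM policy wildcard matching: '*' matches any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def deny_bedrock_api_key_policy(user_arns=None):
    """Build a Deny policy for Amazon Bedrock API keys.

    With no user ARNs this is the blanket policy from the page, split into two
    statements. With user ARNs, key creation is denied only for those users
    (the Resource of iam:CreateServiceSpecificCredential is the IAM user the key
    is created for), while use of a key is denied everywhere.
    The Sids are assumed names for this example, not from the page.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyBedrockApiKeyCreation",
                "Effect": "Deny",
                "Action": ["iam:CreateServiceSpecificCredential"],
                "Resource": list(user_arns) if user_arns else ["*"],
            },
            {
                "Sid": "DenyBedrockApiKeyUse",
                "Effect": "Deny",
                "Action": ["bedrock:CallWithBearerToken"],
                "Resource": ["*"],
            },
        ],
    }


def explicit_deny(policy, action, resource):
    """Return the Sid of the first Deny statement matching (action, resource), else None.

    Simplified model: explicit Deny with wildcard matching only. Action names
    compare case-insensitively, resource ARNs case-sensitively.
    """
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_wildcard_match(r, resource, False) for r in _as_list(stmt.get("Resource")))
        if action_hit and resource_hit:
            return stmt.get("Sid")
    return None


def unrecognized_actions(policy):
    """Return literal (non-wildcard) action names in Deny statements not in KNOWN_ACTIONS.

    A Deny on a name that matches no real action never matches a request, so a
    typo such as the plural 'iam:CreateServiceSpecificCredentials' silently denies
    nothing. KNOWN_ACTIONS lists only the two actions on this page; extend it
    when linting other policies.
    """
    known = {a.lower() for a in KNOWN_ACTIONS}
    return [
        a
        for stmt in policy.get("Statement", [])
        if stmt.get("Effect") == "Deny"
        for a in _as_list(stmt.get("Action"))
        if "*" not in a and "?" not in a and a.lower() not in known
    ]


if __name__ == "__main__":
    alice = "arn:aws:iam::123456789012:user/alice"  # constructed example ARN
    scoped = deny_bedrock_api_key_policy([alice])
    print(json.dumps(scoped, indent=2))
    print(explicit_deny(scoped, "iam:CreateServiceSpecificCredential", alice))
```

The scoped variant is the shape to reach for when the warning above applies: it keeps the Deny on bedrock:CallWithBearerToken global (an existing key is unusable no matter which user it belongs to) while leaving other users free to create service-specific credentials for other services. The `unrecognized_actions` check catches the one failure mode that IAM will not surface at request time: a Deny that names an action which does not exist.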