Permissions needed in Lex V2 for Bedrock Agent Intent

- To access this feature on the Amazon Lex V2 console, ensure your console role has the bedrock:ListFoundationModels permission.
- The IAM role associated with the bot should have the permissions required for AMAZON.BedrockAgentIntent. The bot role should have permissions for calling bedrock:InvokeAgent if using Amazon Bedrock Agents, and bedrock:InvokeModel and bedrock:RetrieveAndGenerate if using Amazon Bedrock Knowledge Bases in the intent. You should also attach a statement for each of the agents that you specify in your bots' AMAZON.BedrockAgentIntent (see the Permissions to access Amazon Bedrock Agent or Permissions to access Amazon Bedrock Knowledge Bases statement in the policy below). When you enable the feature with the Amazon Lex console, the policy will get automatically added to the bot role, provided your bot is using a service-linked role generated by Amazon Lex.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Permissions to access Amazon Bedrock Agent",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeAgent"
            ],
            "Resource": [
                "arn:aws:bedrock:region:accountId:agent-alias/agentId/aliasId"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "accountId"
                }
            }
        },
        {
            "Sid": "Permissions to access Knowledge Base in Amazon Bedrock",
            "Effect": "Allow",
            "Action": [
                "bedrock:RetrieveAndGenerate"
            ],
            "Resource": [
                "arn:aws:bedrock:region:accountId:knowledge-base/knowledgeBaseId"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "accountId"
                }
            }
        },
        {
            "Sid": "Permissions to invoke Amazon Bedrock foundation models",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel"
            ],
            "Resource": [
                "arn:aws:bedrock:region::foundation-model/modelId"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "accountId"
                }
            }
        }
    ]
}
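When the bot uses a custom role instead of the Lex-generated service-linked role, the policy is written by hand and is worth checking against the shape shown above. The following is an added example, not code from AWS or from this page: a small audit that flags Bedrock statements with wildcard actions or resources, a missing aws:ResourceAccount pin, or a missing action for the integration type. The function names and the sample policies (with placeholder account, agent and alias IDs) are assumptions constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Actions the page lists per integration type inside AMAZON.BedrockAgentIntent.
REQUIRED = {
    "agent": {"bedrock:InvokeAgent"},
    "knowledge_base": {"bedrock:InvokeModel", "bedrock:RetrieveAndGenerate"},
}

def as_list(value):
    """IAM allows a single string or a list for Action, Resource and condition values."""
    return [value] if isinstance(value, str) else list(value)

def audit_bot_policy(policy_json, mode, account_id):
    """Return a sorted list of findings; an empty list means the policy passes."""
    findings, granted = [], set()
    statements = json.loads(policy_json)["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        bedrock = [a for a in actions if a.startswith("bedrock:") or a == "*"]
        if not bedrock:
            continue
        granted.update(bedrock)  # IAM action names are case-insensitive
        label = stmt.get("Sid", "<no Sid>")
        if any("*" in a for a in bedrock):
            findings.append(f"{label}: wildcard action")
        if any("*" in r for r in as_list(stmt.get("Resource", []))):
            findings.append(f"{label}: wildcard resource")
        pinned = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:ResourceAccount")
        if as_list(pinned or []) != [account_id]:
            findings.append(f"{label}: aws:ResourceAccount not pinned to {account_id}")
    for action in sorted(REQUIRED[mode]):
        if not any(fnmatchcase(action.lower(), g) for g in granted):
            findings.append(f"missing required action {action}")
    return sorted(findings)

# Constructed sample inputs; the account, agent and alias IDs are placeholders.
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Agent", "Effect": "Allow", "Action": ["bedrock:InvokeAgent"],
    "Resource": ["arn:aws:bedrock:us-east-1:111122223333:agent-alias/AGENTID/ALIASID"],
    "Condition": {"StringEquals": {"aws:ResourceAccount": "111122223333"}}}]})
BROAD = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Agent", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]})

if __name__ == "__main__":
    print(audit_bot_policy(SCOPED, "agent", "111122223333"))
    print(audit_bot_policy(BROAD, "knowledge_base", "111122223333"))
```

The check reads only the policy document; it does not evaluate Deny statements, permission boundaries or service control policies.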