20.5.4 Creating an IAM Role to Access Amazon Bedrock LLMs

Use the AWS Management Console to create an IAM role for HeatWave GenAI to access Amazon Bedrock LLMs.
This task requires the following:
  • Access to AWS Management Console.
  • IAM policy that specifies the permissions required. See Creating an IAM Policy to Access Amazon Bedrock LLMs.
  • The tenancy Oracle Cloud Identifier (OCID).
  • If you want to grant access to a specific DB System, the resource ID of the DB System.
Do the following to create an IAM role:
  1. Open the AWS Management Console and sign in with your credentials.
  2. In the AWS Management Console home page, click Services, and click Security, Identity, & Compliance, and then click IAM.
  3. In the navigation pane of the Console, under Access management, click Roles, and then click Create role.
  4. In the Select trusted entity panel, do the following:
    1. Select Custom trust policy.
    2. Specify the following trust policy:
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Principal": {
                      "AWS": "612981981079"
                  },
                  "Condition": {
                      "StringLike": {
                          "sts:ExternalId": "<IDDetails>"
                      }
                  }
              }
          ]
      }
      • When you are editing a DB System, specify either of the following in <IDDetails>:
        • To grant access to a specific DB System in the tenancy: <TenancyOCID>/<DBSystemResourceId>. For example:
          ocid1.tenancy.oc1...axxxaaaat5j...famyhq/5281bb96-99a1-23fe-a65f-370cd85b979f
        • To grant access to all DB Systems in the tenancy: <TenancyOCID>/*. For example:
          ocid1.tenancy.oc1...axxxaaaat5j...famyhq/*
      • When you are creating a DB System, specify the following in <IDDetails>:
        • Grant access to all DB Systems in the tenancy with <TenancyOCID>/*

          Once the DB System is created, update the trust policy to limit access to the specific DB System.

      See Viewing OCID of the Tenancy to view the OCID of the tenancy, and see Viewing DB System Details to view the resource ID of the DB System.
  5. Resolve any warnings or errors generated during policy validation, and then click Next.
  6. In the Add permissions page, search for the policy you created (see Creating an IAM Policy to Access Amazon Bedrock LLMs), and select the check box to attach the policy to your new role.
  7. Click Next.
  8. In the Name, review, and create page, in the Role details section, enter the following:
    • Role name: Enter a name to identify the role.
    • Description: (Optional) Specify a description of the role.
  9. Click Create role.
  10. Click the role you just created.
  11. In the Summary section, copy the ARN.
After you have created the role, supply the role ARN to an existing DB System, or create a new DB System and enter the ARN details. See Editing a DB System and Creating a DB System.
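The sts:ExternalId condition is what stops any other caller in the HeatWave account from assuming this role on behalf of a different tenancy or DB System. The following added example, which is not part of the HeatWave documentation or product, builds the trust policy for both scopes described above and checks which ExternalId values the StringLike condition would accept; the tenancy OCID and DB System resource ID are constructed placeholders, and the account ID is the one shown in the policy on this page.

```python
import json
import re

HEATWAVE_ACCOUNT = "612981981079"  # Principal from the trust policy above
# Constructed placeholder identifiers, not real OCI values.
TENANCY_OCID = "ocid1.tenancy.oc1..EXAMPLETENANCY"
DB_SYSTEM_ID = "11111111-2222-3333-4444-555555555555"


def build_trust_policy(tenancy_ocid, db_system_id=None):
    """Trust policy whose ExternalId is scoped to one DB System, or to the whole tenancy."""
    external_id = f"{tenancy_ocid}/{db_system_id if db_system_id else '*'}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {"AWS": HEATWAVE_ACCOUNT},
            "Condition": {"StringLike": {"sts:ExternalId": external_id}},
        }],
    }


def string_like(pattern, value):
    """IAM StringLike semantics: case-sensitive, '*' matches any run, '?' matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def external_id_allowed(policy, external_id):
    """True if the policy's Allow statement accepts this ExternalId on sts:AssumeRole."""
    stmt = policy["Statement"][0]
    pattern = stmt["Condition"]["StringLike"]["sts:ExternalId"]
    return stmt["Effect"] == "Allow" and string_like(pattern, external_id)


if __name__ == "__main__":
    broad = build_trust_policy(TENANCY_OCID)               # use while creating the DB System
    narrow = build_trust_policy(TENANCY_OCID, DB_SYSTEM_ID)  # tighten once the DB System exists
    print(json.dumps(narrow, indent=4))
    for name, policy in (("tenancy-wide", broad), ("single DB System", narrow)):
        for ext_id in (f"{TENANCY_OCID}/{DB_SYSTEM_ID}", f"{TENANCY_OCID}/other-db-system"):
            print(f"{name}: {ext_id} -> {external_id_allowed(policy, ext_id)}")
```

Running the script prints the narrowed policy and shows that only the tenancy-wide pattern accepts an ExternalId for a second DB System, which is why the text above says to update the trust policy after creation.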