
Commit ea72d79

Add InvokeDataAutomationAsync permission and profile resource access
1 parent afd08ac commit ea72d79


2 files changed

+3
-7
lines changed

2 files changed

+3
-7
lines changed

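--- a/infra/app-flask/service/document_data_extraction.tf
+++ b/infra/app-flask/service/document_data_extraction.tf
@@ -71,9 +71,3 @@ module "dde" {
 
 name = "${local.prefix}${local.document_data_extraction_config.name}"
 }
-
-resource "aws_iam_role_policy_attachment" "app_bedrock_access" {
-count = local.document_data_extraction_config != null ? 1 : 0
-role = module.service.app_role_name
-policy_arn = module.dde[0].access_policy_arn
-}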

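--- a/infra/modules/document-data-extraction/resources/access_control.tf
+++ b/infra/modules/document-data-extraction/resources/access_control.tf
@@ -8,6 +8,7 @@ data "aws_iam_policy_document" "bedrock_access" {
 actions = [
 "bedrock:InvokeModel",
 "bedrock:InvokeModelWithResponseStream",
+"bedrock:InvokeDataAutomationAsync",
 "bedrock:GetDataAutomationProject",
 "bedrock:GetBlueprint",
 "bedrock:StartDataAutomationJob",
@@ -18,7 +19,8 @@ data "aws_iam_policy_document" "bedrock_access" {
 resources = [
 awscc_bedrock_data_automation_project.bda_project.project_arn,
 "${awscc_bedrock_data_automation_project.bda_project.project_arn}/*",
-"arn:aws:bedrock:*:*:blueprint/*"
+"arn:aws:bedrock:*:*:blueprint/*",
+"arn:aws:bedrock:*:*:data-automation-profile/*"
 ]
 }
 }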
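Review bot: The new resource entry `"arn:aws:bedrock:*:*:data-automation-profile/*"` in the second hunk wildcards the region, the account and the profile name, which looks broader than `bedrock:InvokeDataAutomationAsync` needs. If the service only invokes profiles in its own account, pin the account segment, for example `"arn:aws:bedrock:*:${data.aws_caller_identity.current.account_id}:data-automation-profile/*"`. The `aws_caller_identity` data source is not visible here and would need declaring in the module if it is not already present. A short comment such as `# region stays wildcarded because data automation profiles route across regions` would record why the remaining wildcard is intentional, if that is indeed the reason. The statement's opening and any `condition` block lie outside both hunks, so something not shown may already narrow this grant.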
