Next, we create the IAM policies. Choose Policies in the left panel > Create policy.
Copy this JSON policy for our Lambda function.
NOTE: In the Resource property you must restrict the ARN(s) you actually want to allow. For simplicity, I group every service into a single statement with a wildcard resource here; this is not recommended.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "sqs:SendMessage",
        "sqs:GetQueueUrl",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
```
Or you can follow the best practice of scoping each statement to its own resource (replace <account-id> with your account ID):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::ai-powered-email-auto-replies/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::ai-powered-email-auto-replies"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group:/aws/lambda/ExtractEmailLambda:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:ReceiveMessage",
        "sqs:DeleteMessage"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<account-id>:generated-email-queue"
    }
  ]
}
```
Choose JSON > paste the JSON above > Next.
Name the policy ExtractEmailFunctionPolicy
and choose Create policy. The policy is created successfully.
Choose Roles > Create role
For the use case, choose Lambda > Next
Select our ExtractEmailFunctionPolicy
and choose Next
Enter the role name ExtractEmailFunctionRole
Choose Create role
Repeat from step 1 to create the two remaining roles with the configuration below.
| Configuration | Value |
|---|---|
| role | GenerateEmailFunctionRole |
| policy | GenerateEmailFunctionPolicy |
NOTE: In real life you must restrict the Resource property to the ARN(s) you actually want to allow. For simplicity, I am using a wildcard for all components of each service here; this is not recommended.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:ListKnowledgeBases",
        "bedrock:GetKnowledgeBase",
        "bedrock:Retrieve",
        "bedrock:RetrieveAndGenerate",
        "bedrock:ListAgents",
        "bedrock:GetAgent",
        "bedrock:InvokeAgent"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/*",
        "arn:aws:bedrock:us-east-1:<account-id>:knowledge-base/*",
        "arn:aws:bedrock:us-east-1:<account-id>:agent/*",
        "arn:aws:bedrock:us-east-1:<account-id>:agent-alias/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<account-id>:sqs-send-email-to-customer-queue"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:Scan",
        "dynamodb:Query",
        "dynamodb:GetItem"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:<account-id>:table/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group:/aws/lambda/GenerateEmailLambda:*"
    }
  ]
}
```
| Configuration | Value |
|---|---|
| role | SendEmailFunctionRole |
| policy | SendEmailFunctionPolicy |
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sqs:SendMessage",
        "sqs:ReceiveMessage",
        "sqs:GetQueueUrl",
        "sqs:DeleteMessage",
        "sqs:GetQueueAttributes"
      ],
      "Resource": "arn:aws:sqs:us-east-1:<account-id>:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ses:SendEmail",
        "ses:SendRawEmail"
      ],
      "Resource": "arn:aws:ses:us-east-1:<account-id>:identity/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": "arn:aws:s3:::ai-powered-email-auto-replies"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ai-powered-email-auto-replies/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group:/aws/lambda/GenerateEmailLambda:*"
    }
  ]
}
```
After the roles are created you can move on; we will attach them to the functions in the Lambda section.
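Both NOTEs above warn that wildcard Resource values are not recommended. As an added example (not part of this workshop), the following Python check flags Allow statements whose Resource covers every resource, or every resource of one type, so you can review a policy before pasting it into the console. The sample policies are constructed one-statement versions of the policies above, with <account-id> kept as a placeholder.

```python
import json
import re

# Constructed one-statement versions of the policies above (sample input for
# this example, not the page's own text); <account-id> is left as a placeholder.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "sqs:SendMessage", "logs:PutLogEvents"],
                 "Resource": "*"}]
}""")

SCOPED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::ai-powered-email-auto-replies/*"},
    {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:<account-id>:table/*"},
    {"Effect": "Allow", "Action": ["sqs:ReceiveMessage"],
     "Resource": "arn:aws:sqs:us-east-1:<account-id>:*"},
    {"Effect": "Allow", "Action": ["logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:<account-id>:log-group:/aws/lambda/ExtractEmailLambda:*"}
  ]
}""")


def is_broad(resource: str) -> bool:
    """True when a Resource value covers every resource, or every resource of one type."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        return False
    service, res = parts[2], parts[5]
    if service == "s3":  # S3 resource is bucket[/key]; only an unnamed bucket is broad
        return res.split("/", 1)[0] == "*"
    # "*" alone, or "type/*" / "type:*", grants every resource of that type in the account
    return res == "*" or re.fullmatch(r"[A-Za-z0-9_-]+[/:]\*", res) is not None


def find_broad_statements(policy: dict) -> list:
    """Return (statement_index, actions, resource) for each Allow statement with a broad resource."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        findings.extend((i, tuple(actions), r) for r in resources if is_broad(r))
    return findings
```

Running it against the scoped policy still reports the `table/*` and `<account-id>:*` statements, while the bucket-scoped S3 object ARN and the per-function log group pass.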