Use AWS Bedrock with Edge Delta
Background
Edge Delta features OnCall AI to interpret anomaly patterns generated by Fleets on the edge and monitors in the Edge Delta back end. Edge Delta sends some non-sensitive data, such as log patterns, to Edge Delta’s third-party AI service providers. You can configure Edge Delta to call your AWS Bedrock service instead.
Overview
This how-to demonstrates how to configure AWS and Edge Delta so that Edge Delta executes AI API calls to AWS Bedrock.
1. (Optional) Create a new AWS account
Since you will be granting Edge Delta permission to make AWS Bedrock calls on your behalf, it may be difficult to differentiate the calls made by Edge Delta from other Bedrock calls. An optional step to separate your own AWS Bedrock calls from those initiated by Edge Delta is to create a new AWS account that is governed by the same billing as your master AWS account. This provides some security and cost tracking benefits.
2. Create an IAM Role
Create an IAM role for Edge Delta:
- Go to the IAM section in the AWS Console.
- Click Roles in the sidebar and click Create Role.
- Select AWS Service and select EC2, Lambda, or whichever service you plan to use with Bedrock.
- Click Next: Permissions.
3. Attach a Policy for Bedrock Access
You need to either create a custom policy for the role or attach an existing one.
- Click Create Policy, then go to the JSON editor and paste the policy.
This example allows the bedrock:InvokeModel action on all Amazon Bedrock resources ("Resource": "*"), but you may want to make it more specific to particular resources:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": "*"
    }
  ]
}
- Save the policy and give it a name like BedrockLimitedAccess.
4. Attach the Policy to the Role
Next, you assign the policy to the role you created earlier.
- Go back to the role creation workflow.
- Search for the policy BedrockLimitedAccess and attach it.
- Click Next and complete the role creation process.
5. Configure Trust Relationship
Now that the role is created and permissions assigned to it, you give permission to Edge Delta to assume that role. Open the Trust relationships tab and click Edit trust relationship. Paste the following policy after replacing the placeholders.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<123456789>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<some_random_string>"
        }
      }
    }
  ]
}
Replace <some_random_string> with a unique string that you generate. This will be referenced in the Edge Delta settings UI. Replace <123456789> with the Edge Delta ARN. Please contact support to obtain it and enable the feature for your account.
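One way to generate the ExternalId and check the trust policy before pasting it, as an added example that is not Edge Delta's own code. The function names are hypothetical and the account ID 111122223333 is a constructed placeholder; the real principal value comes from Edge Delta support.

```python
import json
import secrets

def new_external_id() -> str:
    # 128 random bits as hex: stays inside the character set STS accepts for ExternalId.
    return secrets.token_hex(16)

def build_trust_policy(principal_arn: str, external_id: str) -> dict:
    # Same shape as the trust policy in step 5, with the placeholders filled in.
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }

def lint_trust_policy(policy: dict) -> list:
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        principal = st.get("Principal", {})
        if isinstance(principal, dict):
            # Action/Condition are statement-level keys, not Principal members.
            stray = sorted(set(principal) & {"Action", "Condition"})
            if stray:
                findings.append(f"statement {i}: {stray} nested inside Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal")
        actions = st.get("Action", [])
        if "sts:AssumeRole" not in ([actions] if isinstance(actions, str) else actions):
            findings.append(f"statement {i}: sts:AssumeRole not granted at statement level")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId", "")
        if not isinstance(ext, str) or len(ext) < 2 or ext.startswith("<"):
            findings.append(f"statement {i}: missing or placeholder sts:ExternalId")
    return findings

# Constructed sample: placeholder principal account, freshly generated ExternalId.
EXAMPLE_POLICY = build_trust_policy("arn:aws:iam::111122223333:root", new_external_id())

if __name__ == "__main__":
    print(json.dumps(EXAMPLE_POLICY, indent=2))
    print(lint_trust_policy(EXAMPLE_POLICY) or "trust policy checks passed")
```

Enter the same ExternalId value in the Edge Delta settings in step 7; the role can only be assumed when both sides match.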
6. Enable AWS Bedrock Models
Navigate to the Bedrock Console and request access for the models you want to enable.
7. Configure Edge Delta
In this step you specify the enabled models in Edge Delta and provide the sts:ExternalId.
- Click Admin and select the My Organization tab.
- Click Edit in your Organization pane.
- Click Use Custom AWS Account for AI Processing.
- Enter your AWS Account ID, the AWS External ID you configured earlier, and the AWS Region of your resources.
- Specify the names of the models you enabled earlier.
- Click Save.