setup/debug: Amazon Bedrock IAM policy for the add-in's inference-profile discovery + region-aware selection#270
Open
cschnidr wants to merge 1 commit into
Conversation
… discovery Grant bedrock:ListInferenceProfiles + bedrock:GetInferenceProfile and permit the five Anthropic inference-profile prefixes (us./eu./au./apac./global.) so the add-in can discover and invoke a permitted, region-appropriate cross-region inference profile. Reframe the admin docs around using the IAM Resource list as the control plane for model cost (restrict model family) and data residency (restrict region prefix). Add a trim warning that CRIS invocation requires both the inference-profile and the foundation-model ARN, so admins who narrow prefixes keep the foundation-model resource and avoid a self-inflicted 403. Slim debug.md: replace the upstream-bug / workaround framing with a generic too-narrow-policy 403 troubleshooting entry now that the add-in selects a permitted profile.
This was referenced Jun 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What & why
The Claude for M365 add-in (Bedrock direct) now discovers permitted inference profiles via bedrock:ListInferenceProfiles at sign-in and selects a region-appropriate profile, instead of probing a hardcoded model ID. The generated ClaudeBedrockAccess IAM policy from this install tooling predates that behavior: it omits the discovery actions and only permits the us.anthropic.* profile prefix. As a result, the role is not compatible with the current add-in — discovery is denied and non-US regions can't invoke a valid profile.
This PR updates the generated policy and admin docs so the role works with the shipped add-in.
Related to #246, #217, #126 (the IAM/provisioning side of each).
Deployment ordering (important)
The IAM policy is a prerequisite for the current add-in build:
Changes
setup.md
Admin guidance: IAM Resource list as the control plane for cost (restrict model family) and residency (restrict region prefix); in-region vs. cross-region-profile clarification; and a note that the shipped policy is intentionally permissive and should be tailored.
debug.md
Scope / non-goals
Provisioning template + docs only. The add-in client behavior is out of scope (and already fixed upstream). No application code changes.
Testing