Amazon Bedrock with Qdrant (Beta)

The following table describes the parameters for configuring a RAG Agent that uses Amazon Bedrock with a Qdrant vector database.

Field Description
Amazon Bedrock Embedding Model Provider

AWS Region

The AWS Region.

Authentication Scheme

The authentication scheme to use when connecting to Amazon Bedrock. One of:

  • AWS Access Key—Additional configuration is required. For more information, see Access Key.

  • AWS Chained IAM Role Assumption—Additional configuration is required. For more information, see Chained IAM Role Assumption.

Authentication using AWS Chained IAM Role Assumption is supported only for event brokers hosted on AWS.

Model ID

The specific version or name of the embedding model to use. For example: amazon.titan-embed-text-v2:0

Chunk Size

The size of text segments into which a document is divided by an embedding model for vector database storage. Default: 1000.

Embedding Model Context Length

The maximum number of tokens to embed at once by the embedding model. Default: 8191.

Number of Embedding Dimensions

The number of dimensions in the resulting output embeddings.

Qdrant Vector Database Connection Details

Endpoint URL

The API endpoint URL for the Qdrant Vector Database. For example: https://xyz-example.eu-central.aws.cloud.qdrant.io:6333

Secret Access Key

The API Secret Access Key for the Qdrant provider.

Collection Name

The name of the Qdrant collection.

A collection in Qdrant is a container that stores vectors where all vectors must have the same dimensions and have used the same model for their creation. Collections allow you to efficiently search for and retrieve vectors that are similar to a vector you specify in a query. For more information, see Collections in the Qdrant documentation.

If the specified collection does not exist, the Agent creates a new empty basic collection with the specified name.

Vector Database Retrieval Limit

The maximum number of similar documents to retrieve from the vector database.

Select LLM Provider

Not editable. Pre-populates to Amazon Bedrock.

Amazon Bedrock LLM Connection Details

AWS Region

The AWS Region.

Authentication Scheme

The authentication scheme to use when connecting to Amazon Bedrock. One of:

  • AWS Access Key—Additional configuration is required. For more information, see Access Key.

  • AWS Chained IAM Role Assumption—Additional configuration is required. For more information, see Chained IAM Role Assumption.

Authentication using AWS Chained IAM Role Assumption is supported only for event brokers hosted on AWS.

Model ID

The specific version or name of the LLM to use. For example: bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0

Inference Profile ARN

The Bedrock application inference profile ARN. For example, arn:aws:bedrock:us-east-2:<account-id>:inference-profile/us.anthropic.claude-3-5-sonnet-20240620-v1:0

Refer to the AWS Console for Bedrock to find the inference profile ARN for your account and model.

User Prompt

A template for the user prompt with placeholder {{text://input.payload}} for user input and placeholder {{text://user_data.retrieved_data}} for injection of vector database query results.

For example:

<context>{{text://user_data.retrieved_data}}</context><user-question>{{text://input.payload}}</user-question>

System Prompt

A system prompt that provides instructions for the model's overall behavior.

Max Tokens

The max_tokens hyperparameter, which controls the maximum length of the LLM's response.

Temperature

The temperature hyperparameter, which controls the randomness of the LLM's output. Valid values are between 0.0 and 1.0.

Destination for AI Responses

Destination Type

Specifies whether the destination on the event broker service is a topic endpoint or queue.

Destination Name

The name of the topic or queue to publish AI response messages to.

For the Beta release, you can publish only to queues.

Amazon Bedrock Authentication Parameters

The tables that follow describe the parameters required for the selected authentication scheme. You can choose one of:

Access Key

Field Description
AWS Access Key

An access key identifier.

AWS Secret Key

The secret key associated with the AWS Access Key.

Chained IAM Role Assumption

Chained IAM role assumption allows Agents to securely access AWS resources across different AWS accounts without requiring direct credential exchange. Chained IAM role assumption works through a trust relationship between AWS accounts:

  • The resource owner creates an IAM role (solace-mi-workload-role) in their AWS account, and configures it with the specific permissions required.

  • This role is configured to trust the Solace AWS account's role (single-pod-identity-role in account 718462147973).

  • When an Agent needs to access the resource, it uses the trust chain to temporarily assume the necessary permissions, as follows:

    [Assume single-pod-identity-role] → [Get credentials to assume solace-mi-workload-role] → 
    [Assume solace-mi-workload-role] → [Get credentials to access the target vendor resource] → 
    [Access the resource]

The resource owner must do the following:

  1. Create a role called solace-mi-workload-role in the resource owner's AWS account and attach the following trust policy:

    {
      "Version":"2012-10-17",
      "Statement":[{
        "Effect":"Allow",
        "Principal":{
          "AWS":"arn:aws:iam::718462147973:role/single-pod-identity-role"
        },
        "Action":[
          "sts:TagSession",
          "sts:AssumeRole"
        ]
      }]
    }
  2. Attach the required resource permissions to the solace-mi-workload-role. The minimum required permissions are:

    • bedrock:InvokeModel

    • bedrock:InvokeModelWithResponseStream

The following table describes the parameters for configuring authentication using chained IAM role assumption.

Field Description
AWS Account ID

The 12-digit AWS Account ID to be used for IAM role assumption. This is the account where the solace-mi-workload-role exists.

Session Name

The session name to use for the assumed role session. Defaults to solace-mi-workload-session if not provided.

External ID

An optional external ID to use if the resource owner's trust policy requires it.

To configure it, the resource owner must separate the sts:TagSession and sts:AssumeRole into different statements in the solace-mi-workload-role trust policy and add the following condition to the sts:AssumeRole statement:

"Condition":{
  "StringEquals":{
    "sts:ExternalId":"<your_external_id_string>"
  }
}
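
The split trust policy described above, written out in full together with a small checker for it. This is an added example, not Solace's or AWS's own code; the constant names and the `audit_trust_policy` helper are hypothetical, and the External ID value is the page's placeholder.

```python
import json

# Principal taken from the trust policy on this page.
SOLACE_ROLE = "arn:aws:iam::718462147973:role/single-pod-identity-role"

# Constructed policy: the page's trust policy split into two statements, with
# the External ID condition on the sts:AssumeRole statement only.
SPLIT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::718462147973:role/single-pod-identity-role"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "<your_external_id_string>"}}},
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::718462147973:role/single-pod-identity-role"},
     "Action": "sts:TagSession"}
  ]
}
""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Principal.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, require_external_id=True):
    """Return findings for a trust policy; an empty list means it passes."""
    findings, granted = [], set()
    for n, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})
        who = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if who != [SOLACE_ROLE]:
            findings.append(f"statement {n}: principal is not only the Solace role")
        if require_external_id and "sts:AssumeRole" in actions:
            if actions != {"sts:AssumeRole"}:
                findings.append(f"statement {n}: sts:AssumeRole is not in its own statement")
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if not cond.get("sts:ExternalId"):
                findings.append(f"statement {n}: no sts:ExternalId condition")
        granted |= actions
    for missing in sorted({"sts:AssumeRole", "sts:TagSession"} - granted):
        findings.append(f"policy does not allow {missing}")
    return findings
```

Pass `require_external_id=False` to check the single-statement policy from step 1, which is valid when no External ID is configured.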