I'm deploying a REST gateway that calls Bedrock Titan FM. It works as expected when the REST Gateway runs locally using sam local --start-api ...
.
Running the REST Gateway on the cloud, as follows:
sam deploy -t sam.yaml --s3-bucket $BUCKET_NAME --stack-name bedrock-gateway-stack --capabilities CAPABILITY_IAM
and invoking endpoints that call the Bedrock Titan FM, raises the following exception:
2024-04-18 16:26:18,682 ERROR [fr.sim.qua.BedrockAiResource] (sdk-async-response-0-0) ### BedrockAiResource.inoke(): Model invocation failed: {}: java.util.concurrent.CompletionException: software.amazon.awssdk.services.bedrockruntime.model.AccessDeniedException: User: arn:aws:sts::...:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)
Here is the sam.yaml file (generated by quarkus-amazon-lambda-rest
plugin):
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
Globals:
Api:
EndpointConfiguration: REGIONAL
BinaryMediaTypes:
- "*/*"
Resources:
BedrockGatewayApi:
Type: AWS::Serverless::Function
Properties:
Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
Runtime: java17
CodeUri: function.zip
MemorySize: 512
Policies: AWSLambdaBasicExecutionRole
Timeout: 15
Events:
GetResource:
Type: Api
Properties:
Path: /{proxy+}
Method: any
Outputs:
BedrockGatewayApiApi:
Description: URL for application
Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
Export:
Name: BedrockGatewayApiApi
Also, the Bedrock playground in the AWS console works as expected.
Many thanks in advance.
Nicolas
This answer is void. While it's obvious that a required permission is missing here, answering the question would have involved mentioning what this permission would be. Saying "do what you need to do" doesn't help.