When I connect to an Atlassian Confluence Cloud instance as a data source for my Amazon Bedrock knowledge base, I receive a connection error message.
Resolution
You might get the following connection error message during the configuration or data ingestion process:
"There was an issue when connecting to your data source. Please check your data source credentials in Secrets Manager to ensure they are correct and provide the necessary permissions."
Check your Confluence Cloud instance URL
When you connect your Confluence instance to Amazon Bedrock, make sure that your Confluence instance URL is correct. Amazon Bedrock supports only Confluence URLs that end with .atlassian.net. Amazon Bedrock doesn't support custom domains.
Correctly configure your authentication method
Amazon Bedrock supports basic and OAuth 2.0 authentication types for Confluence Cloud connections.
Basic authentication
To set up basic authentication, create an API token. For more information, see Manage API tokens for your Atlassian account on the Atlassian website.
Note: By default, Atlassian API tokens expire after 1 year.
Then, create an AWS Secrets Manager secret to store your credentials.
OAuth 2.0 authentication
To configure OAuth 2.0, see OAuth 2.0 Configuration for Confluence on the Atlassian website.
Then, create a Secrets Manager secret to store the following credentials:
- confluenceAppKey
- confluenceAppSecret
- confluenceAccessToken
- confluenceRefreshToken
Check your IAM role permissions
Attach a policy to provide permissions for the AWS Identity and Access Management (IAM) role that you associated with the knowledge base to access your Confluence data source.
Confirm that the secrets can access Amazon Bedrock
Complete the following steps:
- Open the Secrets Manager console.
- Select the secret.
- Confirm that the Amazon Resource Name (ARN) is in the format arn:aws:secretsmanager:REGION:account-id:secret:amazonbedrock-name.
Note: Replace REGION with your AWS Region, account-id with your AWS account ID, and name with your secret's name.
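The following Python script is an added example, not part of the original article or an AWS tool. It runs the three static checks described above (host URL, OAuth 2.0 secret keys, secret ARN format) before you start an ingestion job. It assumes the secret is stored as a JSON object of key/value pairs; the function names and sample values are hypothetical, and basic authentication secrets aren't checked because the article doesn't list their key names.

```python
import json
import re
from urllib.parse import urlparse

# OAuth 2.0 key names exactly as the article lists them.
OAUTH_KEYS = ("confluenceAppKey", "confluenceAppSecret",
              "confluenceAccessToken", "confluenceRefreshToken")
# ARN format from the article; the Region pattern and 12-digit account ID are standard AWS.
ARN_RE = re.compile(
    r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:amazonbedrock-.+$")

def check_host_url(url):
    # Compare the parsed hostname, not the raw string, so a path or a
    # name such as atlassian.net.example.com does not pass.
    host = (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()
    if host.endswith(".atlassian.net") and host != ".atlassian.net":
        return []
    return ["host URL does not point at a *.atlassian.net site: " + url]

def check_secret_arn(arn):
    if ARN_RE.match(arn):
        return []
    return ["secret ARN is not arn:aws:secretsmanager:REGION:account-id:"
            "secret:amazonbedrock-name: " + arn]

def check_oauth_secret(secret_string):
    # Report key names only; secret values never appear in the output.
    try:
        secret = json.loads(secret_string)
    except ValueError:
        return ["secret value is not valid JSON"]
    if not isinstance(secret, dict):
        return ["secret value is not a JSON object of key/value pairs"]
    missing = [k for k in OAUTH_KEYS
               if not isinstance(secret.get(k), str) or not secret[k].strip()]
    return ["secret is missing or has an empty value for: " + ", ".join(missing)] if missing else []

def preflight(url, arn, secret_string):
    return check_host_url(url) + check_secret_arn(arn) + check_oauth_secret(secret_string)

if __name__ == "__main__":
    # Constructed sample inputs; none of these values are real.
    sample = json.dumps({"confluenceAppKey": "k", "confluenceAppSecret": "s",
                         "confluenceAccessToken": "t"})
    for problem in preflight(
            "https://wiki.example.com",
            "arn:aws:secretsmanager:us-east-1:111122223333:secret:confluence-creds",
            sample):
        print("FAIL:", problem)
```

An empty list from preflight means the static checks pass; it doesn't confirm that the credentials themselves are valid or unexpired.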
Test API token access
To test token access, run the following curl command from an Amazon Elastic Compute Cloud (Amazon EC2) instance:
curl -v https://yourcompany.atlassian.net --user your-email@example.com:your-api-token
Note: Replace yourcompany with your company name, your-email@example.com with your company email, and your-api-token with your API token. If you share the output with AWS Support, then replace your-api-token with REDACTED.
If the curl command is successful, then the 200 OK HTTP status code is in the response header and there's content from the Confluence instance in the response body. Also, there are no "401 Unauthorized" error messages or connection timeouts.
Remove IP allowlists in Confluence
Amazon Bedrock doesn't support IP allowlists or VPNs. If you added an IP allowlist in Confluence, then remove it so that the network connection doesn't fail.
If your network setup requires an IP allowlist, then use the Web Crawler that Amazon Bedrock provides.
For information about how to keep your knowledge base secure, see Security in Amazon Bedrock.
Configure log destinations to monitor issues
To monitor and troubleshoot ingestion issues, set up either Amazon CloudWatch Logs or Amazon S3 as a log destination.