Hi, I'm trying to use AWS Lambda to deploy a CloudFormation template into an application, but I'm encountering an issue.
My application includes an AWS Bedrock Knowledge Base. Sometimes when I trigger the Lambda function to deploy the CloudFormation template, it runs smoothly, but other times I get the following error message: "Resource handler returned message: 'The knowledge base storage configuration provided is invalid... Bad Authorization (Service: BedrockAgent, Status Code: 400, Request ID: ****)'".
I have followed the documentation for Creating a service role for Knowledge bases for Amazon Bedrock and Data access control for Amazon OpenSearch Serverless. Here is my code for the kb_role and data_access_policy:
import json

from aws_cdk import aws_iam as iam
from aws_cdk import aws_opensearchserverless

# REGION, KB_FOUNDATION_MODEL, bucket_arn, COLLECTION_ARN, COLLECTION_NAME,
# invoke_lambda_role and ADMIN_USER_ARN are defined elsewhere in the stack.

# Service role that Bedrock assumes to build and query the knowledge base.
self.kb_role = iam.Role(self, 'KBRole',
    assumed_by=iam.ServicePrincipal('bedrock.amazonaws.com'),
    inline_policies={
        'KBRolePolicyDocument': iam.PolicyDocument(
            statements=[
                # Embedding model used to vectorize the data source.
                iam.PolicyStatement(
                    actions=["bedrock:InvokeModel"],
                    resources=[f"arn:aws:bedrock:{REGION}::foundation-model/{KB_FOUNDATION_MODEL}"]
                ),
                # Read access to the S3 data source (bucket listing plus objects).
                iam.PolicyStatement(
                    actions=[
                        "s3:ListBucket",
                        "s3:GetObject"
                    ],
                    resources=[
                        bucket_arn,
                        f"{bucket_arn}/*"
                    ]
                ),
                # IAM side of OpenSearch Serverless access. The collection and
                # index operations themselves are granted by the data access
                # policy below, not by this statement.
                iam.PolicyStatement(
                    actions=[
                        "aoss:APIAccessAll",
                        "aoss:DashboardsAccessAll"
                    ],
                    resources=[COLLECTION_ARN]
                ),
            ]
        ),
    }
)

# OpenSearch Serverless data access policy: a JSON array of statements.
# Resources are addressed by collection name, not by ARN.
data_access_policy = json.dumps([
    {
        "Rules": [
            {
                "Resource": [
                    f"collection/{COLLECTION_NAME}"
                ],
                "Permission": [
                    "aoss:CreateCollectionItems",
                    "aoss:UpdateCollectionItems",
                    "aoss:DescribeCollectionItems"
                ],
                "ResourceType": "collection"
            },
            {
                "Resource": [
                    f"index/{COLLECTION_NAME}/*"
                ],
                "Permission": [
                    "aoss:UpdateIndex",
                    "aoss:DescribeIndex",
                    "aoss:ReadDocument",
                    "aoss:CreateIndex",
                    "aoss:WriteDocument",
                    # "aoss:*" already covers every index permission listed
                    # above (including DeleteIndex), so the explicit entries
                    # are redundant while it is present.
                    "aoss:*"
                ],
                "ResourceType": "index"
            }
        ],
        # IAM principals that receive the rules above: the Bedrock service
        # role, the deploying Lambda's role and an admin user.
        "Principal": [
            self.kb_role.role_arn,
            invoke_lambda_role.role_arn,
            ADMIN_USER_ARN
        ],
        "Description": "data-access-rule"
    }
], indent=2)

self.cfn_access_policy = aws_opensearchserverless.CfnAccessPolicy(self, "DataAccessPolicy",
    # OpenSearch Serverless policy names allow only lowercase letters,
    # digits and hyphens (3-32 characters).
    name="data_access_policy_name",
    description="Policy for data access created by CDK",
    policy=data_access_policy,
    type="data"
)
Am I missing anything? Thank you for your help!
Thank you for your response. The Lambda function I'm using has full permissions (Action: "*" and Resource: "*"), and the S3 access is properly configured. Despite updating the policies of the kb_role to grant full permissions, the issue persists. Sometimes, the application is deployed successfully, but other times it fails due to the same error I mentioned above.
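A small offline check for the OpenSearch Serverless data access policy document, added here as an example; it is not part of the original post and not AWS code. It validates the things a data access policy is commonly rejected or over-granted for (policy name pattern, resource prefixes that agree with ResourceType, permission names that belong to the resource type, IAM ARNs as principals) and flags the "aoss:*" wildcard, then builds the same document without the wildcard. The collection name, account id and ARNs below are constructed sample values; the permission vocabulary for collections and indexes is taken from the OpenSearch Serverless data access policy reference.

```python
import json
import re

# OpenSearch Serverless constraint on policy names (CreateAccessPolicy API).
POLICY_NAME_RE = re.compile(r"^[a-z][a-z0-9-]{2,31}$")
# Only IAM role/user ARNs are accepted by this checker; SAML principals are not covered.
IAM_PRINCIPAL_RE = re.compile(r"^arn:aws:iam::\d{12}:(role|user)/.+$")

# Permission vocabulary of a data access policy, per resource type.
COLLECTION_PERMS = {
    "aoss:CreateCollectionItems", "aoss:DeleteCollectionItems",
    "aoss:UpdateCollectionItems", "aoss:DescribeCollectionItems",
}
INDEX_PERMS = {
    "aoss:CreateIndex", "aoss:DeleteIndex", "aoss:UpdateIndex",
    "aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument",
}
RESOURCE_PREFIX = {"collection": "collection/", "index": "index/"}


def validate_data_access_policy(name: str, policy_json: str) -> list[str]:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not POLICY_NAME_RE.match(name):
        problems.append(f"policy name {name!r} must match {POLICY_NAME_RE.pattern}")
    doc = json.loads(policy_json)
    if not isinstance(doc, list):
        return problems + ["policy document must be a JSON array of statements"]
    for s, stmt in enumerate(doc):
        for r, rule in enumerate(stmt.get("Rules", [])):
            rtype = rule.get("ResourceType")
            prefix = RESOURCE_PREFIX.get(rtype)
            if prefix is None:
                problems.append(f"statement {s} rule {r}: unknown ResourceType {rtype!r}")
                continue
            # Resource names must be 'collection/<name>' or 'index/<name>/<pattern>'.
            for res in rule.get("Resource", []):
                if not res.startswith(prefix):
                    problems.append(f"statement {s} rule {r}: resource {res!r} must start with {prefix!r}")
            perms = set(rule.get("Permission", []))
            allowed = COLLECTION_PERMS if rtype == "collection" else INDEX_PERMS
            if "aoss:*" in perms:
                problems.append(f"statement {s} rule {r}: 'aoss:*' grants every {rtype} action, "
                                "including Delete*, and makes the explicit permissions redundant")
            for p in sorted(perms - allowed - {"aoss:*"}):
                problems.append(f"statement {s} rule {r}: {p!r} is not a {rtype} permission")
        for p in stmt.get("Principal", []):
            if not IAM_PRINCIPAL_RE.match(p):
                problems.append(f"statement {s}: principal {p!r} is not an IAM role/user ARN")
    return problems


def least_privilege_kb_policy(collection_name: str, principals: list[str]) -> str:
    """Same rules as the posted policy, with the 'aoss:*' wildcard removed."""
    return json.dumps([{
        "Rules": [
            {"ResourceType": "collection",
             "Resource": [f"collection/{collection_name}"],
             "Permission": ["aoss:CreateCollectionItems", "aoss:UpdateCollectionItems",
                            "aoss:DescribeCollectionItems"]},
            {"ResourceType": "index",
             "Resource": [f"index/{collection_name}/*"],
             "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex", "aoss:UpdateIndex",
                            "aoss:ReadDocument", "aoss:WriteDocument"]},
        ],
        "Principal": list(principals),
        "Description": "data-access-rule",
    }], indent=2)


# Constructed sample values (not from the post): account id and ARNs are made up.
COLLECTION_NAME = "kb-collection"
KB_ROLE_ARN = "arn:aws:iam::123456789012:role/KBRole"
ADMIN_USER_ARN = "arn:aws:iam::123456789012:user/admin"

# Same shape as the policy in the post, including its 'aoss:*' wildcard.
POSTED_POLICY_JSON = json.dumps([{
    "Rules": [
        {"Resource": [f"collection/{COLLECTION_NAME}"],
         "Permission": ["aoss:CreateCollectionItems", "aoss:UpdateCollectionItems",
                        "aoss:DescribeCollectionItems"],
         "ResourceType": "collection"},
        {"Resource": [f"index/{COLLECTION_NAME}/*"],
         "Permission": ["aoss:UpdateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                        "aoss:CreateIndex", "aoss:WriteDocument", "aoss:*"],
         "ResourceType": "index"},
    ],
    "Principal": [KB_ROLE_ARN, ADMIN_USER_ARN],
    "Description": "data-access-rule",
}])

if __name__ == "__main__":
    for problem in validate_data_access_policy("data_access_policy_name", POSTED_POLICY_JSON):
        print("posted policy:", problem)
    fixed = least_privilege_kb_policy(COLLECTION_NAME, [KB_ROLE_ARN])
    print("fixed policy problems:", validate_data_access_policy("kb-data-access", fixed))
```

Run it against the JSON string you pass to CfnAccessPolicy (and the `name` you give it) before deploying; it catches the policy-name and wildcard issues locally, which a CloudFormation round trip would only report after the stack starts rolling back.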