Unstable Creation of Knowledge Base using CDK


Hi, I'm trying to use AWS Lambda to deploy a CloudFormation template into an application, but I'm encountering an issue.

My application includes an AWS Bedrock Knowledge Base. Sometimes when I trigger the Lambda function to deploy the CloudFormation template, it runs smoothly, but other times I get the following error message: "Resource handler returned message: 'The knowledge base storage configuration provided is invalid... Bad Authorization (Service: BedrockAgent, Status Code: 400, Request ID: ****)'".

I have followed the documentation for Creating a service role for Knowledge bases for Amazon Bedrock and Data access control for Amazon OpenSearch Serverless. Here is my code for the kb_role and data_access_policy:


self.kb_role = iam.Role(self, 'KBRole',
    assumed_by=iam.ServicePrincipal('bedrock.amazonaws.com'),
    inline_policies={
        'KBRolePolicyDocument': iam.PolicyDocument(
            statements=[
                iam.PolicyStatement(
                    actions=["bedrock:InvokeModel"],
                    resources=[f"arn:aws:bedrock:{REGION}::foundation-model/{KB_FOUNDATION_MODEL}"]
                ),
                iam.PolicyStatement(
                    actions=[
                        "s3:ListBucket",
                        "s3:GetObject"
                    ],
                    resources=[
                        bucket_arn,
                        f"{bucket_arn}/*"
                    ]
                ),
                iam.PolicyStatement(
                    actions=[
                        "aoss:APIAccessAll",
                        "aoss:DashboardsAccessAll"
                    ],
                    resources=[COLLECTION_ARN]
                ),
            ]
        ),
    }
)
data_access_policy = json.dumps([
{
    "Rules": [
        {
            "Resource": [
                f"collection/{COLLECTION_NAME}"
            ],
            "Permission": [
                "aoss:CreateCollectionItems",
                "aoss:UpdateCollectionItems",
                "aoss:DescribeCollectionItems"
            ],
            "ResourceType": "collection"
        },
        {
            "Resource": [
                f"index/{COLLECTION_NAME}/*"
            ],
            "Permission": [
                "aoss:UpdateIndex",
                "aoss:DescribeIndex",
                "aoss:ReadDocument",
                "aoss:CreateIndex",
                "aoss:WriteDocument",
                "aoss:*"
            ],
            "ResourceType": "index"
        }
    ],
    "Principal": [
        self.kb_role.role_arn,
        invoke_lambda_role.role_arn,
        ADMIN_USER_ARN
    ],
    "Description": "data-access-rule"
}
], indent=2)

self.cfn_access_policy = aws_opensearchserverless.CfnAccessPolicy(self, "DataAccessPolicy",
    name="data_access_policy_name",
    description="Policy for data access created by CDK",
    policy=data_access_policy,
    type="data"
)

Am I missing anything? Thank you for your help!

1 Answer

Please check the trustPolicy for the assume role and the IAM Permissions of the Service Role. Check that Lambda is not over quota and S3 is accessible the way you need.

https://repost.aws/knowledge-center/bedrock-knowledge-base-permission-errors

EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
  • Thank you for your response. The Lambda function I'm using has full permissions (Action: "*" and Resource: "*"), and the S3 access is properly configured. Despite updating the policies of the kb_role to grant full permissions, the issue persists. Sometimes, the application is deployed successfully, but other times it fails due to the same error I mentioned above.
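As an added check, not part of the question or the answer: the script below reads the two documents the question posts (the service role's trust policy, which the answer asks to verify first, and the OpenSearch Serverless data access policy) and reports whether the knowledge base role can assume and reach the collection. The account id, role ARNs and collection name are constructed stand-ins; the baseline permission sets are the explicit actions from the question's own rules. It runs offline; on a real account you would feed it the documents returned by `aws iam get-role` and `aws opensearchserverless get-access-policy --type data` instead.

```python
"""Offline sanity checks for the knowledge base role's trust policy and the
OpenSearch Serverless data access policy. Added example; the sample documents
are constructed to mirror the CDK code in the question (hypothetical account
id, role names and collection name)."""
import json
from fnmatch import fnmatchcase

# Constructed stand-ins for the CDK tokens used in the question.
KB_ROLE_ARN = "arn:aws:iam::123456789012:role/KBRole"
LAMBDA_ROLE_ARN = "arn:aws:iam::123456789012:role/InvokeLambdaRole"
COLLECTION_NAME = "kb-collection"

# What iam.ServicePrincipal('bedrock.amazonaws.com') renders to on the role.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "bedrock.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Same shape as the question's data_access_policy, as the JSON string CfnAccessPolicy takes.
DATA_ACCESS_POLICY = json.dumps([{
    "Rules": [
        {"Resource": [f"collection/{COLLECTION_NAME}"],
         "Permission": ["aoss:CreateCollectionItems", "aoss:UpdateCollectionItems",
                        "aoss:DescribeCollectionItems"],
         "ResourceType": "collection"},
        {"Resource": [f"index/{COLLECTION_NAME}/*"],
         "Permission": ["aoss:UpdateIndex", "aoss:DescribeIndex", "aoss:ReadDocument",
                        "aoss:CreateIndex", "aoss:WriteDocument", "aoss:*"],
         "ResourceType": "index"},
    ],
    "Principal": [KB_ROLE_ARN, LAMBDA_ROLE_ARN],
    "Description": "data-access-rule",
}])

# Baseline taken from the question's own rules (the explicit actions, without the wildcard).
REQUIRED_COLLECTION_PERMS = {"aoss:CreateCollectionItems", "aoss:UpdateCollectionItems",
                             "aoss:DescribeCollectionItems"}
REQUIRED_INDEX_PERMS = {"aoss:CreateIndex", "aoss:DescribeIndex", "aoss:UpdateIndex",
                        "aoss:ReadDocument", "aoss:WriteDocument"}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_allows(trust_policy, service="bedrock.amazonaws.com"):
    """True if some Allow statement lets `service` call sts:AssumeRole."""
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = set(_as_list(stmt.get("Action")))
        if stmt.get("Effect") == "Allow" and service in services \
                and actions & {"sts:AssumeRole", "sts:*"}:
            return True
    return False


def _covers(granted, required):
    return "aoss:*" in granted or required <= granted


def check_data_access_policy(policy_json, principal_arn, collection_name):
    """Evaluate one principal against a data access policy document.

    Returns {'errors': [...], 'warnings': [...]}; empty 'errors' means the
    principal is listed and holds the baseline set on the collection and its indexes."""
    errors, warnings = [], []
    listed, coll_perms, index_perms = False, set(), set()
    probe_index = f"index/{collection_name}/some-index"  # any index name under the collection
    for block in json.loads(policy_json):
        if principal_arn not in block.get("Principal", []):
            continue
        listed = True
        for rule in block.get("Rules", []):
            perms = set(rule.get("Permission", []))
            if "aoss:*" in perms:
                warnings.append(f"wildcard aoss:* granted on {rule.get('Resource')}; "
                                "tighten to the actions the knowledge base needs")
            for res in rule.get("Resource", []):
                if rule.get("ResourceType") == "collection" \
                        and fnmatchcase(f"collection/{collection_name}", res):
                    coll_perms |= perms
                elif rule.get("ResourceType") == "index" and fnmatchcase(probe_index, res):
                    index_perms |= perms
    if not listed:
        errors.append(f"{principal_arn} is not a Principal in any policy block")
        return {"errors": errors, "warnings": warnings}
    if not _covers(coll_perms, REQUIRED_COLLECTION_PERMS):
        errors.append(f"collection rule missing {sorted(REQUIRED_COLLECTION_PERMS - coll_perms)}")
    if not _covers(index_perms, REQUIRED_INDEX_PERMS):
        errors.append(f"index rule missing {sorted(REQUIRED_INDEX_PERMS - index_perms)}")
    return {"errors": errors, "warnings": warnings}


def run_checks():
    """Run both checks on the constructed documents."""
    return {
        "trust_ok": trust_policy_allows(TRUST_POLICY),
        "data_access": check_data_access_policy(DATA_ACCESS_POLICY, KB_ROLE_ARN, COLLECTION_NAME),
    }


if __name__ == "__main__":
    print(json.dumps(run_checks(), indent=2))
```

The data access policy is evaluated per principal, so a role that is absent from `Principal` is reported as an error rather than as missing permissions, and the `aoss:*` wildcard from the question is flagged as a least-privilege warning. These checks are static: a pair of documents that passes them can still fail at deploy time if the knowledge base is created before the access policy is in effect, which is the kind of timing issue an intermittent result points to.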
