Bedrock KnowledgeBase sync error, can't access S3 bucket


I'm following the instructions here to create a Knowledge Base.

I configure the Knowledge Base to have one of my S3 buckets (under the same account) as my data source. However, when I try to Sync the data source, it errors out right away with:

Encountered error: Access Denied (Service: S3, Status Code: 403, Request ID: JDKB992YNZEJ475K, Extended Request ID: VhXJ7Nrt+ZYjxx5IlAnwsg+Wmu2iLGeJ/7zomRMhr0OW83Sac+BtiwUMpe+9XYj0+zkwl8LMau0=). Call to Amazon S3 Source did not succeed.

Error screenshot

The role/policies that the console set up seem right.

Role/policies screenshot

Any thoughts about what could be wrong here?

4 Answers
Accepted Answer

The policy generated by Bedrock when creating the Knowledge Base data source is incorrect at the moment - it lacks a reference to the bucket itself in Resources so as to authorize the ListBucket action itself. Manually adding the bucket to the Resources (in your case "arn:aws:s3:::equilo-data-ingestion") will solve the issue. NB: I would recommend hiding your account number when posting in an open forum for security.

answered 6 months ago
  • First, thanks for the security callout. That was an oversight. I have updated the screenshot in the question, fwiw.

    You were totally right. Adding the bucket itself as a resource to the policy enabled a sync. Hope the default policy generation can account for this edge case where a user only wants to ingest a bucket's sub-folder/object.

  • Seems fixed now.


Please check the region in which your bucket has been created and the region where Bedrock is being used. I had the same issue; I just checked the regions of both and it is resolved. The autogenerated policies have proper access; you do not need to edit anything else.

answered 5 months ago

Hey, a couple of reasons that I could assume are causing the above failure.

  1. Proper IAM policies are not set up. s3:GetObject, s3:ListObject are the bare minimum policies to copy over the S3 bucket object. But if your bucket is enabled with versioning, you need the s3:GetObjectVersion permission. And to copy the objects with tags, you need s3:GetObjectTagging (source bucket), s3:PutObjectTagging (needed for destination bucket). If you have attached the permission policies to the destination bucket, make sure that bucket has these policies: s3:GetObject, s3:PutObject, and s3:ListBucket.
  2. S3-SSE. If you have enabled server-side encryption with an AWS managed KMS key or a customer managed key, you should have kms:Decrypt, kms:GenerateDataKey permissions on the specific KMS key in the resource section of the IAM policy.
answered 6 months ago
  • Thanks for the reply. Good to know about the additional permissions needed in these various scenarios, which I am about to get into. For now, the issue was about the actual bucket not being listed as a resource in the policy, even though I only wanted to ingest files in a sub-folder/object.
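The two permission problems discussed in this thread (the accepted answer's missing bucket ARN for s3:ListBucket, and the SSE-KMS note in the answer above) can both be caught before a sync by linting the role policy offline. The script below is an added example written for this page, not code from AWS or from any of the posters. The bucket ARN is the one named in the accepted answer; the `docs/` prefix, the placeholder KMS key ARN and the policy document itself are constructed to mirror the defect as described, not copied from the console.

```python
"""Lint a Bedrock Knowledge Base data-source role policy for the S3 grants a sync needs."""
import json
import re

BUCKET_ARN = "arn:aws:s3:::equilo-data-ingestion"   # bucket named in the accepted answer
PREFIX = "docs/"                                     # assumed: sub-folder the KB ingests
KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:"
               "key/00000000-0000-0000-0000-000000000000")  # assumed placeholder key

# Constructed policy modelled on the defect the accepted answer describes: every
# Resource is the prefix, so nothing ever matches the bare bucket ARN that
# s3:ListBucket is evaluated against.
DEFECTIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ListBucketStatement",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": [f"{BUCKET_ARN}/{PREFIX}*"],
        },
        {
            "Sid": "S3GetObjectStatement",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [f"{BUCKET_ARN}/{PREFIX}*"],
        },
    ],
}


def _as_list(value):
    """IAM allows Statement/Action/Resource to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _iam_glob(pattern, ignore_case):
    """Compile an IAM-style pattern: '*' matches any run, '?' one character."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE if ignore_case else 0)


def allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource.

    Simplified evaluator: Deny, NotAction/NotResource and Condition blocks are
    not modelled, so True is necessary but not sufficient for real access.
    """
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "NotAction" in stmt or "NotResource" in stmt:
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Action names are case-insensitive; resource ARNs are case-sensitive.
        if (any(_iam_glob(a, True).match(action) for a in actions)
                and any(_iam_glob(r, False).match(resource) for r in resources)):
            return True
    return False


def required_grants(bucket_arn, prefix="", kms_key_arn=None):
    """Minimum grants for a read-only S3 data source: ListBucket on the bucket ARN,
    GetObject on objects under the prefix (checked with a representative key), and
    kms:Decrypt on the key when objects are SSE-KMS encrypted (reads need only Decrypt)."""
    grants = [
        ("s3:ListBucket", bucket_arn),
        ("s3:GetObject", f"{bucket_arn}/{prefix}sample.pdf"),
    ]
    if kms_key_arn:
        grants.append(("kms:Decrypt", kms_key_arn))
    return grants


def missing_grants(policy, bucket_arn, prefix="", kms_key_arn=None):
    """Return the (action, resource) pairs the policy does not allow."""
    return [(a, r) for a, r in required_grants(bucket_arn, prefix, kms_key_arn)
            if not allows(policy, a, r)]


def add_bucket_arn_to_listbucket(policy, bucket_arn):
    """Return a copy with the bare bucket ARN added to every Allow statement that
    grants s3:ListBucket, which is the manual fix the accepted answer describes."""
    fixed = json.loads(json.dumps(policy))
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_iam_glob(a, True).match("s3:ListBucket") for a in _as_list(stmt.get("Action"))):
            resources = _as_list(stmt.get("Resource"))
            if bucket_arn not in resources:
                resources.append(bucket_arn)
            stmt["Resource"] = resources
    return fixed


if __name__ == "__main__":
    print("missing before fix:", missing_grants(DEFECTIVE_POLICY, BUCKET_ARN, PREFIX))
    fixed = add_bucket_arn_to_listbucket(DEFECTIVE_POLICY, BUCKET_ARN)
    print("missing after fix: ", missing_grants(fixed, BUCKET_ARN, PREFIX))
    print("with SSE-KMS:      ", missing_grants(fixed, BUCKET_ARN, PREFIX, KMS_KEY_ARN))
    print(json.dumps(fixed, indent=2))
```

Run against the constructed policy, the only missing grant is `s3:ListBucket` on the bucket ARN; after `add_bucket_arn_to_listbucket` the S3 checks pass, and passing a KMS key ARN surfaces the separate `kms:Decrypt` gap for SSE-KMS buckets. The evaluator deliberately ignores Deny and Condition, so treat an empty result as "nothing obviously missing", not proof of access; the IAM policy simulator or a real sync remains the final check.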


I am getting a similar sync error, but it says the Knowledge Base role is not able to call the specified embedding model. But I see the policy is generated. What could be the issue?

answered 5 months ago
