Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

Bedrock AgentCore creation fails due to existing WorkloadIdentity

0

I use python boto3 to create a bedrock agentCore gateway:

client = boto3.client("bedrock-agentcore-control", region_name=region)
...
gw = client.create_gateway(
        name=props["GatewayName"],
        roleArn=props["RoleArn"],
        protocolType="MCP",
        protocolConfiguration={
            "mcp": {
                "searchType": "SEMANTIC",
            }
        },
        authorizerType="CUSTOM_JWT",
        authorizerConfiguration={
            "customJWTAuthorizer": {
                "discoveryUrl": props["DiscoveryUrl"],
                "allowedClients": [props["ClientId"]],
            }
        },
        kmsKeyArn=props["KmsKeyArn"],
        exceptionLevel="DEBUG",
    )

After around 8-10 minutes the status of the gateway is FAILED. CloudTrail shows the errors:

  • 19:55:57 - CreateGateway succeeded
  • 19:55:57 - CreateWorkloadIdentity succeeded
  • 19:56:00 - CreateWorkloadIdentity FAILED - "already exists"
  • 19:56:04 - CreateWorkloadIdentity FAILED - "already exists"
  • 19:56:13 - CreateWorkloadIdentity FAILED - "already exists"
  • 19:56:29 - CreateWorkloadIdentity FAILED - "already exists"
  • 19:57:02 - CreateWorkloadIdentity FAILED - "already exists"
  • 19:58:06 - CreateWorkloadIdentity FAILED - "already exists"

Also, I see some orphaned WorkloadIdentities, which I can't delete - "An error occurred (ValidationException) when calling the DeleteWorkloadIdentity operation: WorkloadIdentity is linked to a service and cannot be deleted by the caller. "

I've tried with the new gateway name. Still fails.

Topics
Machine Learning & AIAWS Cloud Development Kit (CDK)Generative AI on AWS
Tags
AWS Cloud Development Kit (CDK)Amazon Bedrock AgentCore
Language
English
asked 4 months ago99 views
1 Answer
0
Accepted Answer

Hello.

If it is linked to an existing Agent or Gateway, the corresponding error will occur.

By the way, if you check the error message, it is possible that the deletion failed due to a known issue on the AWS side.
https://github.com/ekristen/aws-nuke/issues/835

If the problem is on the AWS side, you will not be able to resolve it yourself, so you will need to open a case with AWS Support under "Account and billing" and inquire.
"Account and billing" inquiries are free of charge.
https://console.aws.amazon.com/support

EXPERT
answered 4 months ago
AWS
EXPERT
reviewed 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content