Can't access Bedrock FM from REST Gateway

0

I'm deploying a REST gateway that calls Bedrock Titan FM. It works as expected when the REST Gateway runs locally using sam local --start-api .... Running the REST Gateway on the cloud, as follows:

sam deploy -t sam.yaml --s3-bucket $BUCKET_NAME --stack-name bedrock-gateway-stack --capabilities CAPABILITY_IAM 

and invoking endpoints that call the Bedrock Titan FM, raises the following exception:

2024-04-18 16:26:18,682 ERROR [fr.sim.qua.BedrockAiResource] (sdk-async-response-0-0) ### BedrockAiResource.inoke(): Model invocation failed: {}: java.util.concurrent.CompletionException: software.amazon.awssdk.services.bedrockruntime.model.AccessDeniedException: User: arn:aws:sts::...:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

Here is the sam.yaml file (generated by quarkus-amazon-lambda-rest plugin):

  AWSTemplateFormatVersion: '2010-09-09'
  Transform: AWS::Serverless-2016-10-31
  Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
  Globals:
    Api:
      EndpointConfiguration: REGIONAL
      BinaryMediaTypes:
        - "*/*"

  Resources:
    BedrockGatewayApi:
      Type: AWS::Serverless::Function
      Properties:
        Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
        Runtime: java17
        CodeUri: function.zip
        MemorySize: 512
        Policies: AWSLambdaBasicExecutionRole
        Timeout: 15
        Events:
          GetResource:
            Type: Api
            Properties:
              Path: /{proxy+}
              Method: any

  Outputs:
    BedrockGatewayApiApi:
      Description: URL for application
      Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
      Export:
        Name: BedrockGatewayApiApi

Also, the Bedrock playground in the AWS console works as expected.

Many thanks in advance.

Nicolas

2 answers
0
Accepted answer

The required permission was AmazonBedrockFullAccess. Adding it to the SAM template fixes the issue.

nicolas
answered 1 month ago
0

Hi Nicolas,

it looks like the role that is attached to your Lambda function does not have permissions to call InvokeModel.

User: arn:aws:sts::<account-id>:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

To resolve this, add the relevant permission to the function execution role. Currently, the role only has the Policies: AWSLambdaBasicExecutionRole role.

Also, consider removing your account id from your post.

AWS
EXPERT
answered 1 month ago
  • This answer is void. While it's obvious that a required permission is missing here, answering the question would have involved mentioning what this permission would be. Saying "do what you need to do" doesn't help.
