How do I troubleshoot permission errors that I get when I create a knowledge base in Amazon Bedrock?
I receive permission-related errors when I try to create an Amazon Bedrock knowledge base. I want to resolve these permission errors to successfully set up the knowledge base.
Short description
To create a knowledge base in Amazon Bedrock, you must configure a service role. The service role gives Amazon Bedrock the permissions it needs to access the required AWS services. You can either use the service role that Amazon Bedrock has already created for you, or create a custom service role and assign it the required permissions.
Resolution
Missing IAM service role
If the Identity and Access Management (IAM) service role that you use to create the Amazon Bedrock knowledge base doesn't have a trust relationship policy that allows Amazon Bedrock to assume it, then you receive the following error:
"Bedrock Knowledge Base was unable to assume the given role. Provide the proper permissions and retry the request"
To resolve this error, attach the following trust relationship policy for Amazon Bedrock to your IAM service role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Missing IAM permissions
If the IAM role that you used to create the Amazon Bedrock knowledge base doesn't have the iam:CreateRole permission, then you receive the following error:
"User: arn:aws:sts::account id:assumed-role/IAM role/IAM user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam:region:account id:role/service-role/bedrock-knowledge-base because no identity-based policy allows the iam:CreateRole action"
To resolve this error, add the iam:CreateRole permission to your IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/service-role-name"
    }
  ]
}
```
Note: Replace service-role-name with your service role name.
If the IAM role that you used to create the Amazon Bedrock knowledge base doesn't have the iam:PassRole permission, then you receive the following error:
"User: arn:aws:sts::account id:assumed-role/IAM role/IAM user is not authorized to perform: iam:PassRole on resource: arn:aws:iam:region:account id:role/service-role/bedrock-knowledge-base because no identity-based policy allows the iam:PassRole action"
To resolve this error, add the iam:PassRole permission to your IAM policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/service-role-name"
    }
  ]
}
```
Note: Replace service-role-name with your service role name.
Missing permissions for an Amazon OpenSearch Serverless collection
If the IAM service role doesn't have the necessary permissions for an Amazon OpenSearch Serverless collection, then you receive the following error:
"The knowledge base storage configuration provided is invalid... Request failed: [security_exception] 403 Forbidden"
To resolve this error, add the permissions for your Amazon OpenSearch Serverless collection to your IAM service role. If you created a vector database in Amazon OpenSearch Serverless for your knowledge base, then attach the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenSearchServerlessAPIAccessAllStatement",
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll"
      ],
      "Resource": [
        "arn:aws:aoss:region:account-id:collection/collection-id"
      ]
    }
  ]
}
```
The preceding policy grants the IAM service role that you use access to the collection.
Verify that the data access policy from the Amazon OpenSearch Serverless collection console gives permission to the Amazon Bedrock service role. Also, make sure that the Amazon Bedrock service role is listed under the Principal section of the data access control policy.
Your vector database might be configured with an AWS Secrets Manager secret. Make sure that the IAM service role has permission to retrieve that secret from AWS Secrets Manager so that Amazon Bedrock can authenticate to the database.
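The following Python is an added example, not AWS tooling: it evaluates the caller's identity policy, the service role's trust policy, and the service role's permissions policy against the checks behind the errors above (AssumeRole trust, iam:CreateRole, iam:PassRole, aoss:APIAccessAll), using a simplified IAM model. The role and collection ARNs and the policy dicts are constructed inputs.

```python
# Added example (not AWS tooling): offline evaluator for the policies in this
# article. Models Allow/Deny, string-or-list fields and '*' wildcards; ignores
# Condition, NotAction/NotResource, permission boundaries and SCPs.
import fnmatch

# Constructed sample: the article's trust policy for the service role.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "bedrock.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

def _as_list(value):
    # IAM accepts a single string or a list; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(patterns, target):
    # Case-sensitive IAM-style wildcard match ('*' and '?').
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def policy_allows(policy, action, resource):
    # True if an identity policy allows `action` on `resource`.
    # An explicit Deny overrides any Allow, as in IAM.
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not (_matches(stmt.get("Action"), action)
                and _matches(stmt.get("Resource"), resource)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def trusts_service(trust_policy, service="bedrock.amazonaws.com"):
    # True if the role's trust policy lets `service` call sts:AssumeRole.
    for stmt in _as_list(trust_policy.get("Statement")):
        principal = stmt.get("Principal") or {}
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and service in services
                and _matches(stmt.get("Action"), "sts:AssumeRole")):
            return True
    return False

def check_knowledge_base_setup(caller_policy, trust_policy, role_policy,
                               role_arn, collection_arn):
    # One boolean per error the article describes; a False points at the fix.
    return {
        "role_trusts_bedrock": trusts_service(trust_policy),
        "caller_can_create_role": policy_allows(caller_policy, "iam:CreateRole", role_arn),
        "caller_can_pass_role": policy_allows(caller_policy, "iam:PassRole", role_arn),
        "role_can_access_collection": policy_allows(role_policy, "aoss:APIAccessAll", collection_arn),
    }
```

Pull the real documents with `aws iam get-role` and `aws iam get-role-policy` (or from your IaC) and feed them in; any False maps directly to one of the fixes in this article.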
Missing endpoint authorization
If you didn't add the Amazon Bedrock endpoint domain name to the network policy in the Amazon OpenSearch Service collection, then you receive the following error:
"The knowledge base storage configuration provided is invalid... Request failed: [http_exception] server returned 401"
To give Amazon Bedrock access to the private collection or the virtual private cloud (VPC) endpoint, add the endpoint domain name to the network policy.
To resolve this error, update your collection with a private network policy. If you don't have a collection with a private network policy, then you must create one. For more information, see the Create a collection with a private network policy section in
Note: When you create a new collection, for Access type, choose Private. You must also select AWS services private access, and then add bedrock.amazonaws.com to the list of allowed services.
Missing CORS permissions for your S3 bucket
If your knowledge base has an Amazon Simple Storage Service (Amazon S3) data source and the bucket doesn't have the necessary Cross-Origin Resource Sharing (CORS) permissions, then you receive the following error:
"The knowledge base storage configuration provided is invalid... Dependency error document status code: 404, error message: no such index [bedrock-knowledge-base-default-index]"
Without the proper CORS configuration on the S3 bucket, the Amazon Bedrock knowledge base can't access the data stored in the S3 bucket.
To resolve the error, set up CORS in your S3 bucket with the following CORS configuration:
```json
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET",
      "PUT",
      "POST",
      "DELETE"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": [
      "Access-Control-Allow-Origin"
    ]
  }
]
```
You might also receive this error because Amazon OpenSearch Serverless requires time to propagate the changes across all the nodes or replicas of an index.
To address the delay issue caused by Amazon OpenSearch Serverless, take the following actions:
- Make sure that the service role you want to use has the permissions to access and interact with OpenSearch Serverless collections and the selected vector database.
- Check whether you have an existing index or whether you can manually create a new index in Amazon OpenSearch Serverless. If you can manually create an index from the Amazon OpenSearch dashboard, then your error might be caused by eventual consistency within the system. To resolve this error, wait approximately 5 minutes to allow the system to fully propagate the changes and reach a consistent state. If you can't manually create an index, then make sure that you have the necessary permissions to do so. For more information, see Sample datasets on OpenSearch Dashboards.