How do I troubleshoot the permission errors I get when I create a knowledge base in Amazon Bedrock?

5 minute read
0

I want to resolve the permission errors I get when I create an Amazon Bedrock knowledge base.

Short description

You must use a service role to create a knowledge base in Amazon Bedrock. The service role provides Amazon Bedrock the required permission to access the necessary AWS services. You can let Amazon Bedrock create the service role or use a custom role that you created.

Resolution

Review the following errors to find the resolution for your issue.

Error: "Not able to find/see custom service role while creating KnowledgeBase from console"

This error occurs when the custom Amazon Bedrock service role is missing the necessary trust policy.

To resolve this error, make sure that the trust policy exists in the custom service role for Amazon Bedrock.

Example policy code with the trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:bedrock:region:account-id:knowledge-base/*"
        }
      }
    }
  ]
}

Error: "User: arn:aws:sts::999999999999: assumed-role/DataScientist/user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::9999999999:role/service-role/bedrock-knowledge-base because no identity-based policy allows the iam:CreateRole action"

-or-

Error: "User: arn:aws:sts::999999999999: assumed-role/DataScientist/user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::9999999999:role/service-role/bedrock-knowledge-base because no identity-based policy allows theiam:PassRole action"

This error occurs when either of these conditions is true:

  • The Identity or Access Management (IAM) or user role doesn't have the iam:CreateRole permissions to create the service role.
    -or-
  • The IAM or user role is missing the iam:PassRole to assume a custom service role for Amazon Bedrock service to use on your behalf.

To resolve the error, complete the following steps:

  1. Add the following permissions to the IAM or user role so that it can create the service role

    `{   "Version": "2012-10-17",   "Statement": [     {       "Effect": "Allow",       "Action": [         "iam:AttachRolePolicy",         "iam:CreateRole",         "iam:PutRolePolicy",        ],        "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"     }   ] }` 
  2. If you use a pre-created custom service role, make sure that you have added iam:PassRole permission to the IAM or user role. The IAM or user role passes the service role to the Amazon Bedrock service to create the knowledge base:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "iam:PassRole"
          ],
          "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
        }
      ]
    }

Error: "An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: The knowledge base storage configuration provided is invalid... Bad Authorization"
-or-
Error: "The knowledge base storage configuration provided is invalid... Request failed: [security_exception] 403 Forbidden"

This error occurs when any of these conditions is true:

  • The service role lacks the necessary permissions for Amazon OpenSearch Serverless collections.
  • The data access policy for the collection doesn't include the service role under the principal section.
  • The AWS Secrets Manager configuration isn't properly authentication by Amazon Bedrock.

To resolve the error, follow these steps:

  1. Make sure that the service role has access to OpenSearch Serverless collections and that the trust policy that's associated with the Amazon Bedrock service.

    Note: If you created a vector database in Amazon OpenSearch Serverless for your knowledge base, then attach the following policy to the Amazon Bedrock's service role. The policy allows Amazon Bedrock service to access the collection. For more information, see Create a service role for Knowledge bases for Amazon Bedrock. Verify that the data access policy for the collection gives permission to the Amazon Bedrock's service role. Make sure that the Amazon Bedrock service role is listed under the principal section of the data access control policy. For more information, see Data access control for Amazon OpenSearch Serverless.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aoss:APIAccessAll"
          ],
          "Resource": [
            "arn:aws:aoss:region:account-id:collection/collection-id"
          ]
        }
      ]
    }
  2. Verify that the data access policy for the collection gives permission to the Amazon Bedrock's service role. Also, make sure that the Amazon Bedrock service role is listed under the principal section of the data access control policy. For more information, see Data access control for Amazon OpenSearch Serverless.

  3. Your vector database might be configured with an AWS Secrets Manager secret. Make sure that the Amazon Bedrock service role allows AWS Secrets Manager to authenticate your account for you to access the database. For more information, see Create a service role for Knowledge bases for Amazon Bedrock.

Error: "The knowledge base storage configuration provided is invalid... no such index [bedrock-knowledge-base-default-index]"

Amazon OpenSearch Serverless might take some time to propagate systemic changes or updates across all nodes or replicas of an index. The preceding error can occur if you try to access data during this propagation process.

To resolve the error, follow these steps:

  1. Confirm that the service role that you are using has the necessary permissions to access OpenSearch Serverless collections or the selected vector database.
  2. Verify that you can display or create an index manually in OpenSearch Serverless. If you can create a manual index, then that the issue is related to the eventual consistency of the system. Or, make sure that you have the required permission to create the index. For more information, see Sample datasets on OpenSearch Dashboards.
  3. If the error persists, then there wasn't enough time for the configuration to propagate the changes across the system. Wait for about five minutes between the time that you create an index and the time that you create the knowledge base. Then, try again.
AWS OFFICIAL
AWS OFFICIALUpdated 15 days ago