How do I troubleshoot permission errors that I get when I create a knowledge base in Amazon Bedrock?


I want to resolve the permission errors that I get when I create an Amazon Bedrock knowledge base.

Short description

You must use a service role to create a knowledge base in Amazon Bedrock. The service role provides Amazon Bedrock the required permission to access the necessary AWS services. You can use the service role that Amazon Bedrock created, or use a custom role that you created.

Resolution

Review the following errors to find the resolution for your issue.

Amazon Bedrock can't find the custom role

Error: "Not able to find/see custom service role while creating KnowledgeBase from console"

The preceding error occurs when the custom service role is missing the necessary trust policy.

To resolve the error, attach a trust policy to the service role.

Example trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "bedrock.amazonaws.com"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:SourceAccount": "account-id"
        },
        "ArnLike": {
          "AWS:SourceArn": "arn:aws:bedrock:region:account-id:knowledge-base/*"
        }
      }
    }
  ]
}
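A quick way to verify that a custom role carries the trust policy above before you select it in the console. This is an added example, not code from the page or from AWS: it parses a trust-policy document and reports whether bedrock.amazonaws.com may assume the role and whether the grant is pinned to your account and to Bedrock knowledge-base ARNs (the confused-deputy protection the example trust policy provides). The sample policy, account id and region are constructed placeholders.

```python
import json

# Constructed sample input, not a real policy: a trust policy with the
# confused-deputy conditions this page recommends (placeholder account id).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "bedrock.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111122223333"},
            "ArnLike": {"AWS:SourceArn":
                        "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/*"},
        },
    }],
})


def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and Service.
    return value if isinstance(value, list) else [value]


def check_bedrock_trust_policy(policy_json, account_id):
    """Return a list of findings for a role's trust policy. An empty list means
    bedrock.amazonaws.com can assume the role and the grant is restricted to
    account_id and to Bedrock ARNs, so another account's resources cannot use it."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    matches = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue
        if ("bedrock.amazonaws.com" in _as_list(principal.get("Service", []))
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))):
            matches.append(stmt)
    if not matches:
        return ["no Allow statement lets bedrock.amazonaws.com call sts:AssumeRole"]
    for stmt in matches:
        # Condition keys are case-insensitive (aws:SourceArn == AWS:SourceArn),
        # so flatten every condition block into one lowercase-keyed dict.
        cond = {k.lower(): v for block in stmt.get("Condition", {}).values()
                for k, v in block.items()}
        if cond.get("aws:sourceaccount") != account_id:
            findings.append("aws:SourceAccount missing or not " + account_id)
        if not str(cond.get("aws:sourcearn", "")).startswith("arn:aws:bedrock:"):
            findings.append("aws:SourceArn missing or not a Bedrock ARN")
    return findings
```

Feed it the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to check a real role; a non-empty result names exactly which condition to add.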

The service role doesn't have the required IAM permissions

Error: "User: arn:aws:sts::999999999999:assumed-role/DataScientist/user is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::9999999999:role/service-role/bedrock-knowledge-base because no identity-based policy allows the iam:CreateRole action"

The preceding error occurs when the AWS Identity and Access Management (IAM) user or role that you're using to create the custom role doesn't have the iam:CreateRole permission.

To resolve this issue, add the iam:CreateRole permission to your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
    }
  ]
}

Error: "User: arn:aws:sts::999999999999:assumed-role/DataScientist/user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::9999999999:role/service-role/bedrock-knowledge-base because no identity-based policy allows the iam:PassRole action"

The preceding error occurs when the IAM user or role that creates the knowledge base is missing the iam:PassRole permission, which allows it to pass the service role to Amazon Bedrock.

To resolve this issue, add the iam:PassRole permission to your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole"
      ],
      "Resource": "arn:aws:iam::*:role/SERVICE-ROLE-NAME"
    }
  ]
}

You receive a Bad Authorization or 403 Forbidden error

Error: "An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: The knowledge base storage configuration provided is invalid... Bad Authorization"

-or-

Error: "The knowledge base storage configuration provided is invalid... Request failed: [security_exception] 403 Forbidden"

The preceding errors occur in the following situations:

  • The service role doesn't have the necessary permissions for Amazon OpenSearch Serverless collections.
  • The data access policy for the collection doesn't include the service role under the Principal section.
  • Amazon Bedrock didn't correctly authenticate the AWS Secrets Manager configuration.

To resolve these issues, make sure that the service role has access to OpenSearch Serverless collections. If you created a vector database in Amazon OpenSearch Serverless for your knowledge base, then attach the following policy to the Amazon Bedrock service role. The policy allows Amazon Bedrock to access the collection:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aoss:APIAccessAll"
      ],
      "Resource": [
        "arn:aws:aoss:region:account-id:collection/collection-id"
      ]
    }
  ]
}

Verify that the data access policy for the collection gives permission to the Amazon Bedrock service role. Also, make sure that the Amazon Bedrock service role is listed under the Principal section of the data access control policy. For more information, see Data access control for Amazon OpenSearch Serverless.

Your vector database might be configured with an AWS Secrets Manager secret. Make sure that the Amazon Bedrock service role allows AWS Secrets Manager to authenticate your account for you to access the database. For more information, see Create a service role for Amazon Bedrock knowledge bases.
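The second cause above (the service role is absent from the Principal section of the collection's data access policy) is easy to check offline once you have exported the policy. This is an added example, not code from the page or from AWS: it walks an OpenSearch Serverless data access policy document (a list of entries, each with Rules and Principal) and reports whether the service role is a Principal and whether that entry grants the index permissions a knowledge base needs on the collection. The sample policy, role ARN and collection name are constructed placeholders, and the set of required index permissions is an assumption, so adjust it to match the current Amazon Bedrock documentation.

```python
import json

# Constructed sample data access policy, not a real one; ARNs and names are
# placeholders. The shape (entries with Rules and Principal) is the
# OpenSearch Serverless data access policy format.
SERVICE_ROLE_ARN = "arn:aws:iam::111122223333:role/service-role/bedrock-kb-role"
COLLECTION = "bedrock-kb-collection"
SAMPLE_DATA_ACCESS_POLICY = json.dumps([{
    "Description": "Access for the Bedrock knowledge base service role",
    "Rules": [
        {"ResourceType": "collection",
         "Resource": ["collection/" + COLLECTION],
         "Permission": ["aoss:DescribeCollectionItems"]},
        {"ResourceType": "index",
         "Resource": ["index/" + COLLECTION + "/*"],
         "Permission": ["aoss:CreateIndex", "aoss:DescribeIndex",
                        "aoss:ReadDocument", "aoss:WriteDocument"]},
    ],
    "Principal": [SERVICE_ROLE_ARN],
}])

# Index permissions assumed here to be what a knowledge base needs (assumption;
# check the Bedrock documentation for the authoritative list).
REQUIRED_INDEX_PERMS = {"aoss:CreateIndex", "aoss:DescribeIndex",
                        "aoss:ReadDocument", "aoss:WriteDocument"}


def _covers(resources, collection):
    # The rule must name this collection's indexes or use the global wildcard.
    return any(r in ("index/" + collection + "/*", "index/*/*") for r in resources)


def check_data_access_policy(policy_json, role_arn, collection):
    """Return a list of findings; empty means role_arn is a Principal and is
    granted every permission in REQUIRED_INDEX_PERMS on the collection's indexes."""
    granted = set()
    listed = False
    for entry in json.loads(policy_json):
        if role_arn not in entry.get("Principal", []):
            continue
        listed = True
        for rule in entry.get("Rules", []):
            if (rule.get("ResourceType") == "index"
                    and _covers(rule.get("Resource", []), collection)):
                perms = set(rule.get("Permission", []))
                granted |= REQUIRED_INDEX_PERMS if "aoss:*" in perms else perms
    if not listed:
        return ["service role is not a Principal in any policy entry"]
    missing = REQUIRED_INDEX_PERMS - granted
    return ["missing index permissions: " + ", ".join(sorted(missing))] if missing else []
```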

The index doesn't exist

Error: "The knowledge base storage configuration provided is invalid... no such index [bedrock-knowledge-base-default-index]"

Amazon OpenSearch Serverless might take some time to distribute systemic changes or updates across all nodes or replicas of an index. The preceding error can occur when you try to access data during the distribution process.

To resolve the issue, take the following actions:

  • Confirm that the service role that you're using has the necessary permissions to access OpenSearch Serverless collections or the selected vector database.
  • Verify that you can display or manually create an index in OpenSearch Serverless. If you can manually create an index, then the issue is related to the eventual consistency of the system. If you can't manually create an index, then check that you have the required permission to create one. For more information, see Sample datasets on OpenSearch Dashboards.
  • If you have the necessary permissions and still continue to experience the issue, then wait about 5 minutes for the configuration to complete the changes across the system.