When I sync my Microsoft SharePoint data source with Amazon Bedrock Knowledge Bases, I receive the following error: "Failed to connect to the URL of your data source. Please check the URL, access permissions, and data source configuration".
Resolution
Check your Secrets Manager secret configuration
Make sure that you correctly configured your AWS Secrets Manager secret.
For SharePoint App-Only credentials, the secret must contain the following key-value pairs:
- Both the sharePointClientId and clientId are the SharePoint client ID that SharePoint generated when you registered the SharePoint client application.
- The clientSecret is the client secret that was generated for the Microsoft Entra SharePoint application.
Note: For information about how to generate a client secret, see Add and manage application credentials in Microsoft Entra ID on the Microsoft website.
- The sharePointClientSecret is the client secret that SharePoint generated when you registered the application.
Note: To generate sharePointClientId, clientId, and sharePointClientSecret, register your application. For more information, see Granting access using SharePoint App-Only on the Microsoft website. If you already registered your application and didn't save the client secret, then you must reregister the SharePoint application. You can view the client secret only at creation.
For SharePoint OAuth 2.0 authentication, the secret must contain the following key-value pairs:
- The username is your Microsoft Entra tenant ID.
Note: For information about how to find your ID, see How to find your Microsoft Entra tenant ID on the Microsoft website.
- The password is the SharePoint admin password.
- The sharePointClientId is the OAuth app client ID that SharePoint generated when you registered the application.
- The sharePointClientSecret is the OAuth app client secret.
Note: The username and password must belong to the SharePoint account admin.
(OAuth 2.0 authentication only) Grant the required API permissions
The SharePoint application must have SharePoint: AllSites.Read (Delegated) and Microsoft Graph > Sites.FullControl.All (Delegated) permissions to read items in all site collections.
To further reduce the scope of API permissions, use SharePoint: Sites.Read.All (Application), Microsoft Graph > GroupMember.Read.All (Application) and Microsoft Graph > User.Read.All (Application).
Also, deactivate Security defaults and multi-factor authentication (MFA) to make sure that the SharePoint account allows Amazon Bedrock to crawl through the site's content. For steps to deactivate this feature, see Security defaults on the Microsoft website.
Check your networking configuration
Your SharePoint application must not use an IP address allowlist or have VPN restrictions. This configuration makes sure that Amazon Bedrock is allowed to crawl your SharePoint content.
Make sure that you set Allow access only from specific IP address ranges to Off. For steps to update this setting, see Set a location-based policy in the new SharePoint admin center on the Microsoft website.
Make sure that you adhere to the SharePoint URL requirements
Your SharePoint URL must adhere to the following requirements:
- The URL starts with https and contains sharepoint.com. Example: https://yourcompany.sharepoint.com/sites/SiteName
- The URL points to your actual SharePoint site.
- The URL doesn't point outside of your specific SharePoint site or to specific locations within the site.
Note: You must use SharePoint online domains only. You can't use custom domain URLs.
Note: When you provide details to add your SharePoint data source, make sure to set the Domain parameter to yourcompany, not yourcompany.sharepoint.com.
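The following pre-sync check script is an added example, not AWS or Amazon Bedrock code. It validates the two things this article asks you to verify before you retry the sync: that the Secrets Manager secret string carries the key-value pairs listed above for the credential type you chose (App-Only or OAuth 2.0), and that the site URL meets the URL requirements, including deriving the value to enter in the Domain parameter. The auth-type labels "app-only" and "oauth2", the function names, and all sample values are assumptions made for this example; the path check assumes the /sites/SiteName form shown in the example URL. Real secrets would be fetched with the Secrets Manager API; here a constructed secret string is used so the script runs offline.

```python
"""Pre-sync configuration checks for a SharePoint data source (added example)."""
from __future__ import annotations

import json
from urllib.parse import urlparse

# Keys the article lists for each credential type. The labels "app-only" and
# "oauth2" are names chosen for this example, not Bedrock identifiers.
REQUIRED_KEYS = {
    "app-only": {"sharePointClientId", "clientId", "clientSecret", "sharePointClientSecret"},
    "oauth2": {"username", "password", "sharePointClientId", "sharePointClientSecret"},
}

SHAREPOINT_SUFFIX = ".sharepoint.com"


def check_secret(secret_json: str, auth_type: str) -> list[str]:
    """Return the problems found in a SecretString (empty list means it looks correct).

    Checks that the string is a JSON object, that every key required for
    `auth_type` is present, and that no required value is blank.
    """
    problems: list[str] = []
    try:
        secret = json.loads(secret_json)
    except json.JSONDecodeError as exc:
        return [f"secret is not valid JSON: {exc}"]
    if not isinstance(secret, dict):
        return ["secret must be a JSON object of key-value pairs"]
    required = REQUIRED_KEYS[auth_type]
    for key in sorted(required - secret.keys()):
        problems.append(f"missing key: {key}")
    for key in sorted(required & secret.keys()):
        if not isinstance(secret[key], str) or not secret[key].strip():
            problems.append(f"empty value for key: {key}")
    return problems


def check_site_url(url: str) -> list[str]:
    """Return the problems found in a SharePoint site URL (empty list means OK).

    Enforces: https scheme, a <tenant>.sharepoint.com host (no custom domains),
    and a path of exactly /sites/<SiteName> with no query or fragment, so the
    URL names the site itself rather than a location inside it.
    """
    problems: list[str] = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("URL must start with https")
    host = parsed.hostname or ""
    # "yourcompany.sharepoint.com" has exactly two dots; anything else is not a
    # plain SharePoint Online tenant host (custom domains are not supported).
    if not host.endswith(SHAREPOINT_SUFFIX) or host.count(".") != 2:
        problems.append("host must be <tenant>.sharepoint.com (custom domains are not supported)")
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) != 2 or parts[0].lower() != "sites" or parsed.query or parsed.fragment:
        problems.append("URL must point to the site itself (/sites/<SiteName>), not a location inside it")
    return problems


def domain_parameter(url: str) -> str:
    """Derive the Domain parameter value: 'yourcompany', not 'yourcompany.sharepoint.com'."""
    host = urlparse(url).hostname or ""
    if not host.endswith(SHAREPOINT_SUFFIX):
        raise ValueError(f"{host!r} is not a sharepoint.com host")
    return host[: -len(SHAREPOINT_SUFFIX)]


# Constructed sample secret with placeholder values (not real credentials).
SAMPLE_APP_ONLY_SECRET = json.dumps({
    "sharePointClientId": "00000000-0000-0000-0000-000000000000",
    "clientId": "00000000-0000-0000-0000-000000000000",
    "clientSecret": "PLACEHOLDER_ENTRA_CLIENT_SECRET",
    "sharePointClientSecret": "PLACEHOLDER_SHAREPOINT_CLIENT_SECRET",
})
SAMPLE_SITE_URL = "https://yourcompany.sharepoint.com/sites/SiteName"


if __name__ == "__main__":
    for label, found in (
        ("secret", check_secret(SAMPLE_APP_ONLY_SECRET, "app-only")),
        ("site URL", check_site_url(SAMPLE_SITE_URL)),
    ):
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
    print("Domain parameter:", domain_parameter(SAMPLE_SITE_URL))
```

Run it once against the constructed values to see a clean report, then replace the sample secret string and URL with your own (for example, the SecretString returned by Secrets Manager) before you retry the sync.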