Can't access Bedrock FM from REST Gateway

0

I'm deploying a REST gateway that calls Bedrock Titan FM. It works as expected when the REST Gateway runs locally using sam local --start-api .... Running the REST Gateway on the cloud, as follows:

sam deploy -t sam.yaml --s3-bucket $BUCKET_NAME --stack-name bedrock-gateway-stack --capabilities CAPABILITY_IAM 

and invoking endpoints that call the Bedrock Titan FM, raises the following exception:

2024-04-18 16:26:18,682 ERROR [fr.sim.qua.BedrockAiResource] (sdk-async-response-0-0) ### BedrockAiResource.inoke(): Model invocation failed: {}: java.util.concurrent.CompletionException: software.amazon.awssdk.services.bedrockruntime.model.AccessDeniedException: User: arn:aws:sts::...:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

Here is the sam.yaml file (generated by quarkus-amazon-lambda-rest plugin):

  AWSTemplateFormatVersion: '2010-09-09'
  Transform: AWS::Serverless-2016-10-31
  Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
  Globals:
    Api:
      EndpointConfiguration: REGIONAL
      BinaryMediaTypes:
        - "*/*"

  Resources:
    BedrockGatewayApi:
      Type: AWS::Serverless::Function
      Properties:
        Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
        Runtime: java17
        CodeUri: function.zip
        MemorySize: 512
        Policies: AWSLambdaBasicExecutionRole
        Timeout: 15
        Events:
          GetResource:
            Type: Api
            Properties:
              Path: /{proxy+}
              Method: any

  Outputs:
    BedrockGatewayApiApi:
      Description: URL for application
      Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
      Export:
        Name: BedrockGatewayApiApi

Also, the Bedrock playground in the AWS console works as expected.

Many thanks in advance.

Nicolas

2개 답변
0
수락된 답변

The required permission was AmazonBedrockFullAccess. Adding it to the SAM template fixes the issue.

profile picture
nicolas
답변함 한 달 전
0

Hi Nicolas,

it looks like the role that is attached to your Lambda function does not have permissions to call InvokeModel.

User: arn:aws:sts::<account-id>:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

To resolve this, add the relevant permission to the function execution role. Currently, the role only has the Policies: AWSLambdaBasicExecutionRole role.

And consider removing your account id from your post

profile pictureAWS
전문가
답변함 한 달 전
  • This answer is void. While it's obvious that a required permission is missing here, answering the question would have involved mentioning what this permission would be. Saying "do what you need to do" doesn't help.

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인