
CDK - Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." when creating an agent with foundationModel set as inference-profile.


When I try to deploy a Bedrock agent with CDK and use a model inference profile rather than a foundation model, I get the following error:

17:21:04 | CREATE_FAILED        | AWS::Bedrock::Agent         | agent-bedrock-us-east-1
Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." (RequestToken: <Redacted>, HandlerErrorCode: AccessDenied)

Even if I'm over-permissive and grant bedrock:InvokeModel with resources set to:

"arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*", "arn:aws:bedrock:us-east-1::foundation-model/*", "arn:aws:bedrock:us-west-2::foundation-model/*"

I still get the same error. I also tried enabling model access in all US regions and the issue persists.

Below are snippets of the agent configuration:

import { readFileSync } from "fs";
import { CfnAgent } from "aws-cdk-lib/aws-bedrock";

// Inside the Stack constructor; props, agentRole and knowledgeBase are defined earlier in the stack.
const agent = new CfnAgent(this, `agent-${props.service}-${this.region}`, {
  agentName: `agent-${props.service}-${this.region}`,
  instruction: readFileSync("../prompts/base.md", "utf-8"),
  agentResourceRoleArn: agentRole.roleArn,
  // Inference profile ARN passed where the L1 construct expects a model identifier
  foundationModel: props.inferenceProfile.inferenceProfileArn,
  autoPrepare: true,
  memoryConfiguration: {
    enabledMemoryTypes: [
      "SESSION_SUMMARY"
    ],
    storageDays: 30
  },
  idleSessionTtlInSeconds: 3600,
  knowledgeBases: [
    {
      knowledgeBaseId: knowledgeBase.attrKnowledgeBaseId,
      knowledgeBaseState: "ENABLED",
      description: "Description for the KB."
    }
  ],
  tags: {
    model: props.inferenceProfile.inferenceProfileId || "",
    updatedAt: new Date().toISOString(),
    service: props.service
  }
});

And the agent service role:

import { Effect, Policy, PolicyStatement } from "aws-cdk-lib/aws-iam";

// Inline policy attached to the agent service role (agentRole is defined earlier in the stack).
const agentPolicy = new Policy(this, `agent-policy-${props.service}-${this.region}`, {
  policyName: `agent-policy-${props.service}-${this.region}`,
  statements: [
    // Model invocation on the inference profile and the underlying foundation models
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        "bedrock:InvokeModel*"
      ],
      resources: [
        "arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*",
        "arn:aws:bedrock:us-east-1::foundation-model/*",
        "arn:aws:bedrock:us-west-2::foundation-model/*"
      ]
    }),
    // Knowledge base retrieval
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        "bedrock:Retrieve",
        "bedrock:RetrieveAndGenerate"
      ],
      resources: [
        `arn:aws:bedrock:${this.region}:*:knowledge-base/${knowledgeBase.attrKnowledgeBaseId}`,
        `arn:aws:bedrock:${this.region}:*:knowledge-base/${knowledgeBase.attrKnowledgeBaseId}/*`
      ]
    }),
    // Agent logging
    new PolicyStatement({
      effect: Effect.ALLOW,
      actions: [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      resources: [
        `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/bedrock/agent/*`
      ]
    })
  ]
});
agentRole.attachInlinePolicy(agentPolicy);

EDIT: Also to note, if I use a foundation model available in us-east-1 it works, and the deployment was done using AdministratorAccess.

1 answer
1
Accepted answer

I was able to replicate the error message in my environment as well using the permissions that you provided for the Bedrock agentResourceRoleArn. For replication, I used the inference profile for Claude 3.5 Haiku.

In order to solve this issue, you will have to add the following permission to the IAM role policy.

{
    "Action": [
        "bedrock:GetInferenceProfile",
        "bedrock:ListInferenceProfiles",
        "bedrock:UseInferenceProfile"
    ],
    "Resource": "arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*",
    "Effect": "Allow"
}

I added the following PolicyStatement to the Agent Role policy and then the Bedrock agent was created successfully.

import * as iam from "aws-cdk-lib/aws-iam";

// Added to the statements array of the agent role policy
new iam.PolicyStatement({
  effect: iam.Effect.ALLOW,
  actions: [
    "bedrock:GetInferenceProfile",
    "bedrock:ListInferenceProfiles",
    "bedrock:UseInferenceProfile"
  ],
  resources: [
    `arn:aws:bedrock:us-east-1:${this.account}:inference-profile/*`,
  ]
}),

For more detail on the IAM permissions required to use inference profiles refer to the document https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-prereq.html

Requesting you to please try out the same in your environment and if the issue persists, please reach out to us using the AWS Support portal as further troubleshooting would require checking your stack details and other resources' specifications.

Answered 8 months ago
AWS
Support Engineer
Edited 8 months ago
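To catch this class of failure before a deploy rather than from a CREATE_FAILED event, the following added example (not code from the thread or from AWS) lints a rendered IAM policy document, such as the agent role policy that `cdk synth` emits, for the inference-profile actions named in the accepted answer plus bedrock:InvokeModel, and flags any Allow statement scoped to a bare "*". The account id and profile id in the sample data are placeholders.

```typescript
// Added example: lint an agent role policy document for inference-profile use.
// Required-action list comes from the accepted answer above; the rest is assumed.

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
}
interface PolicyDocument { Version: string; Statement: Statement[]; }

// Actions the accepted answer adds, plus InvokeModel that the question already grants.
const REQUIRED_ACTIONS = [
  "bedrock:GetInferenceProfile",
  "bedrock:ListInferenceProfiles",
  "bedrock:UseInferenceProfile",
  "bedrock:InvokeModel",
];

// IAM patterns allow "*" and "?" wildcards; compile one into an anchored regex.
function iamPattern(pattern: string, caseInsensitive: boolean): RegExp {
  const body = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${body}$`, caseInsensitive ? "i" : "");
}
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

interface LintResult { missing: string[]; wildcardResources: string[]; }

// Reports required actions that no Allow statement grants on profileArn, and any
// Allow statement whose resource is a bare "*". Deny statements are not evaluated.
function lintAgentRolePolicy(doc: PolicyDocument, profileArn: string): LintResult {
  const allows = doc.Statement.filter((s) => s.Effect === "Allow");
  const grants = (s: Statement, action: string): boolean =>
    asList(s.Action).some((a) => iamPattern(a, true).test(action)) &&
    asList(s.Resource).some((r) => iamPattern(r, false).test(profileArn));
  const missing = REQUIRED_ACTIONS.filter((a) => !allows.some((s) => grants(s, a)));
  const wildcardResources = allows.reduce<string[]>(
    (acc, s) => acc.concat(asList(s.Resource).filter((r) => r === "*")), []);
  return { missing, wildcardResources };
}

// Constructed sample values (account id and profile id are placeholders).
const PROFILE_ARN = "arn:aws:bedrock:us-east-1:111122223333:inference-profile/EXAMPLE-PROFILE-ID";
const ORIGINAL_POLICY: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["bedrock:InvokeModel*"],
    Resource: ["arn:aws:bedrock:us-east-1:111122223333:inference-profile/*",
               "arn:aws:bedrock:us-east-1::foundation-model/*"] } ] };
const FIXED_POLICY: PolicyDocument = { Version: "2012-10-17", Statement: [ ...ORIGINAL_POLICY.Statement,
  { Effect: "Allow", Action: ["bedrock:GetInferenceProfile", "bedrock:ListInferenceProfiles", "bedrock:UseInferenceProfile"],
    Resource: "arn:aws:bedrock:us-east-1:111122223333:inference-profile/*" } ] };
```

Running the linter on ORIGINAL_POLICY reports the three inference-profile actions as missing, which matches the AccessDenied the question describes; FIXED_POLICY reports none.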
