Well, finally I managed to create Bedrock Agent using API (and Terraform).
- Service role for Amazon Bedrock Agent
  - The prefix AmazonBedrockExecutionRoleForAgents_ must be used for the role name.
  - The path must be /service-role/.
- Policy attached to this role
  - The prefix AmazonBedrockAgentBedrockFoundationModelPolicy_ must be used for the policy name.
See also this information.
I can't find such a requirement in the AWS documentation.
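Added example (not the answer's Terraform and not AWS's code): a small helper that builds the CreateRole arguments for an agent service role following the naming convention above, and a check that a candidate agentResourceRoleArn matches it. The trust-policy condition keys (aws:SourceAccount, aws:SourceArn) are assumed from the AWS agent IAM documentation linked later in this thread, and the agent/* wildcard is an assumption; account, region and suffix values are constructed.

```python
import json
import re

ROLE_PREFIX = "AmazonBedrockExecutionRoleForAgents_"
ROLE_PATH = "/service-role/"
POLICY_PREFIX = "AmazonBedrockAgentBedrockFoundationModelPolicy_"

# IAM role ARN shape: arn:aws:iam::<12-digit account>:role<path><name>,
# where <path> always starts and ends with "/" (just "/" when the role has no path).
_ROLE_ARN = re.compile(
    r"^arn:aws:iam::(?P<account>\d{12}):role"
    r"(?P<path>/(?:[^/]*/)*)(?P<name>[\w+=,.@-]+)$"
)


def check_agent_role_arn(arn: str) -> list:
    """Naming problems for an agent service-role ARN; [] means it follows the convention."""
    m = _ROLE_ARN.match(arn)
    if not m:
        return ["not an IAM role ARN"]
    problems = []
    if m.group("path") != ROLE_PATH:
        problems.append(f"path is {m.group('path')}, expected {ROLE_PATH}")
    if not m.group("name").startswith(ROLE_PREFIX):
        problems.append(f"role name must start with {ROLE_PREFIX}")
    return problems


def trust_policy(account_id: str, region: str) -> dict:
    """Let bedrock.amazonaws.com assume the role only for agents in this account/region (confused-deputy guard; assumed keys)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "bedrock.amazonaws.com"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {"aws:SourceAccount": account_id},
                "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock:{region}:{account_id}:agent/*"},
            },
        }],
    }


def service_role_params(suffix: str, account_id: str, region: str) -> dict:
    """Arguments for IAM CreateRole (e.g. boto3 iam.create_role(**params)); attach a policy named POLICY_PREFIX + suffix afterwards."""
    return {
        "RoleName": ROLE_PREFIX + suffix,
        "Path": ROLE_PATH,
        "AssumeRolePolicyDocument": json.dumps(trust_policy(account_id, region)),
    }
```

Running check_agent_role_arn on the role you pass to CreateAgent tells you whether a failure could come from the naming convention before you dig into IAM policies.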
The situation you're experiencing, where you can create a Bedrock Agent using the AWS Management Console but not through the CLI, despite having the necessary permissions, could be due to a few potential reasons:
- IAM Permission Discrepancy: While your IAM user appears to have the necessary permissions based on the simulate-principal-policy output, there might be a discrepancy between the permissions applied to console actions versus API/CLI actions. Sometimes, certain permissions are implicitly granted for console use but need to be explicitly defined for API/CLI use.
- Service Control Policies (SCPs): If your AWS account is part of an organization, there might be SCPs in place that restrict API/CLI actions but not console actions for Bedrock Agents.
- Temporary Permission Issues: There could be a temporary issue with permission propagation or caching on AWS's side.
- Region-specific Permissions: Ensure that you're using the same region in both the console and CLI, as permissions can sometimes be region-specific.
- CLI Configuration: Your AWS CLI might not be correctly configured with the right credentials or region.
To resolve this issue, you can try the following solutions:
- Double-check your IAM permissions: Ensure that your IAM user or role has explicit permissions for Bedrock Agent API actions, including "bedrock:CreateAgent".
- Use AWS CloudTrail: Check CloudTrail logs to see if there are any permission-related issues when making the API call.
- Try using AWS STS: Use the AWS Security Token Service (STS) to obtain temporary credentials and try the operation with those.
- Verify CLI configuration: Ensure your AWS CLI is configured correctly with the right credentials and region.
- Contact AWS Support: If the issue persists, it might be worth contacting AWS Support for further assistance, as there could be an account-specific issue.
- Use the new simplified configuration: Amazon Bedrock has recently introduced a simplified agent creation and configuration experience. You might want to check if this new approach works better with the CLI.
Remember to always follow the principle of least privilege when assigning permissions, granting only the necessary access required for the task at hand.
Sources
Amazon Bedrock Agents simplifies agent creation and launches Return of Control capability
Agents for Amazon Bedrock: Introducing a simplified creation and configuration experience | AWS News Blog
Hi,
This is very probably due to the fact that the credentials with which you make the CLI request from your machine are not those that you believe you use.
So, check them with the CLI command aws sts get-caller-identity on your laptop, the same way that you issue the Bedrock command. It will return the IAM identity that is used and, finally, the auths of this identity, to see which Bedrock commands it is allowed to issue.
Best,
Didier
Thank you for your answer.
I've done it already. See https://repost.aws/questions/QU0-Eu489JRBep27gk-8H7aQ/i-can-create-bedrock-agent-using-console-but-can-t-using-cli#CO11rrsYjWTM6aUNw7K1DCQw
This is the same user.
Hi again,
It may be due to the model; can you try with claude-3-5-sonnet-20241022?
Not all models are optimized for agents: see https://docs.aws.amazon.com/bedrock/latest/userguide/agents-create.html
Best,
Didier
Thank you for this suggestion. I've tried with several models that are available in my account/region.
Again, I can create an agent using the same user with several models using the console, but can't do this using the API.
I wonder if there are some other limitations/restrictions that are not related to IAM policies, e.g. some billing/budget limits or other factors that can cause such a situation?
I've added the AmazonBedrockFullAccess policy, which contains:
Result: still AccessDeniedException
This is the same user that is used to create the Bedrock Agent using the AWS Management Console.
I'm not sure how this applies to the CLI. According to
I can see the CreateAgent event.
Done. I've assumed a role with the policy described here: https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples-agent.html#iam-agents-ex-all.
Result: the same :-(