CreateBotLocale is erroring with user has no permissions

0

Hi, I am using the Java SDK to create a Lex v2 bot. Here is the code to create a bot:

final DataPrivacy dataPrivacy = DataPrivacy.builder().childDirected(isDataPrivacyRequired).build();

final CreateBotRequest botRequest = CreateBotRequest.builder().botName(botName).roleArn(roleARN).idleSessionTTLInSeconds(idleSessionTTLInSeconds).dataPrivacy(dataPrivacy).build();

final CreateBotResponse response = this.lexClient.createBot(botRequest);
		

The bot gets created. As a next step I create the bot locale like the following:

final CreateBotLocaleRequest botLocaleRequest = CreateBotLocaleRequest.builder().botId(botId).nluIntentConfidenceThreshold(0.4).botVersion("DRAFT").localeId("en_US").build();

final CreateBotLocaleResponse botLocaleResponse = this.lexClient.createBotLocale(botLocaleRequest);

The above doesn't work and I get the following error:

software.amazon.awssdk.services.lexmodelsv2.model.LexModelsV2Exception: User: arn:aws:iam::xxxxxxxxxxx:user/ci-user is not authorized to perform: null (Service: LexModelsV2, Status Code: 403, Request ID: f9ebd3de-c0d4-4c3d-b1ad-8a2c38a22552, Extended Request ID: null)

The only difference between creating the bot and the bot locale is roleArn. I am not sure if that is creating this problem. How can I solve this? Any insights?

Btw I am using the following code to get the lex client:

public LexModelsV2Client getLexClient() {
    Region region = Region.AP_SOUTHEAST_1;
    DefaultCredentialsProvider provider = DefaultCredentialsProvider.create();

    return LexModelsV2Client.builder().credentialsProvider(provider).region(region).build();
}

This IAM user has all AWS permissions to access and I have used the simulator to test the policy and it gives access. Not sure what is missing!

2 Answers
0

Looking at the available permissions for Lex, I see that you've got permissions for Lex and Lex v2 to choose from. This might explain why you can build a bot but cannot build a locale, because in Lex v1 there is no explicit permission for creating a locale, but in Lex v2 there is 'BuildBotLocale'.

I would say to go back to the IAM permissions for the IAM user that you're using for these calls, double-check that they have what they need and modify their permissions if needed.

I see that you've mentioned that the simulator worked fine, so if you find that is the case again (simulator works but implementation doesn't) then I would start trying to whittle down the permissions. Start with things like "Put*" in the policy statement for the Lex service, and check it. If that works, then list out all of the Puts and whittle down. If you go from "Put*" to all of the "Put" actions and it stops working, then you may have found a hidden permission and that needs to be reflected in the documentation. You can report this through the 2nd page I linked above. Scroll to the bottom of it and hit the 'thumbs down' option and explain what was missing and it should be updated relatively quickly.

AWS
answered 2 years ago
  • Hi Ciaran, Not sure if I have explained it properly. I am not trying to "build" the bot locale, rather I am trying to "create" the bot locale. I would assume build is required when you have already created the bot and the locale. So I think BuildBotLocale is not required. But anyway, the user has all the permissions.

    In terms of permissions, my actions are " * " and resources are " * " as well. Which means the user can do anything they want.

    Also, when I was trying out creating the bot with the CreateBot call, I was getting a similar error. In the code, I passed in roleArn and it started to work.

    It seems passing the roleARN is possible when creating the bot but not when creating the bot locale, as there is no method available in CreateBotLocaleRequest to pass in the roleARN. I feel this is what is missing.
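
An added diagnostic for the narrowing-down approach suggested in the answer above (not code from the question, the answer, or AWS): it records which principal the default credentials chain resolved, whether that principal can see the bot and what status it is in, and the full service error from CreateBotLocale, so each policy change can be compared against a concrete result. It assumes the AWS SDK for Java v2 `sts` module is on the classpath next to `lexmodelsv2`; the class name and the command-line argument are illustrative.

```java
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.lexmodelsv2.LexModelsV2Client;
import software.amazon.awssdk.services.lexmodelsv2.model.CreateBotLocaleRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.DescribeBotRequest;
import software.amazon.awssdk.services.lexmodelsv2.model.LexModelsV2Exception;
import software.amazon.awssdk.services.sts.StsClient;

// Hypothetical helper class, not part of the original post.
public class CreateBotLocaleDiagnostics {
    public static void main(String[] args) {
        String botId = args[0]; // botId returned by the earlier CreateBot call
        Region region = Region.AP_SOUTHEAST_1;
        DefaultCredentialsProvider provider = DefaultCredentialsProvider.create();

        // 1. Which principal did the default credentials chain actually resolve?
        try (StsClient sts = StsClient.builder()
                .credentialsProvider(provider).region(region).build()) {
            System.out.println("Caller ARN: " + sts.getCallerIdentity().arn());
        }

        String step = "DescribeBot";
        try (LexModelsV2Client lex = LexModelsV2Client.builder()
                .credentialsProvider(provider).region(region).build()) {
            // 2. Can this caller see the bot, and what status does it report?
            System.out.println("Bot status: " + lex.describeBot(
                    DescribeBotRequest.builder().botId(botId).build()).botStatus());

            // 3. Same request as in the question.
            step = "CreateBotLocale";
            lex.createBotLocale(CreateBotLocaleRequest.builder()
                    .botId(botId).botVersion("DRAFT").localeId("en_US")
                    .nluIntentConfidenceThreshold(0.4).build());
            System.out.println("CreateBotLocale succeeded");
        } catch (LexModelsV2Exception e) {
            // Surface everything the service returned, not just the message.
            System.err.printf("%s failed: HTTP %d, code=%s, requestId=%s%n  %s%n",
                    step, e.statusCode(), e.awsErrorDetails().errorCode(),
                    e.requestId(), e.awsErrorDetails().errorMessage());
        }
    }
}
```

The request ID printed on failure is the value to quote when reporting a suspected undocumented permission.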

0

Hi everyone, Can anyone please suggest how I can resolve this? I am stuck until this is resolved as I can't create a bot completely due to the problem above with the locale.

answered 2 years ago
  • Hey, were you able to resolve this issue?
