Unable to create data source from S3 bucket for Knowledge Base using boto3

0

This is the code

```python
import boto3

# create_data_source is an operation of the Agents for Amazon Bedrock API
client = boto3.client('bedrock-agent')

response = client.create_data_source(
    dataDeletionPolicy='RETAIN',
    dataSourceConfiguration={
        's3Configuration': {
            'bucketArn': 'arn:aws:s3:::backup-21june',
            'inclusionPrefixes': [
                'string',
            ]
        },
        'type': 'S3',
    },
    description='string',
    knowledgeBaseId='string',
    name='string',
    serverSideEncryptionConfiguration={
        'kmsKeyArn': 'string'
    },
    vectorIngestionConfiguration={
        'chunkingConfiguration': {
            'chunkingStrategy': 'FIXED_SIZE',
        },
    }
)
```

And this is the error:

AccessDeniedException: An error occurred (AccessDeniedException) when calling the CreateDataSource operation: User: arn:aws:iam::940037879431:user/grazitti is not authorized to perform: bedrock:CreateDataSource

This is the policy

We have the permission here

The Policy attached to the User

No Permission Boundary Set

JSON Policy

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "bedrock:*",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::940037879431:role/darwin-project-role"
    }
  ]
}
```

2 Answers
0

Hello.

Is the IAM policy shown in the image attached to the IAM user mentioned in the error message?
Also, is there a policy set to deny "bedrock:CreateDataSource" to the IAM user?
Please also check whether any permission boundaries have been set for the IAM user.
If a permission boundary is set, please delete the setting.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

EXPERT
answered 2 years ago
    1. yes.
    2. checking for permission boundary
  • Hi Riku, I edited my question to add the requisite screenshots

  • Is it possible to share the IAM policy in JSON?

  • shared by editing the answer

0

Hello, would you be able to share details regarding this role as well: role/darwin-project-role? Does it have a permission boundary set?

Is your AWS account in an organization with SCPs? If so, you need to ensure that the SCPs allow the necessary actions for creating a data source from an S3 bucket. Even if you have bedrock:fullAccess attached to your user, the SCPs might override this permission if they deny relevant actions.

Evaluate all policies. If there is an explicit deny mentioned anywhere, most probably the final decision will be deny.

answered 2 years ago
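The evaluation order the answers describe, as an added example that is not part of the original thread: a simplified same-account model (identity policies, permission boundaries and SCPs only; no conditions, NotAction, resource or session policies) run against the question's policy, which is assumed to read `bedrock:*` on `*`. The SCPs, the boundary and the knowledge base ARN are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Identity policy from the question (assumption: wildcards are bedrock:* on *).
IDENTITY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
  {"Effect": "Allow", "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::940037879431:role/darwin-project-role"}]}""")
# Constructed policies and ARN for illustration; none of these come from the thread.
SCP_ALLOW_ALL = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCP_DENY = {"Statement": [{"Effect": "Deny", "Action": "bedrock:CreateDataSource",
                           "Resource": "*"}]}
BOUNDARY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
KB_ARN = "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/EXAMPLEKB01"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Action names compare case-insensitively; ARNs are case-sensitive.
    act = any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res = any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act and res

def _effects(policies, action, resource):
    # Set of effects ("Allow"/"Deny") from every statement that matches the request.
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
            if _matches(s, action, resource)}

def evaluate(action, resource, identity, boundaries=(), scps=()):
    """Return (decision, reason) for one request by an IAM user."""
    layers = {"identity": list(identity), "boundary": list(boundaries), "scp": list(scps)}
    effects = {n: _effects(p, action, resource) for n, p in layers.items()}
    # 1. An explicit deny in any layer ends the evaluation.
    for name, found in effects.items():
        if "Deny" in found:
            return ("Deny", f"explicit deny in {name} policy")
    # 2. SCPs and boundaries only limit: when present, each must also allow.
    for name in ("scp", "boundary"):
        if layers[name] and "Allow" not in effects[name]:
            return ("Deny", f"no allow in {name} policy")
    # 3. Only the identity policy grants the permission.
    if "Allow" not in effects["identity"]:
        return ("Deny", "no allow in identity policy")
    return ("Allow", "allowed by identity policy")

if __name__ == "__main__":
    req = ("bedrock:CreateDataSource", KB_ARN)
    print(evaluate(*req, [IDENTITY]))
    print(evaluate(*req, [IDENTITY], scps=[SCP_ALLOW_ALL, SCP_DENY]))
    print(evaluate(*req, [IDENTITY], boundaries=[BOUNDARY_S3_ONLY]))
```

With only the identity policy the request is allowed, so an AccessDeniedException for this user points at one of the other layers, or at a different policy than the one shown being in effect.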
