Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

CDK - Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." when creating an agent with foundationModel set as inference-profile.

0

When I try to deploy a bedrock agent with CDK and attempt to use a model inference-profile rather than foundation-model I get the following error:

17:21:04 | CREATE_FAILED        | AWS::Bedrock::Agent         | agent-bedrock-us-east-1
Resource handler returned message: "Access denied for operation 'AWS::Bedrock::Agent'." (RequestToken: <Redacted>, HandlerErrorCode: AccessDenied)

Even if I'm over permissive and grant bedrock:InvokeModel with resources set to:

"arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*", "arn:aws:bedrock:us-east-1::foundation-model/*", "arn:aws:bedrock:us-west-2::foundation-model/*"

I still get the same error. I also tried enabling model access in all US regions and the issue persists.

Below are snippets of the agent configuration:

const agent = new CfnAgent(this, `agent-${props.service}-${this.region}`, {
      agentName: `agent-${props.service}-${this.region}`,
      instruction: readFileSync("../prompts/base.md", "utf-8"),
      agentResourceRoleArn: agentRole.roleArn,
      foundationModel: props.inferenceProfile.inferenceProfileArn,
      autoPrepare: true,
      memoryConfiguration: {
        enabledMemoryTypes: [
          "SESSION_SUMMARY"
        ],
        storageDays: 30
      },
      idleSessionTtlInSeconds: 3600,
      knowledgeBases: [
        {
          knowledgeBaseId: knowledgeBase.attrKnowledgeBaseId,
          knowledgeBaseState: "ENABLED",
          description: "Description for the KB."
        }
      ],
      tags: {
        model: props.inferenceProfile.inferenceProfileId || "",
        updatedAt: new Date().toISOString(),
        service: props.service
      }
    });

And the agent service role:

const agentPolicy = new Policy(this, `agent-policy-${props.service}-${this.region}`, {
      policyName: `agent-policy-${props.service}-${this.region}`,
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: [
            "bedrock:InvokeModel*"
          ],
          resources: [
            "arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*",
            "arn:aws:bedrock:us-east-1::foundation-model/*",
            "arn:aws:bedrock:us-west-2::foundation-model/*"
          ]
        }),
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: [
            "bedrock:Retrieve",
            "bedrock:RetrieveAndGenerate"
          ],
          resources: [
            `arn:aws:bedrock:${this.region}:*:knowledge-base/${knowledgeBase.attrKnowledgeBaseId}`,
            `arn:aws:bedrock:${this.region}:*:knowledge-base/${knowledgeBase.attrKnowledgeBaseId}/*`
          ]
        }),
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
          ],
          resources: [
            `arn:aws:logs:${this.region}:${this.account}:log-group:/aws/bedrock/agent/*`
          ]
        })
      ]
    });
    agentRole.attachInlinePolicy(agentPolicy);

EDIT: Also to note, if I use a foundation model available in us-east-1 it works, and the deployment was done using AdministratorAccess.

Topics
Management & GovernanceMachine Learning & AIAWS Cloud Development Kit (CDK)Generative AI on AWS
Tags
AWS CloudFormationAWS Cloud Development Kit (CDK)Amazon Bedrock
Language
English
asked 8 months ago781 views
1 Answer
1
Accepted Answer

I was able to replicate the error message in my environment as well using the permissions that you provided for the Bedrock agentResourceRoleArn. For replication, I used the inference profile for Claude 3.5 Haiku.

In order to solve this issue, you will have to add the following permission to the IAM role policy.

{
            "Action": [
                "bedrock:GetInferenceProfile",
                "bedrock:ListInferenceProfiles",
                "bedrock:UseInferenceProfile"
            ],
            "Resource": "arn:aws:bedrock:us-east-1:<account-id>:inference-profile/*",
            "Effect": "Allow"
        }

I added the following policyStatement to the Agent Role policy and then the Bedrock agent was created successfully.

new iam.PolicyStatement({
          effect: iam.Effect.ALLOW,
          actions: [
            "bedrock:GetInferenceProfile",
            "bedrock:ListInferenceProfiles",
            "bedrock:UseInferenceProfile"
          ],
          resources: [
            `arn:aws:bedrock:us-east-1:${this.account}:inference-profile/*`,
          ]
        }),

For more detail on the IAM permissions required to use inference profiles refer to the document https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-prereq.html

Requesting you to please try out the same in your environment and if issues persists, please reach out to us using AWS Support portal as further troubleshooting would require checking your stack details and other resource's specification.

answered 8 months ago
AWS
SUPPORT ENGINEER
revised 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Relevant content