By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Error when Bedrock agent invoke lambda

2

I have created an AWS bedrock agent, when invoking the lambda I receive the following error:

Access denied while invoking Lambda function arn:aws:lambda:us-east-1:XXXXXXXXXXXXXX:function:InsuranceClaimsLambda. Check the permissions on Lambda function and retry the request.

Can you help me?

Topics
ServerlessComputeMachine Learning & AIGenerative AI on AWS
Tags
AWS LambdaAmazon Bedrock
Language
English
Villa83
asked a year ago7.9K views
4 Answers
7

Was able to solve my issue. You need to add a resource-based policy statement on the Lambda.

  1. Go into Lambda function
  2. Select Configuration tab
  3. Select Permission menu item
  4. Scroll down to Resource-based Policy Statements and click Add Permissions button
  5. Click AWS Service radio button
  6. Choose Other from the Service dropdown
  7. Enter anything for Statement ID
  8. Enter bedrock.amazonaws.com for the Principal
  9. Enter your Bedrock Agent's ARN as the Source ARN
  10. Select lambda:InvokeFunctionas the Action
  11. Click Save
smotamed
answered a year ago
  • Trevor Sullivan
    8 months ago

    The same issue can occur with Bedrock Prompt Flows. Make sure you specify the Prompt Flow ARN instead, in these cases.

  • saikotag
    8 months ago

    Example resource policy: { "Version": "2012-10-17", "Id": "default", "Statement": [ { "Sid": "lambdaaccess-for-bedrockagentaccess", "Effect": "Allow", "Principal": { "Service": "bedrock.amazonaws.com" }, "Action": "lambda:InvokeFunction", "Resource": "arn:aws:lambda:us-xxxx-1:84XXXXXX428:function:<lambda-function-name>", "Condition": { "ArnLike": { "AWS:SourceArn": "arn:aws:bedrock:us-east-1:84XXXXXX428:agent/*" } } } ] }

3
Accepted Answer

hey, i feel your BedRock agent IAM Service role is missing lambda:InvokeFunction permission to invoke a lambda function. Make sure to give this permission to BedRock agent on resource(your lambda function ARN) lambda function. Let me if you need something.

profile picture
Bhuvan Prasad G
answered a year ago
profile picture
EXPERT
Oleksii Bebych
reviewed a year ago
profile pictureAWS
EXPERT
Didier_Durand
reviewed a year ago
0

I'm having same error. I gave both Bedrock Agent IAM role and Lambda role AdministratorAccess policy and still getting the error. Executing the Lambda manually is fine but can't run test with Bedrock Agent.

The trace from the Bedrock Agent test shows that in pre-processing step, it correctly classified my input. The orchestration step shows that it understood the input correctly and was ready to call the right function with the right mapping of parameters. But that's all I see. There's only that single step and nothing else and there's nothing on the post-processing tab.

The error states Access denied while invoking Lambda function arn:aws:lambda:us-west-2:xxxxxxxxxxxx:function:yyyyyy Check the permissions on Lambda function and retry the request. I checked the CloudWatch logs for the Lambda and there's nothing which seems to confirm Bedrock is unable to even invoke the Lambda function.

smotamed
answered a year ago
  • Anamaria_T
    10 months ago

    You need the agent ARN, not the Agent's role ARN. I also had the same problem and when I put the agent ARN in it finally went through.

0

To complete the answer here is the CDK way to add this Resource-based Policy Statement:

lambda_.CfnPermission(
      self,
      "BedrockInvocationPermission",
       action="lambda:InvokeFunction",
       function_name=action_group_function.function_name,
       principal="bedrock.amazonaws.com",
       source_arn=agent.agent_arn,
)
MLGuy
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content