By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Use S3 bucket in kendra

0

I have created an index in Kendra and attached data source as S3 connector but when I am trying to sync, I am getting this error :

We couldn't sync the following data source: 's3-chatbot', at start time Jan 02, 2024, 3:39 PM GMT+5:30. User: arn:aws:sts::xxxxxxxxxxxxx:assumed-role/AmazonKendra-us-east-2-index/KendraCustomerSession is not authorized to perform: logs:CreateLogGroup on resource: arn:aws:logs:us-east-3:xxxxxxxxxxx:log-group:/aws/kendra/xxxxxxxxxxxxxxxxxxxxx:log-stream: because no identity-based policy allows the logs:CreateLogGroup action (Service: AWSLogs; Status Code: 400; Error Code: AccessDeniedException; Request ID: xxxxxxxxxxxxxxxx2d0232; Proxy: null)

Please help me with this error

Topics
Machine Learning & AISecurity, Identity, & ComplianceStorage
Tags
Amazon KendraIAM PoliciesAmazon S3 Access Grants
Language
English
BAdhikari
asked 4 months ago347 views
1 Answer
0
Accepted Answer

Hello.

Do you have the IAM role used by Kendra index configured to allow the "logs:CreateLogGroup" policy?
Please try setting a sample IAM policy in the document below.
Please change "your-region" and "your-account-id" to match your AWS account.
https://docs.aws.amazon.com/kendra/latest/dg/iam-roles.html

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "cloudwatch:PutMetricData",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "cloudwatch:namespace": "AWS/Kendra"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "logs:DescribeLogGroups",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "logs:CreateLogGroup",
            "Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:your-region:your-account-id:log-group:/aws/kendra/*:log-stream:*"
        }
    ]
}
profile picture
EXPERT
Riku_Kobayashi
answered 4 months ago
  • BAdhikari
    4 months ago

    Thanks for replying, it worked.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content