User: ARN is not authorized to perform: bedrock:CreateKnowledgeBase


Even after adding all the actions associated with Bedrock, I still cannot create a KnowledgeBase. How can I fix this?

The following policy is attached to the user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "bedrock:*",
            "Resource": "*"
        }
    ]
}
3 answers

Hi,

Did you try a more explicit policy than '*' for action and resource?

i.e., CreateKnowledgeBase for action https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html and arn:${Partition}:bedrock:${Region}:${Account}:knowledge-base/${KnowledgeBaseId} for the knowledge base?

If it works, then you may want to open a support ticket for '*' via the AWS console account: AWS service teams like Bedrock's are not supposed to monitor re:Post for issues.

Best,

Didier

AWS
Expert
Answered 8 months ago

I encountered something similar. If you are trying to use a custom role to create a Knowledge Base, you may need to confirm that your role matches the required permissions documented here: https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html

Key points:

  • The role name must start with this prefix: AmazonBedrockExecutionRoleForKnowledgeBase_
  • The role permissions must include Bedrock actions: ListFoundationModels & ListCustomModels for all resources, and the bedrock:InvokeModel action for the specific model resource (currently only this one is allowed: arn:aws:bedrock:{REGION}::foundation-model/amazon.titan-embed-text-v1)
  • This is listed as optional, but when I was testing by using a role AWS created for me (and I didn't have a vector database to provide already), this was included in the permissions as well: Full API access to Amazon OpenSearch
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "aoss:APIAccessAll"
        ],
        "Resource": [
            "*"
        ]
    }]
}

Note: once the vector DB is created, best practice would be to limit that resource wildcard further to only the vector database the role will need.

  • AND the role's trust policy must allow the bedrock service to assume the role.
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "bedrock.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "account-id"
            },
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:bedrock:{REGION}:{ACCOUNT-ID}:knowledge-base/*"
            }
        }
    }]
}

Note also: once the knowledge base is created, you should update the trust policy on this role to restrict it further to the KnowledgeBase it created.

ENV
Answered 6 months ago
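The requirements in this answer (name prefix, Bedrock trust statement with a condition, the three Bedrock actions) can be checked before calling CreateKnowledgeBase. The checker below is an added example, not part of the original answer or any AWS tool; it assumes the role's trust and permission policy documents have already been loaded as Python dicts, and runs against a constructed sample modelled on the asker's user policy.

```python
# Requirements as listed in the answer above; this checker is constructed, not AWS tooling.
REQUIRED_PREFIX = "AmazonBedrockExecutionRoleForKnowledgeBase_"
REQUIRED_ACTIONS = {"bedrock:ListFoundationModels", "bedrock:ListCustomModels",
                    "bedrock:InvokeModel"}
BEDROCK_SERVICE = "bedrock.amazonaws.com"

def _as_list(value):
    # IAM accepts a single string or a list in Action/Resource/Principal fields.
    return [] if value is None else (value if isinstance(value, list) else [value])

def _allowed_actions(policy):
    # Every action granted by an Allow statement; Deny statements are not evaluated here.
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action")))
    return actions

def _bedrock_trust_statement(trust_policy):
    # The Allow statement letting bedrock.amazonaws.com call sts:AssumeRole, or None.
    for stmt in trust_policy.get("Statement", []):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (stmt.get("Effect") == "Allow" and BEDROCK_SERVICE in services
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))):
            return stmt
    return None

def check_kb_role(role_name, trust_policy, permission_policy):
    """Return findings for a knowledge-base execution role; an empty list means it passes."""
    findings = []
    if not role_name.startswith(REQUIRED_PREFIX):
        findings.append(f"role name must start with {REQUIRED_PREFIX}")
    trust = _bedrock_trust_statement(trust_policy)
    if trust is None:
        findings.append(f"trust policy does not let {BEDROCK_SERVICE} assume the role")
    elif not trust.get("Condition"):
        findings.append("trust policy has no aws:SourceAccount/aws:SourceArn condition")
    granted = _allowed_actions(permission_policy)
    if "bedrock:*" not in granted:  # a wildcard covers all three required actions
        findings += [f"missing permission {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return findings

# Constructed sample: the asker's user policy reused on a role whose trust policy is empty.
USER_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "bedrock:*", "Resource": "*"}]}
NO_TRUST = {"Version": "2012-10-17", "Statement": []}

if __name__ == "__main__":
    print(check_kb_role("MyKbRole", NO_TRUST, USER_POLICY))
```

With the real documents from `get_role` and the attached policies, an empty result means the role satisfies the documented requirements; the InvokeModel resource ARN is not checked here.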

I am getting the error below with a custom role: botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: bedrock-knowledge cannot assume role arn:aws:iam::643045476917:role/AmazonBedrockExecutionRoleForKnowledgeBase_1232

My trust relationship is as below:

import json

import boto3  # assumed: iam_resource in the original snippet is a boto3 IAM service resource

iam_resource = boto3.resource("iam")
# Role name taken from the error message above
role_name = "AmazonBedrockExecutionRoleForKnowledgeBase_1232"

# Create the role with a trust policy that lets the Bedrock service assume it,
# restricted to knowledge bases in this account and region
role = iam_resource.create_role(
    RoleName=role_name,
    AssumeRolePolicyDocument=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AmazonBedrockKnowledgeBaseTrustPolicy",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": ["bedrock.amazonaws.com"]
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceAccount": "643045476917"
                        },
                        "ArnLike": {
                            "aws:SourceArn": "arn:aws:bedrock:us-east-1:643045476917:knowledge-base/*"
                        }
                    }
                }
            ]
        }
    ),
)
RAJIB
Answered 5 months ago
