Hi,
Did you try a more explicit policy than '*' for action and resource? I.e., CreateKnowledgeBase for the action (see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonbedrock.html) and arn:${Partition}:bedrock:${Region}:${Account}:knowledge-base/${KnowledgeBaseId} for the knowledge base?
If it works, then you may want to open a support ticket for '*' via the AWS console account: AWS service teams like Bedrock's are not supposed to monitor re:Post for issues.
Best,
Didier
I encountered something similar. If you are trying to use a custom role to create a Knowledge Base, you may need to confirm that your role matches the required permissions documented here: https://docs.aws.amazon.com/bedrock/latest/userguide/kb-permissions.html
Key points:
- The role name must start with this prefix: AmazonBedrockExecutionRoleForKnowledgeBase_
- The role permissions must include Bedrock actions: ListFoundationModels & ListCustomModels for all resources, and the bedrock:InvokeModel action for the specific model resource (currently only this one is allowed: arn:aws:bedrock:{REGION}::foundation-model/amazon.titan-embed-text-v1)
- This is listed as optional, but when I was testing by using a role AWS created for me (and I didn't have a vector database to provide already), this was included in the permissions as well: Full API access to Amazon OpenSearch

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "aoss:APIAccessAll"
        ],
        "Resource": [
            "*"
        ]
    }]
}
```

Note: Once the vector DB is created, best practice would be to limit that resource wildcard further to only the vector database the role will need.
- AND the role's trust policy must allow the bedrock service to assume the role.

```json
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "Service": "bedrock.amazonaws.com"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {
                "aws:SourceAccount": "account-id"
            },
            "ArnLike": {
                "AWS:SourceArn": "arn:aws:bedrock:{REGION}:{ACCOUNT-ID}:knowledge-base/*"
            }
        }
    }]
}
```

Note also: once the knowledge base is created, you should update the trust policy on this role to restrict it further to the Knowledge Base it created.
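As an added example (not code from the answer above or from AWS), the checks the answer lists can be run locally against a role before calling CreateKnowledgeBase: the name prefix, the required Bedrock actions, and a trust policy for bedrock.amazonaws.com scoped by aws:SourceAccount and aws:SourceArn. The policy documents and the account ID 111122223333 below are constructed sample input.

```python
# Added example, not from the thread: lint a custom Knowledge Base role against the checks
# in the answer above (name prefix, required Bedrock actions, bedrock.amazonaws.com trust
# scoped by aws:SourceAccount/aws:SourceArn). Policies and IDs below are constructed samples.
import json

ROLE_PREFIX = "AmazonBedrockExecutionRoleForKnowledgeBase_"
REQUIRED_ACTIONS = {"bedrock:ListFoundationModels", "bedrock:ListCustomModels", "bedrock:InvokeModel"}

def _as_list(value):  # IAM accepts a string or a list in most fields; normalise to a list
    return value if isinstance(value, list) else [value]

def _allows(doc):
    return [s for s in _as_list(doc.get("Statement", [])) if s.get("Effect") == "Allow"]

def check_trust_policy(trust_doc, account_id, region):
    """Return problems found in the trust policy; an empty list means it matches the answer's shape."""
    kb_prefix = f"arn:aws:bedrock:{region}:{account_id}:knowledge-base/"
    for stmt in _allows(trust_doc):
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if "bedrock.amazonaws.com" not in services or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        # IAM condition keys are case-insensitive, so "AWS:SourceArn" and "aws:SourceArn" are the same key.
        conds = {k.lower(): _as_list(v) for blk in stmt.get("Condition", {}).values() for k, v in blk.items()}
        problems = []
        if account_id not in conds.get("aws:sourceaccount", []):
            problems.append("trust: aws:SourceAccount missing or not this account")
        if not any(str(a).startswith(kb_prefix) for a in conds.get("aws:sourcearn", [])):
            problems.append("trust: aws:SourceArn not scoped to this account's knowledge bases")
        return problems
    return ["trust: no Allow statement lets bedrock.amazonaws.com call sts:AssumeRole"]

def check_role(role_name, trust_doc, permissions_doc, account_id, region):
    """Name, permissions and trust checks combined; empty list means nothing obviously wrong."""
    problems = [] if role_name.startswith(ROLE_PREFIX) else [f"name: must start with {ROLE_PREFIX}"]
    granted = {a for s in _allows(permissions_doc) for a in _as_list(s.get("Action", []))}
    problems += [f"permissions: missing {a}" for a in sorted(REQUIRED_ACTIONS - granted)]
    return problems + check_trust_policy(trust_doc, account_id, region)

# Constructed sample input in the shape the answer describes (account 111122223333 is a placeholder).
SAMPLE_TRUST = json.loads('''{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Service": ["bedrock.amazonaws.com"]}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
  "ArnLike": {"AWS:SourceArn": "arn:aws:bedrock:us-east-1:111122223333:knowledge-base/*"}}}]}''')
SAMPLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:ListFoundationModels", "bedrock:ListCustomModels"], "Resource": "*"},
    {"Effect": "Allow", "Action": "bedrock:InvokeModel",
     "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-embed-text-v1"}]}

if __name__ == "__main__":
    print(check_role("AmazonBedrockExecutionRoleForKnowledgeBase_kb1", SAMPLE_TRUST, SAMPLE_PERMISSIONS, "111122223333", "us-east-1"))
```

Feed it the trust and permissions documents you are about to pass to create_role / put_role_policy; an empty list only means the shape matches the answer's checklist, not that IAM will accept it.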
I am getting the below error with a custom role:

```
botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: bedrock-knowledge cannot assume role arn:aws:iam::643045476917:role/AmazonBedrockExecutionRoleForKnowledgeBase_1232
```

My trust relationship is as below:
```python
import json

import boto3

# IAM resource client and the role name from the error message above
iam_resource = boto3.resource("iam")
role_name = "AmazonBedrockExecutionRoleForKnowledgeBase_1232"

# Create the role with a trust policy that lets the Bedrock service assume it,
# scoped to knowledge bases in this account and region
role = iam_resource.create_role(
    RoleName=role_name,
    AssumeRolePolicyDocument=json.dumps(
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "AmazonBedrockKnowledgeBaseTrustPolicy",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": ["bedrock.amazonaws.com"]
                    },
                    "Action": "sts:AssumeRole",
                    "Condition": {
                        "StringEquals": {
                            "aws:SourceAccount": "643045476917"
                        },
                        "ArnLike": {
                            "aws:SourceArn": "arn:aws:bedrock:us-east-1:643045476917:knowledge-base/*"
                        }
                    }
                }
            ]
        }
    )
)
```