Bedrock KnowledgeBase sync error, can't access S3 bucket

1

I'm following the instructions here to create a Knowledge Base.

I configure the Knowledge Base to have one of my S3 buckets (under the same account) as my data source. However, when I try to Sync the data source, it errors out right away with:

Encountered error: Access Denied (Service: S3, Status Code: 403, Request ID: JDKB992YNZEJ475K, Extended Request ID: VhXJ7Nrt+ZYjxx5IlAnwsg+Wmu2iLGeJ/7zomRMhr0OW83Sac+BtiwUMpe+9XYj0+zkwl8LMau0=). Call to Amazon S3 Source did not succeed.

Error screenshot

The Role/policies that the console set up seem right.

Role/policies screenshot

Any thoughts about what could be wrong here?

4 Answers
3
Accepted Answer

The policy generated by Bedrock when creating the Knowledge Base data source is incorrect for the time being - it lacks a reference to the bucket itself in Resources so as to authorize the ListBucket action itself. Manually adding the bucket to the Resources (in your case "arn:aws:s3:::equilo-data-ingestion") will solve the issue. NB: I would recommend hiding your account number when posting in an open forum for security.

macamhi
answered 10 months ago
EXPERT
reviewed 4 months ago
  • First, thanks for the security callout. That was an oversight. I have updated the screenshot in the question, fwiw.

    You were totally right. Adding the bucket itself as a resource to the policy enabled a sync. Hope the default policy generation can account for this edge case where a user only wants to ingest a bucket's sub folder/object.

  • Seems fixed now.
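The accepted answer's point is that s3:ListBucket is authorized against the bucket ARN while s3:GetObject is authorized against object ARNs, so a policy that names only "bucket/prefix/*" denies the listing a sync does first. The following added example (not code from the thread or from AWS; the bucket name is a constructed placeholder) audits an IAM policy document for that gap and produces the corrected copy:

```python
import copy
import fnmatch

# Constructed sample (hypothetical bucket name, not the poster's): a generated
# data-source policy that names only the object prefix as a resource.
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-kb-bucket/ingest/*"],
    }],
}

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _grants_list_bucket(stmt: dict) -> bool:
    """True for an Allow statement whose Action covers s3:ListBucket (wildcards too)."""
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatch("s3:listbucket", a) for a in actions)

def bucket_arns_missing_for_list(policy: dict) -> list[str]:
    """Return bucket ARNs that s3:ListBucket needs but the policy never names.

    ListBucket is evaluated against the bucket ARN (arn:aws:s3:::bucket), while
    GetObject is evaluated against object ARNs (bucket/key). Granting ListBucket
    only on "bucket/prefix/*" fails the list call a sync makes first (the 403).
    """
    missing = []
    for stmt in filter(_grants_list_bucket, policy.get("Statement", [])):
        resources = _as_list(stmt.get("Resource"))
        wanted = {r.split("/", 1)[0] for r in resources if "/" in r}   # implied bucket ARNs
        present = {r for r in resources if "/" not in r}                # bucket ARNs granted
        missing.extend(sorted(wanted - present))
    return missing

def add_bucket_arns(policy: dict) -> dict:
    """Copy of the policy with each missing bucket ARN appended to the Resource
    list of the ListBucket statement that implies it (the accepted answer's fix)."""
    fixed = copy.deepcopy(policy)
    for stmt in filter(_grants_list_bucket, fixed.get("Statement", [])):
        resources = _as_list(stmt.get("Resource"))
        for bucket in sorted({r.split("/", 1)[0] for r in resources if "/" in r}):
            if bucket not in resources:
                resources.append(bucket)
        stmt["Resource"] = resources
    return fixed
```

Run `bucket_arns_missing_for_list` over the role policy pulled from IAM before a sync; a non-empty result is exactly the case the accepted answer describes, and Deny statements are left untouched.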

1

Please check the region in which your bucket has been created and the region where bedrock is being used. I had the same issue, just checked the regions between both and it is resolved. The autogenerated policies have proper access you do not need to edit anything else.

AWS
answered 10 months ago
0

Hey, a couple of reasons that I could assume are causing the above failure.

  1. Proper IAM policies are not set up. s3:GetObject, s3:ListObject are the bare minimum policies to copy over the S3 bucket object. But if your bucket is enabled with versioning, you need s3:GetObjectVersion permission. And to copy the objects with tags, you need s3:GetObjectTagging (source bucket), s3:PutObjectTagging (needed for destination bucket). If you have attached the permission policies to the destination bucket, make sure that bucket has these policies: s3:GetObject, s3:PutObject, and s3:ListBucket.
  2. S3-SSE. If you have enabled the Server-side encryption with AWS Managed KMS Key or Customer Managed Key, you should have kms:Decrypt, kms:GenerateDataKey permissions on specific KMS key in resource section of IAM policy.
answered 10 months ago
  • Thanks for the reply. Good to know about the additional permissions needed in these various scenarios, which I am about to get into. For now, the issue was about the actual bucket not being listed as a resource in the policy, even though I only wanted to ingest files in a sub folder/object.

0

I am getting a similar sync error, but it says the Knowledge base role is not able to call the specified embedding model. But I see the policy is generated. What could be the issue?

Sayan
answered 10 months ago
