Can't access Bedrock FM from REST Gateway

0

I'm deploying a REST gateway that calls Bedrock Titan FM. It works as expected when the REST Gateway runs locally using sam local --start-api .... Running the REST Gateway on the cloud, as follows:

sam deploy -t sam.yaml --s3-bucket $BUCKET_NAME --stack-name bedrock-gateway-stack --capabilities CAPABILITY_IAM 

and invoking endpoints that call the Bedrock Titan FM, raises the following exception:

2024-04-18 16:26:18,682 ERROR [fr.sim.qua.BedrockAiResource] (sdk-async-response-0-0) ### BedrockAiResource.inoke(): Model invocation failed: {}: java.util.concurrent.CompletionException: software.amazon.awssdk.services.bedrockruntime.model.AccessDeniedException: User: arn:aws:sts::...:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

Here is the sam.yaml file (generated by quarkus-amazon-lambda-rest plugin):

  AWSTemplateFormatVersion: '2010-09-09'
  Transform: AWS::Serverless-2016-10-31
  Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
  Globals:
    Api:
      EndpointConfiguration: REGIONAL
      BinaryMediaTypes:
        - "*/*"

  Resources:
    BedrockGatewayApi:
      Type: AWS::Serverless::Function
      Properties:
        Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
        Runtime: java17
        CodeUri: function.zip
        MemorySize: 512
        Policies: AWSLambdaBasicExecutionRole
        Timeout: 15
        Events:
          GetResource:
            Type: Api
            Properties:
              Path: /{proxy+}
              Method: any

  Outputs:
    BedrockGatewayApiApi:
      Description: URL for application
      Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
      Export:
        Name: BedrockGatewayApiApi

Also, the Bedrock playground in the AWS console works as expected.

Many thanks in advance.

Nicolas

2 answers
0
Accepted answer

The required permission was AmazonBedrockFullAccess. Adding it to the SAM template fixes the issue.

nicolas
answered 1 month ago
0

Hi Nicolas,

it looks like the role that is attached to your Lambda function does not have permissions to call InvokeModel.

User: arn:aws:sts::<account-id>:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

To resolve this, add the relevant permission to the function execution role. Currently, the role only has the Policies: AWSLambdaBasicExecutionRole role.

And consider removing your account id from your post

AWS
Expert
answered 1 month ago
  • This answer is void. While it's obvious that a required permission is missing here, answering the question would have involved mentioning what this permission would be. Saying "do what you need to do" doesn't help.
