Can't access Bedrock FM from REST Gateway


I'm deploying a REST gateway that calls the Bedrock Titan FM. It works as expected when the REST Gateway runs locally using sam local --start-api .... Running the REST Gateway in the cloud, as follows:

sam deploy -t sam.yaml --s3-bucket $BUCKET_NAME --stack-name bedrock-gateway-stack --capabilities CAPABILITY_IAM 

and invoking endpoints that call the Bedrock Titan FM raises the following exception:

2024-04-18 16:26:18,682 ERROR [fr.sim.qua.BedrockAiResource] (sdk-async-response-0-0) ### BedrockAiResource.inoke(): Model invocation failed: {}: java.util.concurrent.CompletionException: software.amazon.awssdk.services.bedrockruntime.model.AccessDeniedException: User: arn:aws:sts::...:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

Here is the sam.yaml file (generated by quarkus-amazon-lambda-rest plugin):

  AWSTemplateFormatVersion: '2010-09-09'
  Transform: AWS::Serverless-2016-10-31
  Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
  Globals:
    Api:
      EndpointConfiguration: REGIONAL
      BinaryMediaTypes:
        - "*/*"

  Resources:
    BedrockGatewayApi:
      Type: AWS::Serverless::Function
      Properties:
        Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
        Runtime: java17
        CodeUri: function.zip
        MemorySize: 512
        Policies: AWSLambdaBasicExecutionRole
        Timeout: 15
        Events:
          GetResource:
            Type: Api
            Properties:
              Path: /{proxy+}
              Method: any

  Outputs:
    BedrockGatewayApiApi:
      Description: URL for application
      Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
      Export:
        Name: BedrockGatewayApiApi

Also, the Bedrock playground in the AWS console works as expected.

Many thanks in advance.

Nicolas

2 answers

Accepted answer

The required permission was AmazonBedrockFullAccess. Adding it to the SAM template fixes the issue.

nicolas
answered 1 month ago

Hi Nicolas,

it looks like the role that is attached to your Lambda function does not have permissions to call InvokeModel.

User: arn:aws:sts::<account-id>:assumed-role/bedrock-gateway-stack-BedrockGatewayApiRole-37LTyaxmS5Gi/bedrock-gateway-stack-BedrockGatewayApi-UbY8COwJ3v6I is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:eu-west-3::foundation-model/amazon.titan-text-express-v1 because no identity-based policy allows the bedrock:InvokeModel action (Service: BedrockRuntime, Status Code: 403, Request ID: 0781f5c7-a0f9-4f5a-99b0-127c20dd69b2)

To resolve this, add the relevant permission to the function execution role. Currently, the role only has the Policies: AWSLambdaBasicExecutionRole role.

And consider removing your account ID from your post.

AWS Expert
answered 1 month ago
  • This answer is void. While it's obvious that a required permission is missing here, answering the question would have involved mentioning what this permission would be. Saying "do what you need to do" doesn't help.
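Added example, not part of either answer above: the accepted answer attaches the AmazonBedrockFullAccess managed policy, and the second answer says to add "the relevant permission" without naming it. The 403 in the question names exactly what is missing (action bedrock:InvokeModel on the eu-west-3 foundation-model ARN), so the execution role only needs that. The template below is the poster's sam.yaml function resource with its Policies list extended by an inline statement scoped to that action and model; the `!Sub` on the region is an assumption that the function is deployed in the same region as the model (the question deploys to eu-west-3, so the resulting ARN matches the one in the error).

```yaml
# Added example: least-privilege alternative to AmazonBedrockFullAccess.
# Only the Policies list differs from the poster's generated sam.yaml.
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Description: AWS Serverless Quarkus HTTP - bedrock-gateway-api
Globals:
  Api:
    EndpointConfiguration: REGIONAL
    BinaryMediaTypes:
      - "*/*"

Resources:
  BedrockGatewayApi:
    Type: AWS::Serverless::Function
    Properties:
      Handler: io.quarkus.amazon.lambda.runtime.QuarkusStreamHandler::handleRequest
      Runtime: java17
      CodeUri: function.zip
      MemorySize: 512
      Timeout: 15
      Policies:
        # Keeps CloudWatch Logs permissions from the original template.
        - AWSLambdaBasicExecutionRole
        # Inline policy: exactly the action and resource named in the
        # AccessDeniedException, nothing broader.
        - Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - bedrock:InvokeModel
              # Foundation-model ARNs have an empty account field, as in the
              # error message: arn:aws:bedrock:<region>::foundation-model/<id>
              # Assumption: the model is invoked in the stack's own region.
              Resource: !Sub 'arn:aws:bedrock:${AWS::Region}::foundation-model/amazon.titan-text-express-v1'
      Events:
        GetResource:
          Type: Api
          Properties:
            Path: /{proxy+}
            Method: any

Outputs:
  BedrockGatewayApiApi:
    Description: URL for application
    Value: !Sub 'https://${ServerlessRestApi}.execute-api.${AWS::Region}.amazonaws.com/Prod/'
    Export:
      Name: BedrockGatewayApiApi
```

Two caveats when adapting this. If the Quarkus code calls the streaming API (InvokeModelWithResponseStream) rather than InvokeModel, add `bedrock:InvokeModelWithResponseStream` to the Action list; the error only proves that InvokeModel is used. And the denial is evaluated per model ARN, so switching to a different Titan model, or to a cross-region inference profile, requires changing the Resource accordingly rather than widening it to `*`. After deploying, the change can be confirmed without invoking the function by running `aws iam simulate-principal-policy` against the stack's BedrockGatewayApiRole with `--action-names bedrock:InvokeModel` and the model ARN as `--resource-arns`, which should report `allowed` for that single action and `implicitDeny` for anything else under bedrock:.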
