Error after running `list_foundation_models`

[Mohannadcse]

I receive the following error after running this line boto3_bedrock.list_foundation_models() in https://github.com/aws-samples/amazon-bedrock-workshop/blob/main/00_Intro/bedrock_boto3_setup.ipynb

NoCredentialsError                        Traceback (most recent call last)
Cell In[11], line 1
----> 1 boto3_bedrock.list_foundation_models()

File [~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530](https://file+.vscode-resource.vscode-cdn.net/Users/moh/Downloads/repos/bedrock/00_Intro/~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530), in ClientCreator._create_api_method.._api_call(self, *args, **kwargs)
    526     raise TypeError(
    527         f"{py_operation_name}() only accepts keyword arguments."
    528     )
    529 # The "self" in this scope is referring to the BaseClient.
--> 530 return self._make_api_call(operation_name, kwargs)

File [~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:947](https://file+.vscode-resource.vscode-cdn.net/Users/moh/Downloads/repos/bedrock/00_Intro/~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:947), in BaseClient._make_api_call(self, operation_name, api_params)
    945 else:
    946     apply_request_checksum(request_dict)
--> 947     http, parsed_response = self._make_request(
    948         operation_model, request_dict, request_context
    949     )
    951 self.meta.events.emit(
    952     'after-call.{service_id}.{operation_name}'.format(
    953         service_id=service_id, operation_name=operation_name
   (...)
    958     context=request_context,
    959 )
    961 if http.status_code >= 300:
...
--> 418         raise NoCredentialsError()
    419     datetime_now = datetime.datetime.utcnow()
    420     request.context['timestamp'] = datetime_now.strftime(SIGV4_TIMESTAMP)

NoCredentialsError: Unable to locate credentials

[athewsey]

Hi, it looks like your AWS credentials are not being correctly picked up from your environment.

Are you able to run other simple commands in your notebook like !aws s3 ls or !aws sts get-caller-identity? I assume from the other PR you're using a non-SageMaker notebook environment? in which case would suggest referring to the general docs here for tips on how to set up your credentials with the AWS CLI.

If you usually use a profile to manage your AWS credentials, please note there was a very recent fix #16 that you'd need to make sure you took before setting the AWS_PROFILE env var.

[Mohannadcse]

These commands don't work, but why I received that the client created successfully?

[Mohannadcse]

When I run !aws config, I receive this but doesn't allow me to type anything

[Mohannadcse]

Where I assume I'm using Env vars based on the info provided here https://github.com/aws-samples/amazon-bedrock-workshop/issues/19

[athewsey]

These commands don't work, but why I received that the client created successfully?

This is just reflective of how boto3 works so is unfortunately outside our control for the workshop 🤷‍♂️ I believe actual credentials are lazily fetched only at the point an API request is attempted?

When I run !aws config, I receive this but doesn't allow me to type anything

Yes you won't be able to run aws config from a notebook cell because it's not an interactive shell: If you're able to open up a terminal in the same environment though (e.g. VSCode integrated terminal), you should be able to configure your CLI from there: Especially if you use e.g. aws configure --profile MyCoolProfile to create a named profile (which gets saved in local file) and then set AWS_PROFILE env var in your notebook.

FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like AWS_ACCESS_KEY_ID directly from within the notebook through os.environ[], because of the risk of accidentally checking in any secrets hard-coded in your notebook files.

[Mohannadcse]

FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like AWS_ACCESS_KEY_ID directly from within the notebook through os.environ[], because of the risk of accidentally checking in any secrets hard-coded in your notebook files

I think this is what I'm doing, I have: 1- ~/.aws/credentials which contains

[mohannad]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY

2- ~/.aws/config which contains

[profile mohannad]
region = YOUR_REGION

Finally, inside the notebook, I have this setting:

# os.environ["AWS_DEFAULT_REGION"] = "us-west-2"  # E.g. "us-east-1"
os.environ["AWS_PROFILE"] = "mohannad"
# os.environ["BEDROCK_ASSUME_ROLE"] = "<YOUR_ROLE_ARN>"  # E.g. "arn:aws:..."
# os.environ["BEDROCK_ENDPOINT_URL"] = "<YOUR_ENDPOINT_URL>"  # E.g. "https://..."

Am I missing anything? or Do I need to get any permission to access Bedrock?

[Mohannadcse]

After doing many things on the config file, I think no credential issues any more, but no the problem is the following

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::432471158435:user/mohannad is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::432471158435:policy/workshop_aws

Seems I need to get some permission to access the Bedrock APIs

[seabasshn]

@Mohannadcse @athewsey I'm getting the exact same issue even when I run it from SM Studio. I ensured that I gave the SM role Bedrock full access.

[Mohannadcse]

@seabasshn so it works for you now, right? can you please elaborate more on the steps that you've taken to give the full access to Bedrock, thx

[seabasshn]

@Mohannadcse No. I'm still struggling with the issue.

[Mohannadcse]

this is the error that I'm getting now

boto3_bedrock.list_foundation_models()
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.

[seabasshn]

You should be able to fix that by adding this policy to the role that's call the Bedrock endpoint:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "BedrockFullAccess", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*" } ] }

[seabasshn]

@Mohannadcse how did you manage to fix the sts:AssumeRole issue?

[Mohannadcse]

You should be able to fix that by adding this policy to the role that's call the Bedrock endpoint:

I already have it

[seabasshn]

What endpoint are you calling?

[Mohannadcse]

I just added AWS under the Principle field to point out to my user

[Mohannadcse]

It seems we need to sign up to get some permission because the model isn't accessible

[seabasshn]

I was granted preview access but I'm still stuck with sts issue.

"Failed to update trust policy. Invalid principal in policy: "AWS""

[seabasshn]

I got past the permissions issue and you're right it says:

An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.

[Mohannadcse]

yeah, we need some confirmation from @athewsey because this is one of the settings of the workshop that I'm sure taken into account

[athewsey]

To try and clarify, BEDROCK_ASSUME_ROLE is only necessary if your notebook environment needs to assume a different role than the default/current for calls to Bedrock - You shouldn't need it if you're:

• Running in SageMaker and your SageMaker Execution Role has IAM permissions for Bedrock, or
• Running with an IAM access key/secret for a user that has IAM permissions for Bedrock

The (unusual) use-case for BEDROCK_ASSUME_ROLE is if your regular identity/role hasn't been granted Bedrock permissions, and you need to assume a special separate role to call the service.

AWS_PROFILE you should use if (like @Mohannadcse) you're setting up credentials through the AWS CLI and choose to do so by creating a named profile. You don't need this one either, if you're running in SageMaker.

Do remember (it's caught me out in the past) that simply commenting os.environ["XYZ"] = "ABC" lines back out won't clear environment variables! You can set them to "" or restart your kernel to do this.

---

AccessDeniedException is a different error than the original NoCredentialsError (progress!)

For @seabasshn I see your policy has "Action": "bedrock:*": Could you try replacing with "Action": ["bedrock:*"]?

For @Mohannadcse It looks like your permission error is related to sts:AssumeRole which (as per above) I don't think you need to do? Just set your BEDROCK_ASSUME_ROLE to empty string.

[Mohannadcse]

• Running with an IAM access key/secret for a user that has IAM permissions for Bedrock

@athewsey thanks for the clarification, would you mind explaining how to do this?

where I already have the inline policy configured, see below

And these are all permissions that my account has

Am I missing anything?

[athewsey]

For @Mohannadcse's ask:

I think you were able to run aws configure from terminal to create a named profile linked to this IAM User's access key & secret, right?

The screenshot looks good. So in terms of your workshop notebook environment variables for running locally:

• AWS_PROFILE should be the name of the profile you created in the CLI
• AWS_DEFAULT_REGION should be the region where your Bedrock preview is enabled (for e.g. us-west-2 or us-east-1 or etc)... (Just to be safe - if region is configured in your profile, you might not need this)
• Ensure BEDROCK_ASSUME_ROLE and BEDROCK_ENDPOINT_URL env vars are not set, or are set to empty string.

If you see a NoCredentialsError as originally, then Python/boto3 was not able to find the access key/secret for your profile. If you see AccessDenied, then it could be mis-configuration of your IAM policies or your target region.

---

To troubleshoot, you could start from AWS basics and work up to Bedrock:

• Re-run aws configure --profile MyCoolProfile to check your profile actually has the access key & secret configured? Not set to None
• Check you can perform basic/non-Bedrock expected actions via the CLI using the profile (e.g. aws iam list-users --profile MyCoolProfile, since your user has IAMFullAccess)
• Check the same CLI commands work in a notebook cell? e.g. !aws iam list-users --profile MyCoolProfile
• Check you can do equivalent via boto3 in notebook Python:

botosess = boto3.Session(profile_name="MyCoolProfile")
iam = botosess.client("iam")
iam.list_users()

(Steps up to this point are just relating to using AWS from Python - not specific to Bedrock or this workshop...)

• Next, when trying to get_bedrock_client(...), check the profile variable is definitely getting picked up (it should print a message saying so)
• If it fails with AccessDenied on sts:AssumeRole then you did not properly clear out the BEDROCK_ASSUME_ROLE env var.
• If get_bedrock_client(...) works successfully, check the logged endpoint URL is in the AWS region you expect (us-east-1, etc)

If get_bedrock_client(...) works successfully, picks up your profile which you know can run other AWS commands, and returns the expected endpoint but you still get errors when you try to list_foundation_models(), then:

• If it's an 'unknown service' error, double-check you %pip installed the custom awscli, botocore and boto3 packages in the notebook's environment.
• If it's 'access denied' on Bedrock, then double-check your IAM user can use the Bedrock console okay?

[Mohannadcse]

Much appreciated for the detailed response.

• AWS_DEFAULT_REGION should be the region where your Bedrock preview is enabled (for e.g. us-west-2 or us-east-1 or etc)... (Just to be safe - if region is configured in your profile, you might not need this)

How can I check this point? I did try both regions but none of them works.

See the below screenshots that show there is no problem with the user configurations.

At this point, there error that I constantly receive is this: Your account is not authorized to invoke this API operation, which indicates I need to get some authorization from somewhere I don't know. Though I did setup the inline policy (see the next screenshot) See below the entire error.

AccessDeniedException                     Traceback (most recent call last)
Cell In[8], line 1
----> 1 boto3_bedrock.list_foundation_models()

File [~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530](https://file+.vscode-resource.vscode-cdn.net/Users/moh/Downloads/repos/bedrock/00_Intro/~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530), in ClientCreator._create_api_method.._api_call(self, *args, **kwargs)
    526     raise TypeError(
    527         f"{py_operation_name}() only accepts keyword arguments."
    528     )
    529 # The "self" in this scope is referring to the BaseClient.
--> 530 return self._make_api_call(operation_name, kwargs)

File [~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:964](https://file+.vscode-resource.vscode-cdn.net/Users/moh/Downloads/repos/bedrock/00_Intro/~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:964), in BaseClient._make_api_call(self, operation_name, api_params)
    962     error_code = parsed_response.get("Error", {}).get("Code")
    963     error_class = self.exceptions.from_code(error_code)
--> 964     raise error_class(parsed_response, operation_name)
    965 else:
    966     return parsed_response

AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.

[lauerarnaud]

Please retest using the latest version of the repo and SDK now that Amazon Bedrock is Generally Available. You need to enable access in your AWS account (AWS Console > Bedrock > Providers > Model Access), but is now immediate. Apart from Titan Text Express, the other models are GA.