Closed Mohannadcse closed 11 months ago
Hi, it looks like your AWS credentials are not being correctly picked up from your environment.
Are you able to run other simple commands in your notebook like `!aws s3 ls` or `!aws sts get-caller-identity`? I assume from the other PR you're using a non-SageMaker notebook environment? in which case would suggest referring to the general docs here for tips on how to set up your credentials with the AWS CLI.
If you usually use a profile to manage your AWS credentials, please note there was a very recent fix #16 that you'd need to make sure you took before setting the `AWS_PROFILE` env var.
These commands don't work, but why I received that the client created successfully?
When I run `!aws config`, I receive this but doesn't allow me to type anything
Where I assume I'm using Env vars based on the info provided here https://github.com/aws-samples/amazon-bedrock-workshop/issues/19
> These commands don't work, but why I received that the client created successfully?

This is just reflective of how boto3 works so is unfortunately outside our control for the workshop 🤷♂️ I believe actual credentials are lazily fetched only at the point an API request is attempted?

> When I run !aws config, I receive this but doesn't allow me to type anything

Yes you won't be able to run `aws config` from a notebook cell because it's not an interactive shell: If you're able to open up a terminal in the same environment though (e.g. VSCode integrated terminal), you should be able to configure your CLI from there: Especially if you use e.g. `aws configure --profile MyCoolProfile` to create a named profile (which gets saved in local file) and then set `AWS_PROFILE` env var in your notebook.
FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like `AWS_ACCESS_KEY_ID` directly from within the notebook through `os.environ[]`, because of the risk of accidentally checking in any secrets hard-coded in your notebook files.
> FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like `AWS_ACCESS_KEY_ID` directly from within the notebook through `os.environ[]`, because of the risk of accidentally checking in any secrets hard-coded in your notebook files

I think this is what I'm doing, I have:
1- `~/.aws/credentials` which contains
```
[mohannad]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
```
2- `~/.aws/config` which contains
```
[profile mohannad]
region = YOUR_REGION
```
Finally, inside the notebook, I have this setting:
```python
import os

# os.environ["AWS_DEFAULT_REGION"] = "us-west-2"  # E.g. "us-east-1"
os.environ["AWS_PROFILE"] = "mohannad"
# os.environ["BEDROCK_ASSUME_ROLE"] = "<YOUR_ROLE_ARN>"  # E.g. "arn:aws:..."
# os.environ["BEDROCK_ENDPOINT_URL"] = "<YOUR_ENDPOINT_URL>"  # E.g. "https://..."
```
Am I missing anything? Or do I need to get any permission to access Bedrock?
After doing many things on the config file, I think there are no credential issues any more, but now the problem is the following:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::432471158435:user/mohannad is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::432471158435:policy/workshop_aws
Seems I need to get some permission to access the Bedrock APIs
@Mohannadcse @athewsey I'm getting the exact same issue even when I run it from SM Studio. I ensured that I gave the SM role Bedrock full access.
@seabasshn so it works for you now, right? can you please elaborate more on the steps that you've taken to give the full access to Bedrock, thx
@Mohannadcse No. I'm still struggling with the issue.
this is the error that I'm getting now
boto3_bedrock.list_foundation_models()
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
You should be able to fix that by adding this policy to the role that's calling the Bedrock endpoint:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFullAccess",
      "Effect": "Allow",
      "Action": "bedrock:*",
      "Resource": "*"
    }
  ]
}
```
@Mohannadcse how did you manage to fix the sts:AssumeRole issue?
> You should be able to fix that by adding this policy to the role that's calling the Bedrock endpoint:

I already have it
What endpoint are you calling?
I just added `AWS` under the Principal field to point out to my user
It seems we need to sign up to get some permission because the model isn't accessible
I was granted preview access but I'm still stuck with sts issue.
"Failed to update trust policy. Invalid principal in policy: "AWS""
I got past the permissions issue and you're right it says:
An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
yeah, we need some confirmation from @athewsey because this is one of the settings of the workshop that I'm sure is taken into account
To try and clarify, `BEDROCK_ASSUME_ROLE` is only necessary if your notebook environment needs to assume a different role than the default/current for calls to Bedrock - You shouldn't need it if you're:
The (unusual) use-case for `BEDROCK_ASSUME_ROLE` is if your regular identity/role hasn't been granted Bedrock permissions, and you need to assume a special separate role to call the service.
`AWS_PROFILE` you should use if (like @Mohannadcse) you're setting up credentials through the AWS CLI and choose to do so by creating a named profile. You don't need this one either, if you're running in SageMaker.
Do remember (it's caught me out in the past) that simply commenting `os.environ["XYZ"] = "ABC"` lines back out won't clear environment variables! You can set them to `""` or restart your kernel to do this.
`AccessDeniedException` is a different error than the original `NoCredentialsError` (progress!)
For @seabasshn I see your policy has `"Action": "bedrock:*"`: Could you try replacing with `"Action": ["bedrock:*"]`?
For @Mohannadcse It looks like your permission error is related to `sts:AssumeRole` which (as per above) I don't think you need to do? Just set your `BEDROCK_ASSUME_ROLE` to empty string.
> - Running with an IAM access key/secret for a user that has IAM permissions for Bedrock

@athewsey thanks for the clarification, would you mind explaining how to do this?
where I already have the inline policy configured, see below
And these are all permissions that my account has
Am I missing anything?
For @Mohannadcse's ask:
I think you were able to run `aws configure` from terminal to create a named profile linked to this IAM User's access key & secret, right?
The screenshot looks good. So in terms of your workshop notebook environment variables for running locally:
- `AWS_PROFILE` should be the name of the profile you created in the CLI
- `AWS_DEFAULT_REGION` should be the region where your Bedrock preview is enabled (for e.g. `us-west-2` or `us-east-1` or etc)... (Just to be safe - if region is configured in your profile, you might not need this)
- `BEDROCK_ASSUME_ROLE` and `BEDROCK_ENDPOINT_URL` env vars are not set, or are set to empty string.

If you see a `NoCredentialsError` as originally, then Python/boto3 was not able to find the access key/secret for your profile. If you see `AccessDenied`, then it could be mis-configuration of your IAM policies or your target region.
To troubleshoot, you could start from AWS basics and work up to Bedrock:
- `aws configure --profile MyCoolProfile` to check your profile actually has the access key & secret configured? Not set to None
- `aws iam list-users --profile MyCoolProfile`, since your user has IAMFullAccess)
- `!aws iam list-users --profile MyCoolProfile`

```python
import boto3

botosess = boto3.Session(profile_name="MyCoolProfile")
iam = botosess.client("iam")
iam.list_users()
```
(Steps up to this point are just relating to using AWS from Python - not specific to Bedrock or this workshop...)
- `get_bedrock_client(...)`, check the profile variable is definitely getting picked up (it should print a message saying so)
- `AccessDenied` on `sts:AssumeRole` then you did not properly clear out the `BEDROCK_ASSUME_ROLE` env var.
- `get_bedrock_client(...)` works successfully, check the logged endpoint URL is in the AWS region you expect (`us-east-1`, etc)

If `get_bedrock_client(...)` works successfully, picks up your profile which you know can run other AWS commands, and returns the expected endpoint but you still get errors when you try to `list_foundation_models()`, then:
- `%pip install`ed the custom awscli, botocore and boto3 packages in the notebook's environment.

Much appreciated for the detailed response.
> `AWS_DEFAULT_REGION` should be the region where your Bedrock preview is enabled (for e.g. `us-west-2` or `us-east-1` or etc)... (Just to be safe - if region is configured in your profile, you might not need this)

How can I check this point? I did try both regions but none of them works.
See the below screenshots that show there is no problem with the user configurations.
At this point, the error that I constantly receive is this: Your account is not authorized to invoke this API operation, which indicates I need to get some authorization from somewhere I don't know. Though I did set up the inline policy (see the next screenshot). See below the entire error.
```
AccessDeniedException                     Traceback (most recent call last)
Cell In[8], line 1
----> 1 boto3_bedrock.list_foundation_models()

File ~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530, in ClientCreator._create_api_method.<locals>._api_call(self, *args, **kwargs)
    526     raise TypeError(
    527         f"{py_operation_name}() only accepts keyword arguments."
    528     )
    529 # The "self" in this scope is referring to the BaseClient.
--> 530 return self._make_api_call(operation_name, kwargs)

File ~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:964, in BaseClient._make_api_call(self, operation_name, api_params)
    962     error_code = parsed_response.get("Error", {}).get("Code")
    963     error_class = self.exceptions.from_code(error_code)
--> 964     raise error_class(parsed_response, operation_name)
    965 else:
    966     return parsed_response

AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
```
Please retest using the latest version of the repo and SDK now that Amazon Bedrock is Generally Available. You need to enable access in your AWS account (AWS Console > Bedrock > Providers > Model Access), but it is now immediate. Apart from Titan Text Express, the other models are GA.
I receive the following error after running this line `boto3_bedrock.list_foundation_models()` in https://github.com/aws-samples/amazon-bedrock-workshop/blob/main/00_Intro/bedrock_boto3_setup.ipynb
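
A pre-flight check for the failure modes discussed in this thread, as an added example that is not part of the original thread or the workshop's code: it flags a leftover `BEDROCK_ASSUME_ROLE` (including a value that is a policy ARN rather than a role ARN, as in the `sts:AssumeRole` error above), static keys set in the environment, and an `AWS_PROFILE` whose credentials-file entry is missing or unset. The name `preflight`, the finding codes and the sample values are assumptions, and it only covers profiles that keep static keys in `~/.aws/credentials`.

```python
import configparser
import re

# Shape of an IAM role ARN; a policy ARN (":policy/...") cannot be assumed.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")
STATIC_KEY_VARS = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY")
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def preflight(env, credentials_text):
    """Return (code, message) findings for a mapping like os.environ."""
    findings = []
    # A stale value survives commenting out the os.environ[...] line.
    role = env.get("BEDROCK_ASSUME_ROLE", "")
    if role and not ROLE_ARN.match(role):
        findings.append(("ROLE_NOT_A_ROLE_ARN", f"{role} is not an IAM role ARN"))
    elif role:
        findings.append(("ASSUME_ROLE_ACTIVE", "sts:AssumeRole will be attempted"))
    # Static keys in the environment usually mean they were typed into a cell.
    for var in STATIC_KEY_VARS:
        if env.get(var):
            findings.append(("STATIC_KEY_IN_ENV", f"{var} is set; prefer AWS_PROFILE"))
    profile = env.get("AWS_PROFILE", "")
    if profile:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(credentials_text)
        if not parser.has_section(profile):
            findings.append(("PROFILE_MISSING", f"[{profile}] not in credentials file"))
        else:
            for key in REQUIRED_KEYS:
                value = parser.get(profile, key, fallback="").strip()
                if value in ("", "None"):
                    findings.append(("KEY_UNSET", f"{key} is unset for [{profile}]"))
    return findings


# Constructed sample input: placeholder account id and documentation-style key.
SAMPLE_CREDENTIALS = """\
[workshop]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = None
"""
SAMPLE_ENV = {
    "AWS_PROFILE": "workshop",
    "BEDROCK_ASSUME_ROLE": "arn:aws:iam::111122223333:policy/workshop_aws",
}

if __name__ == "__main__":
    for code, message in preflight(SAMPLE_ENV, SAMPLE_CREDENTIALS):
        print(code, "-", message)
```

In a notebook, pass `os.environ` and the text of `~/.aws/credentials`; an empty result means none of these local misconfigurations is present, so a remaining `AccessDeniedException` points at IAM policy or account-level model access.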