awslabs / agents-for-amazon-bedrock-blueprints

MIT No Attribution

[BUG]Knowledge Base sync fails #21

Open moritalous opened 3 months ago

moritalous commented 3 months ago

Describe the bug

I tried to deploy 03-agent-with-kb-and-guardrails:

git clone https://github.com/aws-samples/amazon-bedrock-samples.git
cd amazon-bedrock-samples/agents-for-bedrock/agent-blueprint-templates/
./blueprints.sh init
source ~/.bashrc
aws configure
./blueprints.sh deploy 03-agent-with-kb-and-guardrails

The Cfn deploy succeeds, but the Knowledge Base sync fails.

Error message in the Sync history:

Encountered error: Access Denied (Service: S3, Status Code: 403, Request ID: 3C7W8SDZFXKRB5E5, Extended Request ID: vTA/SackaEevUIZtZMMqHdntIhr97qSdSl45//+4v4jl799qH0FwKM6mvgakWDwCoon89zILntw=). Call to Amazon S3 Source did not succeed.

I checked the service role of the Knowledge Base:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "bedrock:InvokeModel",
            "Resource": "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-embed-text-v1",
            "Effect": "Allow",
            "Sid": "AllowKBToInvokeEmbedding"
        },
        {
            "Action": "aoss:APIAccessAll",
            "Resource": "arn:aws:aoss:us-east-1:637423213562:collection/ccygcjufi7yyog6ks2q9",
            "Effect": "Allow",
            "Sid": "AllowKBToAccessAOSS"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "637423213562"
                }
            },
            "Action": [
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::agentwithkbandguardrailss-agenticragstackagentblue-xgal3cstax2l/*",
                "arn:aws:s3:::agentwithkbandguardrailss-agenticragstackagentblue-xgal3cstax2l"
            ],
            "Effect": "Allow",
            "Sid": "AllowKBToAccessAssets"
        }
    ]
}

For comparison, we created a new knowledge base using the Management Console and checked its service role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3ListBucketStatement",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::bedrock-637423213562"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": [
                        "637423213562"
                    ]
                }
            }
        },
        {
            "Sid": "S3GetObjectStatement",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bedrock-637423213562/kb-0721/",
                "arn:aws:s3:::bedrock-kb-custom-transformation/*",
                "arn:aws:s3:::bedrock-637423213562/kb-0719/*",
                "arn:aws:s3:::bedrock-637423213562/kb-0721/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": [
                        "637423213562"
                    ]
                }
            }
        },
        {
            "Sid": "S3PutObjectStatement",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::bedrock-kb-custom-transformation/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "637423213562"
                }
            }
        }
    ]
}

I found that there is a difference in the condition block.

Created by agent blueprint:

            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "637423213562"
                }
            },

Created by management console:

            "Condition": {
                "StringEquals": {
                    "aws:ResourceAccount": "637423213562"
                }
            }

I changed aws:SourceAccount to aws:ResourceAccount, and then the retry succeeded.

Is this the specified behavior?

Target

aws --version
aws-cli/2.17.32 Python/3.11.9 Linux/5.15.123.1-microsoft-standard-WSL2 exe/x86_64.ubuntu.22

cdk version 2.152.0 (build faa7d79)

Host Ubuntu 22.04 on WSL2
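The behaviour reported above follows from how IAM evaluates condition keys: aws:SourceAccount is only put into the request context when an AWS service calls on behalf of one of its resources, so for the KB service role's own s3:GetObject call the key is absent, StringEquals fails, and the statement does not match (hence the 403). aws:ResourceAccount, by contrast, is populated with the owner of the bucket being accessed, so it both fixes the sync and keeps the data source pinned to the account. The following script is an added illustration, not code from the blueprint repository; it re-implements a minimal evaluator for the AllowKBToAccessAssets statement from the issue, and the request contexts it builds are constructed approximations of what IAM sees.

```python
import fnmatch

# Values copied from the policy in the issue above.
BUCKET = "agentwithkbandguardrailss-agenticragstackagentblue-xgal3cstax2l"
ACCOUNT = "637423213562"


def kb_statement(condition_key=None):
    """The blueprint's AllowKBToAccessAssets statement, parameterised on
    the condition key (aws:SourceAccount, aws:ResourceAccount or None)."""
    stmt = {
        "Sid": "AllowKBToAccessAssets",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}"],
    }
    if condition_key is not None:
        stmt["Condition"] = {"StringEquals": {condition_key: ACCOUNT}}
    return stmt


def s3_request_context(bucket_owner):
    """Constructed approximation of the IAM request context for the KB
    service role's own s3:GetObject call. aws:SourceAccount is deliberately
    absent: IAM populates it only when an AWS service acts on behalf of one
    of its resources, not for a role's direct S3 call. aws:ResourceAccount
    carries the account that owns the bucket being accessed."""
    return {
        "aws:PrincipalAccount": ACCOUNT,
        "aws:ResourceAccount": bucket_owner,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """StringEquals only (sufficient for this issue). A key that is missing
    from the request context makes StringEquals evaluate to false, which is
    the root cause of the 403 in the sync history."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, allowed in pairs.items():
            if ctx.get(key) not in _as_list(allowed):
                return False
    return True


def evaluate_statement(stmt, action, resource, ctx):
    """Return the statement's Effect if it matches, else 'ImplicitDeny'."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return "ImplicitDeny"
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return "ImplicitDeny"
    if "Condition" in stmt and not condition_matches(stmt["Condition"], ctx):
        return "ImplicitDeny"
    return stmt["Effect"]


def sync_outcome(condition_key, bucket_owner=ACCOUNT):
    """Simulate the ingestion job reading one object from the data source
    bucket, owned either by this account or (hypothetically) by another."""
    ctx = s3_request_context(bucket_owner)
    return evaluate_statement(
        kb_statement(condition_key),
        "s3:GetObject",
        f"arn:aws:s3:::{BUCKET}/docs/faq.pdf",  # constructed object key
        ctx,
    )


if __name__ == "__main__":
    for key in ("aws:SourceAccount", "aws:ResourceAccount", None):
        print(f"{str(key):20} own bucket: {sync_outcome(key):12} "
              f"bucket owned by another account: {sync_outcome(key, '111111111111')}")
```

Running it shows why the two fixes differ: with aws:SourceAccount every read is implicitly denied; with no condition at all (the commit linked in the next comment) reads succeed regardless of who owns the bucket, because a Resource ARN pins only the bucket name; with aws:ResourceAccount reads succeed for the account's own bucket and are still denied if a bucket of that name is owned elsewhere, which is the scoping the console-generated role provides.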

MrIce-9 commented 1 month ago

Hello, I fixed it by removing the account check there: https://github.com/awslabs/agents-for-amazon-bedrock-blueprints/commit/2b762b14d4c121172a921c5b21c13861db8ddd81

But your solution actually seems better. Did you check whether it addresses the problem consistently? I see other permission errors based on timing: https://github.com/awslabs/agents-for-amazon-bedrock-blueprints/issues/22