Closed wwwDESIGN-basti closed 1 week ago
To resolve the "ValidationException: Operation not allowed" error when setting up the AWS Bedrock Connector with your AWS Key and SecKey in a self-hosted Dify version 0.7.1, ensure that you have correctly configured the required credentials and region. Here is the relevant configuration schema from the bedrock.yaml file:

```yaml
provider: bedrock
label:
  en_US: AWS
description:
  en_US: AWS Bedrock's models.
icon_small:
  en_US: icon_s_en.svg
icon_large:
  en_US: icon_l_en.svg
background: "#FCFDFF"
help:
  title:
    en_US: Get your Access Key and Secret Access Key from AWS Console
  url:
    en_US: https://console.aws.amazon.com/
supported_model_types:
  - llm
  - text-embedding
configurate_methods:
  - predefined-model
provider_credential_schema:
  credential_form_schemas:
    - variable: aws_access_key_id
      required: false
      label:
        en_US: Access Key (If not provided, credentials are obtained from the running environment.)
        zh_Hans: Access Key
      type: secret-input
      placeholder:
        en_US: Enter your Access Key
        zh_Hans: 在此输入您的 Access Key
    - variable: aws_secret_access_key
      required: false
      label:
        en_US: Secret Access Key
        zh_Hans: Secret Access Key
      type: secret-input
      placeholder:
        en_US: Enter your Secret Access Key
        zh_Hans: 在此输入您的 Secret Access Key
    - variable: aws_region
      required: true
      label:
        en_US: AWS Region
        zh_Hans: AWS 地区
      type: select
      default: us-east-1
      options:
        - value: us-east-1
          label:
            en_US: US East (N. Virginia)
            zh_Hans: 美国东部 (弗吉尼亚北部)
        - value: us-west-2
          label:
            en_US: US West (Oregon)
            zh_Hans: 美国西部 (俄勒冈州)
        - value: ap-southeast-1
          label:
            en_US: Asia Pacific (Singapore)
            zh_Hans: 亚太地区 (新加坡)
        - value: ap-northeast-1
          label:
            en_US: Asia Pacific (Tokyo)
            zh_Hans: 亚太地区 (东京)
        - value: eu-central-1
          label:
            en_US: Europe (Frankfurt)
            zh_Hans: 欧洲 (法兰克福)
        - value: eu-west-2
          label:
            en_US: Eu west London (London)
            zh_Hans: 欧洲西部 (伦敦)
        - value: us-gov-west-1
          label:
            en_US: AWS GovCloud (US-West)
            zh_Hans: AWS GovCloud (US-West)
        - value: ap-southeast-2
          label:
            en_US: Asia Pacific (Sydney)
            zh_Hans: 亚太地区 (悉尼)
    - variable: model_for_validation
      required: false
      label:
        en_US: Available Model Name
        zh_Hans: 可用模型名称
      type: text-input
      placeholder:
        en_US: A model you have access to (e.g. amazon.titan-text-lite-v1) for validation.
        zh_Hans: 为了进行验证,请输入一个您可用的模型名称 (例如:amazon.titan-text-lite-v1)
```
Ensure that:
- aws_access_key_id and aws_secret_access_key.
- aws_region from the provided options.
- model_for_validation.

If the credentials and region are correctly set and you still encounter the error, verify that the IAM user associated with the provided keys has the necessary permissions to access AWS Bedrock services.
Additionally, you can validate your credentials programmatically as shown in the integration test for the Bedrock provider:

```python
import os

import pytest

from core.model_runtime.errors.validate import CredentialsValidateFailedError
from core.model_runtime.model_providers.bedrock.bedrock import BedrockProvider


def test_validate_provider_credentials():
    provider = BedrockProvider()

    # An empty credentials dict must be rejected.
    with pytest.raises(CredentialsValidateFailedError):
        provider.validate_provider_credentials(
            credentials={}
        )

    # Credentials read from the environment must validate without raising.
    # Key name kept as in the quoted test; the schema above names this
    # field aws_access_key_id.
    provider.validate_provider_credentials(
        credentials={
            "aws_region": os.getenv("AWS_REGION"),
            "aws_access_key": os.getenv("AWS_ACCESS_KEY"),
            "aws_secret_access_key": os.getenv("AWS_SECRET_ACCESS_KEY")
        }
    )
```
This test ensures that the credentials are validated correctly. Make sure to set the environment variables AWS_REGION, AWS_ACCESS_KEY, and AWS_SECRET_ACCESS_KEY appropriately before running the test [1][2].
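Added example (not part of the comment above and not Dify code): an offline check of a credentials dict against the field names and region options of the schema quoted above. `check_credentials` and the sample values are hypothetical; the rule that a key ID and its secret must be given together is an assumption of this example. It shows that the `aws_access_key` key used in the quoted test is not a schema field, so that dict carries a secret without a key ID.

```python
# Added example: field names and region options are copied from the schema
# quoted above. check_credentials() is a hypothetical helper, not Dify code.
SCHEMA = {
    "aws_access_key_id": {"required": False},
    "aws_secret_access_key": {"required": False},
    "aws_region": {
        "required": True,
        "options": ["us-east-1", "us-west-2", "ap-southeast-1", "ap-northeast-1",
                    "eu-central-1", "eu-west-2", "us-gov-west-1", "ap-southeast-2"],
    },
    "model_for_validation": {"required": False},
}


def check_credentials(credentials):
    """Return findings for a credentials dict; an empty list means nothing to fix."""
    findings = []
    # Keys the schema does not define (typos, renamed fields).
    for name in sorted(set(credentials) - set(SCHEMA)):
        findings.append(f"error: '{name}' is not a field of the schema")
    for name, rule in SCHEMA.items():
        value = credentials.get(name)
        if rule["required"] and not value:
            findings.append(f"error: required field '{name}' is missing or empty")
        elif value and "options" in rule and value not in rule["options"]:
            findings.append(f"error: '{value}' is not an offered value for '{name}'")
    # Assumed rule: a static key ID is only usable together with its secret.
    has_key = bool(credentials.get("aws_access_key_id"))
    has_secret = bool(credentials.get("aws_secret_access_key"))
    if has_key != has_secret:
        findings.append("error: access key and secret access key must be given together")
    elif not has_key:
        # Taken from the schema label of aws_access_key_id.
        findings.append("note: no static keys given, so credentials are obtained "
                        "from the running environment")
    return findings


# Constructed inputs with placeholder values, not real keys.
AS_IN_QUOTED_TEST = {"aws_region": "us-east-1", "aws_access_key": "AKIA-PLACEHOLDER",
                     "aws_secret_access_key": "placeholder-secret"}
AS_IN_SCHEMA = {"aws_region": "us-east-1", "aws_access_key_id": "AKIA-PLACEHOLDER",
                "aws_secret_access_key": "placeholder-secret"}

if __name__ == "__main__":
    for label, creds in (("quoted test", AS_IN_QUOTED_TEST), ("schema", AS_IN_SCHEMA)):
        print(label, check_credentials(creds))
```

The note for a dict without static keys matters when debugging permission errors: the identity being evaluated is then whatever the host environment supplies, not the IAM user whose policy was just attached.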
I tried it, but can't reproduce this issue on 0.7.1 (on my ec2)
@ybalbert001 Thanks for your comments. I had to reconfigure my AWS Bedrock connection after swapping my AWS key. The new key includes the BedRockFullAccess policy. I have requested and been granted model access for the North Virginia region. During the configuration in Dify, I didn’t enter a model name (which I hadn’t done before either). However, recently, AWS notified me of a security incident. Could it be that this incident is affecting my ability to access AWS services while the issue remains unresolved?
I needed the model name (e.g. anthropic.claude-3-sonnet-20240229-v1:0) to verify the first time.
If you can invoke the model through the AWS console, this issue should not be the root cause of your problem. You may check your AK/SK and its bound policy; if possible, please provide some snapshots for us.
Another suggestion is to contact the SA of AWS to ask for help.
Self Checks
Dify version
0.7.1
Cloud or Self Hosted
Self Hosted (Docker)
Steps to reproduce
I want to set up the AWS Bedrock Connector with my AWS Key and SecKey. The AWS User already has the BedrockFullAccess Role. Every time I try to save the credentials: ValidationException: Operation not allowed
In the Dev Console (Network Tab) of Chrome: POST: https:///console/api/workspaces/current/model-providers/bedrock - 400 Bad Request
{ "code": "invalid_param", "message": "ValidationException: Operation not allowed", "status": 400 }
✔️ Expected Behavior
A successful save.
❌ Actual Behavior
No response