langgenius / dify

Dify is an open-source LLM app development platform. Dify's intuitive interface combines AI workflow, RAG pipeline, agent capabilities, model management, observability features and more, letting you quickly go from prototype to production.
https://dify.ai

Setting up AWS Bedrock: ValidationException: Operation not allowed #7488

Closed wwwDESIGN-basti closed 1 week ago

wwwDESIGN-basti commented 3 weeks ago

Self Checks

Dify version

0.7.1

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

I want to set up the AWS Bedrock Connector with my AWS Key and SecKey. The AWS User already has the BedrockFullAccess Role. Every time I try to save the credentials: ValidationException: Operation not allowed

In the Dev Console (Network Tab) of Chrome: POST: https:///console/api/workspaces/current/model-providers/bedrock - 400 Bad Request { "code": "invalid_param", "message": "ValidationException: Operation not allowed", "status": 400 }

✔️ Expected Behavior

A successful save.

❌ Actual Behavior

No response

dosubot[bot] commented 3 weeks ago

To resolve the "ValidationException: Operation not allowed" error when setting up the AWS Bedrock Connector with your AWS Key and SecKey in a self-hosted Dify version 0.7.1, ensure that you have correctly configured the required credentials and region. Here is the relevant configuration schema from the bedrock.yaml file:

provider: bedrock
label:
  en_US: AWS
description:
  en_US: AWS Bedrock's models.
icon_small:
  en_US: icon_s_en.svg
icon_large:
  en_US: icon_l_en.svg
background: "#FCFDFF"
help:
  title:
    en_US: Get your Access Key and Secret Access Key from AWS Console
  url:
    en_US: https://console.aws.amazon.com/
supported_model_types:
  - llm
  - text-embedding
configurate_methods:
  - predefined-model
provider_credential_schema:
  credential_form_schemas:
    - variable: aws_access_key_id
      required: false
      label:
        en_US: Access Key (If not provided, credentials are obtained from the running environment.)
        zh_Hans: Access Key
      type: secret-input
      placeholder:
        en_US: Enter your Access Key
        zh_Hans: 在此输入您的 Access Key
    - variable: aws_secret_access_key
      required: false
      label:
        en_US: Secret Access Key
        zh_Hans: Secret Access Key
      type: secret-input
      placeholder:
        en_US: Enter your Secret Access Key
        zh_Hans: 在此输入您的 Secret Access Key
    - variable: aws_region
      required: true
      label:
        en_US: AWS Region
        zh_Hans: AWS 地区
      type: select
      default: us-east-1
      options:
        - value: us-east-1
          label:
            en_US: US East (N. Virginia)
            zh_Hans: 美国东部 (弗吉尼亚北部)
        - value: us-west-2
          label:
            en_US: US West (Oregon)
            zh_Hans: 美国西部 (俄勒冈州)
        - value: ap-southeast-1
          label:
            en_US: Asia Pacific (Singapore)
            zh_Hans: 亚太地区 (新加坡)
        - value: ap-northeast-1
          label:
            en_US: Asia Pacific (Tokyo)
            zh_Hans: 亚太地区 (东京)
        - value: eu-central-1
          label:
            en_US: Europe (Frankfurt)
            zh_Hans: 欧洲 (法兰克福)
        - value: eu-west-2
          label:
            en_US: Eu west London (London)
            zh_Hans: 欧洲西部 (伦敦)
        - value: us-gov-west-1
          label:
            en_US: AWS GovCloud (US-West)
            zh_Hans: AWS GovCloud (US-West)
        - value: ap-southeast-2
          label:
            en_US: Asia Pacific (Sydney)
            zh_Hans: 亚太地区 (悉尼)
    - variable: model_for_validation
      required: false
      label:
        en_US: Available Model Name
        zh_Hans: 可用模型名称
      type: text-input
      placeholder:
        en_US: A model you have access to (e.g. amazon.titan-text-lite-v1) for validation.
        zh_Hans: 为了进行验证,请输入一个您可用的模型名称 (例如:amazon.titan-text-lite-v1)

Ensure that:

  1. You have provided the correct aws_access_key_id and aws_secret_access_key.
  2. You have selected the correct aws_region from the provided options.
  3. If required, you have specified a valid model_for_validation.

If the credentials and region are correctly set and you still encounter the error, verify that the IAM user associated with the provided keys has the necessary permissions to access AWS Bedrock services.

Additionally, you can validate your credentials programmatically as shown in the integration test for the Bedrock provider:

import os

import pytest

from core.model_runtime.errors.validate import CredentialsValidateFailedError
from core.model_runtime.model_providers.bedrock.bedrock import BedrockProvider

def test_validate_provider_credentials():
    provider = BedrockProvider()

    with pytest.raises(CredentialsValidateFailedError):
        provider.validate_provider_credentials(
            credentials={}
        )

    provider.validate_provider_credentials(
        credentials={
            "aws_region": os.getenv("AWS_REGION"),
            "aws_access_key": os.getenv("AWS_ACCESS_KEY"),
            "aws_secret_access_key": os.getenv("AWS_SECRET_ACCESS_KEY")
        }
    )

This test ensures that the credentials are validated correctly. Make sure to set the environment variables AWS_REGION, AWS_ACCESS_KEY, and AWS_SECRET_ACCESS_KEY appropriately before running the test [1][2].


ybalbert001 commented 3 weeks ago

  1. Please tell me the model_id you provided.
  2. Please make sure you grant the model access; you can change it through "Bedrock -> Bedrock configurations -> model access" @wwwDESIGN-basti

ybalbert001 commented 3 weeks ago

I tried it, but can't reproduce this issue on 0.7.1 (on my ec2)

wwwDESIGN-basti commented 3 weeks ago

@ybalbert001 Thanks for your comments. I had to reconfigure my AWS Bedrock connection after swapping my AWS key. The new key includes the BedRockFullAccess policy. I have requested and been granted model access for the North Virginia region. During the configuration in Dify, I didn’t enter a model name (which I hadn’t done before either). However, recently, AWS notified me of a security incident. Could it be that this incident is affecting my ability to access AWS services while the issue remains unresolved?

nsvrana commented 3 weeks ago

I needed the model name (e.g. anthropic.claude-3-sonnet-20240229-v1:0) to verify the first time.

ybalbert001 commented 3 weeks ago

> @ybalbert001 Thanks for your comments. I had to reconfigure my AWS Bedrock connection after swapping my AWS key. The new key includes the BedRockFullAccess policy. I have requested and been granted model access for the North Virginia region. During the configuration in Dify, I didn’t enter a model name (which I hadn’t done before either). However, recently, AWS notified me of a security incident. Could it be that this incident is affecting my ability to access AWS services while the issue remains unresolved?

If you can invoke the model through the AWS console, this issue should not be the root cause of your problem. You may check your AK/SK and its bound policy; if possible, please provide some snapshots for us.

Another suggestion is to contact the SA of AWS to ask for help.
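
An offline pre-check of the values entered in the Bedrock provider form, built from the schema quoted in the thread and from the report that a model name was needed for the first verification. This is an added example, not Dify's code: the function name `precheck`, the model ID pattern and the sample values are assumptions, and the `ASIA` check relies on the prefix AWS uses for temporary STS access keys.

```python
import re

# Region values copied from the aws_region options in the schema quoted above.
REGIONS = {"us-east-1", "us-west-2", "ap-southeast-1", "ap-northeast-1",
           "eu-central-1", "eu-west-2", "us-gov-west-1", "ap-southeast-2"}
# Assumed shape, generalized from the two model IDs that appear in this thread.
MODEL_ID = re.compile(r"^[a-z0-9-]+\.[a-z0-9-]+(\.[a-z0-9-]+)*(:\d+)?$")


def precheck(creds):
    """Return (level, field, message) findings; secret values are never echoed."""
    findings = []
    region = creds.get("aws_region") or ""
    key = creds.get("aws_access_key_id") or ""
    secret = creds.get("aws_secret_access_key") or ""
    model = creds.get("model_for_validation") or ""

    if region not in REGIONS:
        findings.append(("error", "aws_region", "required; must be one of the schema options"))
    if bool(key) != bool(secret):
        findings.append(("error", "aws_access_key_id",
                         "set both key fields, or neither to use the running environment"))
    for name, value in (("aws_access_key_id", key), ("aws_secret_access_key", secret)):
        if value != value.strip():
            findings.append(("error", name, "leading or trailing whitespace (paste artifact)"))
    if key.strip().startswith("ASIA"):
        # ASIA-prefixed IDs are temporary STS credentials and need a session token.
        findings.append(("error", "aws_access_key_id",
                         "temporary key: the form has no session token field"))
    if not model:
        findings.append(("warn", "model_for_validation",
                         "empty; name a model the account has been granted access to"))
    elif not MODEL_ID.match(model):
        findings.append(("error", "model_for_validation", "does not look like a Bedrock model ID"))
    return findings


if __name__ == "__main__":
    # Constructed sample input; AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder key.
    sample = {"aws_region": "us-east-1",
              "aws_access_key_id": "AKIAIOSFODNN7EXAMPLE ",
              "aws_secret_access_key": "constructed-placeholder-secret"}
    for level, field, message in precheck(sample):
        print(f"{level:5} {field}: {message}")
```

A clean result only rules out form-level mistakes; IAM policy and per-region model access still have to be confirmed on the AWS side.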