maxtybar / bedrock-agents-cdk

Custom AWS CDK Constructs written in TypeScript and transpiled to Go and Python using jsii. The project is open-sourced and published to the npm package repository and Construct Hub. Using these constructs, developers can easily integrate provisioning of Amazon Bedrock Agents and Amazon Knowledge Bases into their infrastructure.
Apache License 2.0

The knowledge base storage configuration provided is invalid... Bad Authorization #9

Closed santoshsg1308 closed 6 months ago

santoshsg1308 commented 8 months ago

Hi, I am trying to create a knowledge base using the construct but keep getting the error below:

"Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: The knowledge base storage configuration provided is invalid... Bad Authorization"

Below is my code

```typescript
import * as iam from "aws-cdk-lib/aws-iam";
import { BedrockKnowledgeBase } from "bedrock-agents-cdk";

// Fragment from inside a CDK construct; `environment`, `bucketArn` and
// `awsAccountNumber` are defined elsewhere.

// Create managed policies for the role
const s3ListBucketStatement = new iam.PolicyStatement({
  actions: ["s3:ListBucket"],
  resources: ["arn:aws:s3:::bucketName"],
});
const s3GetObjectStatement = new iam.PolicyStatement({
  actions: ["s3:GetObject"],
  resources: ["arn:aws:s3:::bucketName/*"],
});
const s3ManagedPolicy = new iam.ManagedPolicy(
  this,
  "AmazonBedrockS3PolicyForKnowledgeBase_test",
  {
    managedPolicyName: "AmazonBedrockS3PolicyForKnowledgeBase_test",
    statements: [s3ListBucketStatement, s3GetObjectStatement],
  }
);

// IAM permission for the OpenSearch Serverless collection
const ossStatement = new iam.PolicyStatement({
  actions: ["aoss:APIAccessAll"],
  resources: [
    "arn:aws:aoss:yourCollectionRegion:yourAWSAccountId:collection/yourCollectionId",
  ],
});
const ossManagedPolicy = new iam.ManagedPolicy(
  this,
  `AmazonBedrockOSSPolicyForKnowledgeBase_test_${environment}`,
  {
    managedPolicyName: `AmazonBedrockOSSPolicyForKnowledgeBase_test_${environment}`,
    statements: [ossStatement],
  }
);

// Permission to invoke the embedding model
const fmStatement = new iam.PolicyStatement({
  actions: ["bedrock:InvokeModel"],
  resources: [
    "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-embed-text-v1",
  ],
});
const fmManagedPolicy = new iam.ManagedPolicy(
  this,
  `AmazonBedrockFoundationModelPolicyForKnowledgeBase_test_${environment}`,
  {
    managedPolicyName: `AmazonBedrockFoundationModelPolicyForKnowledgeBase_test_${environment}`,
    statements: [fmStatement],
  }
);

// Bedrock Knowledge Base IAM role
const kbRole = new iam.Role(
  this,
  `AmazonBedrockExecutionRoleForKnowledgeBase_test_${environment}`,
  {
    roleName: `AmazonBedrockExecutionRoleForKnowledgeBase_test_${environment}`,
    // Trust policy restricted to this account's knowledge bases
    assumedBy: new iam.ServicePrincipal("bedrock.amazonaws.com", {
      conditions: {
        StringEquals: {
          "aws:SourceAccount": `${awsAccountNumber}`,
        },
        ArnLike: {
          "aws:SourceArn":
            `arn:aws:bedrock:us-east-1:${awsAccountNumber}:knowledge-base/*`,
        },
      },
    }),
    managedPolicies: [s3ManagedPolicy, ossManagedPolicy, fmManagedPolicy],
  }
);

// Create Bedrock Knowledge Base backed by OpenSearch Serverless
const knowledgeBase = new BedrockKnowledgeBase(
  this,
  `cdk-knowedgebase-${environment}`,
  {
    name: `cdk-knowedgebase-${environment}`,
    roleArn: kbRole.roleArn,
    storageConfiguration: {
      opensearchServerlessConfiguration: {
        collectionArn:
          "arn:aws:aoss:yourCollectionRegion:yourAWSAccountId:collection/yourCollectionId",
        fieldMapping: {
          metadataField: "AMAZON_BEDROCK_METADATA",
          textField: "AMAZON_BEDROCK_TEXT_CHUNK",
          vectorField: "cdk-vector",
        },
        vectorIndexName: "cdk-index",
      },
      type: "OPENSEARCH_SERVERLESS",
    },
    dataSource: {
      name: `datasource-${environment}`,
      dataSourceConfiguration: {
        s3Configuration: {
          bucketArn: bucketArn,
        },
        type: "S3",
      },
    },
  }
);
```

I believe this has something to do with the role, because if I replace `roleArn` with the role that was automatically created during the creation of another knowledge base through the console, then the knowledge base creation goes through successfully. As you can see, I have tried to attach the policies required for the role to mimic the automatically created role. I also tried attaching the AdministratorAccess policy to the role, but no luck!

Below are the error details from CloudFormation I see:

```
Received response status [FAILED] from custom resource. Message returned: Error: An error occurred (ValidationException) when calling the CreateKnowledgeBase operation: The knowledge base storage configuration provided is invalid... Bad Authorization

Logs: /aws/lambda/IngestionStack-dev1-BedrockAgentCus-PXN9dyVk0gcz

    at invokeUserFunction (/var/task/framework.js:2:6)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async onEvent (/var/task/framework.js:1:369)
    at async Runtime.handler (/var/task/cfn-response.js:1:1573) (RequestId: ec2bc795-366c-45d0-8064-7b991920d1a3)
```

Can you please help?
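An added example, not part of the original thread and not the project's code: OpenSearch Serverless authorizes index access through the collection's data access policy in addition to IAM, which would be consistent with a console-created role working where a hand-built one does not, even with AdministratorAccess. The function below reports which index permissions a role lacks in such a policy document. The policy document, account ID, role names, collection name and required-permission list are constructed assumptions.

```typescript
// Added example: every ARN, name and policy document here is constructed.
interface AccessRule {
  ResourceType: "index" | "collection";
  Resource: string[];
  Permission: string[];
}
interface AccessPolicyEntry { Rules: AccessRule[]; Principal: string[]; }

// Data access policy resources allow "*" wildcards, e.g. "index/kb-collection/*".
function globMatch(pattern: string, value: string): boolean {
  const body = pattern.split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + body + "$").test(value);
}

// Index permissions from `needed` that `roleArn` is NOT granted on
// index/<collection>/<indexName>. An empty result means the role is covered.
function missingIndexPermissions(policy: AccessPolicyEntry[], roleArn: string,
    collection: string, indexName: string, needed: string[]): string[] {
  const target = "index/" + collection + "/" + indexName;
  let granted: string[] = [];
  for (const entry of policy) {
    if (entry.Principal.indexOf(roleArn) === -1) continue; // exact ARN match
    for (const rule of entry.Rules) {
      if (rule.ResourceType !== "index") continue;
      if (rule.Resource.some((r) => globMatch(r, target))) {
        granted = granted.concat(rule.Permission);
      }
    }
  }
  if (granted.indexOf("aoss:*") !== -1) return [];
  return needed.filter((p) => granted.indexOf(p) === -1);
}

const ROLE_PREFIX = "arn:aws:iam::111122223333:role/"; // constructed account ID
const CONSOLE_ROLE = ROLE_PREFIX + "ConsoleCreatedKbRole"; // hypothetical name
const CUSTOM_ROLE = ROLE_PREFIX + "AmazonBedrockExecutionRoleForKnowledgeBase_test_dev";
// Assumed minimum for a knowledge base; adjust to your own requirements.
const NEEDED = ["aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument"];
// Constructed policy that names only the console-created role as principal.
const SAMPLE_POLICY: AccessPolicyEntry[] = [{
  Principal: [CONSOLE_ROLE],
  Rules: [{ ResourceType: "index", Resource: ["index/kb-collection/*"],
            Permission: ["aoss:DescribeIndex", "aoss:ReadDocument", "aoss:WriteDocument"] }],
}];

console.log(missingIndexPermissions(SAMPLE_POLICY, CONSOLE_ROLE, "kb-collection", "cdk-index", NEEDED));
console.log(missingIndexPermissions(SAMPLE_POLICY, CUSTOM_ROLE, "kb-collection", "cdk-index", NEEDED));
```

Data access policies reference a collection by name rather than by the ID that appears in its ARN, so the `collection` argument is the collection name.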

maxtybar commented 6 months ago

Hi @santoshsg1308, I am sorry for the late reply. Please refer to the generative-ai-cdk-constructs repo for the latest constructs. I currently don't have time to maintain my construct and will focus my attention on contributing to the mentioned repo, as it is maintained by the AWS team.

Thanks!