Amplify AI Access Denied: Missing bedrock:InvokeModelWithResponseStream Permission #3162
Comments
|
I am on us-east-2 if that makes a difference |
|
Hey @mnai01, Thank you for bringing this up and sharing the extra details. I'll look into reproducing the issue and follow up with you. |
Awesome, for some more context to help you repro here is my data resource.ts. Everything else is basically default config from the amplify gen 2 docs import { a, ClientSchema, defineData } from '@aws-amplify/backend';
const schema = a
.schema({
testConvo: a
.conversation({
aiModel: a.ai.model({
resourcePath: 'us.anthropic.claude-3-5-haiku-20241022-v1:0',
}),
inferenceConfiguration: { maxTokens: 1000 },
systemPrompt: 'test',
})
.authorization((allow) => allow.owner()),
})
export type Schema = ClientSchema<typeof schema>;
export const data = defineData({
name: `test`,
schema,
authorizationModes: {
defaultAuthorizationMode: 'userPool',
},
}); |
|
A little bit more research, it definitely seems like its related to the AI Kit not supporting cross-region inference |
That's right. We plan to add first class support for cross-region inference (no shareable timeline currently). In the meantime here's a reference implementation for cross-region inference that you can use. |
|
My Amplify AI app is in ca-central-1 which is not part of any cross-region inference profile. Is there any way, or better an example of how to call a model outside this region with a custom handler? |
Environment information
Data packages
Description
In Amplify Gen2, using
a.ai.model('Claude 3.5 Sonnet v2')isn't supported due to on-demand throughput limitations. While switching to the resourcePath approach withaiModel: { resourcePath: 'us.anthropic.claude-3-5-haiku-20241022-v1:0' }, we encounter an AccessDeniedException where the Lambda's execution role lacks permissions forbedrock:InvokeModelWithResponseStream. Despite attempts to configure IAM permissions, the Lambda role isn't being granted the necessary Bedrock access, suggesting a potential issue with how Amplify Gen2 handles IAM permissions for Bedrock streaming operations in conversation handlers.{ "timestamp":"2025-02-12T02:56:04.274Z", "level":"ERROR", "requestId":"XXXX", "message":{ "errorType":"AccessDeniedException", "errorMessage":"User: arn:aws:sts::XXXX:assumed-role/amplify-chromeextensionbo-WebNavigatorDefaultConver-XXXX/amplify-chromeextensionbo-WebNavigatorDefaultConve-XXXX is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: arn:aws:bedrock:us-east-2:XXXX:inference-profile/us.anthropic.claude-3-5-haiku-20241022-v1:0 because no identity-based policy allows the bedrock:InvokeModelWithResponseStream action", "stackTrace":[ "AccessDeniedException: User: arn:aws:sts::XXXX:assumed-role/amplify-chromeextensionbo-WebNavigatorDefaultConver-XXXX/amplify-chromeextensionbo-WebNavigatorDefaultConve-XXXX is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: arn:aws:bedrock:us-east-2:XXXX:inference-profile/us.anthropic.claude-3-5-haiku-20241022-v1:0 because no identity-based policy allows the bedrock:InvokeModelWithResponseStream action", " at de_AccessDeniedExceptionRes (/var/runtime/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js:1061:21)", " at de_CommandError (/var/runtime/node_modules/@aws-sdk/client-bedrock-runtime/dist-cjs/index.js:1013:19)", " at process.processTicksAndRejections (node:internal/process/task_queues:95:5)", " at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/index.js:35:20", " at async /var/runtime/node_modules/@smithy/core/dist-cjs/index.js:165:18", " at async /var/runtime/node_modules/@smithy/middleware-retry/dist-cjs/index.js:320:38", " at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/index.js:34:22", " at async BedrockConverseAdapter.askBedrockStreaming (/var/task/index.js:813:29)", " at async ConversationTurnExecutor.execute (/var/task/index.js:1025:32)", " at async Runtime.handleConversationTurnEvent [as handler] (/var/task/index.js:1059:7)" ], "$fault":"client", "$metadata":{ "httpStatusCode":403, "requestId":"XXXX", "attempts":1, "totalRetryDelay":0 } } }The text was updated successfully, but these errors were encountered: