Comments (25)
These commands don't work, but why I received that the client created successfully?
This is just reflective of how boto3 works so is unfortunately outside our control for the workshop 🤷♂️ I believe actual credentials are lazily fetched only at the point an API request is attempted?
When I run !aws config, I receive this but doesn't allow me to type anything
Yes you won't be able to run aws config from a notebook cell because it's not an interactive shell: If you're able to open up a terminal in the same environment though (e.g. VSCode integrated terminal), you should be able to configure your CLI from there: Especially if you use e.g. aws configure --profile MyCoolProfile to create a named profile (which gets saved in local file) and then set AWS_PROFILE env var in your notebook.
FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like AWS_ACCESS_KEY_ID directly from within the notebook through os.environ[], because of the risk of accidentally checking in any secrets hard-coded in your notebook files.
from amazon-bedrock-workshop.
Hi, it looks like your AWS credentials are not being correctly picked up from your environment.
Are you able to run other simple commands in your notebook like !aws s3 ls or !aws sts get-caller-identity? I assume from the other PR you're using a non-SageMaker notebook environment? in which case would suggest referring to the general docs here for tips on how to set up your credentials with the AWS CLI.
If you usually use a profile to manage your AWS credentials, please note there was a very recent fix #16 that you'd need to make sure you took before setting the AWS_PROFILE env var.
from amazon-bedrock-workshop.
These commands don't work, but why I received that the client created successfully?
from amazon-bedrock-workshop.
When I run !aws config, I receive this but doesn't allow me to type anything
from amazon-bedrock-workshop.
Where I assume I'm using Env vars based on the info provided here #19
from amazon-bedrock-workshop.
FWIW I'd probably suggest setting up a profile rather than trying to set credential environment variables like AWS_ACCESS_KEY_ID directly from within the notebook through os.environ[], because of the risk of accidentally checking in any secrets hard-coded in your notebook files
I think this is what I'm doing, I have:
1- ~/.aws/credentials which contains
[mohannad]
aws_access_key_id = YOUR_ACCESS_KEY
aws_secret_access_key = YOUR_SECRET_KEY
2- ~/.aws/config which contains
[profile mohannad]
region = YOUR_REGION
Finally, inside the notebook, I have this setting:
# os.environ["AWS_DEFAULT_REGION"] = "us-west-2" # E.g. "us-east-1"
os.environ["AWS_PROFILE"] = "mohannad"
# os.environ["BEDROCK_ASSUME_ROLE"] = "<YOUR_ROLE_ARN>" # E.g. "arn:aws:..."
# os.environ["BEDROCK_ENDPOINT_URL"] = "<YOUR_ENDPOINT_URL>" # E.g. "https://..."
Am I missing anything? Or do I need to get any permission to access Bedrock?
from amazon-bedrock-workshop.
After doing many things on the config file, I think there are no credential issues any more, but now the problem is the following:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::432471158435:user/mohannad is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::432471158435:policy/workshop_aws
Seems I need to get some permission to access the Bedrock APIs
from amazon-bedrock-workshop.
@Mohannadcse @athewsey I'm getting the exact same issue even when I run it from SM Studio. I ensured that I gave the SM role Bedrock full access.
from amazon-bedrock-workshop.
@seabasshn so it works for you now, right? can you please elaborate more on the steps that you've taken to give the full access to Bedrock, thx
from amazon-bedrock-workshop.
@Mohannadcse No. I'm still struggling with the issue.
from amazon-bedrock-workshop.
this is the error that I'm getting now
boto3_bedrock.list_foundation_models()
botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
from amazon-bedrock-workshop.
You should be able to fix that by adding this policy to the role that's calling the Bedrock endpoint:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFullAccess",
      "Effect": "Allow",
      "Action": "bedrock:*",
      "Resource": "*"
    }
  ]
}
from amazon-bedrock-workshop.
@Mohannadcse how did you manage to fix the sts:AssumeRole issue?
from amazon-bedrock-workshop.
You should be able to fix that by adding this policy to the role that's calling the Bedrock endpoint:
I already have it
from amazon-bedrock-workshop.
What endpoint are you calling?
from amazon-bedrock-workshop.
I just added AWS under the Principal field to point to my user
from amazon-bedrock-workshop.
It seems we need to sign up to get some permission because the model isn't accessible
from amazon-bedrock-workshop.
I was granted preview access but I'm still stuck with sts issue.
"Failed to update trust policy.
Invalid principal in policy: "AWS""
from amazon-bedrock-workshop.
I got past the permissions issue and you're right it says:
An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
from amazon-bedrock-workshop.
yeah, we need some confirmation from @athewsey because this is one of the settings of the workshop that I'm sure was taken into account
from amazon-bedrock-workshop.
To try and clarify, BEDROCK_ASSUME_ROLE is only necessary if your notebook environment needs to assume a different role than the default/current for calls to Bedrock - You shouldn't need it if you're:
- Running in SageMaker and your SageMaker Execution Role has IAM permissions for Bedrock, or
- Running with an IAM access key/secret for a user that has IAM permissions for Bedrock
The (unusual) use-case for BEDROCK_ASSUME_ROLE is if your regular identity/role hasn't been granted Bedrock permissions, and you need to assume a special separate role to call the service.
AWS_PROFILE you should use if (like @Mohannadcse) you're setting up credentials through the AWS CLI and choose to do so by creating a named profile. You don't need this one either, if you're running in SageMaker.
Do remember (it's caught me out in the past) that simply commenting os.environ["XYZ"] = "ABC" lines back out won't clear environment variables! You can set them to "" or restart your kernel to do this.
AccessDeniedException is a different error than the original NoCredentialsError (progress!)
For @seabasshn I see your policy has "Action": "bedrock:*": Could you try replacing with "Action": ["bedrock:*"]?
For @Mohannadcse It looks like your permission error is related to sts:AssumeRole which (as per above) I don't think you need to do? Just set your BEDROCK_ASSUME_ROLE to empty string.
from amazon-bedrock-workshop.
- Running with an IAM access key/secret for a user that has IAM permissions for Bedrock
@athewsey thanks for the clarification, would you mind explaining how to do this?
where I already have the inline policy configured, see below
And these are all permissions that my account has
Am I missing anything?
from amazon-bedrock-workshop.
For @Mohannadcse's ask:
I think you were able to run aws configure from terminal to create a named profile linked to this IAM User's access key & secret, right?
The screenshot looks good. So in terms of your workshop notebook environment variables for running locally:
- AWS_PROFILE should be the name of the profile you created in the CLI
- AWS_DEFAULT_REGION should be the region where your Bedrock preview is enabled (for e.g. us-west-2 or us-east-1 or etc)... (Just to be safe - if region is configured in your profile, you might not need this)
- Ensure BEDROCK_ASSUME_ROLE and BEDROCK_ENDPOINT_URL env vars are not set, or are set to empty string.
If you see a NoCredentialsError as originally, then Python/boto3 was not able to find the access key/secret for your profile. If you see AccessDenied, then it could be mis-configuration of your IAM policies or your target region.
To troubleshoot, you could start from AWS basics and work up to Bedrock:
- Re-run aws configure --profile MyCoolProfile to check your profile actually has the access key & secret configured? Not set to None
- Check you can perform basic/non-Bedrock expected actions via the CLI using the profile (e.g. aws iam list-users --profile MyCoolProfile, since your user has IAMFullAccess)
- Check the same CLI commands work in a notebook cell? e.g. !aws iam list-users --profile MyCoolProfile
- Check you can do equivalent via boto3 in notebook Python:
    import boto3
    botosess = boto3.Session(profile_name="MyCoolProfile")
    iam = botosess.client("iam")
    iam.list_users()
(Steps up to this point are just relating to using AWS from Python - not specific to Bedrock or this workshop...)
- Next, when trying to get_bedrock_client(...), check the profile variable is definitely getting picked up (it should print a message saying so)
- If it fails with AccessDenied on sts:AssumeRole then you did not properly clear out the BEDROCK_ASSUME_ROLE env var.
- If get_bedrock_client(...) works successfully, check the logged endpoint URL is in the AWS region you expect (us-east-1, etc)
If get_bedrock_client(...) works successfully, picks up your profile which you know can run other AWS commands, and returns the expected endpoint but you still get errors when you try to list_foundation_models(), then:
- If it's an 'unknown service' error, double-check you %pip installed the custom awscli, botocore and boto3 packages in the notebook's environment.
- If it's 'access denied' on Bedrock, then double-check your IAM user can use the Bedrock console okay?
from amazon-bedrock-workshop.
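The environment checks and the error-to-cause mapping from the comment above, as an added example that is not part of the thread or the workshop repo. It uses only the standard library and covers static-key profiles; the function names, the sample values and the role-ARN shape check (which goes beyond the thread: sts:AssumeRole accepts only a role ARN) are assumptions of this example.

```python
import configparser
import re

# sts:AssumeRole takes an IAM role ARN; a policy or user ARN is always refused.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/.+$")
# Constructed sample input modelled on the thread (placeholder account and keys).
SAMPLE_ENV = {"AWS_PROFILE": "mohannad",
              "BEDROCK_ASSUME_ROLE": "arn:aws:iam::123456789012:policy/workshop_aws"}
SAMPLE_CREDENTIALS = "[mohannad]\naws_access_key_id = EXAMPLEKEYID\naws_secret_access_key = EXAMPLESECRET\n"
SAMPLE_CONFIG = "[profile mohannad]\nregion = us-west-2\n"

def _ini(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def preflight(env, credentials_text, config_text):
    """Return findings for the env vars and AWS CLI files (static-key profiles)."""
    findings = []
    creds, conf = _ini(credentials_text), _ini(config_text)
    profile = env.get("AWS_PROFILE", "")
    if profile:
        section = profile if profile == "default" else f"profile {profile}"
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            if not (creds.get(profile, key, fallback="") or conf.get(section, key, fallback="")):
                findings.append(f"profile {profile!r}: {key} not configured")
        if not (env.get("AWS_DEFAULT_REGION") or conf.get(section, "region", fallback="")):
            findings.append(f"profile {profile!r}: no region configured")
    role = env.get("BEDROCK_ASSUME_ROLE", "")
    if role and not ROLE_ARN.match(role):
        findings.append("BEDROCK_ASSUME_ROLE is not an IAM role ARN")
    elif role:
        findings.append("BEDROCK_ASSUME_ROLE is set: sts:AssumeRole will be attempted")
    if env.get("AWS_SECRET_ACCESS_KEY"):
        findings.append("secret key held in an env var: prefer a named profile")
    return findings

def diagnose(error_text):
    """Map an error message to the cause given in the thread."""
    text = error_text.lower()
    if "nocredentialserror" in text:
        return "no access key/secret found for the profile"
    if "unknown service" in text:
        return "custom awscli, botocore and boto3 packages not installed"
    if "accessdenied" in text and "assumerole" in text:
        return "BEDROCK_ASSUME_ROLE not cleared: set it to '' or restart the kernel"
    if "accessdenied" in text:
        return "IAM policy, target region or Bedrock model access"
    return "unrecognized error"
```

In a notebook, pass `dict(os.environ)` and the contents of `~/.aws/credentials` and `~/.aws/config` to `preflight`, so that variables left over from a commented-out cell are seen as the kernel sees them.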
Much appreciated for the detailed response.
AWS_DEFAULT_REGION should be the region where your Bedrock preview is enabled (for e.g. us-west-2 or us-east-1 or etc)... (Just to be safe - if region is configured in your profile, you might not need this)
How can I check this point? I did try both regions but none of them works.
See the below screenshots that show there is no problem with the user configurations.
At this point, the error that I constantly receive is this: Your account is not authorized to invoke this API operation, which indicates I need to get some authorization from somewhere I don't know. Though I did set up the inline policy (see the next screenshot)
See below the entire error.
AccessDeniedException Traceback (most recent call last)
Cell In[8], line 1
----> 1 boto3_bedrock.list_foundation_models()
File ~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:530, in ClientCreator._create_api_method.<locals>._api_call(self, *args, **kwargs)
526 raise TypeError(
527 f"{py_operation_name}() only accepts keyword arguments."
528 )
529 # The "self" in this scope is referring to the BaseClient.
--> 530 return self._make_api_call(operation_name, kwargs)
File ~/Downloads/repos/bedrock/.venv/lib/python3.11/site-packages/botocore/client.py:964, in BaseClient._make_api_call(self, operation_name, api_params)
962 error_code = parsed_response.get("Error", {}).get("Code")
963 error_class = self.exceptions.from_code(error_code)
--> 964 raise error_class(parsed_response, operation_name)
965 else:
966 return parsed_response
AccessDeniedException: An error occurred (AccessDeniedException) when calling the ListFoundationModels operation: Your account is not authorized to invoke this API operation.
from amazon-bedrock-workshop.
Please retest using the latest version of the repo and SDK now that Amazon Bedrock is Generally Available. You need to enable access in your AWS account (AWS Console > Bedrock > Providers > Model Access), but it is now immediate. Apart from Titan Text Express, the other models are GA.
from amazon-bedrock-workshop.