You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
With the recent change to support LLM log classification using AWS Bedrock, the lambda needs to have access to that service. Otherwise, it would fail with the following error:
called `Result::unwrap()` on an `Err` value: ServiceError(ServiceError { source: AccessDeniedException(AccessDeniedException { message: Some("User: arn:aws:sts::308535385114:assumed-role/cargo-lambda-role-f8380435-1d42-4de1-93f6-49711d68eb4a/log_classifier is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0 because no identity-based policy allows the bedrock:InvokeModel action"), meta: ErrorMetadata { code: Some("AccessDeniedException"), message: Some("User: arn:aws:sts::308535385114:assumed-role/cargo-lambda-role-f8380435-1d42-4de1-93f6-49711d68eb4a/log_classifier is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0 because no identity-based policy allows the bedrock:InvokeModel action"), extras: Some({"aws_request_id": "10b527a8-2856-42a7-8fac-7c1faf7d4ffb"}) } }), raw: Response { status: StatusCode(403), headers: Headers { headers: {"date": HeaderValue { _private: H0("Thu, 26 Sep 2024 20:46:59 GMT") }, "content-type": HeaderValue { _private: H0("application/json") }, "content-length": HeaderValue { _private: H0("345") }, "x-amzn-requestid": HeaderValue { _private: H0("10b527a8-2856-42a7-8fac-7c1faf7d4ffb") }, "x-amzn-errortype": HeaderValue { _private: H0("AccessDeniedException:http://internal.amazon.com/coral/com.amazon.coral.service/") }} }, body: SdkBody { inner: Once(Some(b"{\"Message\":\"User: arn:aws:sts::308535385114:assumed-role/cargo-lambda-role-f8380435-1d42-4de1-93f6-49711d68eb4a/log_classifier is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0 because no identity-based policy allows the bedrock:InvokeModel action\"}")), retryable: true }, extensions: Extensions { extensions_02x: Extensions, extensions_1x: Extensions } } })
The IAM role for log classification was created manually in the past, so I grant the access to Bedrock manually there to keep it running. We could need to properly set it up on Terraform instead.
(The failure wasn't detected during local testing because my AWS credential has access to Bedrock)
With the recent change to support LLM log classification using AWS Bedrock, the lambda needs to have access to that service. Otherwise, it would fail with the following error:
The IAM role for log classification was created manually in the past, so I grant the access to Bedrock manually there to keep it running. We could need to properly set it up on Terraform instead.
(The failure wasn't detected during local testing because my AWS credential has access to Bedrock)
cc @PaliC
The text was updated successfully, but these errors were encountered: