AccessDeniedException in Amazon Kendra

Question

I'm using Amazon Kendra to build a semantic search engine. Following is a piece of my Python code written in Sagemaker notebook:

kendra = boto3.client("kendra",region_name='us-east-1')    
index_id = "05d8defe-e2-a9e3-3534de"
query = "boots please"

response = kendra.query(
    QueryText = query1,
    IndexId = index_id
)

'response' is giving me the error:

AccessDeniedException: An error occurred (AccessDeniedException) when calling the Query operation: User: arn:aws:sts::9174853:assumed-role/AmazonSageMaker-ExecutionRole-2023083103184/SageMaker is not authorized to perform: kendra:Query on resource: arn:aws:kendra:us-east-1:9174853:index/5ba72cde-24e-8736-020a21bce

Here are the basic steps I've followed: Create a bucket in S3, load the dataset, create an index in Kendra & assign it a role, connect the index with the data source (S3) & assign it a new role (different from the index role), sync the data & execute the above-mentioned code.

Some clarifications:

1. I haven't assigned permissions anywhere & I'm the only user here.
2. I have created different IAM roles for the index & data source.

Why am I getting this error & how do I fix it?

Answer 1

I fixed the issue. Here's how I did it:

I attached "AmazonKendraFullAccess" policy to the SageMaker role (AmazonSageMaker-ExecutionRole-xxxxxxxx) in the AWS Identity and Access Management (IAM) console.

Answer 2

According to the error message, the Kendra's index role is not authorized to perform the query action on the Kendra index. You can add the permission explicitly and try again. Or you can try to create a new index, and let Kendra create the index role for you during the Kendra index creation step. This is recommended approach.