Naxi
Reputation: 2044
Failed to configure Bedrock logging: An error occurred (ValidationException) when calling the PutModelInvocationLoggingConfiguration operation
I am trying enable logging on my bedrock agent using python cdk code and a custom reource. Below is how it looks like on a high level...
agent_log_group = logs.LogGroup(
self,
"AgentLogGroup",
log_group_name="/agent/invocations",
removal_policy=RemovalPolicy.DESTROY
)
agent_log_group.add_to_resource_policy(
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
principals=[iam.ServicePrincipal("bedrock.amazonaws.com")],
actions=["logs:*"],
resources=[agent_log_group.log_group_arn]
)
)
enable_logging = CustomResource(
self,
"EnableAgentLogging",
service_token=provider_logger.service_token,
removal_policy=RemovalPolicy.DESTROY,
properties={
"LogGroupName": agent_log_group.log_group_name,
"RoleArn": lambda_role.role_arn
}
)
And then in the custom resource (lambda)...
import os
import boto3
import json
from typing import Dict, Any
bedrock = boto3.client('bedrock')
def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
"""
Handles the Custom Resource events for Bedrock model invocation logging configuration.
"""
print(json.dumps({
"event": event
}))
request_type = event['RequestType']
properties = event.get('ResourceProperties', {})
# Skip logging configuration for Delete events
if request_type == 'Delete':
return {
'PhysicalResourceId': event.get('PhysicalResourceId', 'default-id')
}
try:
# Build CloudWatch config
cloudwatch_config = {
'logGroupName': properties['LogGroupName'],
'roleArn': properties['RoleArn']
}
# Configure logging
response = bedrock.put_model_invocation_logging_configuration(
loggingConfig={
'cloudWatchConfig': cloudwatch_config,
'textDataDeliveryEnabled': True,
'imageDataDeliveryEnabled': False,
'embeddingDataDeliveryEnabled': False,
'videoDataDeliveryEnabled': False
}
)
physical_id = f"bedrock-logging-{properties['LogGroupName']}"
return {
'PhysicalResourceId': physical_id,
'Data': {
'ConfigurationId': response.get('configurationId', ''),
'Status': 'CONFIGURED'
}
}
except Exception as e:
raise Exception(f"Failed to configure Bedrock logging: {str(e)}")
This gives me below error
An error occurred (ValidationException) when calling the PutModelInvocationLoggingConfiguration operation: Failed to validate permissions for log group: /agent/invocations, with role: arn:aws:iam::*:role/lambda-role. Verify the IAM role permissions are correct
policy.json
{
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"bedrock:*"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:AssignPrivateIpAddresses",
"ec2:UnassignPrivateIpAddresses"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"bedrock:StartIngestionJob",
"bedrock:GetIngestionJob",
"bedrock:ListIngestionJobs"
],
"Resource": "*"
}
]
}
What am I missing here ?
Upvotes: -1
Views: 37
Answers (0)
Related Questions
- How do I prevent the error "Index signature of object type implicitly has an 'any' type" when compiling typescript with noImplicitAny flag enabled?
- AWS Bedrock agent error as "Your request rate is too high. Reduce the frequency of requests."
- ValidationException: Invalid Model Identifier Error with Bedrock Runtime using boto3 in Python
- Failed to create the Amazon Opensearch Serverless collection when trying to create AWS Bedrock Knowledge Base
- Amazon Bedrock Agent - Access denied when calling Bedrock. Check your request permissions and retry the request
- AWS Bedrock - Not able to get access - Error - Operation not allowed
- CDK - An error occurred (AccessDenied) when calling the PutBucketNotificationConfiguration operation: