Describe the bug
The VectorKnowledgeBase construct doesn't grant s3vectors:DeleteVectors to the knowledge base execution role. An initial ingestion job on the knowledge base will succeed, but subsequent calls to bedrock:StartIngestionJob fail since Bedrock can't clear down existing vectors:
Encountered error: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/AmazonBedrockExecutionRoleForKnowledgeBasedxxxxxxxxxxxxxxxxxxxxxx/DeletingTask-xxxxxxxxxx is not authorized to perform: s3vectors:DeleteVectors on resource: arn:aws:s3vectors:eu-west-2:xxxxxxxxxxxx:bucket/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxvectorbucketxxxxxxxx-xxxxxxxxxxxx/index/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-vectorindexxxxxxxxx-xxxxxxxxxxxx because no identity-based policy allows the s3vectors:DeleteVectors action (Service: S3Vectors, Status Code: 403, Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) (SDK Attempt Count: 1). Call to Amazon S3 Vectors did not succeed.
Expected Behavior
Calls to bedrock:StartIngestionJob should succeed and the knowledge base should be updated.
Current Behavior
Subsequent calls to bedrock:StartIngestionJob fail since Bedrock can't clear down existing vectors:
Encountered error: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/AmazonBedrockExecutionRoleForKnowledgeBasedxxxxxxxxxxxxxxxxxxxxxx/DeletingTask-xxxxxxxxxx is not authorized to perform: s3vectors:DeleteVectors on resource: arn:aws:s3vectors:eu-west-2:xxxxxxxxxxxx:bucket/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxvectorbucketxxxxxxxx-xxxxxxxxxxxx/index/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-vectorindexxxxxxxxx-xxxxxxxxxxxx because no identity-based policy allows the s3vectors:DeleteVectors action (Service: S3Vectors, Status Code: 403, Request ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) (SDK Attempt Count: 1). Call to Amazon S3 Vectors did not succeed.
Reproduction Steps
See above
Possible Solution
It looks like a simple fix would be to add a call to grantDelete here (generative-ai-cdk-constructs/src/cdk-lib/bedrock/knowledge-bases/vector-knowledge-base.ts, line 892 in c9c16e6):

vectorStore.vectorBucket.grantWrite(this.role, [vectorStore.vectorIndexName]); // existing line
vectorStore.vectorBucket.grantDelete(this.role, [vectorStore.vectorIndexName]); // proposed addition
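The failure mode in this report is a least-privilege gap: the role is allowed to write vectors but not to remove them, so the first ingestion succeeds and every re-ingestion (which must clear existing vectors first) is denied. The following is an added example, not code from this issue or from the generative-ai-cdk-constructs project: a small identity-policy evaluator that checks a role's policy document against the S3 Vectors actions an ingestion job exercises, so the gap shows up in a unit test instead of a 403 from Bedrock. Only `s3vectors:DeleteVectors` comes from the issue; `s3vectors:PutVectors` is assumed to be the write action that `grantWrite` covers, and the ARN and account id are constructed placeholders in the shape of the error message above.

```typescript
// Added example, not part of the issue or the generative-ai-cdk-constructs project.
// Evaluates an IAM-style identity policy against the actions a knowledge base
// ingestion job needs on its vector index, reporting any that are not allowed.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// IAM wildcard match: '*' matches any run of characters, '?' one character.
// Action names match case-insensitively; resource ARNs match case-sensitively.
function matches(pattern: string, value: string, caseInsensitive: boolean): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, caseInsensitive ? "i" : "").test(value);
}

// Single-policy evaluation: an explicit Deny that matches wins outright,
// otherwise any matching Allow grants, otherwise the request is implicitly denied.
function isAllowed(policy: PolicyDocument, action: string, resource: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = asList(st.Action).some((a) => matches(a, action, true));
    const resourceHit = asList(st.Resource).some((r) => matches(r, resource, false));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Actions a (re-)ingestion job exercises on the vector index. DeleteVectors is the
// action named in the issue's error; PutVectors is an assumed write action.
const INGESTION_ACTIONS = ["s3vectors:PutVectors", "s3vectors:DeleteVectors"];

// Returns the ingestion actions the policy does NOT allow on the given index ARN.
function missingIngestionActions(policy: PolicyDocument, indexArn: string): string[] {
  return INGESTION_ACTIONS.filter((a) => !isAllowed(policy, a, indexArn));
}

// Constructed index ARN in the shape shown in the error message (placeholder ids).
const INDEX_ARN =
  "arn:aws:s3vectors:eu-west-2:111111111111:bucket/example-vector-bucket/index/example-vector-index";

// Assumed shape of what the construct grants today: write access only.
const writeOnlyPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["s3vectors:PutVectors"], Resource: [INDEX_ARN] }],
};

// The same role with the proposed grantDelete call applied.
const writeAndDeletePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3vectors:PutVectors"], Resource: [INDEX_ARN] },
    { Effect: "Allow", Action: ["s3vectors:DeleteVectors"], Resource: [INDEX_ARN] },
  ],
};

console.log("write-only policy is missing:", missingIngestionActions(writeOnlyPolicy, INDEX_ARN));
console.log("write+delete policy is missing:", missingIngestionActions(writeAndDeletePolicy, INDEX_ARN));
```

The evaluator deliberately keeps the grant scoped to the single index ARN: a check like this should fail if someone "fixes" the bug with a broader `Resource: "*"`, which is why the test below also confirms that a grant on one index does not carry over to another.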
Additional Information/Context
No response
CDK CLI Version
0.1.314
Framework Version
No response
Node.js Version
v24
OS
N/A
Language
Typescript
Language Version
No response
Region experiencing the issue
N/A
Code modification
N/A
Other information
No response
Service quota