[BUG] roleArn is being checked at create time instead of provision time #957

Open
derrike opened this issue Nov 12, 2024 · 1 comment
Labels
bug Something isn't working

derrike commented Nov 12, 2024

What is the bug?

I am trying to set up a Workflow using the Flow Framework to connect to Claude using the `create_connector` provision type. I am setting up a variable for the `roleArn` so that I can inject the actual role when the workflow gets provisioned. Example:

```json
"credential": {
    "roleArn": "${{ AWS_BEDROCK_ROLE_ARN }}"
}
```

When I go to CREATE the workflow using `POST _plugins/_flow_framework/workflow`, I receive a 502 error. If I replace just the variable placeholder with an actual invalid IAM Role, I get an error that says I'm not authorized to pass that role. This error tells me that the CREATE process is trying to pass a role at CREATE time. This shouldn't be happening, because the Flow Framework template wouldn't know what the role actually is at CREATE time. In this example, the Flow Framework would only know the actual role ARN at PROVISION time (`_provision`). That is when the `AWS_BEDROCK_ROLE_ARN` would get injected, and would be available to be passed / validated.

How can one reproduce the bug?

You can run the following example workflow in DevTools. This will generate a 502 error because it tries to pass the placeholder variable at CREATE time. Then you can substitute it for an actual AWS Role ARN, like: `arn:aws:iam::123456789012:role/MyCoolRole`. This will generate a Pass Role error, demonstrating that something is happening at CREATE time that shouldn't be happening. Finally, if you want, you can substitute in an actual role that has permissions.

```
POST _plugins/_flow_framework/workflow
{
    "name": "Deploy Claude Model",
    "description": "Deploy a model using a connector to Claude",
    "use_case": "PROVISION",
    "version": {
        "template": "1.0.0",
        "compatibility": [
            "2.12.0",
            "3.0.0"
        ]
    },
    "workflows": {
        "provision": {
            "nodes": [
                {
                    "id": "create_claude_connector",
                    "type": "create_connector",
                    "user_inputs": {
                        "name": "Claude Instant Runtime Connector",
                        "version": "1",
                        "protocol": "aws_sigv4",
                        "description": "The connector to BedRock service for Claude model",
                        "actions": [
                            {
                                "headers": {
                                    "x-amz-content-sha256": "required",
                                    "content-type": "application/json"
                                },
                                "method": "POST",
                                "request_body": "{ \"prompt\":\"${parameters.prompt}\", \"max_tokens_to_sample\":${parameters.max_tokens_to_sample}, \"temperature\":${parameters.temperature},  \"anthropic_version\":\"${parameters.anthropic_version}\" }",
                                "action_type": "predict",
                                "url": "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-instant-v1/invoke"
                            }
                        ],
                        "credential": {
                            "roleArn": "${{ AWS_BEDROCK_ROLE_ARN }}"
                        },
                        "parameters": {
                            "endpoint": "https://bedrock-runtime.us-east-1.amazonaws.com/",
                            "content_type": "application/json",
                            "auth": "Sig_V4",
                            "max_tokens_to_sample": "8000",
                            "service_name": "bedrock",
                            "temperature": "0.0001",
                            "response_filter": "$.completion",
                            "region": "us-east-1",
                            "anthropic_version": "bedrock-2023-05-31"
                        }
                    }
                }
            ]
        }
    }
}
```

What is the expected behavior?

The workflow can be provisioned with a placeholder variable in the roleArn section.

What is your host/environment?

Managed OpenSearch 2.13. User that is making the call is configured as an AWS IAM Role in backend security.

Do you have any screenshots?

image

Do you have any additional context?

n/a

@derrike derrike added bug Something isn't working untriaged labels Nov 12, 2024
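
The create-time versus provision-time split the issue expects, as an added Python illustration (not part of the original issue and not Flow Framework's code): a `${{ NAME }}` placeholder in `credential.roleArn` is deferred when the template is stored and only checked once a value has been substituted. The function names, the ARN pattern and the sample template are assumptions made for this example.

```python
import re

# Placeholder syntax used in the issue's template: ${{ NAME }}
PLACEHOLDER = re.compile(r"\$\{\{\s*(\w+)\s*\}\}")
# Assumed shape of an IAM role ARN (partition, 12-digit account id, optional path).
ROLE_ARN = re.compile(r"^arn:aws(-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$")
# Constructed sample: the credential fragment from the issue inside one node.
TEMPLATE = {"nodes": [{"user_inputs": {"credential": {"roleArn": "${{ AWS_BEDROCK_ROLE_ARN }}"}}}]}


def walk(node, path=""):
    """Yield (path, string value) for every string leaf in a parsed template."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    elif isinstance(node, str):
        yield path, node


def substitute(node, params):
    """Return a copy of the template with every ${{ NAME }} resolved from params."""
    if isinstance(node, dict):
        return {k: substitute(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [substitute(v, params) for v in node]
    if isinstance(node, str):
        return PLACEHOLDER.sub(lambda m: params[m.group(1)], node)
    return node


def role_arn_errors(template, stage, params=None):
    """Check credential.roleArn values; at 'create' a placeholder is deferred."""
    if stage == "provision":
        names = {n for _, s in walk(template) for n in PLACEHOLDER.findall(s)}
        missing = sorted(names - set(params or {}))
        if missing:
            return [f"unresolved placeholder: {n}" for n in missing]
        template = substitute(template, params)
    errors = []
    for path, value in walk(template):
        if not path.endswith("/credential/roleArn"):
            continue
        deferred = stage == "create" and PLACEHOLDER.search(value)
        if not deferred and not ROLE_ARN.match(value):
            errors.append(f"{path}: not an IAM role ARN: {value!r}")
    return errors
```

Single-brace references such as `${parameters.prompt}` in the connector's `request_body` are not matched by the placeholder pattern and pass through untouched.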
@dbwiddis
Member

Attempted to reproduce this with a local cluster and it works fine; something must be different on AOS with this. Also, nothing in Flow Framework would produce a 502 error.

Placeholders work elsewhere in the template so it's possibly related to the fact that the credentials are encrypted.

@amitgalitz @owaiskazi19 do you have any ideas here?
