qnabot-on-aws
User is not authorized to perform: lex:RecognizeText on resource
Describe the bug
When I attempt to send an input into the generated Lex bot via the aws-lex-web-ui iframe, I receive an error of Message: "User: arn:aws:sts::[ACCOUNT]:assumed-role/lex-web-ui-CognitoIdentityPool-Z-CognitoAuthRoleV1-[ID]/CognitoIdentityCredentials is not authorized to perform: lex:RecognizeText on resource: arn:aws:lex:[REGION]:[ACCOUNT]:bot-alias/[ID]/[ID] because no identity-based policy allows the lex:RecognizeText action"
To Reproduce
Bring up the CloudFormation stack and send a message to the Lex bot.
Expected behavior
The bot should be able to handle the input message and return with a message
Please complete the following information about the solution:
- [x] Version: v5.0.0
- [x] Region: us-east-1
- [x] Was the solution modified from the version published on this repository? No.
- [x] If the answer to the previous question was yes, are the changes available on GitHub? N/A
- [x] Have you checked your service quotas for the services this solution uses? N/A
- [x] Were there any errors in the CloudWatch Logs? Not that I could find
Screenshots
N/A
Additional context
CloudFormation parameters:

| Parameter | Value |
|---|---|
| DefaultKendraIndexId | - |
| ElasticSearchNodeCount | 4 |
| Email | [email protected] |
| Encryption | ENCRYPTED |
| FulfillmentConcurrency | 0 |
| KibanaDashboardRetentionMinutes | 43200 |
| LexBotVersion | LexV1 and LexV2 |
| LexV2BotLocaleIds | en_US,es_US,fr_CA |
| PublicOrPrivate | PRIVATE |
| Username | Admin |
| XraySetting | FALSE |
I was able to resolve this issue by manually attaching the QnABot-LexBotPolicy-[ID] policy to the lex-web-ui-CognitoIdentityPool-Z-CognitoAuthRoleV1-[ID] and lex-web-ui-CognitoIdentityPool-CognitoUnauthRoleV1-[ID] roles, so it looks like this is related specifically to the v1 roles missing a couple of actions.
Note anything between brackets is my doing for obfuscation or simplicity.
Hi @ChaseIngebritson, the action lex:RecognizeText is LexV2 specific, so it shouldn't interfere with V1 roles.
Thanks for bringing this up. I'm looking into recreating this and will update this thread further.
Thanks! Hopefully this isn't related to the AWS Lex Web UI, but I can move the issue if so. It's a bit difficult to discern which of the two projects is causing the bug.
This error is from lex-web-ui and is related to that project instead of qnabot. That said, RecognizeText is an API on Lex V2. The V1 role by definition would not contain the permissions to invoke RecognizeText. The similar "V2" role also created by LexWebUi would provide a policy to allow RecognizeText.
I suspect you initially deployed LexWebUi using a V1 based bot name and then switched it over to a V2 based bot id by updating CF template parameters. Switching a deployed LexWebUi between V1 and V2 by changing bot relevant template parameters is not supported and will not work correctly.
You would need to deploy a new LexWebUi and specify the V2 parameters only: BotId, BotAliasId, and LocaleId. This LexWebUi will use the "V2" based role using policies that support LexV2.
Can you try a new deployment filling in just V2 parameters? That is, leave BotName empty.
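As an added example (not code from qnabot-on-aws or lex-web-ui), the following offline check evaluates identity-based policy documents the way the error message above describes, showing why a V1-style role policy (Lex V1 runtime actions on a bot ARN) cannot satisfy lex:RecognizeText on a bot-alias ARN while a V2-style policy can. The account, region, bot and alias IDs in the sample policies are placeholders, and the evaluator deliberately ignores conditions and resource-based policies; for a live role, the same question can be put to IAM's policy simulator.

```python
import fnmatch
import json

# Constructed sample policies modelled on the V1/V2 split described in the thread.
# Account, region, bot and alias IDs are placeholders, not values from the report.
LEX_V1_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["lex:PostText", "lex:PostContent"],
    "Resource": "arn:aws:lex:us-east-1:111122223333:bot:QNABOT*"
  }]
}""")

LEX_V2_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["lex:RecognizeText", "lex:RecognizeUtterance"],
    "Resource": "arn:aws:lex:us-east-1:111122223333:bot-alias/BOTID/ALIASID"
  }]
}""")

BOT_ALIAS_ARN = "arn:aws:lex:us-east-1:111122223333:bot-alias/BOTID/ALIASID"


def _as_list(value):
    # IAM lets Statement, Action and Resource be a scalar or a list.
    return value if isinstance(value, list) else [value]


def is_action_allowed(policies, action, resource):
    """Simplified IAM evaluation for one action on one resource ARN.

    An explicit Deny wins; otherwise any matching Allow grants access.
    Action names are matched case-insensitively, resources case-sensitively,
    both with IAM-style '*' wildcards.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running `is_action_allowed([LEX_V1_POLICY], "lex:RecognizeText", BOT_ALIAS_ARN)` reproduces the "no identity-based policy allows" outcome, and adding `LEX_V2_POLICY` to the list resolves it.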
Thank you for the quick response and apologies for the delay on testing this, I got sucked into a couple other projects. I'll update with findings once I'm able to get a chance to test the reboot.