boto3 icon indicating copy to clipboard operation
boto3 copied to clipboard
verified publisher icon boto

Irrelevant error when deleting bedrock knowledge base using boto3

Open i-pedram opened this issue 3 months ago • 5 comments

Describe the bug

I am trying to delete a Bedrock knowledge base using Python SDK (Boto3)

client.delete_knowledge_base(knowledgeBaseId=kb_id)

When the provided kb_id does not follow the required format (I assume it should be ^[A-Z0-9]{10}$), for example, when I provide Knowledge Base name instead of Knowledge Base ID or when passing E94N4QO8 (8 characters), then it raises an irrelevant error:

botocore.errorfactory.AccessDeniedException:
An error occurred (AccessDeniedException) when calling the DeleteKnowledgeBase operation:
User: arn:aws:iam::?????:user/????? is not authorized to perform: bedrock:DeleteKnowledgeBase

The error is misleading because the user has permission for bedrock:DeleteKnowledgeBase.

My expected behaviour is to either validate the format of knowledgeBaseId and raise a validation error, or at least a ResourceNotFoundException

Regression Issue

  • [ ] Select this option if this issue appears to be a regression.

Expected Behavior

My expected behaviour is to either validate the format of knowledgeBaseId and raise a validation error, or at least a ResourceNotFoundException

Current Behavior

It raises botocore.errorfactory.AccessDeniedException

Reproduction Steps

client = session.client('bedrock-agent') kb_id = 'E94N4QO8' client.delete_knowledge_base(knowledgeBaseId=kb_id)

Possible Solution

Validate the provided argument and raise a relevant error

Additional Information/Context

No response

SDK version used

1.39.11

Environment details (OS name and version, etc.)

Windows 11 24H2, Python 3.11.3, VS Code

i-pedram avatar Oct 14 '25 10:10 i-pedram

Hello @i-pedram, thank you for reaching out. I have tried deleting a knowledge base and I did not get AccessDeniedException. Please re-check if there are permissions missing on your user. Could you also please add boto3.set_stream_logger('') after imports for logs, but please redact ALL security and sensitive information.

adev-code avatar Oct 15 '25 16:10 adev-code

Thanks @adev-code, this is not because of permissions. I am using a user that have "AmazonBedrockFullAccess"

I have a knowledge base with id = "E94N4QO8XY"

Scenario 1:

The knowledge base ID is available

kb_id = 'E94N4QO8XY'
client.delete_knowledge_base(knowledgeBaseId=kb_id)

This works as expected and deletes the knowledge base!

Scenario 2:

The knowledge base ID is not available and does follow the expected regex pattern

kb_id = 'E94N4QO8XX'
client.delete_knowledge_base(knowledgeBaseId=kb_id)

This will raise a meaningful error:

botocore.errorfactory.ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the DeleteKnowledgeBase operation: KnowledgeBase with id E94N4QO8XX is not found.

Scenario 3:

The knowledge base ID is not available and does not follow the expected regex pattern

kb_id = 'E94N4QO8'
client.delete_knowledge_base(knowledgeBaseId=kb_id)

This will raise an irrelevant error: botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the DeleteKnowledgeBase operation: User: arn:aws:iam::123456789:user/userX is not authorized to perform: bedrock:DeleteKnowledgeBase

My expectation in scenario 3 is to raise a ResourceNotFoundException or validate the input and provide feedback that the pattern is not correct

i-pedram avatar Oct 19 '25 21:10 i-pedram

Thanks for the information. I was able reproduce Scenario 1 and 2, and did not get to Scenario 3. To help us investigate, could you please add boto3.set_stream_logger('') for logging and only provide the Response headers and Response body which is typically found at the bottom or end of the logs.

Sample repro code I have tested:

import boto3

boto3.set_stream_logger('')

client = boto3.client('bedrock-agent', region_name='us-east-1')
response = client.delete_knowledge_base(knowledgeBaseId='[REDACTED]')
print(response)

adev-code avatar Oct 21 '25 17:10 adev-code

Thanks @adev-code, This is what I get after it raises an error: (I couldn't find any more relevant information)

botocore.parsers [DEBUG] Response headers:
{
    'Date': 'Sat, 25 Oct 2025 09:39:47 GMT',
    'Content-Type': 'application/json',
    'Content-Length': '118',
    'Connection': 'keep-alive',
    'x-amzn-RequestId': '76b3ab6b-ee13-4d9b-8671-eda594410817',
    'Access-Control-Allow-Origin': '*',
    'x-amzn-ErrorType': 'AccessDeniedException',
    'x-amz-apigw-id': 'S_0jpHW4DoEEnyQ=',
    'Access-Control-Expose-Headers': 'x-amzn-errortype,x-amzn-requestid,x-amzn-trace-id',
    'X-Amzn-Trace-Id': 'Root=1-68fc9ae3-1ce62adb480e24aa20ee50a7'
}

botocore.parsers [DEBUG] Response body:
b'{"message":"User: arn:aws:iam::123456789123:user/adminlike is not authorized to perform: bedrock:DeleteKnowledgeBase"}'

i-pedram avatar Oct 25 '25 10:10 i-pedram

Thank you for the information. As seen from the logs, the error is coming from Bedrock and that said, I have reached out to the Bedrock service team in this regard. I will update as soon as they have any updates.

Internal Ref: P328147022

adev-code avatar Oct 29 '25 15:10 adev-code