redshift user

Author: networkandcode

structured-kb-demo/arns.py

@@ -1,7 +1,3 @@
-import boto3
-from botocore.exceptions import ClientError
-
-from logger import logger
 from vars import (
     AWS_ACCOUNT_ID,
     S3_BUCKET,

structured-kb-demo/get_bedrock_kb_id.py

@@ -0,0 +1,14 @@
+import boto3
+
+from vars import AWS_REGION, BEDROCK_KB
+
+bedrock_agent = boto3.client("bedrock-agent", region_name=AWS_REGION)
+
+def get_kb_id_by_name(kb_name):
+    response = bedrock_agent.list_knowledge_bases(maxResults=10)
+    for kb in response.get('knowledgeBaseSummaries', []):
+        if kb['name'] == kb_name:
+            return kb['knowledgeBaseId']
+    return None
+
+BEDROCK_KB_ID = get_kb_id_by_name(BEDROCK_KB)

structured-kb-demo/get_redshift_wg_arn.py

@@ -1,3 +1,9 @@
+import boto3
+from botocore.exceptions import ClientError
+
+from logger import logger
+from vars import AWS_REGION, REDSHIFT_WORKGROUP
+
 try:
     client = boto3.client("redshift-serverless", region_name=AWS_REGION)
     response = client.get_workgroup(workgroupName=REDSHIFT_WORKGROUP)

structured-kb-demo/pyproject.toml

@@ -6,5 +6,7 @@ readme = "README.md"
 requires-python = ">=3.13"
 dependencies = [
     "boto3>=1.42.97",
+    "langchain-aws>=1.4.5",
+    "langgraph>=1.1.10",
     "python-dotenv>=1.2.2",
 ]

structured-kb-demo/setup_bedrock_kb.py

@@ -1,41 +1,103 @@
+import time
 import boto3
+from botocore.exceptions import ClientError
 
-from arns import BEDROCK_KB_IAM_ROLE_ARN, REDSHIFT_WORKGROUP_ARN
+from arns import BEDROCK_KB_IAM_ROLE_ARN
+from get_redshift_wg_arn import REDSHIFT_WORKGROUP_ARN
 from logger import logger
 from vars import AWS_REGION, BEDROCK_KB, GLUE_DB, S3_FOLDER
 
-GLUE_TABLE = S3_FOLDER
+GLUE_TABLE_FULL = f"{GLUE_DB}.{S3_FOLDER}"
 
 bedrock = boto3.client("bedrock-agent", region_name=AWS_REGION)
 
-bedrock.create_knowledge_base(
-    name=BEDROCK_KB,
-    roleArn=BEDROCK_KB_IAM_ROLE_ARN,
-    knowledgeBaseConfiguration={
-        "type": "STRUCTURED",
-        "sqlKnowledgeBaseConfiguration": {
-            "type": "REDSHIFT",
-            "redshiftConfiguration": {
-                "queryEngineConfiguration": {
-                    "type": "SERVERLESS",
-                    "serverlessConfiguration": {
-                        "workgroupArn": REDSHIFT_WORKGROUP_ARN,
-                        "authConfiguration": {
-                            "type": "IAM" 
-                        }
+def setup_structured_kb():
+    try:
+        logger.info(f"Creating Knowledge Base: {BEDROCK_KB}...")
+        kb_response = bedrock.create_knowledge_base(
+            name=BEDROCK_KB,
+            roleArn=BEDROCK_KB_IAM_ROLE_ARN,
+            knowledgeBaseConfiguration={
+                "type": "SQL",
+                "sqlKnowledgeBaseConfiguration": {
+                    "type": "REDSHIFT",
+                    "redshiftConfiguration": {
+                        "queryEngineConfiguration": {
+                            "type": "SERVERLESS",
+                            "serverlessConfiguration": {
+                                "workgroupArn": REDSHIFT_WORKGROUP_ARN,
+                                "authConfiguration": {"type": "IAM"}
+                            }
+                        },
+                        "storageConfigurations": [
+                            {
+                                "type": "AWS_DATA_CATALOG",
+                                "awsDataCatalogConfiguration": {
+                                    "tableNames": [GLUE_TABLE_FULL]
+                                }
+                            }
+                        ]
                     }
-                },
-                "storageConfigurations": [
-                    {
-                        "type": "AWS_DATA_CATALOG",
-                        "awsDataCatalogConfiguration": {
-                            "tableNames": [f"{GLUE_DB}.{GLUE_TABLE}"]
-                        }
-                    }
-                ]
+                }
+            }
+        )
+        kb_id = kb_response['knowledgeBase']['knowledgeBaseId']
+        logger.info(f"Successfully created KB with ID: {kb_id}")
+
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'ConflictException':
+            logger.info(f"KB {BEDROCK_KB} already exists. Fetching ID...")
+            # Logic to find existing ID
+            kbs = bedrock.list_knowledge_bases(maxResults=100)['knowledgeBaseSummaries']
+            kb_id = next(kb['knowledgeBaseId'] for kb in kbs if kb['name'] == BEDROCK_KB)
+        else:
+            raise e
+
+    try:
+        logger.info("Connecting Redshift Metadata Data Source...")
+        ds_response = bedrock.create_data_source(
+            knowledgeBaseId=kb_id,
+            name=f"{BEDROCK_KB}-metadata-source",
+            dataSourceConfiguration={
+                "type": "REDSHIFT_METADATA"
             }
-        }
-    }
-)
+        )
+        ds_id = ds_response['dataSource']['dataSourceId']
+        logger.info(f"Data Source Created: {ds_id}")
+
+    except ClientError as e:
+        if e.response['Error']['Code'] == 'ConflictException':
+            logger.info("Data Source already exists. Fetching ID...")
+            sources = bedrock.list_data_sources(knowledgeBaseId=kb_id)['dataSourceSummaries']
+            ds_id = sources[0]['dataSourceId']
+        else:
+            raise e
+
+    # TRIGGER SYNC (INGESTION)
+    logger.info("Starting Metadata Ingestion Job (Sync)...")
+    ingest_response = bedrock.start_ingestion_job(
+        knowledgeBaseId=kb_id,
+        dataSourceId=ds_id
+    )
+    job_id = ingest_response['ingestionJob']['ingestionJobId']
+
+    # WAIT FOR SYNC
+    while True:
+        job = bedrock.get_ingestion_job(
+            knowledgeBaseId=kb_id,
+            dataSourceId=ds_id,
+            ingestionJobId=job_id
+        )
+        status = job['ingestionJob']['status']
+        logger.info(f"Sync Status: {status}")
+        
+        if status in ['COMPLETE', 'FAILED', 'STOPPED']:
+            if status == 'FAILED':
+                logger.error(f"Sync failed. Reasons: {job['ingestionJob'].get('failureReasons')}")
+            break
+        time.sleep(10)
+
+    logger.info("Knowledge Base is now fully ready for SQL queries.")
 
-logger.info(f"KB Created: {BEDROCK_KB} with Redshift Serverless as data source.")
+if __name__ == "__main__":
+    setup_structured_kb()

structured-kb-demo/setup_bedrock_kb_iam_policy.py

@@ -1,9 +1,12 @@
 import boto3
 import json
 
+from arns import S3_BUCKET_ARN
+from get_redshift_wg_arn import REDSHIFT_WORKGROUP_ARN
 from logger import logger
-from vars import AWS_ACCOUNT_ID, BEDROCK_KB_IAM_POLICY
+from vars import AWS_ACCOUNT_ID, AWS_REGION, BEDROCK_KB_IAM_POLICY, GLUE_DB, S3_BUCKET, S3_FOLDER
 
+GLUE_TABLE = S3_FOLDER
 iam = boto3.client("iam")
 
 # Define the policy document
@@ -32,15 +35,15 @@
                 "redshift-data:ExecuteStatement"
             ],
             "Resource": [
-                f"arn:aws:redshift-serverless:us-east-1:{AWS_ACCOUNT_ID}:workgroup/*"
+                REDSHIFT_WORKGROUP_ARN
             ]
         },
         {
             "Sid": "RedshiftServerlessGetCredentials",
             "Effect": "Allow",
             "Action": "redshift-serverless:GetCredentials",
             "Resource": [
-                f"arn:aws:redshift-serverless:us-east-1:{AWS_ACCOUNT_ID}:workgroup/*"
+                REDSHIFT_WORKGROUP_ARN
             ]
         },
         {
@@ -61,6 +64,35 @@
                 "bedrock:GenerateQuery"
             ],
             "Resource": "*"
+        },
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "glue:GetDatabases",
+                "glue:GetDatabase",
+                "glue:GetTables",
+                "glue:GetTable",
+                "glue:GetPartitions",
+                "glue:GetPartition",
+                "glue:SearchTables"
+            ],
+            "Resource": [
+                f"arn:aws:glue:{AWS_REGION}:{AWS_ACCOUNT_ID}:table/{GLUE_DB}/{GLUE_TABLE}",
+                f"arn:aws:glue:{AWS_REGION}:{AWS_ACCOUNT_ID}:database/{GLUE_DB}",
+                f"arn:aws:glue:{AWS_REGION}:{AWS_ACCOUNT_ID}:catalog"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:GetObject"
+            ],
+            "Resource": [
+                f"{S3_BUCKET_ARN}",
+                f"{S3_BUCKET_ARN}/*"
+            ]
         }
     ]
 }
@@ -76,6 +108,17 @@
     logger.info(f"Successfully created policy!")
 
 except iam.exceptions.EntityAlreadyExistsException:
-    logger.info(f"Policy already exists.")
+    logger.info(f"Policy already exists, updating it.")
+    # Get the policy ARN
+    policies = iam.list_policies(Scope='Local')
+    policy_arn = next(p['Arn'] for p in policies['Policies'] if p['PolicyName'] == BEDROCK_KB_IAM_POLICY)
+    
+    # Create a new version and set it as default
+    iam.create_policy_version(
+        PolicyArn=policy_arn,
+        PolicyDocument=json.dumps(policy_document),
+        SetAsDefault=True
+    )
+    logger.info(f"Successfully updated policy!")
 except Exception as e:
     logger.error(f"An error occurred: {e}")

structured-kb-demo/setup_bedrock_kb_user_on_redshift.py

@@ -0,0 +1,42 @@
+import time
+
+import boto3
+
+from logger import logger
+from vars import AWS_REGION, BEDROCK_KB_IAM_ROLE, GLUE_DB, REDSHIFT_WORKGROUP
+
+redshift_user = f"IAMR:{BEDROCK_KB_IAM_ROLE}"
+
+# Initialize Redshift Data Client
+client = boto3.client("redshift-data", region_name=AWS_REGION)
+
+# Define the SQL commands
+sql_statements = [
+    f'CREATE USER "{redshift_user}" WITH PASSWORD DISABLE;',
+    f'GRANT USAGE ON DATABASE awsdatacatalog TO "IAMR:StructKbIamRole";',
+]
+
+try:
+    # Execute as a batch
+    response = client.batch_execute_statement(
+        WorkgroupName=REDSHIFT_WORKGROUP,
+        Database="awsdatacatalog",
+        Sqls=sql_statements
+    )
+    
+    execution_id = response['Id']
+    logger.info(f"Execution started. ID: {execution_id}")
+
+    # (Optional) Wait for completion
+    while True:
+        status = client.describe_statement(Id=execution_id)
+        state = status['Status']
+        if state in ['FINISHED', 'FAILED', 'ABORTED']:
+            logger.info(f"Final Status: {state}")
+            if state == 'FAILED':
+                logger.error(f"Error: {status.get('Error')}")
+            break
+        time.sleep(2)
+
+except Exception as e:
+    logger.error(f"Failed to execute: {e}")