bedrock kb

Author: networkandcode

structured-kb-demo/.env.example

@@ -3,6 +3,10 @@ AWS_ACCESS_KEY_ID=
 AWS_REGION=
 AWS_SECRET_ACCESS_KEY=
 
+BEDROCK_KB=
+BEDROCK_KB_IAM_POLICY=
+BEDROCK_KB_IAM_ROLE=
+
 GLUE_CRAWLER=
 GLUE_CRAWLER_IAM_POLICY=
 GLUE_CRAWLER_IAM_ROLE=
@@ -13,6 +17,6 @@ REDSHIFT_NAMESPACE=
 REDSHIFT_WORKGROUP=
 
 S3_BUCKET=
-S3_BUCKET_FOLDER=
+S3_FOLDER=
 
 SQS_QUEUE=

structured-kb-demo/arns.py

@@ -1,17 +1,31 @@
+import boto3
+from botocore.exceptions import ClientError
+
+from logger import logger
 from vars import (
     AWS_ACCOUNT_ID,
     S3_BUCKET,
     GLUE_CRAWLER_IAM_POLICY,
     GLUE_CRAWLER_IAM_ROLE,
     REDSHIFT_IAM_ROLE,
+    REDSHIFT_WORKGROUP,
+    BEDROCK_KB_IAM_POLICY,
+    BEDROCK_KB_IAM_ROLE,
     AWS_REGION,
     SQS_QUEUE,
 )
 
 AWS_MANAGED_GLUE_IAM_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
 AWS_MANAGED_REDSHIFT_IAM_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonRedshiftAllCommandsFullAccess"
+
+BEDROCK_KB_IAM_POLICY_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:policy/{BEDROCK_KB_IAM_POLICY}"
+BEDROCK_KB_IAM_ROLE_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{BEDROCK_KB_IAM_ROLE}"
+
 S3_BUCKET_ARN = f"arn:aws:s3:::{S3_BUCKET}"
+
 GLUE_CRAWLER_IAM_POLICY_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:policy/{GLUE_CRAWLER_IAM_POLICY}"
 GLUE_CRAWLER_IAM_ROLE_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{GLUE_CRAWLER_IAM_ROLE}"
+
 SQS_QUEUE_ARN = f"arn:aws:sqs:{AWS_REGION}:{AWS_ACCOUNT_ID}:{SQS_QUEUE}"
+
 REDSHIFT_IAM_ROLE_ARN = f"arn:aws:iam::{AWS_ACCOUNT_ID}:role/{REDSHIFT_IAM_ROLE}"

structured-kb-demo/get_redshift_wg_arn.py

@@ -0,0 +1,7 @@
+try:
+    client = boto3.client("redshift-serverless", region_name=AWS_REGION)
+    response = client.get_workgroup(workgroupName=REDSHIFT_WORKGROUP)
+    REDSHIFT_WORKGROUP_ARN = response["workgroup"]["workgroupArn"]
+except ClientError as e:
+    logger.error(f"Error fetching Redshift workgroup ARN: {e.response["Error"]["Message"]}")
+    REDSHIFT_WORKGROUP_ARN = None

structured-kb-demo/run_glue_crawler.py

@@ -3,10 +3,10 @@
 import boto3
 
 from logger import logger
-from vars import CRAWLER, REGION
+from vars import GLUE_CRAWLER, AWS_REGION
 
 def run_glue_crawler(crawler_name):
-    glue = boto3.client("glue", region_name=REGION)
+    glue = boto3.client("glue", region_name=AWS_REGION)
 
     try:
         glue.start_crawler(Name=crawler_name)
@@ -31,4 +31,4 @@ def run_glue_crawler(crawler_name):
     except Exception as e:
         logger.error(f"Error: {str(e)}")
 
-run_glue_crawler(CRAWLER)
+run_glue_crawler(GLUE_CRAWLER)

structured-kb-demo/setup_bedrock_kb.py

@@ -0,0 +1,41 @@
+import boto3
+
+from arns import BEDROCK_KB_IAM_ROLE_ARN, REDSHIFT_WORKGROUP_ARN
+from logger import logger
+from vars import AWS_REGION, BEDROCK_KB, GLUE_DB, S3_FOLDER
+
+GLUE_TABLE = S3_FOLDER
+
+bedrock = boto3.client("bedrock-agent", region_name=AWS_REGION)
+
+bedrock.create_knowledge_base(
+    name=BEDROCK_KB,
+    roleArn=BEDROCK_KB_IAM_ROLE_ARN,
+    knowledgeBaseConfiguration={
+        "type": "STRUCTURED",
+        "sqlKnowledgeBaseConfiguration": {
+            "type": "REDSHIFT",
+            "redshiftConfiguration": {
+                "queryEngineConfiguration": {
+                    "type": "SERVERLESS",
+                    "serverlessConfiguration": {
+                        "workgroupArn": REDSHIFT_WORKGROUP_ARN,
+                        "authConfiguration": {
+                            "type": "IAM" 
+                        }
+                    }
+                },
+                "storageConfigurations": [
+                    {
+                        "type": "AWS_DATA_CATALOG",
+                        "awsDataCatalogConfiguration": {
+                            "tableNames": [f"{GLUE_DB}.{GLUE_TABLE}"]
+                        }
+                    }
+                ]
+            }
+        }
+    }
+)
+
+logger.info(f"KB Created: {BEDROCK_KB} with Redshift Serverless as data source.")

structured-kb-demo/setup_bedrock_kb_iam_policy.py

@@ -0,0 +1,81 @@
+import boto3
+import json
+
+from logger import logger
+from vars import AWS_ACCOUNT_ID, BEDROCK_KB_IAM_POLICY
+
+iam = boto3.client("iam")
+
+# Define the policy document
+policy_document = {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "RedshiftDataAPIStatementPermissions",
+            "Effect": "Allow",
+            "Action": [
+                "redshift-data:GetStatementResult",
+                "redshift-data:DescribeStatement",
+                "redshift-data:CancelStatement"
+            ],
+            "Resource": ["*"],
+            "Condition": {
+                "StringEquals": {
+                    "redshift-data:statement-owner-iam-userid": "${aws:userid}"
+                }
+            }
+        },
+        {
+            "Sid": "RedshiftDataAPIExecutePermissions",
+            "Effect": "Allow",
+            "Action": [
+                "redshift-data:ExecuteStatement"
+            ],
+            "Resource": [
+                f"arn:aws:redshift-serverless:us-east-1:{AWS_ACCOUNT_ID}:workgroup/*"
+            ]
+        },
+        {
+            "Sid": "RedshiftServerlessGetCredentials",
+            "Effect": "Allow",
+            "Action": "redshift-serverless:GetCredentials",
+            "Resource": [
+                f"arn:aws:redshift-serverless:us-east-1:{AWS_ACCOUNT_ID}:workgroup/*"
+            ]
+        },
+        {
+            "Sid": "SqlWorkbenchAccess",
+            "Effect": "Allow",
+            "Action": [
+                "sqlworkbench:GetSqlRecommendations",
+                "sqlworkbench:PutSqlGenerationContext",
+                "sqlworkbench:GetSqlGenerationContext",
+                "sqlworkbench:DeleteSqlGenerationContext"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "KbAccess",
+            "Effect": "Allow",
+            "Action": [
+                "bedrock:GenerateQuery"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+try:
+    # Create the policy
+    response = iam.create_policy(
+        PolicyName=BEDROCK_KB_IAM_POLICY,
+        PolicyDocument=json.dumps(policy_document),
+        Description="Permissions for Bedrock Structured KB to query Redshift Serverless."
+    )
+    
+    logger.info(f"Successfully created policy!")
+
+except iam.exceptions.EntityAlreadyExistsException:
+    logger.info(f"Policy already exists.")
+except Exception as e:
+    logger.error(f"An error occurred: {e}")

structured-kb-demo/setup_bedrock_kb_iam_role.py

@@ -0,0 +1,49 @@
+import boto3
+import json
+
+from arns import BEDROCK_KB_IAM_POLICY_ARN
+from logger import logger
+from vars import AWS_ACCOUNT_ID, AWS_REGION, BEDROCK_KB_IAM_ROLE
+
+iam = boto3.client("iam", region_name=AWS_REGION)
+
+trust_policy = {
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "TrustPolicyStatement",
+            "Effect": "Allow",
+            "Principal": {
+                "Service": "bedrock.amazonaws.com"
+            },
+            "Action": "sts:AssumeRole",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceAccount": AWS_ACCOUNT_ID
+                },
+                "ArnLike": {
+                    "aws:SourceArn": f"arn:aws:bedrock:{AWS_REGION}:{AWS_ACCOUNT_ID}:knowledge-base/*"
+                }
+            }
+        }
+    ]
+}
+
+try:
+    iam.create_role(
+        RoleName=BEDROCK_KB_IAM_ROLE,
+        AssumeRolePolicyDocument=json.dumps(trust_policy),
+        Description='IAM Role for Bedrock Knowledge Base to access Redshift Serverless'
+    )
+    logger.info(f"Created role: {BEDROCK_KB_IAM_ROLE}")
+
+    iam.attach_role_policy(
+        RoleName=BEDROCK_KB_IAM_ROLE,
+        PolicyArn=BEDROCK_KB_IAM_POLICY_ARN
+    )
+    logger.info(f"Attached IAM policy to BedrockKB IAM role.")
+
+except iam.exceptions.EntityAlreadyExistsException:
+    logger.warning(f"Role {BEDROCK_KB_IAM_ROLE} already exists.")
+except Exception as e:
+    logger.error(f"Error: {e}")

structured-kb-demo/setup_glue_crawler.py

@@ -1,22 +1,22 @@
 import boto3
 
-from arns import GLUE_CRAWLER_IAM_ROLE_ARN, QUEUE_ARN
+from arns import GLUE_CRAWLER_IAM_ROLE_ARN, SQS_QUEUE_ARN
 from logger import logger
-from vars import BUCKET, CRAWLER, DB, FOLDER
+from vars import  AWS_REGION, GLUE_CRAWLER, GLUE_DB, S3_BUCKET, S3_FOLDER
 
-S3_PATH = f"s3://{BUCKET}/{FOLDER}"
+S3_PATH = f"s3://{S3_BUCKET}/{S3_FOLDER}"
 
-glue = boto3.client("glue", region_name="us-east-1")
+glue = boto3.client("glue", region_name=AWS_REGION)
 
 CRAWLER_CONFIG = {
     "Role": GLUE_CRAWLER_IAM_ROLE_ARN,
-    "DatabaseName": DB,
+    "DatabaseName": GLUE_DB,
     "Description": "Crawler for inventory data triggered by SQS events",
     "Targets": {
         "S3Targets": [
             {
                 "Path": S3_PATH,
-                "EventQueueArn": QUEUE_ARN,
+                "EventQueueArn": SQS_QUEUE_ARN,
             }
         ]
     },
@@ -28,10 +28,10 @@
 }
 
 try:
-    glue.create_crawler(Name=CRAWLER, **CRAWLER_CONFIG)
+    glue.create_crawler(Name=GLUE_CRAWLER, **CRAWLER_CONFIG)
     logger.info("Crawler created successfully.")
 except glue.exceptions.AlreadyExistsException:
-    glue.update_crawler(Name=CRAWLER, **CRAWLER_CONFIG)
+    glue.update_crawler(Name=GLUE_CRAWLER, **CRAWLER_CONFIG)
     logger.info("Crawler already exists. Updated configuration successfully.")
 except Exception as e:
     logger.error(f"Error creating crawler: {e}")

structured-kb-demo/setup_glue_crawler_iam_policy.py

@@ -2,7 +2,7 @@
 
 import json
 
-from arns import BUCKET_ARN, GLUE_CRAWLER_IAM_POLICY_ARN, QUEUE_ARN
+from arns import S3_BUCKET_ARN, GLUE_CRAWLER_IAM_POLICY_ARN, SQS_QUEUE_ARN
 
 from logger import logger
 from vars import GLUE_CRAWLER_IAM_POLICY
@@ -19,7 +19,7 @@
                 "s3:ListBucket"
             ],
             "Resource": [
-                f"{BUCKET_ARN}/*"
+                f"{S3_BUCKET_ARN}/*"
             ]
         },
         {
@@ -32,7 +32,7 @@
                 "sqs:ReceiveMessage",
                 "sqs:SetQueueAttributes"
             ],
-            "Resource": QUEUE_ARN
+            "Resource": SQS_QUEUE_ARN
         },
     ]
 }

structured-kb-demo/setup_glue_crawler_iam_role.py

@@ -4,7 +4,7 @@
 
 from arns import AWS_MANAGED_GLUE_IAM_POLICY_ARN, GLUE_CRAWLER_IAM_POLICY_ARN
 from logger import logger
-from vars import ACCOUNT_ID, GLUE_CRAWLER_IAM_ROLE
+from vars import AWS_ACCOUNT_ID, GLUE_CRAWLER_IAM_ROLE
 
 iam = boto3.client("iam")
 
@@ -19,7 +19,7 @@
             "Action": "sts:AssumeRole",
             "Condition": {
                 "StringEquals": {
-                    "aws:SourceAccount": ACCOUNT_ID
+                    "aws:SourceAccount": AWS_ACCOUNT_ID
                 }
             }
         }