aws-samples
diff --git a/‎docs/en/DEPLOY_OPTION.md
Lines changed: 72 additions & 5 deletions b/‎docs/en/DEPLOY_OPTION.md
Lines changed: 72 additions & 5 deletions
diff --git a/‎docs/ja/DEPLOY_OPTION.md
Lines changed: 72 additions & 5 deletions b/‎docs/ja/DEPLOY_OPTION.md
Lines changed: 72 additions & 5 deletions
diff --git a/‎packages/cdk/lambda/getFileDownloadSignedUrl.ts
Lines changed: 10 additions & 3 deletions b/‎packages/cdk/lambda/getFileDownloadSignedUrl.ts
Lines changed: 10 additions & 3 deletions
diff --git a/‎packages/cdk/lambda/repositoryVideoJob.ts
Lines changed: 2 additions & 2 deletions b/‎packages/cdk/lambda/repositoryVideoJob.ts
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/cdk/lambda/retrieveKnowledgeBase.ts
Lines changed: 6 additions & 13 deletions b/‎packages/cdk/lambda/retrieveKnowledgeBase.ts
Lines changed: 6 additions & 13 deletions
diff --git a/‎packages/cdk/lambda/speechToSpeechTask.ts
Lines changed: 6 additions & 4 deletions b/‎packages/cdk/lambda/speechToSpeechTask.ts
Lines changed: 6 additions & 4 deletions
@@ -1778,10 +1778,16 @@ To use Bedrock from a different AWS account, you need to create one IAM role in
 - `GenerativeAiUseCasesStack-APIPredictService`
 - `GenerativeAiUseCasesStack-APIPredictStreamService`
 - `GenerativeAiUseCasesStack-APIGenerateImageService`
+- `GenerativeAiUseCasesStack-APIGenerateVideoService`
+- `GenerativeAiUseCasesStack-APIListVideoJobsService`
+- `GenerativeAiUseCasesStack-SpeechToSpeechTaskService`
+- `GenerativeAiUseCasesStack-RagKnowledgeBaseRetrieve` (Only when using Knowledge Base)
+- `GenerativeAiUseCasesStack-APIGetFileDownloadSigned` (Only when using Knowledge Base)
 
 For details on how to specify Principals, refer to: [AWS JSON Policy Elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)
 
-Principal configuration example (set in the different account)
+<details>
+  <summary>Principal configuration example (set in the different account)</summary>
 
 ```json
 {
@@ -1794,20 +1800,77 @@ Principal configuration example (set in the different account)
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictTitleServiceXXX-XXXXXXXXXXXX",
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictServiceXXXXXXXX-XXXXXXXXXXXX",
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictStreamServiceXX-XXXXXXXXXXXX",
-          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateImageServiceXX-XXXXXXXXXXXX"
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateImageServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateVideoServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIListVideoJobsServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-SpeechToSpeechTaskService-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-RagKnowledgeBaseRetrieveX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGetFileDownloadSignedU-XXXXXXXXXXXX"
         ]
       },
-      "Action": "sts:AssumeRole",
-      "Condition": {}
+      "Action": "sts:AssumeRole"
     }
   ]
 }
 ```
 
+</details>
+
+<details>
+  <summary>Policy configuration example (set in the different account)</summary>
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowBedrockInvokeModel",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:Rerank",
+        "bedrock:GetInferenceProfile",
+        "bedrock:GetAsyncInvoke",
+        "bedrock:ListAsyncInvokes"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "AllowS3PutObjectToVideoTempBucket",
+      "Effect": "Allow",
+      "Action": ["s3:PutObject"],
+      "Resource": ["arn:aws:s3:::<video-temp-bucket-name>/*"]
+    },
+    {
+      "Sid": "AllowBedrockRetrieveFromKnowledgeBase",
+      "Effect": "Allow",
+      "Action": ["bedrock:RetrieveAndGenerate*", "bedrock:Retrieve*"],
+      "Resource": [
+        "arn:aws:bedrock:<region>:<account-id>:knowledge-base/<knowledge-base-id>"
+      ]
+    },
+    {
+      "Sid": "AllowS3GetPresignedUrl",
+      "Effect": "Allow",
+      "Action": ["s3:GetObject*"],
+      "Resource": ["arn:aws:s3:::<knowledge-base-datasource-bucket-name>/*"]
+    }
+  ]
+}
+```
+
+</details>
+
 Set the following parameter:
 
 - `crossAccountBedrockRoleArn` ... The ARN of the IAM role created in advance in the different account
 
+When using Knowledge Base, you'll need to include these additional parameters:
+
+- `ragKnowledgeBaseEnabled` ... Set to `true` to enable Knowledge Base
+- `ragKnowledgeBaseId` ... Knowledge Base ID created in advance in the different account
+  - Knowledge Base must exist in the `modelRegion`
+
 **Edit [parameter.ts](/packages/cdk/parameter.ts)**
 
 ```typescript
@@ -1816,6 +1879,8 @@ const envs: Record<string, Partial<StackInput>> = {
   dev: {
     crossAccountBedrockRoleArn:
       'arn:aws:iam::AccountID:role/PreCreatedRoleName',
+    ragKnowledgeBaseEnabled: true, // Only when using Knowledge Base
+    ragKnowledgeBaseId: 'XXXXXXXXXX', // Only when using Knowledge Base
   },
 };
 ```
@@ -1826,7 +1891,9 @@ const envs: Record<string, Partial<StackInput>> = {
 // cdk.json
 {
   "context": {
-    "crossAccountBedrockRoleArn": "arn:aws:iam::AccountID:role/PreCreatedRoleName"
+    "crossAccountBedrockRoleArn": "arn:aws:iam::AccountID:role/PreCreatedRoleName",
+    "ragKnowledgeBaseEnabled": true, // Only when using Knowledge Base
+    "ragKnowledgeBaseId": "XXXXXXXXXX" // Only when using Knowledge Base
   }
 }
 ```
 
@@ -1785,10 +1785,16 @@ const envs: Record<string, Partial<StackInput>> = {
 - `GenerativeAiUseCasesStack-APIPredictService`
 - `GenerativeAiUseCasesStack-APIPredictStreamService`
 - `GenerativeAiUseCasesStack-APIGenerateImageService`
+- `GenerativeAiUseCasesStack-APIGenerateVideoService`
+- `GenerativeAiUseCasesStack-APIListVideoJobsService`
+- `GenerativeAiUseCasesStack-SpeechToSpeechTaskService`
+- `GenerativeAiUseCasesStack-RagKnowledgeBaseRetrieve` (Knowledge Base 利用時のみ)
+- `GenerativeAiUseCasesStack-APIGetFileDownloadSigned` (Knowledge Base 利用時のみ)
 
 Principal の指定方法について詳細を確認したい場合はこちらを参照ください: [AWS JSON ポリシーの要素: Principal](https://docs.aws.amazon.com/ja_jp/IAM/latest/UserGuide/reference_policies_elements_principal.html)
 
-Principal 設定例 (別アカウントにて設定)
+<details>
+  <summary>Principal 設定例 (別アカウントにて設定)</summary>
 
 ```json
 {
@@ -1801,20 +1807,77 @@ Principal 設定例 (別アカウントにて設定)
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictTitleServiceXXX-XXXXXXXXXXXX",
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictServiceXXXXXXXX-XXXXXXXXXXXX",
           "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIPredictStreamServiceXX-XXXXXXXXXXXX",
-          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateImageServiceXX-XXXXXXXXXXXX"
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateImageServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGenerateVideoServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIListVideoJobsServiceXX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-SpeechToSpeechTaskService-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-RagKnowledgeBaseRetrieveX-XXXXXXXXXXXX",
+          "arn:aws:iam::111111111111:role/GenerativeAiUseCasesStack-APIGetFileDownloadSignedU-XXXXXXXXXXXX"
         ]
       },
-      "Action": "sts:AssumeRole",
-      "Condition": {}
+      "Action": "sts:AssumeRole"
     }
   ]
 }
 ```
 
+</details>
+
+<details>
+  <summary>ポリシー設定例 (別アカウントにて設定)</summary>
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "AllowBedrockInvokeModel",
+      "Effect": "Allow",
+      "Action": [
+        "bedrock:InvokeModel*",
+        "bedrock:Rerank",
+        "bedrock:GetInferenceProfile",
+        "bedrock:GetAsyncInvoke",
+        "bedrock:ListAsyncInvokes"
+      ],
+      "Resource": ["*"]
+    },
+    {
+      "Sid": "AllowS3PutObjectToVideoTempBucket",
+      "Effect": "Allow",
+      "Action": ["s3:PutObject"],
+      "Resource": ["arn:aws:s3:::<video-temp-bucket-name>/*"]
+    },
+    {
+      "Sid": "AllowBedrockRetrieveFromKnowledgeBase",
+      "Effect": "Allow",
+      "Action": ["bedrock:RetrieveAndGenerate*", "bedrock:Retrieve*"],
+      "Resource": [
+        "arn:aws:bedrock:<region>:<account-id>:knowledge-base/<knowledge-base-id>"
+      ]
+    },
+    {
+      "Sid": "AllowS3GetPresignedUrl",
+      "Effect": "Allow",
+      "Action": ["s3:GetObject*"],
+      "Resource": ["arn:aws:s3:::<knowledge-base-datasource-bucket-name>/*"]
+    }
+  ]
+}
+```
+
+</details>
+
 パラメータには以下の値を設定します。
 
 - `crossAccountBedrockRoleArn` ... 別アカウントで事前に作成した IAM ロールの ARN です
 
+Knowledge Base を利用する場合は、下記パラメーターも指定します。
+
+- `ragKnowledgeBaseEnabled` ... Knowledge Base を有効化する場合は `true` とします
+- `ragKnowledgeBaseId` ... 別アカウントに事前構築した Knowledge Base の ID です
+  - Knowledge Base は `modelRegion` に存在する必要があります
+
 **[parameter.ts](/packages/cdk/parameter.ts) を編集**
 
 ```typescript
@@ -1823,6 +1886,8 @@ const envs: Record<string, Partial<StackInput>> = {
   dev: {
     crossAccountBedrockRoleArn:
       'arn:aws:iam::アカウントID:role/事前に作成したロール名',
+    ragKnowledgeBaseEnabled: true, // Knowledge Base を利用する場合のみ
+    ragKnowledgeBaseId: 'XXXXXXXXXX', // Knowledge Base を利用する場合のみ
   },
 };
 ```
@@ -1833,7 +1898,9 @@ const envs: Record<string, Partial<StackInput>> = {
 // cdk.json
 {
   "context": {
-    "crossAccountBedrockRoleArn": "arn:aws:iam::アカウントID:role/事前に作成したロール名"
+    "crossAccountBedrockRoleArn": "arn:aws:iam::アカウントID:role/事前に作成したロール名",
+    "ragKnowledgeBaseEnabled": true, // Knowledge Base を利用する場合のみ
+    "ragKnowledgeBaseId": "XXXXXXXXXX" // Knowledge Base を利用する場合のみ
   }
 }
 ```
 
@@ -2,16 +2,23 @@ import { APIGatewayProxyEvent, APIGatewayProxyResult } from 'aws-lambda';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { GetObjectCommand, S3Client } from '@aws-sdk/client-s3';
 import { GetFileDownloadSignedUrlRequest } from 'generative-ai-use-cases';
+import { initKnowledgeBaseS3Client } from './utils/bedrockClient';
+
+const MODEL_REGION = process.env.MODEL_REGION as string;
 
 export const handler = async (
   event: APIGatewayProxyEvent
 ): Promise<APIGatewayProxyResult> => {
   try {
     const req = event.queryStringParameters as GetFileDownloadSignedUrlRequest;
 
-    const client = new S3Client({
-      region: req.region,
-    });
+    // We pass `s3Type` parameter since Knowledge Base may need to reference S3 in a different account
+    const client =
+      req.s3Type === 'knowledgeBase'
+        ? await initKnowledgeBaseS3Client({
+            region: req.region ?? MODEL_REGION,
+          })
+        : new S3Client({ region: req.region });
     const command = new GetObjectCommand({
       Bucket: req.bucketName,
       Key: req.filePrefix,
 
@@ -15,13 +15,13 @@ import {
   GetAsyncInvokeCommand,
   ValidationException,
 } from '@aws-sdk/client-bedrock-runtime';
-import { initBedrockClient } from './utils/bedrockApi';
 import { CopyVideoJobParams } from './copyVideoJob';
 import {
   LambdaClient,
   InvokeCommand,
   InvocationType,
 } from '@aws-sdk/client-lambda';
+import { initBedrockRuntimeClient } from './utils/bedrockClient';
 
 const BUCKET_NAME: string = process.env.BUCKET_NAME!;
 const TABLE_NAME: string = process.env.TABLE_NAME!;
@@ -90,7 +90,7 @@ const checkAndUpdateJob = async (
   job: VideoJob
 ): Promise<'InProgress' | 'Completed' | 'Failed' | 'Finalizing'> => {
   try {
-    const client = await initBedrockClient(job.region);
+    const client = await initBedrockRuntimeClient({ region: job.region });
     const command = new GetAsyncInvokeCommand({
       invocationArn: job.invocationArn,
     });
 
@@ -1,12 +1,10 @@
 import * as lambda from 'aws-lambda';
-import {
-  BedrockAgentRuntimeClient,
-  RetrieveCommand,
-} from '@aws-sdk/client-bedrock-agent-runtime';
+import { RetrieveCommand } from '@aws-sdk/client-bedrock-agent-runtime';
 import { RetrieveKnowledgeBaseRequest } from 'generative-ai-use-cases';
+import { initBedrockAgentRuntimeClient } from './utils/bedrockClient';
 
 const KNOWLEDGE_BASE_ID = process.env.KNOWLEDGE_BASE_ID;
-const MODEL_REGION = process.env.MODEL_REGION;
+const MODEL_REGION = process.env.MODEL_REGION as string;
 
 exports.handler = async (
   event: lambda.APIGatewayProxyEvent
@@ -25,23 +23,18 @@ exports.handler = async (
     };
   }
 
-  const kb = new BedrockAgentRuntimeClient({
-    region: MODEL_REGION,
-  });
+  const client = await initBedrockAgentRuntimeClient({ region: MODEL_REGION });
   const retrieveCommand = new RetrieveCommand({
     knowledgeBaseId: KNOWLEDGE_BASE_ID,
-    retrievalQuery: {
-      text: query,
-    },
+    retrievalQuery: { text: query },
     retrievalConfiguration: {
       vectorSearchConfiguration: {
         numberOfResults: 10,
         overrideSearchType: 'HYBRID',
       },
     },
   });
-
-  const retrieveRes = await kb.send(retrieveCommand);
+  const retrieveRes = await client.send(retrieveCommand);
 
   return {
     statusCode: 200,
 
@@ -3,7 +3,6 @@ import { events, EventsChannel } from 'aws-amplify/data';
 import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
 import { randomUUID } from 'crypto';
 import {
-  BedrockRuntimeClient,
   InvokeModelWithBidirectionalStreamCommand,
   InvokeModelWithBidirectionalStreamInput,
   InvokeModelWithBidirectionalStreamCommandOutput,
@@ -15,9 +14,12 @@ import {
   SpeechToSpeechEvent,
   Model,
 } from 'generative-ai-use-cases';
+import { initBedrockRuntimeClient } from './utils/bedrockClient';
 
 Object.assign(global, { WebSocket: require('ws') });
 
+const MODEL_REGION = process.env.MODEL_REGION as string;
+
 const MAX_AUDIO_INPUT_QUEUE_SIZE = 200;
 const MIN_AUDIO_OUTPUT_QUEUE_SIZE = 10;
 const MAX_AUDIO_OUTPUT_PER_BATCH = 20;
@@ -422,8 +424,8 @@ export const handler = async (event: { channelId: string; model: Model }) => {
 
     console.log('promptName', promptName);
 
-    const bedrock = new BedrockRuntimeClient({
-      region: event.model.region,
+    const bedrockRuntimeClient = await initBedrockRuntimeClient({
+      region: event.model.region ?? MODEL_REGION,
       requestHandler: new NodeHttp2Handler({
         requestTimeout: 300000,
         sessionTimeout: 300000,
@@ -514,7 +516,7 @@ export const handler = async (event: { channelId: string; model: Model }) => {
 
     console.log('Async iterator created');
 
-    const response = await bedrock.send(
+    const response = await bedrockRuntimeClient.send(
       new InvokeModelWithBidirectionalStreamCommand({
         modelId: event.model.modelId,
         body: asyncIterator,