How do I troubleshoot the InvokeModel API error in Amazon Bedrock?

Resolution

When you call the InvokeModel API in Amazon Bedrock, you might encounter the Access Denied or Validation error. These errors occur when the API can't access the base model that it's trying to invoke. The error might also appear if your account doesn't have the required permissions to run the operation.

Model access errors

Error: "An error occurred (AccessDeniedException) when calling the InvokeModel operation: Your account is not authorized to invoke this API operation."
-or-
Error: "An error occurred (AccessDeniedException) when calling the InvokeModel operation: You don't have access to the model with the specified model ID."

These errors indicate that you don't have access to the model that you are trying to invoke with the API.

To resolve this issue, complete the following steps:

1. Make sure that the model is offered in the same AWS Region from where you invoke the API. For more information, see Model support by AWS Region.
2. Verify that Access status is set to Granted. For more information, see Add model access.
   Note: This is a one-time setup for an AWS Region.

AWS Identity and Access Management (IAM) permissions errors

Error: "AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeModel operation: User: <> is not authorized to perform: bedrock:InvokeModel on resource: <> with an explicit deny in an identity-based policy."
-or-
Error: "AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeModel operation: User: <> is not authorized to perform: bedrock:InvokeModel on resource: <> because no identity-based policy allows the bedrock:InvokeModel action."

These errors indicate that the IAM user or role that tried to invoke the API lacks the required permissions.

To resolve the error, verify that the following conditions are met:

1. The IAM user or role that's used to invoke this API has the necessary ALLOW action as shown below. For more information, see How Amazon Bedrock works with IAM.

   {
     "Version": "2012-10-17",
     "Statement": {
       "Sid": "AllowInference",
       "Effect": "Allow",
       "Action": [
         "bedrock:InvokeModel",
         "bedrock:InvokeModelWithResponseStream"
       ],
       "Resource": "arn:aws:bedrock:*::foundation-model/model-id"
     }
   }

2. Confirm that there's no explicit DENY action specified in your Service Control Policy (SCP) at the AWS Organizations level. A DENY action can affect permissions.

API action error

Error: "ValidationException: An error occurred (ValidationException) when calling the InvokeModel operation: The requested operation is not recognized by the service."

This error appears when you use the wrong API action.

To resolve this issue, specify bedrock-runtime as a service in your API call. For more information, see Actions and BedrockRuntime.

SDK version error

Error: "UnknownServiceError: Unknown service: 'bedrock-runtime"

This error appears when you use an incompatible Boto3 SDK version to call the InvokeModel API.

To resolve this issue, upgrade the boto3/botocore SDK to the latest version. For more information, see boto3/CHANGELOG.rst on the GitHub website.

Account restriction error

Error: "An error occurred (ValidationException) when calling the InvokeModel operation: Operation not allowed"

The error appears when your AWS account has a security restriction.

To resolve this issue, open a support case in AWS Support. For more information, see Creating a support case.