Stay up to date with the latest from the Knowledge Center. See all new Knowledge Center articles published in the last month, and re:Post's top contributors.
How do I resolve SCP conflicts that prevent access to Amazon Bedrock and related AWS Marketplace operations?
When I try to activate IAM user access to Amazon Bedrock foundation models, I get the "User is not authorized" error.
Resolution
If your AWS Organizations service control policy (SCP) has an explicit deny for AWS Marketplace actions, then you can't access your Amazon Bedrock foundation models. You might receive the following error:
"arn:aws:iam::123456789012:user/consoleUser is not authorized to perform: aws-marketplace:Subscribe on resource: * with an explicit deny in a service control policy."
To resolve this error, attach an IAM policy for your foundation models to your IAM role that allows the following AWS Marketplace actions:
- aws-marketplace:Subscribe
- aws-marketplace:Unsubscribe
- aws-marketplace:ViewSubscriptions
Then, modify or remove the explicit deny policy for the aws-marketplace:Subscribe API action request in your AWS Organizations SCP.
- Tags
- Amazon Bedrock
- Language
- English
Relevant content
- asked 3 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 2 months ago
