Skip to content
By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

How do I resolve "Access denied" errors when I try to invoke serverless foundation models in Amazon Bedrock?

3 minute read
1

I want to resolve "Access denied" errors that I receive when I try to invoke serverless foundation models in Amazon Bedrock.

Short description

AWS Marketplace offers Amazon Bedrock foundation models that require a subscription before use.

If you don't have the required permissions, then you receive the following errors:

"Model access is denied due to IAM user or service role is not authorized to perform the required AWS Marketplace actions."

"Your AWS Marketplace subscription for this model cannot be completed at this time. If you recently fixed this issue, try again after 5 minutes."

To resolve this issue, allow automatic subscription when an AWS Identity and Access Management (IAM) role or user invokes the model. Or, you can activate the model through your administrator.

Note: For Anthropic models, if you're a first-time customer, then you must complete the First Time Use (FTU) form before you can invoke a model. To submit your use case details, use the Amazon Bedrock console or the PutUseCaseForModelAccess API operation. For more information, see Access Amazon Bedrock foundation models.

Resolution

Allow automatic subscription when you invoke the model

To allow automatic subscription to a serverless model from AWS Marketplace, create an IAM policy that allows model invocation and AWS Marketplace subscription actions.

Example IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowModel",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:*::inference-profile/your-inference-profile-id",
                "arn:aws:bedrock:*::foundation-model/your-foundation-model-id"
            ]
        },
        {
            "Sid": "AllowModelSubscription",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe",
                "aws-marketplace:Unsubscribe"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "aws-marketplace:ProductId": [
                        "your-marketplace-product-id"
                    ]
                },
                "StringEquals": {
                    "aws:CalledViaLast": "bedrock.amazonaws.com"
                }
            }
        }
    ]
}

Note: Replace your-inference-profile-id with your inference profile ID, your-foundation-model-id with your foundation model ID, and your-marketplace-product-id with your AWS Marketplace ID.

Attach the policy to an IAM role or user. When you invoke the model for the first time, the IAM policy automatically allows the AWS Marketplace subscription.

Activate models through your administrator

To activate models at your AWS account level, Make sure that your administrator has AWS Marketplace permissions. Then, to activate the models, the administrator can take one of the following actions:

After your administrator activates the AWS Marketplace models, make sure that the IAM users or roles have the required permissions to invoke the models.

Example IAM policy that allows the invocation of a model with an inference profile:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowMarketplaceModelInvocation",
            "Effect": "Allow",
            "Action": [
                "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": [
                "arn:aws:bedrock:*::inference-profile/replace-inference-profile-id",
                "arn:aws:bedrock:*::foundation-model/replace-foundation-model-id"
            ]
        }
    ]
}

Note: Replace your-inference-profile-id with your inference profile ID and your-foundation-model-id with your foundation model ID.

Test your access to AWS Marketplace models

To test whether you can access AWS Marketplace models, use the AWS SDK for Python Boto3 to make an API call to Amazon Bedrock runtime. Run a command similar to the following example:

import boto3
import json
bedrock = boto3.client(service_name='bedrock-runtime')
body = json.dumps({
    "anthropic_version": "bedrock-2023-05-31",
    "max_tokens": 1024,
    "messages": [
        {
            "role": "user",
            "content": "Say hello"
        }
    ]
})
modelId = 'us.anthropic.claude-haiku-4-5-20251001-v1:0'
response = bedrock.invoke_model(
    body=body,
    modelId=modelId
)
response_body = json.loads(response.get('body').read())
print(response_body)
Topics
Machine Learning & AIGenerative AI on AWS
Tags
Amazon Bedrock
Language
English
AWS OFFICIALUpdated 2 months ago
No comments

Relevant content