
ValidationException: Operation not allowed for ALL bedrock-runtime invocations on AISPL account

0

  • Region tested: us-east-1 and ap-south-1
  • Account type: AISPL India
  • AWS Activate credits: Yes ($1000, Bedrock in eligible services list)

Problem: Every bedrock-runtime Converse call returns: "ValidationException: Operation not allowed"

Tested models:

  • amazon.nova-pro-v1:0
  • amazon.nova-micro-v1:0
  • meta.llama3-8b-instruct-v1:0

What works fine:

  • bedrock:ListFoundationModels ✅
  • STS get-caller-identity ✅

What I've already checked/ruled out:

  • IAM: AmazonBedrockFullAccess attached ✅
  • AWS Organizations: Not in any org, no SCPs ✅
  • Payment method: Added with autopay ✅
  • Marketplace permissions: Added inline policy ✅
  • Model access page: Shows "retired, models auto-enabled" ✅

This appears to be a backend account-level block specific to AISPL accounts on bedrock-runtime invocations. Has anyone resolved this? Did AWS Support fix it on their backend?

Asked a month ago, 69 views
1 answer
0

The "ValidationException: Operation not allowed" error you're experiencing with Amazon Bedrock runtime invocations on your AISPL (Amazon Internet Services Private Limited) India account appears to be related to permissions for AWS Marketplace model subscriptions, which is a common cause of access issues with Bedrock models.

Even though you have AmazonBedrockFullAccess attached and can list foundation models successfully, you need to ensure your IAM policy explicitly includes permissions for both model invocation AND AWS Marketplace subscription actions. The fact that the Model access page shows "retired, models auto-enabled" suggests the models may need proper activation.

Here are the key steps to resolve this:

  1. Verify IAM Policy Permissions: Ensure your IAM role or user has an explicit policy that allows both bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream actions on the specific model ARNs you're trying to use. The policy should look like:
       • Action: bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream
       • Resource: The ARN of your foundation models (e.g., arn:aws:bedrock:*::foundation-model/amazon.nova-pro-v1:0)

  2. AWS Marketplace Activation: For AISPL accounts, there may be additional requirements around AWS Marketplace model activation. Your administrator may need to explicitly activate these models at the account level through API calls before they can be invoked.

  3. Contact AWS Support: Given that this appears to be specific to AISPL accounts and you've already verified standard permissions, this may require AWS Support intervention to enable Bedrock runtime operations on your AISPL account backend. AISPL accounts sometimes have different service availability or activation requirements compared to standard AWS accounts.

The issue is likely not a bug but rather a permissions or account activation requirement specific to how Bedrock integrates with AWS Marketplace on AISPL accounts.
Sources
Resolve Amazon Bedrock serverless foundation model access denied errors | AWS re:Post

Answered a month ago
Expert
Reviewed a month ago
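
One way to run the step 1 policy check offline, as an added example that is not part of the answer above and not AWS tooling: a simplified evaluator for identity-based policy documents that reports whether each of the two invoke actions is allowed on a model's ARN. The function names and sample policies are constructed for illustration; statements that use Condition, NotAction or NotResource are skipped and need manual review.

```python
import re

# The two actions named in step 1 of the answer.
REQUIRED_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")

def _as_list(value):
    # IAM accepts a single string/object or a list for these policy elements.
    return value if isinstance(value, list) else [value]

def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one action/resource.

    Assumption: only plain Effect/Action/Resource statements are evaluated.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.keys() & {"Condition", "NotAction", "NotResource"}:
                continue  # out of scope for this sketch: review by hand
            # Action names are case-insensitive; resource ARNs are not.
            hit = (any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
                   and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))))
            if hit and stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            if hit and stmt.get("Effect") == "Allow":
                decision = "Allow"
    return decision

def check_invoke_access(policies, model_id, region="us-east-1"):
    # Foundation-model ARNs have an empty account field.
    arn = f"arn:aws:bedrock:{region}::foundation-model/{model_id}"
    return {action: evaluate(policies, action, arn) for action in REQUIRED_ACTIONS}

# Constructed sample: allows listing and non-streaming invoke on one model only.
NARROW = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["bedrock:ListFoundationModels", "bedrock:InvokeModel"],
    "Resource": "arn:aws:bedrock:*::foundation-model/amazon.nova-pro-v1:0"}]}
# Constructed sample: a blanket deny on every invoke action.
DENY_INVOKE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "bedrock:Invoke*", "Resource": "*"}}

if __name__ == "__main__":
    for model in ("amazon.nova-pro-v1:0", "amazon.nova-micro-v1:0"):
        print(model, check_invoke_access([NARROW], model))
```

An "Allow" for both actions here only rules out the identity-policy cause; it says nothing about account-level activation, which is what steps 2 and 3 address.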
