- Newest
- Most votes
- Most comments
Hello.
I've experienced a similar case in the past.
Even though it wasn't being denied by IAM or SCP, Bedrock wasn't activated, which prevented me from using it as an AWS service.
Inquiries to AWS Support regarding "Account and billing" are free of charge.
Please contact AWS support via the following URL.
When making an inquiry, I recommend selecting a category as shown in the image below.
https://support.console.aws.amazon.com/support/home#/
Incidentally, the "model access" mentioned in AWS re:Post Agent's AI-powered automated response feature has been discontinued and can no longer be used.
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html
https://aws.amazon.com/about-aws/whats-new/2025/10/amazon-bedrock-automatic-enablement-serverless-foundation-models/
Amazon Bedrock now provides immediate access to all serverless foundation models by default for users in all commercial AWS regions. This update eliminates the need for manually activating model access, allowing you to instantly start using these models through the Amazon Bedrock console playground, AWS SDK, and Amazon Bedrock features including Agents, Flows, Guardrails, Knowledge Bases, Prompt Management, and Evaluations.
Incidentally, when running a third-party model from Bedrock, the first time you run it, it may fail due to subscription issues.
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html
Understanding automatic model access When you invoke a third-party model for the first time in your account, Amazon Bedrock automatically initiates the subscription process in the background. During this setup period (up to 15 minutes), your API calls may succeed temporarily while the subscription is being finalized. If any prerequisites are missing, the subscription attempt fails and subsequent API calls will return AccessDeniedException. After granting the necessary permissions, it may take up to 2 minutes for the subscription to complete. During this time, API calls may continue to return AccessDeniedException. Once the subscription is complete, all subsequent invocations will succeed. To avoid this entirely, verify all prerequisites before invoking models in production.
Prerequisites for successful model access:
AWS Marketplace permissions: Your IAM role must have aws-marketplace:Subscribe, aws-marketplace:Unsubscribe, and aws-marketplace:ViewSubscriptions permissions. See Grant IAM permissions to request access to Amazon Bedrock foundation models with a product ID for details.
Anthropic models: For Anthropic models, you must complete the First Time Use (FTU) form before invoking the model.
Valid payment method: Your AWS account must have a valid payment method configured for AWS Marketplace purchases.
Yes, seems your AWS account has not yet been enabled for Bedrock model access. You may required to request Bedrock model access through AWS Support under “Account and billing,” which is free and does not require a paid support plan.
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html
I understand you're encountering a ValidationException with the message "Operation not allowed" when trying to use Amazon Bedrock, even with administrator access and proper IAM permissions.
This error typically indicates that Amazon Bedrock service access needs to be explicitly enabled in your AWS account before you can use it. Even though your IAM permissions and configurations are correct (as evidenced by it working in other accounts), each AWS account requires a one-time setup to activate Bedrock access.
To resolve this without a support plan, you should:
- Navigate to the Amazon Bedrock console in the AWS region where you want to use the service
- Look for a prompt or button to enable or activate Amazon Bedrock service access for your account
- Complete any required acknowledgments or terms of service
This is a self-service process that doesn't require AWS Support intervention. The fact that this is an older account (3+ years) that hasn't previously used Bedrock means this initial setup step hasn't been completed yet, even though the account is otherwise fully functional.
Additionally, ensure you've requested access to the specific foundation models you want to use through the Bedrock console, as model access must be requested on a per-account, per-region basis. This is separate from the initial service enablement and is also a self-service process available in the Bedrock console under "Model access."
Once you complete these setup steps, your existing IAM configurations and Terraform code should work as expected, just as they do in your other accounts.
Relevant content
- AWS OFFICIALUpdated a year ago
Thanks. I've opened this ticket and am waiting to hear back -- but I have done the initial acceptance of the antrhropic models at the main account level and they are all enabled and working fine on other accounts. Its just this one account.
If you have already contacted AWS support, I think it's best to wait for their response.