I regularly use Claude Code with pay-as-you-go Bedrock API calls. It's awesome! Here are some things to check:
- Check the exact model ID Claude Code is requesting
Claude Code may be calling a model ID that doesn't match what you've enabled. For example, it might request anthropic.claude-sonnet-4-20250514-v1:0 but you only enabled an older Sonnet version. In the Bedrock console under Model Access, verify the exact model IDs that are active — not just the friendly names.
- Verify IAM permissions include bedrock:InvokeModel (not just console access)
AmazonBedrockFullAccess should cover this, but confirm there's no SCP (Service Control Policy) or permissions boundary at the organization level blocking bedrock:InvokeModel* actions. Test directly:
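```
# AWS CLI v2 treats --body as base64 by default; --cli-binary-format raw-in-base64-out
# lets it accept the raw JSON below.
aws bedrock-runtime invoke-model \
  --model-id anthropic.claude-sonnet-4-20250514-v1:0 \
  --region us-east-1 \
  --content-type application/json \
  --accept application/json \
  --cli-binary-format raw-in-base64-out \
  --body '{"anthropic_version":"bedrock-2023-05-31","max_tokens":100,"messages":[{"role":"user","content":"Hello"}]}' \
  output.json
```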
If this fails with AccessDenied, the issue is IAM/SCP — not Claude Code.
- Check for Organization SCPs
If this account is part of an AWS Organization, there may be a Service Control Policy denying Bedrock access. This overrides any IAM policy on the user. Check with your org admin.
- Region mismatch
Ensure the region where you enabled model access matches AWS_REGION=us-east-1 exactly. Model access is region-specific.
- Confirm the profile/credentials being used
Run aws sts get-caller-identity to verify Claude Code is actually using the claude-code-user credentials and not a different profile or role. If you have multiple profiles in ~/.aws/credentials, Claude Code might pick up the default rather than the intended one. You can explicitly set:
```
export AWS_PROFILE=your-profile-name
export AWS_REGION=us-east-1
export CLAUDE_CODE_USE_BEDROCK=1
```
- Model access propagation delay
After enabling model access, it can take a few minutes to propagate. If you just enabled the models, wait 5-10 minutes and retry.
Most likely cause: Either an Organization SCP is blocking Bedrock invocations, or Claude Code is requesting a model ID you haven't explicitly enabled. Start with the aws bedrock-runtime invoke-model test above — that will isolate whether the problem is in your AWS permissions or in Claude Code's configuration.
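As an added illustration (not part of the answer above and not AWS's evaluation code), this sketch models why an SCP or permissions boundary can block bedrock:InvokeModel* even when the user's own policy allows all Bedrock actions. The policy documents are constructed samples, and the model is simplified: it matches on Action only and ignores Resource, Condition, NotAction, session policies and resource-based policies.

```python
from fnmatch import fnmatchcase

def _matches(statement, action):
    """True if any Action pattern in the statement covers the action (case-insensitive)."""
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _effects(policy, action):
    """Set of effects ('Allow' / 'Deny') the policy applies to the action."""
    return {s["Effect"] for s in policy["Statement"] if _matches(s, action)}

def evaluate(action, identity, scp=None, boundary=None):
    """Simplified evaluation: an explicit Deny in any layer wins; otherwise
    every layer that is present must contain a matching Allow."""
    layers = []
    if scp is not None:
        layers.append(("SCP", scp))
    if boundary is not None:
        layers.append(("permissions boundary", boundary))
    layers.append(("identity policy", identity))
    for name, policy in layers:
        if "Deny" in _effects(policy, action):
            return f"explicit deny in {name}"
    for name, policy in layers:
        if "Allow" not in _effects(policy, action):
            return f"implicit deny: no allow in {name}"
    return "allowed"

# Constructed sample policies (assumptions, not copies of real managed policies).
IDENTITY_ALLOW_BEDROCK = {"Statement": [{"Effect": "Allow", "Action": "bedrock:*"}]}
SCP_DENY_INVOKE = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": "bedrock:InvokeModel*"},
]}
BOUNDARY_READ_ONLY = {"Statement": [
    {"Effect": "Allow", "Action": ["bedrock:List*", "bedrock:Get*"]},
]}

if __name__ == "__main__":
    for act in ("bedrock:ListFoundationModels", "bedrock:InvokeModel",
                "bedrock:InvokeModelWithResponseStream"):
        print(act, "->", evaluate(act, IDENTITY_ALLOW_BEDROCK, scp=SCP_DENY_INVOKE))
```

With the sample SCP, listing models still succeeds while both invoke actions are denied, which is the "console works but invocation fails" pattern the checks above are meant to isolate.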
Hello.
Is it possible to use Claude to chat in the Playground from the Bedrock console?
https://docs.aws.amazon.com/bedrock/latest/userguide/playgrounds.html
As described in the post at the following URL, there may be restrictions that are automatically applied to new accounts with no payment history.
https://repost.aws/questions/QULXR6KB3KTmGN-3J3maUauA/validationexception-operation-not-allowed-when-invoking-amazon-bedrock-model-in-playground#ANu2UuxaBlRuaqq1Yt-KtfSw
If your AWS account is subject to the restrictions mentioned above, you will likely need to contact AWS Support for assistance.
Inquiries under "Account and billing" can be made free of charge.
https://console.aws.amazon.com/support
