
Converse API to interact with Bedrock Prompt is throwing AccessDeniedException

0

I’m using ConverseAPI to invoke a prompt created in Bedrock Prompt Management. This prompt is being invoked from an ECS cluster with a role that has been granted the following permissions:

- "bedrock:InvokeModel"
- "bedrock:InvokeModelWithResponseStream"
- "bedrock:GetInferenceProfile"
- "bedrock:GetPrompt"

In the Resource field, I’ve tried specifying the exact prompt ARN, along with the foundational model and inference profile ARNs used by this prompt version:

- !Sub arn:aws:bedrock:eu-central-1:${AWS::AccountId}:prompt/<prompt_id>:4
- !Sub arn:aws:bedrock:eu-central-1:${AWS::AccountId}:inference-profile/eu.anthropic.claude-3-7-sonnet-20250219-v1:0
- arn:aws:bedrock:eu-central-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
- arn:aws:bedrock:eu-west-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
- arn:aws:bedrock:eu-north-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
- arn:aws:bedrock:eu-west-3::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0

I also tried setting "Resource": "*" and gave the role full Bedrock access, but I’m still getting the following error:

An error occurred (AccessDeniedException) when calling the Converse operation: Your account is not authorized to invoke this API operation with a prompt resource.

What am I missing in my IAM permissions?

3 Answers
0

Based on your error message, it appears you're missing specific permissions needed to use the Converse operation with a Bedrock managed prompt.

When working with Bedrock's Prompt Management feature and the Converse API, you need to include additional permissions beyond just the standard InvokeModel permissions. The error specifically mentions that your account is not authorized to invoke the Converse operation with a prompt resource.

Try adding these additional permissions to your IAM role:

- "bedrock:Converse"
- "bedrock:RenderPrompt"
- "bedrock:CreateInvocation"
- "bedrock:CreateSession"
- "bedrock:ListInvocations"
- "bedrock:ListSessions"
- "bedrock:GetSession"

Make sure these permissions apply to the appropriate resources. You can either specify the exact ARNs or use a wildcard ("*") for testing purposes.

Also, verify that you're using the correct prompt identifier in your code. The prompt identifier should be the 10-character alphanumeric code found in the ARN (the part after "prompt/" in your ARN). Some users have encountered issues when passing the name of the prompt instead of this identifier.

If you're still experiencing issues after adding these permissions, check your CloudTrail logs to see if there are any additional clues about what specific permission might be missing.
Sources:

- Bedrock InvokeModel/Converse with Managed Prompt - AccessDenied | AWS re:Post
- Bedrock Prompt Management - Access Denied | AWS re:Post

answered 8 months ago
0

The auto-generated answer is correct for adding bedrock:Converse and may also need bedrock:ConverseStream. However, can you check CloudTrail for a more detailed error message about what access is being denied, since this isn't an explicit deny?

You may also need more than the noted List and Get actions for foundation models:

- ListFoundationModels
- GetFoundationModels

AWS
answered 8 months ago
0

I got the same error message and only adding the "bedrock:RenderPrompt" action on the "arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:prompt/*" resource solved the issue.

As far as I could see, the other actions do not exist (converse uses invokeModel) or are only needed for Bedrock session management.

answered 5 months ago
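Putting the third answer's finding into a least-privilege task-role policy, as an added example that is not from the question or any of the answers: the invoke actions are scoped to the inference profile and the regional foundation models it can route to (the ARNs from the question), while GetPrompt and RenderPrompt are scoped to the single prompt version being invoked. The policy name and the <prompt_id> placeholder are assumptions; the regions and model ids are the ones in the question.

```yaml
# Added example: CloudFormation policy fragment for the ECS task role that
# calls Converse with a Bedrock managed prompt. Not the page's own code;
# the PolicyName is assumed and <prompt_id> is a placeholder.
Policies:
  - PolicyName: BedrockConverseWithManagedPrompt
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        # Converse is authorized as InvokeModel (per the third answer there
        # is no separate Converse action), so the model-side grant covers the
        # inference profile plus every regional foundation model it routes to.
        - Sid: InvokeThroughInferenceProfile
          Effect: Allow
          Action:
            - bedrock:InvokeModel
            - bedrock:InvokeModelWithResponseStream
            - bedrock:GetInferenceProfile
          Resource:
            - !Sub arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:inference-profile/eu.anthropic.claude-3-7-sonnet-20250219-v1:0
            - arn:aws:bedrock:eu-central-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
            - arn:aws:bedrock:eu-west-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
            - arn:aws:bedrock:eu-north-1::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
            - arn:aws:bedrock:eu-west-3::foundation-model/anthropic.claude-3-7-sonnet-20250219-v1:0
        # Passing a prompt ARN as modelId makes Bedrock fetch and render the
        # stored prompt, which is the RenderPrompt action the question's
        # policy lacked. It is evaluated against the prompt resource, not the
        # model, so granting it on the model ARNs (or only InvokeModel on the
        # prompt) still ends in AccessDeniedException.
        - Sid: UseManagedPrompt
          Effect: Allow
          Action:
            - bedrock:GetPrompt
            - bedrock:RenderPrompt
          Resource:
            - !Sub arn:aws:bedrock:${AWS::Region}:${AWS::AccountId}:prompt/<prompt_id>:4
```

The third answer's `prompt/*` resource also works, but it lets the task render every prompt in the account; pinning the prompt id and version keeps the grant to the one prompt the service actually invokes, and a denied RenderPrompt then shows up in CloudTrail against that exact ARN.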
