Hello.
Please check not only the IAM policy used by the IAM user but also the IAM policy of the IAM role used by the prompt flow.
If you also created an IAM role when creating a prompt flow from the management console, I think the appropriate IAM policy has been set, but please double check.
https://docs.aws.amazon.com/bedrock/latest/userguide/flows-permissions.html
You can check the IAM role used by Prompt Flow from the screen below.
If configured correctly, the IAM policy for executing InvokeModel should be set as shown in the image below.
Also, just to be sure, make sure that model access is enabled for the model you want to use in the region where you created the prompt flow.
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access-modify.html
In addition to verifying the above details, please make sure you validate the Trust Relationships section of the IAM role and see if there are added conditions defined with an existing flow ARN. This could mostly be the case if you are reusing the service role for your flow, which may have been created for some other flow. Look for something like this and change accordingly:
    "Condition": {
        "StringEquals": {
            "aws:SourceAccount": "<< Account>>"
        },
        "ArnLike": {
            // Verify if your flow is appearing here or remove the condition
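The trust-relationship check described in the answer above, as an added example that is not part of either answer or of AWS's own tooling: it evaluates a role's trust policy document offline and reports which condition stops the Bedrock service from assuming the role for a given flow. Assumptions: the ArnLike key is the global condition key `aws:SourceArn` (the snippet above is cut off before the key), only the two operators shown above are evaluated, and the account ID, flow IDs and policy are constructed samples.

```python
import re

def arn_like(pattern, arn):
    """IAM ArnLike: compare the six colon-separated ARN parts; * and ? are wildcards."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    if len(p) != 6 or len(a) != 6:
        return False
    def part(pat, val):
        rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
        return re.fullmatch(rx, val, re.S) is not None
    return all(part(x, y) for x, y in zip(p, a))

def as_list(v):
    return v if isinstance(v, list) else [v]

def trust_findings(policy, flow_arn, account_id):
    """Reasons the Bedrock service cannot assume the role for flow_arn ([] if it can)."""
    findings, seen = [], False
    for st in as_list(policy.get("Statement", [])):
        principal = st.get("Principal")
        services = as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if (st.get("Effect") != "Allow" or "bedrock.amazonaws.com" not in services
                or "sts:AssumeRole" not in as_list(st.get("Action", []))):
            continue
        seen, problems = True, []
        for op, block in st.get("Condition", {}).items():
            for key, allowed in block.items():
                k, allowed = key.lower(), as_list(allowed)  # condition keys are case-insensitive
                if op == "StringEquals" and k == "aws:sourceaccount" and account_id not in allowed:
                    problems.append(f"aws:SourceAccount {allowed} does not include {account_id}")
                if op == "ArnLike" and k == "aws:sourcearn" and not any(arn_like(x, flow_arn) for x in allowed):
                    problems.append(f"aws:SourceArn {allowed} does not match {flow_arn}")
        if not problems:
            return []  # this statement lets the flow assume the role
        findings += problems
    return findings if seen else ["no Allow statement for bedrock.amazonaws.com with sts:AssumeRole"]

# Constructed sample: a service role reused from another flow (IDs are placeholders).
ACCOUNT = "111122223333"
FLOW_ARN = f"arn:aws:bedrock:us-east-1:{ACCOUNT}:flow/NEWFLOW002"
REUSED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "bedrock.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
        "StringEquals": {"aws:SourceAccount": ACCOUNT},
        "ArnLike": {"aws:SourceArn": f"arn:aws:bedrock:us-east-1:{ACCOUNT}:flow/OLDFLOW001"}}}]}

if __name__ == "__main__":
    for finding in trust_findings(REUSED_TRUST, FLOW_ARN, ACCOUNT):
        print("FINDING:", finding)
```

To check a real role, pass in the `AssumeRolePolicyDocument` returned by `aws iam get-role` in place of the sample policy.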