Bedrock InvokeModel/Converse with Managed Prompt - AccessDenied

0

I created a Lambda function to invoke a Nova Pro model with a simple text prompt. Everything works as designed. Now I want to use that same Lambda function to InvokeModel (also tried Converse), but this time the ModelID is the ARN of the created prompt. When I test the Lambda function I get the error below. No other errors appear in CloudTrail. Do I need to request a limit increase?

An error occurred (AccessDeniedException) when calling the Converse operation: Your account is not authorized to invoke this API operation with a prompt resource.

Code:

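import boto3

# Bedrock runtime client, created in the same region as the prompt ARN
bedrock_runtime = boto3.client('bedrock-runtime', region_name='us-east-1')

# Versioned ARN of the managed prompt, passed where a model ID normally goes
MODEL_ID = 'arn:aws:bedrock:us-east-1:123456789012:prompt/3BUHJ3WTTP:1'
response = bedrock_runtime.converse(
    modelId=MODEL_ID,
    promptVariables={
        "animal": {
            "text": "crocodile"
        }
    }
)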
2 Answers
0

There seems to be no documentation on this, but I'm getting this to work with some actions I don't fully understand... good enough I guess

{
    "Action": [
        "bedrock:InvokeModel",
        "bedrock:ListInvocations",
        "bedrock:ListSessions",
        "bedrock:GetSession",
        "bedrock:RenderPrompt",
        "bedrock:CreateInvocation",
        "bedrock:CreateSession"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
answered a month ago
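
The statement in the answer above grants seven actions on `"Resource": "*"`. The following is an added example, not code from the answer or from AWS: it lists what a statement grants on every resource and moves selected actions into statements limited to specific ARNs. The `SCOPES` mapping and the foundation-model ARN placeholder are assumptions; check the Bedrock service authorization reference for the resource types each action accepts, and test the result, before relying on it.

```python
import copy
import json

# Statement from the answer above, copied as posted.
BROAD = {
    "Action": ["bedrock:InvokeModel", "bedrock:ListInvocations", "bedrock:ListSessions",
               "bedrock:GetSession", "bedrock:RenderPrompt", "bedrock:CreateInvocation",
               "bedrock:CreateSession"],
    "Resource": "*",
    "Effect": "Allow",
}
PROMPT_ARN = "arn:aws:bedrock:us-east-1:123456789012:prompt/3BUHJ3WTTP:1"  # from the question
MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"  # placeholder
# ASSUMPTION: which resources each action can be limited to; verify before use.
SCOPES = {"bedrock:InvokeModel": [MODEL_ARN, PROMPT_ARN],
          "bedrock:RenderPrompt": [PROMPT_ARN]}


def as_list(value):
    """IAM allows a bare string wherever a list is accepted."""
    return [value] if isinstance(value, str) else list(value)


def wildcard_actions(statement):
    """Actions that an Allow statement grants on every resource ("*")."""
    if statement.get("Effect") != "Allow" or "*" not in as_list(statement.get("Resource", [])):
        return []
    return as_list(statement.get("Action", []))


def narrow(statement, scopes):
    """Give each action listed in `scopes` its own resource-scoped statement and
    keep the rest of the original statement unchanged."""
    by_name = {name.lower(): arns for name, arns in scopes.items()}  # action names are case-insensitive
    scoped, left = [], []
    for action in wildcard_actions(statement):
        if action.lower() in by_name:
            scoped.append({"Effect": "Allow", "Action": action,
                           "Resource": list(by_name[action.lower()])})
        else:
            left.append(action)
    if not scoped:  # nothing to narrow: return the statement untouched
        return {"Version": "2012-10-17", "Statement": [copy.deepcopy(statement)]}
    rest = dict(copy.deepcopy(statement), Action=left)
    return {"Version": "2012-10-17", "Statement": scoped + ([rest] if left else [])}


if __name__ == "__main__":
    policy = narrow(BROAD, SCOPES)
    print(json.dumps(policy, indent=2))
    print("still on Resource '*':", wildcard_actions(policy["Statement"][-1]))
```

The actions reported as still on `"*"` are the ones to remove one at a time while re-running the Lambda test, to find out which of them the call actually needs.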
-1

The error you're encountering suggests that your account doesn't have the necessary permissions to use the Converse operation with a prompt resource in Amazon Bedrock. This is not likely related to a limit increase, but rather to permissions and access settings. Here are some steps you can take to troubleshoot and resolve this issue:

  1. Verify that you have the correct permissions in your IAM policy. Ensure that the IAM role associated with your Lambda function has the "bedrock:Converse" action allowed.

  2. Double-check that you have access to the specific prompt you're trying to use. In Bedrock's Prompt Management, make sure the prompt is published and that your account has the necessary permissions to access it.

  3. Confirm that you're using the correct ARN for the prompt. The ARN should be in the format you've provided: arn:aws:bedrock:[region]:[account-id]:prompt/[prompt-id]:[version]

  4. Ensure that the region in your boto3 client matches the region where your prompt is located.

  5. Verify that Bedrock and the specific foundation model associated with your prompt are enabled for your account in the region you're working in.

  6. Check that you're using the latest version of the AWS SDK (boto3) that supports Bedrock operations.

If you've verified all these points and are still encountering the issue, it may be worth opening a support case with AWS to investigate any account-specific factors that could be causing this problem.

Also, note that when using a managed prompt, you should structure your request body differently. Instead of using "promptVariables" as a top-level key, include your variables directly in the top level of the request body. For example:

response = bedrock_runtime.converse(
    modelId=MODEL_ID,
    animal={
        "text": "crocodile"
    }
)

This structure aligns with how Bedrock expects the variables for a managed prompt to be passed.
Sources
Bedrock Prompt Management - Access Denied | AWS re:Post
Using Bedrock invokeModel API with prompt created in prompt management | AWS re:Post
Resolve InvokeModel API error in Amazon Bedrock | AWS re:Post
Prompt Management for Amazon Bedrock - AWS

answered 2 months ago
AWS EXPERT reviewed 2 months ago
