ValidationException: Operation not allowed for ALL bedrock-runtime invocations on AISPL account

  • Region tested: us-east-1 and ap-south-1
  • Account type: AISPL India
  • AWS Activate credits: Yes ($1000, Bedrock in eligible services list)

Problem: Every bedrock-runtime Converse call returns: "ValidationException: Operation not allowed"

Tested models:

  • amazon.nova-pro-v1:0
  • amazon.nova-micro-v1:0
  • meta.llama3-8b-instruct-v1:0

What works fine:

  • bedrock:ListFoundationModels ✅
  • STS get-caller-identity ✅

What I've already checked/ruled out:

  • IAM: AmazonBedrockFullAccess attached ✅
  • AWS Organizations: Not in any org, no SCPs ✅
  • Payment method: Added with autopay ✅
  • Marketplace permissions: Added inline policy ✅
  • Model access page: Shows "retired, models auto-enabled" ✅

This appears to be a backend account-level block specific to AISPL accounts on bedrock-runtime invocations. Has anyone resolved this? Did AWS Support fix it on their backend?

asked 21 days ago, 44 views
1 Answer
The "ValidationException: Operation not allowed" error you're experiencing with Amazon Bedrock runtime invocations on your AISPL (Amazon Internet Services Private Limited) India account appears to be related to permissions for AWS Marketplace model subscriptions, which is a common cause of access issues with Bedrock models.

Even though you have AmazonBedrockFullAccess attached and can list foundation models successfully, you need to ensure your IAM policy explicitly includes permissions for both model invocation AND AWS Marketplace subscription actions. The fact that the Model access page shows "retired, models auto-enabled" suggests the models may need proper activation.

Here are the key steps to resolve this:

  1. Verify IAM Policy Permissions: Ensure your IAM role or user has an explicit policy that allows both bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream actions on the specific model ARNs you're trying to use. The policy should look like:
     • Action: bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream
     • Resource: The ARN of your foundation models (e.g., arn:aws:bedrock:*::foundation-model/amazon.nova-pro-v1:0)

  2. AWS Marketplace Activation: For AISPL accounts, there may be additional requirements around AWS Marketplace model activation. Your administrator may need to explicitly activate these models at the account level through API calls before they can be invoked.

  3. Contact AWS Support: Given that this appears to be specific to AISPL accounts and you've already verified standard permissions, this may require AWS Support intervention to enable Bedrock runtime operations on your AISPL account backend. AISPL accounts sometimes have different service availability or activation requirements compared to standard AWS accounts.

The issue is likely not a bug but rather a permissions or account activation requirement specific to how Bedrock integrates with AWS Marketplace on AISPL accounts.
Sources
Resolve Amazon Bedrock serverless foundation model access denied errors | AWS re:Post

answered 21 days ago
EXPERT
reviewed 21 days ago
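
An offline way to run the policy check from step 1 of the answer above, added here as an example (it is not part of the original answer and not AWS tooling): it reports, for each model ID from the question, whether a policy document allows the two invoke actions on that model's ARN. The sample policy is constructed, and the evaluator is a simplified assumption of IAM matching that ignores Condition, NotAction/NotResource, SCPs and permission boundaries.

```python
import re

# Actions and model IDs are the ones named in the thread.
REQUIRED_ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
MODEL_IDS = ["amazon.nova-pro-v1:0", "amazon.nova-micro-v1:0",
             "meta.llama3-8b-instruct-v1:0"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _covers(stmt, action, resource):
    # Action names compare case-insensitively, resource ARNs case-sensitively.
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(_wild(a, action, ignore_case=True) for a in actions)
            and any(_wild(r, resource) for r in resources))

def decide(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action/resource pair."""
    stmts = _as_list(policy.get("Statement", []))
    hits = [s["Effect"] for s in stmts if _covers(s, action, resource)]
    if "Deny" in hits:
        return "Deny"  # an explicit deny overrides any allow
    return "Allow" if "Allow" in hits else "ImplicitDeny"

def audit(policy, region="us-east-1"):
    """Map (action, model_id) -> decision for every model tested in the thread."""
    out = {}
    for model in MODEL_IDS:
        arn = f"arn:aws:bedrock:{region}::foundation-model/{model}"
        for action in REQUIRED_ACTIONS:
            out[(action, model)] = decide(policy, action, arn)
    return out

# Constructed sample policy: too narrow in us-east-1, explicitly denied in ap-south-1.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "bedrock:InvokeModel",
     "Resource": "arn:aws:bedrock:*::foundation-model/amazon.nova-*"},
    {"Effect": "Deny", "Action": "bedrock:Invoke*",
     "Resource": "arn:aws:bedrock:ap-south-1::foundation-model/*"},
]}

if __name__ == "__main__":
    for (action, model), decision in audit(SAMPLE_POLICY).items():
        print(f"{decision:12} {action} on {model}")
```

If every pair comes back "Allow" for the policies actually attached to the calling principal, the identity policy is not what is blocking the call.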
