For the most recent update on ongoing service disruptions affecting the AWS Middle East (UAE) Region (ME-CENTRAL-1), refer to the AWS Health Dashboard. For information on AWS Service migration, see How do I migrate my services to another region?
How do I troubleshoot InvokeModel API errors in Amazon Bedrock?
I want to resolve the AccessDeniedException or ValidationException error that I get when I call the InvokeModel API in Amazon Bedrock.
Resolution
AccessDeniedException and ValidationException errors occur when the InvokeModel API can't access the base model that it's invoking. The errors might also occur if your AWS account doesn't have the required AWS Identity and Access Management (IAM) permissions to run the operation.
Model access errors
If you don't have access to the model that the API tried to invoke, then you receive an error message similar to the following examples:
"An error occurred (AccessDeniedException) when calling the InvokeModel operation: Your account is not authorized to invoke this API operation."
-or-
"An error occurred (AccessDeniedException) when calling the InvokeModel operation: You don't have access to the model with the specified model ID."
To resolve this issue, verify the following configurations:
- The model is available in the AWS Region where you invoke the API.
- You set the Access status to Granted.
Note: Configure Access status only once for each Region.
IAM permissions errors
If the IAM user or role that invoked the API lacks the required permissions, then you receive an error message similar to the following examples:
"AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeModel operation: User: username is not authorized to perform: bedrock:InvokeModel on resource: resourcename with an explicit deny in an identity-based policy."
-or-
"AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeModel operation: User: username is not authorized to perform: bedrock:InvokeModel on resource: resourcename because no identity-based policy allows the bedrock:InvokeModel action."
To resolve this issue, confirm that the IAM user or role that invokes the API has the following required permissions:
{ "Version": "2012-10-17", "Statement": { "Sid": "AllowInference", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": "arn:aws:bedrock:*::foundation-model/model-id" } }
SCP error
If a service control policy (SCP) has specific restrictions on your account, then you receive the following error message:
"User: username is not authorized to perform: bedrock:InvokeModel on resource: username with an explicit deny in a service control policy"
The preceding error occurs even if you provided the required permissions to the IAM role that invoked the API. Typically, this error occurs when you use cross-Region interference that routes the call to a Region that the SCP blocks.
To resolve the issue, check your AWS CloudTrail events for the API call and Region that it's directed to. Then, check whether the SCP restricts actions for that API or Region. Also, check for other SCP restrictions such as the restrictions on a specific model ID.
API action error
If you used the incorrect API action, then you receive the following error message:
"ValidationException: An error occurred (ValidationException) when calling the InvokeModel operation: The requested operation is not recognized by the service."
To resolve the preceding error, specify bedrock-runtime as a service in your API call. For more information, see BedrockRuntime on the Boto3 website.
You might also receive the following error messages:
"An error occurred (ValidationException) when calling the InvokeModel operation: The provided model identifier is invalid"
-or-
"ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the InvokeModel operation: Could not resolve the foundation model from the provided model identifier."
The preceding errors occur because of configuration issues. To troubleshoot this issue, verify the following configurations:
- You set the Access status to Granted.
Note: Configure Access status only once for each Region. - The model is available in the Region where you invoke the API.
- The model ID is correct.
SDK version error
If you use an incompatible AWS SDK for Python (Boto3) version to call the InvokeModel API, then you receive the following error message:
"UnknownServiceError: Unknown service: 'bedrock-runtime"
To resolve this issue, upgrade the SDK to the latest version. To view the latest version of the SDK, see boto3/CHANGELOG.rst on the GitHub website.
Account restriction error
If your account has a security restriction, then you receive the following error:
"An error occurred (ValidationException) when calling the InvokeModel operation: Operation not allowed"
To resolve this issue, you must open a support case.
- Tags
- Amazon Bedrock
- Language
- English
Relevant content
- asked 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 6 months ago
