I want to resolve "AccessDeniedException" errors for AWS Marketplace permissions when I invoke third-party foundation models in Amazon Bedrock for the first time.
Short description
When you invoke a third-party model in Amazon Bedrock for the first time, you might get one of the following error messages:
- "AccessDeniedException: Model access is denied due to IAM user or service role is not authorized to perform the required AWS Marketplace actions (aws-marketplace:ViewSubscriptions, aws-marketplace:Subscribe) to enable access to this model."
- "AccessDeniedException: Model access is denied due to example-IAM-ARN is not authorized to perform: aws-marketplace:Subscribe on resource: * because no identity-based policy allows the action."
The preceding error messages can appear in model invocations, Amazon Bedrock knowledge base data sync operations, and Amazon Bedrock Agent invocations.
When you first invoke a third-party model, Amazon Bedrock automatically initiates an AWS Marketplace subscription. If the AWS Identity and Access Management (IAM) role that makes the request doesn't have the required AWS Marketplace permissions, then the automatic subscription fails. Subsequent invocations return "AccessDeniedException" errors. For more information, see Request access to models.
To automatically activate each model in each AWS account for the first time, your IAM role must have the required permissions.
Note: After you grant the necessary permissions, it might take up to 2 minutes for a subscription to complete. During this time, you might continue to receive an "AccessDeniedException" error.
After you activate a model, all the IAM roles in the account can invoke the model without AWS Marketplace permissions.
Note: Models from Amazon, DeepSeek, Mistral AI, Meta, Qwen, and OpenAI don't require AWS Marketplace permissions because these models aren't available in the AWS Marketplace.
If your organization must review End User License Agreements (EULAs), then review the EULA terms before you allow access to the model. To block model access, use service control policies (SCPs) or IAM policies.
Resolution
Grant AWS Marketplace permissions to the IAM entity
Add the following IAM policy to the IAM entity that invokes the model:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:Subscribe",
        "aws-marketplace:ViewSubscriptions"
      ],
      "Resource": "*"
    }
  ]
}
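To confirm before the first invocation that an identity's policies grant both actions, the following added example (not part of the original article or any AWS tooling) evaluates policy documents offline. The function name and sample policies are constructed, and only identity-based Allow and Deny statements on Resource "*" are evaluated, with explicit Deny taking precedence.

```python
import fnmatch

# The two actions named in the AccessDeniedException message on this page.
REQUIRED_ACTIONS = ("aws-marketplace:Subscribe", "aws-marketplace:ViewSubscriptions")

def _as_list(value):
    """Action, Resource and Statement may each be a single item or a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, action):
    """Case-insensitive match against IAM-style * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)

def marketplace_access(policies):
    """Map each required action to 'allowed', 'denied' or 'missing'.

    Assumptions: identity-based policies only; statements that use Condition,
    NotAction or NotResource raise ValueError instead of being guessed at;
    a statement counts only if its Resource includes "*".
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
                raise ValueError("statement needs full IAM evaluation: %r" % stmt.get("Sid"))
            if "*" not in _as_list(stmt.get("Resource", [])):
                continue
            bucket = denied if stmt.get("Effect") == "Deny" else allowed
            patterns = _as_list(stmt.get("Action", []))
            bucket.update(a for a in REQUIRED_ACTIONS if _matches(patterns, a))
    return {a: "denied" if a in denied else "allowed" if a in allowed else "missing"
            for a in REQUIRED_ACTIONS}

# Constructed sample policies (not taken from a real account).
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["aws-marketplace:Subscribe", "aws-marketplace:ViewSubscriptions"],
    "Resource": "*"}]}
VIEW_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "aws-marketplace:View*", "Resource": "*"}}
DENY_SUBSCRIBE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "aws-marketplace:subscribe", "Resource": "*"}]}

if __name__ == "__main__":
    for name, docs in [("page policy", [PAGE_POLICY]), ("view only", [VIEW_ONLY]),
                       ("allow + deny", [PAGE_POLICY, DENY_SUBSCRIBE])]:
        print(name, marketplace_access(docs))
```

A result of "missing" or "denied" for aws-marketplace:Subscribe means the automatic subscription on first invocation would fail for that identity. SCPs, permissions boundaries and session policies are outside what this check sees.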
Have an administrator invoke the model
If you can't grant AWS Marketplace permissions to all users and roles, then an administrator with AWS Marketplace permissions must invoke the model. Then, all IAM users in the account can invoke the model without AWS Marketplace permissions. For more information, see Simplified model access in Amazon Bedrock.
Use the AWS API or CLI to activate the model
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
To use an IAM entity with the required AWS Marketplace permissions to programmatically activate the model but not invoke it, complete the following steps:
- Run the following list-foundation-model-agreement-offers AWS CLI command:
aws bedrock list-foundation-model-agreement-offers --model-id example-model-id
Note: Replace example-model-id with the model ID. In the output, note the model's offer token to use in the next step.
- Run the following create-foundation-model-agreement command to activate the model:
aws bedrock create-foundation-model-agreement \
--model-id example-model-id \
--offer-token example-offer-token
Note: Replace example-model-id with the model ID and example-offer-token with the offer token.
For more information, see Manage model access using SDK and CLI.
Note: For Anthropic models, you must complete the First Time Use (FTU) form before you run the create-foundation-model-agreement command. To submit your details, run the put-use-case-for-model-access command. For more information, see Step 2: [Required one-time for Anthropic models only] Put use case for first-time user.