AWS announces preview of AWS Interconnect - multicloud

AWS announces AWS Interconnect – multicloud (preview), providing simple, resilient, high-speed private connections to other cloud service providers. AWS Interconnect - multicloud is easy to configure and provides high-speed, resilient connectivity with dedicated bandwidth, enabling customers to interconnect AWS networking services such as AWS Transit Gateway, AWS Cloud WAN, and Amazon VPC to other cloud service providers with ease.

How do I resolve SCP conflicts that prevent access to Amazon Bedrock and related AWS Marketplace operations?

1 minute read

When I try to activate IAM user access to Amazon Bedrock foundation models, I get the "User is not authorized" error.

Resolution

If your AWS Organizations service control policy (SCP) has an explicit deny for AWS Marketplace actions, then you can't access your Amazon Bedrock foundation models. You might receive the following error:

"arn:aws:iam::123456789012:user/consoleUser is not authorized to perform: aws-marketplace:Subscribe on resource: * with an explicit deny in a service control policy."

To resolve this error, attach an IAM policy for your foundation models to your IAM role that allows the following AWS Marketplace actions:

aws-marketplace:Subscribe
aws-marketplace:Unsubscribe
aws-marketplace:ViewSubscriptions

Then, modify or remove the explicit deny policy for the aws-marketplace:Subscribe API action request in your AWS Organizations SCP.

Topics: Machine Learning & AI Generative AI on AWS
Tags: Amazon Bedrock
Language: English

AWS OFFICIALUpdated 6 months ago

2 Comments

I'm getting this, which seems related, in an SCP when I'm trying to add a Condition to exempt a Group in IDC from an aws-marketplace:Subscribe Deny.

• Jamba-Instruct - User: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_817631e09ff1e93f/michaelg is not authorized to perform: aws-marketplace:Subscribe on resource: * with an explicit deny in a service control policy

IF I'm using IDC, I do not need to Allow the Subscribe. I want to Deny the ability to Subscribe unless you have a specific PermissionSet. This will not work for me

Clearly there is a bug in the way the SCP is processed. Maybe AWS could just fix the bug?

Michael

replied 5 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

MODERATOR

AWS Official

replied 5 months ago

Relevant content

[Error] ValidationException: Operation not allowed
Jordan
asked 2 months ago
Bedrock API user is getting created after preventing the creation of Long Term API Keys
Rajesh
asked 4 months ago
Cannot get access to Bedrock models even after successfully subscribing to them in marketplace
potater
asked 2 years ago
Why do I get Your account is not authorized to invoke this API operation on Bedrock?
jonathan
asked 2 years ago
RDS postgres hot_standby_feedback not preventing recovery conflict
KrisO
asked 3 years ago
How do I resolve the "Unauthorized to perform action due to private marketplace eligibility" error I receive when I access models on Amazon Bedrock?
AWS OFFICIALUpdated 6 months ago
How do I troubleshoot InvokeModel API errors in Amazon Bedrock?
AWS OFFICIALUpdated 7 months ago
How do I resolve the "AccessDeniedException" error that I get when I use an Amazon Bedrock cross-Region inference profile in an Organizations account?
AWS OFFICIALUpdated 4 months ago
How do I troubleshoot and resolve issues with SCPs that use IAM tag-based restrictions?
AWS OFFICIALUpdated 2 months ago
Knowledge Center Monthly Newsletter - July 2025
EXPERT
Shannon Lewis
published 5 months ago