Got "access deny" in Bedrock Agent with Cross-region inference

1

I created an agent and selected Claude 3.5 Sonnet v2 (Cross-region inference). When I test my agent, I get "Access denied when calling Bedrock. Check your request permissions and retry the request." I changed the model to "Llama 3.2 90B" or "Llama 3.2 11B" with Cross-region inference. The result is the same. I do have access granted to the above models. The test becomes available when I change to "on demand", but when I chat more, I get "Your request rate is too high. Reduce the frequency of requests."; this is another story, though.
My question is: how can I test my agent using Cross-region inference? I would very much appreciate any help.

asked 2 months ago, 478 views
3 Answers
1

Hi,

I would strongly suggest that you read section "Identity and Access Management" of https://aws.amazon.com/blogs/machine-learning/getting-started-with-cross-region-inference-in-amazon-bedrock/

It fully details the IAM policy that you need to set up for cross-region inference with Bedrock. Based on their example, a sample policy is:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel*"],
      "Resource": [
          "arn:aws:bedrock:us-east-1:<account_id>:inference-profile/*",
          "arn:aws:bedrock:us-east-1::foundation-model/*",
          "arn:aws:bedrock:us-west-2::foundation-model/*"
      ]
    }
  ]
}

In such policies, the part "arn:aws:bedrock:us-east-1:<account_id>:inference-profile/*" is new for cross-region inference and may well be what's missing in your use case.

Best,

Didier

AWS
EXPERT
answered 2 months ago
EXPERT
reviewed 2 months ago
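
One way to check a role's policy offline for the gap this answer points to, as an added example (not code from the thread or from AWS): it lists the resources a cross-region `InvokeModel` call touches and reports which ones no Allow statement covers. The account ID, profile ID, model ID and destination-region list are constructed placeholders, and the evaluator is simplified: it ignores Deny statements, NotAction/NotResource and Condition blocks.

```python
import re

# Constructed placeholder values (assumptions, not taken from the thread).
ACCOUNT_ID = "111122223333"
PROFILE_ID = "us.example-model-v1:0"  # hypothetical inference profile ID
MODEL_ID = "example-model-v1:0"       # hypothetical foundation model ID

def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def required_arns(account_id, source_region, dest_regions, profile_id, model_id):
    """Resources one cross-region InvokeModel call touches: the inference
    profile in the calling region plus the model in every destination region."""
    arns = [f"arn:aws:bedrock:{source_region}:{account_id}:inference-profile/{profile_id}"]
    arns += [f"arn:aws:bedrock:{r}::foundation-model/{model_id}" for r in dest_regions]
    return arns

def _allows(st, action, arn):
    return (st.get("Effect") == "Allow"
            and any(_matches(a, action, True) for a in _as_list(st.get("Action", [])))
            and any(_matches(r, arn) for r in _as_list(st.get("Resource", []))))

def missing_arns(policy, needed, action="bedrock:InvokeModel"):
    """Return the needed ARNs that no Allow statement covers for `action`.
    Simplified: ignores Deny, NotAction/NotResource and Condition blocks."""
    stmts = _as_list(policy.get("Statement", []))
    return [arn for arn in needed if not any(_allows(st, action, arn) for st in stmts)]

def allow_invoke_policy(resources):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["bedrock:InvokeModel*"], "Resource": resources}]}

# Constructed "before": model ARNs only, no inference-profile resource.
MODELS_ONLY = allow_invoke_policy(["arn:aws:bedrock:us-east-1::foundation-model/*",
                                   "arn:aws:bedrock:us-west-2::foundation-model/*"])
# The policy from the answer above, with the placeholder account ID filled in.
WITH_PROFILE = allow_invoke_policy([
    f"arn:aws:bedrock:us-east-1:{ACCOUNT_ID}:inference-profile/*",
    "arn:aws:bedrock:us-east-1::foundation-model/*",
    "arn:aws:bedrock:us-west-2::foundation-model/*"])
NEEDED = required_arns(ACCOUNT_ID, "us-east-1", ["us-east-1", "us-west-2"],
                       PROFILE_ID, MODEL_ID)

if __name__ == "__main__":
    print(missing_arns(MODELS_ONLY, NEEDED), missing_arns(WITH_PROFILE, NEEDED))
```

An empty result only says the identity policy covers these ARNs; model access grants and any other policy layers are evaluated separately by AWS.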
0

To test your agent using cross-region inference, you need to ensure that your IAM role has the correct permissions for cross-region inference API actions. The "access denied" error you're encountering suggests that your current IAM role lacks the necessary permissions for cross-region inference.

Here are the steps you should take:

  1. Review your IAM role: Make sure it has permissions for the cross-region inference API actions.

  2. Update IAM policy: You need to add permissions for both the inference profile and the foundation models in the regions you want to use. For example, if you're using us-east-1 and us-west-2, your policy should include permissions for these regions.

  3. Example policy: An IAM policy that allows cross-region inference might look like this:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["bedrock:InvokeModel*"],
          "Resource": [
            "arn:aws:bedrock:us-east-1:<account_id>:inference-profile/*",
            "arn:aws:bedrock:us-east-1::foundation-model/*",
            "arn:aws:bedrock:us-west-2::foundation-model/*"
          ]
        }
      ]
    }

    Replace <account_id> with your AWS account ID and adjust the regions as needed.

  4. Apply the updated policy: After updating the IAM policy, apply it to the role used by your Bedrock agent.

  5. Retry the test: Once the permissions are correctly set, try testing your agent again with cross-region inference.

Regarding the "request rate too high" error you encountered with on-demand inference, this is related to the service quotas. Cross-region inference can actually help with this issue, as it allows for higher throughput - up to double the allocated quotas in some cases.

If you continue to face issues after updating your IAM permissions, you may need to contact AWS support for further assistance.
Sources
Getting started with cross-region inference in Amazon Bedrock | AWS Machine Learning Blog
Improve resilience with cross-region inference - Amazon Bedrock

answered 2 months ago
AWS
EXPERT
reviewed 2 months ago
0

I do have AmazonBedrockFullAccess policy attached, and still invocation returns:

Error 403: You don't have access to the model with the specified model ID.

I am totally confused. I have been granted access to Anthropic models in Model Catalog. The experience in AWS Bedrock has been terrible so far.

Please advise.

Roberto

answered a month ago
