
[Error] ValidationException: Operation not allowed

0

I'm following the steps in the AgentCore Gateway quick start (https://aws.github.io/bedrock-agentcore-starter-toolkit/user-guide/gateway/quickstart.html). The only changes I made are changing the region to eu-west-1 and the agent model to Nova Lite (as the Anthropic models from the example require additional approval).

I execute this with full account permissions, so it is not that.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

All good until I try to run the agent step, getting the following error: botocore.errorfactory.ValidationException: An error occurred (ValidationException) when calling the ConverseStream operation: Operation not allowed

While troubleshooting this, it appears the same error is returned even if I try any model in the Bedrock Chat/Text playground at: https://eu-west-1.console.aws.amazon.com/bedrock/home?region=eu-west-1#text-generation-playground

What is the point of getting started guides that do not work? Any help on how to resolve this error?

2 Answers
0

Hi,

Did you programmatically check the identity under which you run the Python script?

Please do it, either via the CLI on the machine where you run Python, using https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html

Or (better), modify the Python code to add:

import boto3
# Print the account ID of the identity the script actually runs under
print(boto3.client('sts').get_caller_identity().get('Account'))

Best,

Didier

EXPERT
answered 3 months ago
  • Thanks Didier for the prompt response. It was not roles or permissions, as the same error happens in the AWS Bedrock console (as mentioned in the initial post).

    Looks like it is account related, probably because the account was created just 2 days ago (for my talk at AWS Community Day this weekend), and is somehow restricted for now.

    GOOD NEWS: Another account in the same org with the same user and permissions successfully allows invocation of models in EU.

    Happy to try any other suggestions.

-1

The "Operation not allowed" error you're encountering is likely related to model access permissions in Amazon Bedrock. Even though you have full account permissions via your IAM policy, you still need to explicitly enable access to the specific foundation models you want to use in Amazon Bedrock.

To resolve this issue:

  1. Navigate to the Amazon Bedrock console
  2. In the navigation pane, expand "Bedrock configurations" and select "Model access"
  3. Check the "Access status" column for the models you're trying to use (Nova Lite in your case)
  4. If the model is not enabled, you need to request access to it

Additionally, make sure that:

  • You're in the correct region (eu-west-1) and that the model you're trying to use is available in that region
  • If your organization uses Service Control Policies (SCPs), check if there are any explicit denies for AWS Marketplace actions, as these can prevent access to Bedrock foundation models

For the AgentCore Gateway specifically, verify that:

  • The execution role has the necessary permissions to invoke the model
  • The trust relationship for the role is properly configured to allow bedrock.amazonaws.com to assume the role

If you continue to experience issues, you can check CloudTrail event history for more detailed error information about what might be causing the "Operation not allowed" error.
Sources
Amazon Bedrock batch job: Validation Error: Operation Not Allowed | AWS re:Post
Resolve access denied errors for Amazon Bedrock Agents | AWS re:Post
Resolve SCP conflicts that prevent access to Amazon Bedrock | AWS re:Post
Troubleshoot AgentCore built-in tools - Amazon Bedrock AgentCore

answered 3 months ago
  • It is definitely not related to model access permissions in Amazon Bedrock.

    According to the message in that Bedrock console screen: https://eu-west-1.console.aws.amazon.com/bedrock/home?region=eu-west-1#/modelaccess

    Model access page has been retired. Access to all serverless foundation models are now automatically enabled for your AWS account. You no longer need to manually request or enable model access through this page. Use IAM policies and Service Control Policies to restrict model access as needed.

    To get started, simply select a model from the Model catalog and open it in the playground. Note that for Anthropic models, some first-time users may need to submit use case details before they can access the model. Review our documentation for the complete list of available models.

  • Did you find a solution?
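
The CloudTrail check suggested in the second answer, sketched as an added example (not code from the thread or from AWS): it separates authorization denials (SCP or other policy) from non-authorization errors such as the ValidationException in the question, per account and identity. The records are constructed, and the field names assume the standard CloudTrail record layout with Bedrock calls logged under bedrock.amazonaws.com.

```python
import json
from collections import Counter

# Constructed CloudTrail records for illustration; account IDs, ARNs and
# messages are placeholders, not values from the thread.
SAMPLE_EVENTS = json.loads("""
[
  {"eventSource": "bedrock.amazonaws.com", "eventName": "ConverseStream",
   "awsRegion": "eu-west-1", "recipientAccountId": "111111111111",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/demo"},
   "errorCode": "ValidationException", "errorMessage": "Operation not allowed"},
  {"eventSource": "bedrock.amazonaws.com", "eventName": "ConverseStream",
   "awsRegion": "eu-west-1", "recipientAccountId": "222222222222",
   "userIdentity": {"arn": "arn:aws:iam::222222222222:user/demo"}},
  {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel",
   "awsRegion": "eu-west-1", "recipientAccountId": "333333333333",
   "userIdentity": {"arn": "arn:aws:iam::333333333333:role/agent"},
   "errorCode": "AccessDenied",
   "errorMessage": "not authorized to perform: bedrock:InvokeModel with an explicit deny in a service control policy"},
  {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
   "awsRegion": "eu-west-1", "recipientAccountId": "111111111111",
   "userIdentity": {"arn": "arn:aws:iam::111111111111:user/demo"},
   "errorCode": "AccessDenied", "errorMessage": "Access Denied"}
]
""")

AUTHZ_CODES = {"AccessDenied", "AccessDeniedException"}

def classify(event):
    """Label one record: ok, scp-deny, authz-deny, or not-authorization."""
    code = event.get("errorCode")
    if not code:
        return "ok"
    if code in AUTHZ_CODES:
        msg = event.get("errorMessage", "").lower()
        return "scp-deny" if "service control policy" in msg else "authz-deny"
    return "not-authorization"  # e.g. ValidationException: look beyond IAM/SCP

def triage(events, source="bedrock.amazonaws.com"):
    """Count Bedrock calls per (account, identity ARN, API, verdict)."""
    counts = Counter()
    for ev in events:
        if ev.get("eventSource") != source:
            continue  # ignore other services' events
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        counts[(ev.get("recipientAccountId"), arn, ev["eventName"], classify(ev))] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_EVENTS).items()):
        print(n, *key)
```

A "not-authorization" verdict in one account next to "ok" for the same user in another account points away from IAM and SCPs and toward an account-level condition.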
