What specific IAM permissions are needed for AWS Bedrock InvokeModel to avoid INVALID_PAYMENT_INSTRUMENT error?

Question

When i run below example it will give error:
**error: Model access is denied due to INVALID_PAYMENT_INSTRUMENT:A valid payment instrument must be provided.. Your AWS Marketplace subscription for this model cannot be completed at this time**

**Environment**:
Region: us-east-1

Model: Stability AI models (us.stability.*)

Testing: Locally with AWS CLI credentials

**Policy attached**

{
            "Effect": "Allow",
            "Action": [
                "bedrock:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:*"
            ],
            "Resource": "*"
        }

**example:**

import boto3
import base64
import io
import json
from PIL import Image

image = "./content/input.png"

region = "us-east-1"
model_id = "us.stability.stable-image-search-recolor-v1:0"

bedrock = boto3.client("bedrock-runtime", region_name=region)

try:
    with open(image, "rb") as image_file:
        image_base64 = base64.b64encode(image_file.read()).decode('utf-8')

params = {
        "image": image_base64,
        "prompt": "pink jacket",
        "select_prompt": "jacket"
    }
    request = json.dumps(params)
    response = bedrock.invoke_model(modelId=model_id, body=request)
    model_response = json.loads(response["body"].read())
    base64_image_data = model_response["images"][0]

if not base64_image_data:
        raise ValueError("No image data found in model response.")

image_data = base64.b64decode(base64_image_data)
    image = Image.open(io.BytesIO(image_data))
    image.save("image.png")

print("Successfully saved image.")

except Exception as e:
    print(e)

Riku_Kobayashi · Answer

Hello.

There is a question with the same error as yours at the URL below.  
I think the problem is not with your IAM settings but with your AWS account's billing settings.  
https://repost.aws/ja/questions/QU0UOsutrWSSS4nOqgHcIUJg/invalid-payment-instrument-after-requesting-model-access-in-amazon-bedrock  
https://stackoverflow.com/questions/77227551/invalid-payment-instrument-after-requesting-model-access-in-amazon-bedrock

This may be related to issues with the credit card you are using or your payment method.  
Therefore, I recommend opening a case with AWS Support under "Account and billing" and asking for assistance.  
"Account and billing" inquiries are free of charge.  
https://console.aws.amazon.com/support

Manvitha Potluri · Answer

The INVALID_PAYMENT_INSTRUMENT error is not an IAM permissions problem. For me, your IAM policy is actually fine. This error comes from AWS Marketplace billing, not from access control. Here's what's actually happening and how to fix it.

**Root Cause**
Stability AI models on Amazon Bedrock (like us.stability.*) are third-party marketplace models. To use them, AWS must be able to bill you through AWS Marketplace, which requires:

A valid payment method on file for your AWS account
An active AWS Marketplace subscription to the specific Stability AI model
Your account to not be in a restricted billing state (e.g., free tier accounts, accounts with payment failures, or newly created accounts with pending verification)

The error message itself tells you this: "Your AWS Marketplace subscription for this model cannot be completed at this time" it's a billing/subscription issue, not an IAM issue.

**Steps to Resolve**

Step 1:  Verify your payment method
Go to: AWS Console → Billing and Cost Management → Payment Methods
Make sure you have a valid, non-expired credit card or payment instrument attached. Even if you have one on file, check that it hasn't expired or been flagged.

Step 2 :  Request and confirm model access in Bedrock console
Go to: AWS Console → Amazon Bedrock → Model access (left sidebar)
Find the Stability AI models you want to use and click "Request access" or "Manage model access". For marketplace models, this triggers a Marketplace subscription. You need to explicitly accept this it won't happen automatically just because you call the API.

Step 3: Check your account type
Free tier accounts and certain account types cannot subscribe to paid Marketplace models. If this is a new AWS account (less than a few days old), there can be a delay before Marketplace subscriptions are activated. Try again after 24 hours, or use a mature account with billing fully set up.

Step 4 : Verify the subscription is active
Go to: AWS Console → AWS Marketplace → Manage subscriptions
You should see the Stability AI model listed with an Active status. If it's not there, go back to the Bedrock Model Access page and complete the subscription flow.

Your IAM Policy
For completeness, the correct minimal IAM permissions for invoking Bedrock models are:

```
json{
  "Effect": "Allow",
  "Action": [
    "bedrock:InvokeModel"
  ],
  "Resource": "arn:aws:bedrock:us-east-1::foundation-model/stability.stable-image-search-recolor-v1:0"
}
```

The wildcard bedrock:* and aws-marketplace:* you already have is more than sufficient from an IAM standpoint so don't go down a rabbit hole trying to fix permissions. The blocker is entirely on the billing/subscription side.

Quick Checklist

* Valid payment method in Billing Console 
* Model access explicitly requested and approved in Bedrock Console 
* Subscription shows "Active" in AWS Marketplace
* Account is not brand new or in a restricted state

Once all four are true, your existing code and IAM policy will work without any changes.

What specific IAM permissions are needed for AWS Bedrock InvokeModel to avoid INVALID_PAYMENT_INSTRUMENT error?

Add your answer

Relevant content