- Newest
- Most votes
- Most comments
Hello.
The error may be due to restrictions on your AWS account.
Please open a case with AWS Support under "Account and billing" following the instructions in the document below.
Inquiries under "Account and billing" can be made free of charge.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html
https://repost.aws/knowledge-center/bedrock-invokemodel-api-error
Account restriction error
Error: "An error occurred (ValidationException) when calling the InvokeModel operation: Operation not allowed"
The error appears when your AWS account has a security restriction.
To resolve this issue, open a support case in AWS Support. For more information, see Creating a support case.
By the way, just to be sure, do you have model access enabled?
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html
Hi,
Did you check the identity under which you PHP script runs?
To do this, include the equivalent in the AWS PHP SDK of aws sts get-caller -identity
See https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html. You then get the IAM principal (user / role) under which your code executes.
Then, go to IAM and validate that this IAM principal has invokeModel for the the model that you use in its credentials. See example policies here: https://docs.aws.amazon.com/step-functions/latest/dg/bedrock-iam.html#bedrock-policy-invoke-foundation-model
Best
Didier
Hi,
Thank you for your answer.
I just checked the IAM principal and it is my user. Then I checked the poilicies for that user (specifically the BedrockFullAccess policy) and I see this code:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "BedrockAll", "Effect": "Allow", "Action": [ "bedrock:" ], "Resource": "" }, { "Sid": "DescribeKey", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "arn::kms::::" }, { "Sid": "APIsWithAllResourceAccess", "Effect": "Allow", "Action": [ "iam:ListRoles", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "" }, { "Sid": "PassRoleToBedrock", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/AmazonBedrock", "Condition": { "StringEquals": { "iam:PassedToService": [ "bedrock.amazonaws.com" ] } } } ] }
Hello, Vicente!
Based on your setup, here are a few steps to troubleshoot the error:
- Model Availability: Ensure the Claude 3 Haiku model is available for your AWS account and region.
- IAM Permissions: Double-check that your IAM role has the "bedrock:InvokeModel" permission.
- Request Format: Simplify your request to include only required parameters.
- Check Region and Endpoint: Ensure they are consistent and correct.
Try simplifying your request:
$result = $client->invokeModel([ 'modelId' => 'anthropic.claude-3-haiku-20240307-v1:0', 'contentType' => 'application/json', 'accept' => 'application/json', 'body' => json_encode([ 'prompt' => $user_message, 'max_tokens_to_sample' => 1000 ]) ]);
I'm here to help.
Hi,
I just cheked it with the request you shared but the same error is showing up. Hope the support team can help me.
Relevant content
- asked 6 months ago
- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 3 months ago
- AWS OFFICIALUpdated 5 months ago
Hi, Thank you for your answer.
I have access to all Anthropic models.
I just opened an Account and billing case, hope they can help me.