AWS Exception: Error executing "InvokeModel"

0

I'm building a chatbot that will work with Claude 3 Haiku as a plugin for my WordPress site (so it is in PHP). The exact error is:

AWS Exception: Error executing "InvokeModel" on "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-haiku-20240307-v1%3A0/invoke"; AWS HTTP error: Client error: POST https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-haiku-20240307-v1%3A0/invoke resulted in a 400 Bad Request response: {"message":"Operation not allowed"} ValidationException (client): Operation not allowed - {"message":"Operation not allowed"}

And the request is built like this:

$path="anthropic.claude-3-haiku-20240307-v1:0"; $result = $client->invokeModel([ 'modelId' =>$path, 'contentType' => 'application/json', 'accept' => '/', 'body' => json_encode([ 'messages'=> [ [ 'role' => 'user', 'content' => $user_message ], [ 'role' => 'assistant', 'content' => $context ] ], 'max_tokens' => 1000 ]), ]);

My IAM user has all the permissions and policies for Bedrock and the model is available for aws region (us-east-1) and for my aws account itself. Also, I verified the credentials are correct.

I want to note that the Client is being created like this:

$client = new BedrockRuntimeClient([ 'version' => 'latest', 'region' => $this->aws_region, 'credentials' => $credentials, 'endpoint' => 'https://bedrock-runtime.us-east-1.amazonaws.com', 'http' => [ 'handler' => $stack, ], 'debug' => true, 'validate' => false, ]);

Hope someone can help me to solve this, because I'm figthing with it since a week ago.

Thank you for your time

3 Answers
2

Hello.

The error may be due to restrictions on your AWS account.
Please open a case with AWS Support under "Account and billing" following the instructions in the document below.
Inquiries under "Account and billing" can be made free of charge.
https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

https://repost.aws/knowledge-center/bedrock-invokemodel-api-error

Account restriction error
Error: "An error occurred (ValidationException) when calling the InvokeModel operation: Operation not allowed"
The error appears when your AWS account has a security restriction.
To resolve this issue, open a support case in AWS Support. For more information, see Creating a support case.

By the way, just to be sure, do you have model access enabled?
https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html

profile picture
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
profile picture
EXPERT
reviewed a month ago
  • Hi, Thank you for your answer.

    I have access to all Anthropic models.

    I just opened an Account and billing case, hope they can help me.

1

Hi,

Did you check the identity under which you PHP script runs?

To do this, include the equivalent in the AWS PHP SDK of aws sts get-caller -identity See https://docs.aws.amazon.com/cli/latest/reference/sts/get-caller-identity.html. You then get the IAM principal (user / role) under which your code executes.

Then, go to IAM and validate that this IAM principal has invokeModel for the the model that you use in its credentials. See example policies here: https://docs.aws.amazon.com/step-functions/latest/dg/bedrock-iam.html#bedrock-policy-invoke-foundation-model

Best

Didier

profile pictureAWS
EXPERT
answered a month ago
profile picture
EXPERT
reviewed a month ago
  • Hi,

    Thank you for your answer.

    I just checked the IAM principal and it is my user. Then I checked the poilicies for that user (specifically the BedrockFullAccess policy) and I see this code:

    { "Version": "2012-10-17", "Statement": [ { "Sid": "BedrockAll", "Effect": "Allow", "Action": [ "bedrock:" ], "Resource": "" }, { "Sid": "DescribeKey", "Effect": "Allow", "Action": [ "kms:DescribeKey" ], "Resource": "arn::kms::::" }, { "Sid": "APIsWithAllResourceAccess", "Effect": "Allow", "Action": [ "iam:ListRoles", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups" ], "Resource": "" }, { "Sid": "PassRoleToBedrock", "Effect": "Allow", "Action": [ "iam:PassRole" ], "Resource": "arn:aws:iam::*:role/AmazonBedrock", "Condition": { "StringEquals": { "iam:PassedToService": [ "bedrock.amazonaws.com" ] } } } ] }

0

Hello, Vicente!

Based on your setup, here are a few steps to troubleshoot the error:

  1. Model Availability: Ensure the Claude 3 Haiku model is available for your AWS account and region.
  2. IAM Permissions: Double-check that your IAM role has the "bedrock:InvokeModel" permission.
  3. Request Format: Simplify your request to include only required parameters.
  4. Check Region and Endpoint: Ensure they are consistent and correct.

Try simplifying your request:

$result = $client->invokeModel([
    'modelId' => 'anthropic.claude-3-haiku-20240307-v1:0',
    'contentType' => 'application/json',
    'accept' => 'application/json',
    'body' => json_encode([
        'prompt' => $user_message,
        'max_tokens_to_sample' => 1000
    ])
]);

I'm here to help.

profile picture
EXPERT
answered a month ago
  • Hi,

    I just cheked it with the request you shared but the same error is showing up. Hope the support team can help me.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions