While building a Generative AI application on AWS, I successfully created my backend and integrated the AWS SDK. However, when sending a prompt to Amazon Bedrock, my application failed with an error similar to:
AccessDeniedException: User is not authorized to perform bedrock:InvokeModel
This issue is very common for beginners and can be confusing, especially when the code looks correct.
Why This Problem Happens
This error usually occurs because:
- Amazon Bedrock access is not enabled in the AWS account
- The IAM role or user does not have permission to invoke Bedrock models
- The application is using incorrect or missing IAM policies
- The selected AWS region does not support Amazon Bedrock
Even though the application code is correct, AWS security blocks the request by default.
Solution: Fixing Amazon Bedrock Access Step by Step
Step 1: Check Amazon Bedrock Availability in Your Region
Amazon Bedrock is not available in all AWS regions.
Action:
- Open the AWS Console
- Switch to a supported region (for example: us-east-1 or us-west-2)
- Make sure your application is configured to use the same region
This single step resolves many beginner issues.
Step 2: Request Access to Amazon Bedrock Models
Amazon Bedrock requires one-time approval before using foundation models.
Action:
- Open the Amazon Bedrock service in the AWS Console
- Navigate to “Model access”
- Request access for the available foundation models
- Wait until the status shows “Access granted”
Without this step, invoking any model will always fail.
Step 3: Verify the IAM Role or User Used by Your Application
Your application must use an IAM role or IAM user with proper permissions.
Action:
- Identify whether your application uses:
  - IAM user credentials, or
  - An IAM role (recommended)
- Avoid hardcoding AWS credentials in your code whenever possible
Step 4: Attach Required IAM Permissions
The IAM role or user must explicitly allow Amazon Bedrock actions.
Minimum required permission example:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": "*"
    }
  ]
}
Action:
- Open IAM in the AWS Console
- Attach this policy to the relevant role or user
- Save the changes
Step 5: Confirm the SDK Region in Code
Your SDK configuration must match the region where Amazon Bedrock is enabled.
Example (Node.js):
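import { BedrockRuntimeClient } from "@aws-sdk/client-bedrock-runtime";

// The region must be the one where model access was granted (Step 2).
const client = new BedrockRuntimeClient({
  region: "us-east-1",
});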
If the region is incorrect, the request will fail even when permissions are correct.
Step 6: Test with a Simple Prompt First
Before testing a full application, try a basic prompt to validate the setup.
Example:
generateResponse("What is cloud computing?")
If this works successfully, your Amazon Bedrock configuration is correct.
Step 7: Monitor Logs for Errors
If issues still occur:
- Check CloudWatch logs
- Review the complete error message
- Reconfirm IAM permissions and model access
AWS error messages usually indicate the exact missing permission or configuration issue.
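The denial text mentioned in Step 7 can be turned directly into a narrowly scoped policy statement instead of a wildcard one. The following is an added example, not code from the original post; it assumes the full message follows the common IAM form `User: <arn> is not authorized to perform: <action> on resource: <arn> ...`, and the sample message, account ID, role name, model ID and function names are constructed for illustration.

```javascript
// Constructed sample in the usual IAM denial format; the account ID, role
// name and model ID are placeholders, not values from the article.
const SAMPLE_DENIED =
  "User: arn:aws:sts::111122223333:assumed-role/app-role/session-1 " +
  "is not authorized to perform: bedrock:InvokeModel on resource: " +
  "arn:aws:bedrock:us-east-1::foundation-model/example.model-v1 " +
  "because no identity-based policy allows the bedrock:InvokeModel action";

// Pull principal, action, resource and denial reason out of the message.
function parseAccessDenied(message) {
  const re = /User: (\S+) is not authorized to perform: (\S+)(?: on resource: (\S+))?\s*(.*)/;
  const m = re.exec(message);
  if (!m) return null; // not in the assumed format
  const [, principal, action, resource = null, tail] = m;
  let reason = "unknown";
  if (/^with an explicit deny/.test(tail)) reason = "explicit-deny";
  else if (/^because no [\w-]+ policy allows/.test(tail)) reason = "no-allow";
  // ARN layout: arn:partition:service:region:account:resource
  const region = resource ? resource.split(":")[3] || null : null;
  return { principal, action, resource, region, reason };
}

// Build an Allow statement limited to the denied action and resource.
// An explicit deny cannot be fixed by adding an Allow, so return null for it.
function scopedStatement(denial) {
  if (!denial || denial.reason === "explicit-deny") return null;
  // Falls back to "*" only when the message named no resource.
  return { Effect: "Allow", Action: [denial.action], Resource: denial.resource || "*" };
}

// Flag a denial whose resource lies in a different region from the one
// where model access was granted (the Step 5 mismatch).
function regionMismatch(denial, enabledRegion) {
  return Boolean(denial && denial.region && denial.region !== enabledRegion);
}

const denial = parseAccessDenied(SAMPLE_DENIED);
console.log(denial);
console.log(JSON.stringify({ Version: "2012-10-17", Statement: [scopedStatement(denial)] }, null, 2));
```

The generated statement names the single model ARN from the denial, which is tighter than the `"Resource": "*"` policy in Step 4.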
Key Lessons Learned
- AWS is secure by default
- IAM permissions are required even when application code is correct
- AWS region selection plays a critical role
- Most Generative AI issues are configuration-related, not code-related
Final Thoughts
When building a Generative AI application on AWS using Amazon Bedrock, errors such as AccessDeniedException are part of the learning journey.
Instead of repeatedly modifying your code, always verify:
- AWS region
- Model access approval
- IAM permissions
Fixing these step by step helps build strong cloud fundamentals and prevents similar issues in future projects.