High severity HTTP 403 beginner · Fix: 2-5 min

AccessDeniedException

aws_bedrock.AccessDeniedException

What this error means
AWS Bedrock raises AccessDeniedException when the IAM principal (user or role) behind your credentials is not allowed to perform the requested action, here bedrock:InvokeModel, on the model you named.

Stack trace

traceback
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the InvokeModel operation: User is not authorized to perform this action on the specified model.
QUICK FIX
Attach an IAM policy to the calling user or role that allows bedrock:InvokeModel on the model's ARN (for a foundation model: arn:aws:bedrock:<region>::foundation-model/<model-id>), and confirm the model is enabled for your account in that region.

Why it happens

IAM denies by default: unless a policy attached to the calling principal explicitly allows the bedrock:InvokeModel action on the model's ARN, the request is rejected, and an explicit Deny anywhere in the evaluation chain (another identity policy, a permissions boundary, an Organizations SCP, a VPC endpoint policy) overrides any Allow. Bedrock also returns this same exception when the account has not enabled access to that model in the region being called, so a correct IAM policy alone is not always enough.

Detection

Filter CloudTrail for events with eventSource bedrock.amazonaws.com and an errorCode of AccessDenied or AccessDeniedException; the errorMessage names the principal, action and resource that were refused. In code, catch botocore.exceptions.ClientError, inspect response['Error']['Code'], and log the denial instead of retrying it, since a permission failure will not clear on its own.
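The CloudTrail side of that detection, as an added example that is not part of the original page: the records below are constructed, and the account ID, role names and the model ID model-1234 are placeholders. The scan keeps only Bedrock events that carry a denial code, pulls the refused action and resource out of the errorMessage, and counts denials per principal and model.

```python
"""Scan CloudTrail records for Bedrock access denials (added example, not the page's code).

The records below are constructed; account ID, role names and model ID are placeholders.
"""
import json
import re
from collections import Counter

# Constructed CloudTrail-style records (subset of fields). In practice these come
# from a CloudTrail log file, a CloudWatch Logs subscription or an Athena query.
SAMPLE_EVENTS = json.dumps({"Records": [
    {
        "eventTime": "2026-04-01T10:00:00Z", "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModel", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-role/app-host"},
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/app-role/app-host "
                         "is not authorized to perform: bedrock:InvokeModel on resource: "
                         "arn:aws:bedrock:us-east-1::foundation-model/model-1234"),
    },
    {   # successful call: no errorCode field at all
        "eventTime": "2026-04-01T10:00:05Z", "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModel", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/ml-role/batch"},
    },
    {   # denial on another service: must not be counted as a Bedrock problem
        "eventTime": "2026-04-01T10:00:07Z", "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
    },
    {   # same principal denied again, this time on the streaming action
        "eventTime": "2026-04-01T10:00:09Z", "eventSource": "bedrock.amazonaws.com",
        "eventName": "InvokeModelWithResponseStream", "awsRegion": "us-east-1",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/app-role/app-host"},
        "errorCode": "AccessDeniedException",
        "errorMessage": ("User: arn:aws:sts::123456789012:assumed-role/app-role/app-host "
                         "is not authorized to perform: bedrock:InvokeModelWithResponseStream "
                         "on resource: arn:aws:bedrock:us-east-1::foundation-model/model-1234"),
    },
]})

DENIAL_CODES = {"AccessDenied", "AccessDeniedException"}
_DETAIL = re.compile(r"perform: (?P<action>\S+) on resource: (?P<resource>\S+)")


def bedrock_access_denials(cloudtrail_json):
    """Return one dict per denied Bedrock call: who, which action, which resource, when."""
    out = []
    for rec in json.loads(cloudtrail_json)["Records"]:
        if rec.get("eventSource") != "bedrock.amazonaws.com":
            continue
        if rec.get("errorCode") not in DENIAL_CODES:
            continue
        m = _DETAIL.search(rec.get("errorMessage", ""))
        out.append({
            "time": rec["eventTime"],
            "region": rec["awsRegion"],
            "principal": rec["userIdentity"]["arn"],
            "operation": rec["eventName"],
            "action": m.group("action") if m else None,
            "resource": m.group("resource") if m else None,
        })
    return out


def denials_by_principal(denials):
    """Count denials per (principal, resource). A burst from one principal on one
    model is a misconfigured policy; denials spread over many principals or many
    models look more like enumeration and deserve a closer look."""
    return Counter((d["principal"], d["resource"]) for d in denials)


if __name__ == "__main__":
    found = bedrock_access_denials(SAMPLE_EVENTS)
    for d in found:
        print(f"{d['time']} {d['principal']} denied {d['action']} on {d['resource']}")
    print(denials_by_principal(found))
```

The errorMessage parsing relies on the wording IAM uses for identity-policy denials ("is not authorized to perform: X on resource: Y"); a denial caused by missing model access carries a different message, so action and resource come back as None and the event is still counted.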

Causes & fixes

1

IAM role or user lacks bedrock:InvokeModel permission for the target model ARN

✓ Fix

Attach or update the identity policy so it allows bedrock:InvokeModel (and bedrock:InvokeModelWithResponseStream if you stream responses) on the model's ARN, not on a wildcard wider than you need.

2

The credentials actually in use belong to a different principal than the one you granted (wrong named profile, or an instance/task role picked up by the credential chain instead of your user)

✓ Fix

Check which principal is really calling with aws sts get-caller-identity (or sts.get_caller_identity() in boto3) and attach the policy to that user or role. Expired or invalid keys produce a different error (ExpiredTokenException or UnrecognizedClientException), not this one.

3

An explicit Deny elsewhere in the evaluation chain (a second identity policy, a permissions boundary, an Organizations SCP, or the policy on the VPC endpoint used to reach Bedrock) overrides your Allow

✓ Fix

Search every policy that applies to the principal for Deny statements matching bedrock:InvokeModel or bedrock:* on the model ARN; an explicit Deny always wins, so no Allow you add will help until it is removed or narrowed. The IAM policy simulator (simulate_principal_policy) reports which statement caused the decision.
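A least-privilege policy for cause 1 and an offline check of how IAM would evaluate it against the explicit Deny of cause 3, as an added example that is not the page's code. The region, account and model ID are placeholders, and the evaluator covers only Effect/Action/Resource of identity policies (no Condition, NotAction, SCP or endpoint-policy logic); it reproduces IAM's order of explicit deny, then allow, then implicit deny.

```python
"""Least-privilege Bedrock invoke policy plus an offline evaluation check.

Added example, not the page's code. Region and model ID are placeholders.
Only Effect/Action/Resource are evaluated; Condition keys, NotAction/NotResource,
SCPs, permissions boundaries and endpoint policies are out of scope here.
"""
import re

REGION = "us-east-1"          # placeholder: the region the model is enabled in
MODEL_ID = "model-1234"       # placeholder model ID, as used on the page
MODEL_ARN = f"arn:aws:bedrock:{REGION}::foundation-model/{MODEL_ID}"

# Least privilege: only the two invoke actions, only this model.
INVOKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "InvokeOneModel",
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": MODEL_ARN,
    }],
}

# A deny statement such as an SCP or a second attached policy might carry.
DENY_ALL_INVOKE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "bedrock:InvokeModel",
        "Resource": "arn:aws:bedrock:*::foundation-model/*",
    }],
}


def _match(pattern, value, ignore_case):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Action names compare case-insensitively; ARNs compare case-sensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one action on one ARN,
    following IAM's order: any matching Deny wins, else any matching Allow,
    else the request is denied by default."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


if __name__ == "__main__":
    other = f"arn:aws:bedrock:{REGION}::foundation-model/other-model"
    print("own model, allow only:", evaluate([INVOKE_POLICY], "bedrock:InvokeModel", MODEL_ARN))
    print("other model, allow only:", evaluate([INVOKE_POLICY], "bedrock:InvokeModel", other))
    print("own model, allow + deny:", evaluate([INVOKE_POLICY, DENY_ALL_INVOKE],
                                                "bedrock:InvokeModel", MODEL_ARN))
```

For the real decision, including conditions and SCPs, run the same question through IAM itself: `boto3.client('iam').simulate_principal_policy(PolicySourceArn=<principal ARN>, ActionNames=['bedrock:InvokeModel'], ResourceArns=[MODEL_ARN])` returns the decision per action together with the statements that matched.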

Code: broken vs fixed

Broken - triggers the error
python
import boto3

# InvokeModel lives on the runtime client; the control-plane 'bedrock' client
# has no invoke_model method at all.
client = boto3.client('bedrock-runtime', region_name='us-east-1')  # region where the model is enabled

response = client.invoke_model(
    modelId='model-1234',  # placeholder model ID
    contentType='application/json',
    accept='application/json',
    body=b'{"input": "Hello"}'
)  # Raises AccessDeniedException: the caller's principal lacks bedrock:InvokeModel on this model
print(response)
Fixed - works correctly
python
import json
import boto3

# Resolve credentials through the standard chain (environment, shared config,
# instance or task role); never put keys or placeholder keys in source.
session = boto3.Session(region_name='us-east-1')  # region where the model is enabled

# Print the principal IAM will evaluate: this is the ARN that must carry
# bedrock:InvokeModel on the model ARN.
identity = session.client('sts').get_caller_identity()
print('Calling as', identity['Arn'])

client = session.client('bedrock-runtime')

response = client.invoke_model(
    modelId='model-1234',  # placeholder; use a model ID your policy's Resource covers
    contentType='application/json',
    accept='application/json',
    body=json.dumps({"input": "Hello"}),
)  # Succeeds once the printed principal is allowed bedrock:InvokeModel on this model
print(json.loads(response['body'].read()))
Uses the bedrock-runtime client, resolves credentials through the standard chain instead of hard-coding them, and prints the calling principal so you can confirm the policy granting bedrock:InvokeModel on the model ARN is attached to that user or role; the code change alone does not remove the denial, the policy does.

Workaround

Catch botocore.exceptions.ClientError, check response['Error']['Code'] for AccessDeniedException, and log the operation, message and request ID (so the event can be matched in CloudTrail); then fail fast and alert whoever owns the IAM policies. Do not retry a denial: unlike throttling, it will not clear on its own.
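The workaround in code, as an added example that is not the page's code: a wrapper that retries only transient Bedrock errors and turns an AccessDeniedException into an immediate, logged failure. The stand-in ClientError class is used only when botocore is not installed so the example runs offline; the flaky-call helper and the error payloads are constructed, and the request ID is a placeholder.

```python
"""Fail fast on AccessDeniedException, retry only transient errors.

Added example, not the page's code. With botocore installed the real ClientError
is used; otherwise a stand-in with the same .response/.operation_name shape.
"""
import logging
import time

try:
    from botocore.exceptions import ClientError
except ImportError:  # keeps the example runnable without boto3
    class ClientError(Exception):
        def __init__(self, error_response, operation_name):
            self.response = error_response
            self.operation_name = operation_name
            err = error_response["Error"]
            super().__init__(f"An error occurred ({err['Code']}) when calling the "
                             f"{operation_name} operation: {err.get('Message', '')}")

log = logging.getLogger("bedrock")

# Transient Bedrock runtime errors that backoff can clear; a denial is not one of them.
RETRYABLE = {"ThrottlingException", "ServiceUnavailableException",
             "ModelTimeoutException", "InternalServerException"}


class BedrockPermissionError(RuntimeError):
    """Raised once, immediately, when IAM denies the call."""


def error_code(err):
    return err.response.get("Error", {}).get("Code", "")


def invoke_with_policy(call, *, max_attempts=3, sleep=time.sleep):
    """Run call() (e.g. a bound client.invoke_model(...)) with retries for transient
    errors only. An AccessDeniedException is logged with what an operator needs
    (operation, message, request ID for CloudTrail correlation) and re-raised at once."""
    for attempt in range(1, max_attempts + 1):
        try:
            return call()
        except ClientError as err:
            code = error_code(err)
            if code == "AccessDeniedException":
                meta = err.response.get("ResponseMetadata", {})
                log.error("Bedrock denied %s (request %s): %s", err.operation_name,
                          meta.get("RequestId"), err.response["Error"].get("Message"))
                raise BedrockPermissionError(str(err)) from err
            if code in RETRYABLE and attempt < max_attempts:
                sleep(0.2 * 2 ** attempt)  # exponential backoff, 0.4s / 0.8s / ...
                continue
            raise


def make_flaky_call(outcomes):
    """Constructed stand-in for client.invoke_model: consumes one outcome per call,
    raising it if it is an exception and returning it otherwise."""
    calls = {"n": 0}

    def call():
        calls["n"] += 1
        outcome = outcomes.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    call.count = lambda: calls["n"]
    return call


def denied(operation="InvokeModel"):
    """Constructed error payload shaped like the one in the page's stack trace."""
    return ClientError({
        "Error": {"Code": "AccessDeniedException",
                  "Message": "User is not authorized to perform this action on the specified model."},
        "ResponseMetadata": {"RequestId": "placeholder-request-id"},
    }, operation)


def throttled():
    return ClientError({"Error": {"Code": "ThrottlingException",
                                  "Message": "Too many requests"}}, "InvokeModel")


if __name__ == "__main__":
    try:
        invoke_with_policy(make_flaky_call([denied()]), sleep=lambda s: None)
    except BedrockPermissionError as e:
        print("stopped after one attempt:", e)
    print(invoke_with_policy(make_flaky_call([throttled(), {"ok": True}]), sleep=lambda s: None))
```

In production the `call` argument is something like `lambda: client.invoke_model(modelId=..., body=...)`; the denial path runs exactly once, so a misconfigured policy shows up as one clear log line per request instead of a burst of retries in CloudTrail.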

Prevention

Write least-privilege IAM policies that name the invoke actions and the model ARNs you actually use rather than bedrock:* on *, validate them with IAM Access Analyzer and the policy simulator before rollout, and audit attached policies on a schedule so a later Deny or a removed Allow is caught before it breaks production.

Python 3.9+ · boto3 >=1.26.0 · tested on 1.28.x
Verified 2026-04
