Debug Fix

Fix AWS Bedrock access denied error

Quick answer
An AWS Bedrock AccessDeniedException occurs when your IAM role or user lacks the necessary permissions to call Bedrock APIs. Ensure your IAM policy grants bedrock:InvokeModel and related permissions, and that your AWS credentials are correctly configured in your environment.
Error type: api_error

Quick fix: Attach an IAM policy with bedrock:InvokeModel permission to your user or role and verify AWS credentials are properly set.

Why this happens

The AccessDeniedException error in AWS Bedrock occurs when the IAM user or role making the API call does not have sufficient permissions. This typically happens if the IAM policy lacks bedrock:InvokeModel or related Bedrock permissions. Additionally, missing or misconfigured AWS credentials in your environment can trigger this error.

Example error output:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the Converse operation: User is not authorized to perform: bedrock:InvokeModel on resource

Example broken code snippet that triggers the error:

Python:

import boto3

# The Bedrock runtime client picks up credentials from the usual boto3 chain
# (environment variables, ~/.aws/config, or an instance/task role).
client = boto3.client('bedrock-runtime', region_name='us-east-1')

# Converse API content blocks are plain {"text": ...} dicts; boto3 rejects
# an extra "type" key client-side before the request is ever sent.
response = client.converse(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    messages=[{"role": "user", "content": [{"text": "Hello"}]}]
)
print(response)

Output:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the Converse operation: User is not authorized to perform: bedrock:InvokeModel on resource

The fix

Grant the IAM user or role the necessary Bedrock permissions by attaching a policy like the following. This policy allows invoking any Bedrock model (its Resource is "*"):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel"],
      "Resource": "*"
    }
  ]
}

Also, ensure your AWS credentials are configured correctly via environment variables, AWS CLI config, or EC2/ECS roles.

Corrected example code:

Python:

import boto3

client = boto3.client('bedrock-runtime', region_name='us-east-1')

# Same call as before; it now succeeds because the caller's policy grants
# bedrock:InvokeModel. Content blocks use the Converse {"text": ...} shape.
response = client.converse(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    messages=[{"role": "user", "content": [{"text": "Hello"}]}]
)
# The model's reply is the first content block of the output message.
print(response['output']['message']['content'][0]['text'])

Output:

Hello

Preventing it in production

Implement these best practices to avoid access denied errors in production:

  • Use least privilege IAM policies granting only necessary Bedrock actions.
  • Validate AWS credentials and region configuration before API calls.
  • Implement retry logic with exponential backoff for transient authorization issues.
  • Use AWS IAM roles for EC2, Lambda, or ECS to avoid hardcoding credentials.
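As an added example (not code from the original page), the following Python preflight check evaluates an IAM policy document against the action and model ARN your code will use, and pulls the denied action out of an AccessDeniedException message. The evaluator is a deliberately simplified model of IAM logic (no Condition, NotAction, NotResource or resource-based policies), and the model ARN is illustrative.

```python
import re

# Constructed sample values: the broad policy from the fix above and a
# least-privilege variant scoped to one model ARN. The ARN follows the
# Bedrock foundation-model ARN layout but is illustrative, not verified.
MODEL_ARN = ("arn:aws:bedrock:us-east-1::foundation-model/"
             "anthropic.claude-3-5-sonnet-20241022-v2:0")

BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["bedrock:InvokeModel"], "Resource": "*"}]}

LEAST_PRIVILEGE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
     "Resource": MODEL_ARN}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names compare case-insensitively; ARNs compare as written."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None

def policy_allows(policy, action, resource):
    """Simplified IAM evaluation (assumption: one identity policy, no
    Condition/NotAction): explicit Deny wins, otherwise implicit deny."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not (any(_iam_match(a, action, True) for a in actions)
                and any(_iam_match(r, resource, False) for r in resources)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

_DENIED_ACTION = re.compile(r"not authorized to perform: (\S+)")

def missing_action(error_message):
    """Extract the denied action from a Bedrock AccessDeniedException message
    so a preflight check can report exactly which permission is missing."""
    match = _DENIED_ACTION.search(error_message)
    return match.group(1) if match else None
```

Run policy_allows against the policy you intend to deploy and the exact model ARN and action (streaming calls need bedrock:InvokeModelWithResponseStream) before shipping, and feed any caught ClientError message to missing_action for a precise report.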

Key Takeaways

  • Always attach an IAM policy with bedrock:InvokeModel permission to your user or role.
  • Configure AWS credentials properly in your environment to authenticate API calls.
  • Use least privilege principles and validate permissions before deploying to production.
Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0