Bedrock authorization errors with regional access

Applies to:

Plan:
Deployment:

Summary

AWS Bedrock Claude model requests fail with authorization errors like:

User: arn:aws:iam::XXXXXXXXXXXX:user/service-accounts/braintrust/braintrust-XXXXXXX is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0 because no identity-based policy allows the bedrock:InvokeModelWithResponseStream action

When service account policies lack regional access permissions. The issue is resolved by updating the AWS service account IAM policy to include bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream permissions for the target regions.

Resolution Steps

Step 1: Validate service account policy

Make sure you IAM account has access to Bedrock invocation permissions to your AWS service account IAM policy.

Multi-region access example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInvokeFoundationModelsMultiRegion",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*::foundation-model/*"
    }
  ]
}

Step 2: Verify regional access

Ensure the service account policy allows access to the specific AWS region where your Bedrock models are hosted. This is especially important when using inference profiles that require access to specific regions.

Region specific policy example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInvokeFoundationModelsTwoRegions",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/*",
        "arn:aws:bedrock:us-west-2::foundation-model/*"
      ]
    }
  ]
}

Step 3: Test invocation

Make a test call to your Bedrock Claude model to confirm authorization is working.

Note that the policies here are just examples, you should validate the AWS documentation for accurate guidance on how to set up your IAM policy for access to Bedrock

​Summary

​Resolution Steps

​Step 1: Validate service account policy

​Multi-region access example

​Step 2: Verify regional access

​Region specific policy example

​Step 3: Test invocation

​Note that the policies here are just examples, you should validate the AWS documentation for accurate guidance on how to set up your IAM policy for access to Bedrock

​Relevant Links

Summary

Resolution Steps

Step 1: Validate service account policy

Multi-region access example

Step 2: Verify regional access

Region specific policy example

Step 3: Test invocation

Note that the policies here are just examples, you should validate the AWS documentation for accurate guidance on how to set up your IAM policy for access to Bedrock

Relevant Links