# Bedrock authorization errors with regional access

export const plans_0 = "Enterprise"

export const deployments_0 = "Self-hosted"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - AWS Bedrock Claude models with service account authentication"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

AWS Bedrock Claude model requests fail with authorization errors like the following when the service account policy lacks regional access permissions:

```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
User: arn:aws:iam::XXXXXXXXXXXX:user/service-accounts/braintrust/braintrust-XXXXXXX is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0 because no identity-based policy allows the bedrock:InvokeModelWithResponseStream action
```

To resolve the issue, update the AWS service account IAM policy to include the `bedrock:InvokeModel` and `bedrock:InvokeModelWithResponseStream` permissions for the target regions.

## Resolution Steps

### Step 1: Validate service account policy

Make sure the IAM policy attached to your AWS service account grants the Bedrock invocation permissions.

#### Multi-region access example

```json theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInvokeFoundationModelsMultiRegion",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*::foundation-model/*"
    }
  ]
}

```

### Step 2: Verify regional access

Ensure the service account policy allows access to the specific AWS region where your Bedrock models are hosted. This is especially important when using inference profiles that require access to specific regions.

#### Region-specific policy example

```json theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInvokeFoundationModelsTwoRegions",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/*",
        "arn:aws:bedrock:us-west-2::foundation-model/*"
      ]
    }
  ]
}

```

### Step 3: Test invocation

Make a test call to your Bedrock Claude model to confirm authorization is working.
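
Before making the test call, you can check offline whether a policy covers the exact action and resource named in the error. The following is an added example, not Braintrust or AWS code: it parses the error from the Summary and evaluates the two example policies from this page against it. It is a simplified check that assumes only identity-based `Allow` statements matter and ignores `Deny`, `NotAction`/`NotResource`, `Condition`, permission boundaries and SCPs; the function names are hypothetical.

```python
import re

# Error text from the Summary above (account and user IDs are masked on the page).
ERROR = ("User: arn:aws:iam::XXXXXXXXXXXX:user/service-accounts/braintrust/braintrust-XXXXXXX "
         "is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: "
         "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-haiku-4-5-20251001-v1:0 "
         "because no identity-based policy allows the bedrock:InvokeModelWithResponseStream action")

ACTIONS = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
# The two example policies from this page.
MULTI_REGION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BedrockInvokeFoundationModelsMultiRegion", "Effect": "Allow", "Action": ACTIONS,
    "Resource": "arn:aws:bedrock:*::foundation-model/*"}]}
TWO_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BedrockInvokeFoundationModelsTwoRegions", "Effect": "Allow", "Action": ACTIONS,
    "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/*",
                 "arn:aws:bedrock:us-west-2::foundation-model/*"]}]}

def parse_denial(message):
    """Extract (action, resource ARN) from an IAM 'not authorized to perform' error."""
    m = re.search(r"not authorized to perform: (\S+) on resource: (\S+)", message)
    if not m:
        raise ValueError("not an IAM authorization error")
    return m.group(1), m.group(2)

def _glob(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        if (any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
                and any(_glob(r, resource) for r in _as_list(stmt.get("Resource", [])))):
            return True
    return False

def region_of(arn):
    """Region is the fourth colon-separated field of an ARN."""
    return arn.split(":")[3]

if __name__ == "__main__":
    action, resource = parse_denial(ERROR)
    for name, policy in (("multi-region", MULTI_REGION), ("two-region", TWO_REGIONS)):
        verdict = "allows" if allows(policy, action, resource) else "does NOT allow"
        print(f"{name} policy {verdict} {action} in {region_of(resource)}")
```

The denied resource in the sample error is in `us-east-2`, which the two-region example does not list, so that policy would still produce the same error for this request.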

<Note>
  The policies here are just examples. Consult the AWS documentation for accurate guidance on how to set up your IAM policy for access to Bedrock.
</Note>

## Relevant Links

* [AWS Bedrock IAM policy examples](https://docs.aws.amazon.com/bedrock/latest/userguide/security_iam_id-based-policy-examples.html)
