调用Amazon Bedrock Claude 4推理配置文件模型时遭遇AccessDeniedException权限错误求助
2026-4-8
调用Amazon Bedrock Claude 4推理配置文件模型时遭遇AccessDeniedException权限错误求助
你好,我来帮你排查这个权限问题。从你提供的代码、IAM策略和错误信息来看,主要有几个可能的原因和对应的解决步骤:
一、核心排查点及解决办法
1. 确认AWS凭证是否对应正确的IAM用户/角色
有时候代码会默认加载其他AWS凭证(比如环境变量、默认profile),导致实际使用的账号不是你配置了策略的那个用户。你可以在代码里显式指定要使用的CLI profile:
import boto3 import json # 显式指定profile名称 bedrock_runtime = boto3.client( "bedrock-runtime", region_name="us-east-2", profile_name="你的目标CLI配置文件名" ) response = bedrock_runtime.invoke_model( modelId = "arn:aws:bedrock:us-east-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0", body=b'{"prompt":"Hello, Claude!", "max_tokens":100}', contentType="application/json", accept="application/json" ) print(response['body'].read())
也可以通过终端命令aws configure list查看当前生效的凭证信息,确认账号ID和区域是否匹配。
2. 检查推理配置文件ARN的完全匹配
你的IAM策略里已经包含了目标推理配置的ARN,但要仔细核对账号ID、区域、推理配置名称是否和代码里的完全一致(虽然ARN不区分大小写,但避免拼写错误):
- 代码中的ARN:
arn:aws:bedrock:us-east-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0 - IAM策略中的对应条目:
arn:aws:bedrock:us-east-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0
这部分看起来是匹配的,但可以再确认一遍。
3. 验证基础模型的访问权限
推理配置文件是基于基础模型创建的,确保你对该配置关联的基础模型也有访问权限。你的IAM策略里已经添加了arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0,但需要确认该模型在us-east-2区域是否对你的AWS账号开放(部分Claude模型需要单独申请访问权限)。你可以通过Bedrock控制台的模型库查看是否能访问该基础模型。
4. 等待IAM策略生效
IAM策略更新后通常需要1-5分钟才能全局生效,如果你刚修改完策略,建议等待几分钟后再测试代码。
5. 检查是否有其他IAM权限边界或组织SCP限制
如果你的账号属于AWS组织,可能存在服务控制策略(SCP)限制了Bedrock的调用权限;或者IAM用户/角色有附加的权限边界,阻止了bedrock:InvokeModel操作。可以在IAM控制台查看用户的权限边界和组织SCP配置。
二、你提供的问题详情(供参考)
测试代码
import boto3 import json bedrock_runtime = boto3.client("bedrock-runtime", region_name="us-east-2") response = bedrock_runtime.invoke_model( #modelId="anthropic.claude-3-sonnet-20240229-v1:0", modelId = "arn:aws:bedrock:us-east-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0", body=b'{"prompt":"Hello, Claude!", "max_tokens":100}', contentType="application/json", accept="application/json" ) print(response['body'].read())
关联的IAM策略
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListingBedrockModels", "Effect": "Allow", "Action": [ "bedrock:ListFoundationModels" ], "Resource": "*" }, { "Sid": "AllowInvokeClaude4", "Effect": "Allow", "Action": [ "bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream" ], "Resource": [ "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-opus-4-20250514-v1:0", "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-sonnet-3-20240229-v1:0", "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0", "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0", "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0", "arn:aws:bedrock:us-west-2:436759792746:inference-profile/us.anthropic.claude-sonnet-3-20240229-v1:0", "arn:aws:bedrock:us-west-2:436759792746:inference-profile/us.anthropic.claude-opus-4-20250514-v1:0", "arn:aws:bedrock:us-east-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0", "arn:aws:bedrock:us-east-1:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0", "arn:aws:bedrock:us-west-2:436759792746:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0" ] } ] }
错误信息
Traceback (most recent call last): File "/Users/mayukhghosh/Library/Mobile Documents/com~apple~CloudDocs/Desktop/Code/amazon-bedrock-agents-quickstart/streamlit_agent/test_model_access.py", line 7, in <module> response = bedrock_runtime.invoke_model( File "/Users/mayukhghosh/anaconda3/lib/python3.10/site-packages/botocore/client.py", line 595, in _api_call return self._make_api_call(operation_name, kwargs) File "/Users/mayukhghosh/anaconda3/lib/python3.10/site-packages/botocore/context.py", line 123, in wrapper return func(*args, **kwargs) File "/Users/mayukhghosh/anaconda3/lib/python3.10/site-packages/botocore/client.py", line 1058, in _make_api_call raise error_class(parsed_response, operation_name) botocore.errorfactory.AccessDeniedException: An error occurred (AccessDeniedException) when calling the InvokeModel operation: You don't have access to the model with the specified model ID.
内容来源于stack exchange
