EC2 Not Authorized to Call Bedrock or Textract — How to Fix IAM Permissions
You set up AWS Bedrock or Textract on your backend, everything looks right, then you hit this in production: is not authorized to perform: bedrock:InvokeModel. Here is exactly what is wrong and how to fix it in under two minutes.
The Error
You will see one of these in your logs:
User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/your-ec2-role/i-XXXXXXXXXXXXXXXXX
is not authorized to perform: bedrock:InvokeModel
on resource: arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-lite-v1:0
because no identity-based policy allows the bedrock:InvokeModel actionUser: arn:aws:sts::XXXXXXXXXXXX:assumed-role/your-ec2-role/i-XXXXXXXXXXXXXXXXX
is not authorized to perform: textract:StartDocumentTextDetection
on resource: *Both errors mean the same thing — your EC2 instance is making AWS API calls using its IAM role, but that role has no permission to call Bedrock or Textract.
Why This Happens
When your application runs on EC2, it authenticates to AWS using the IAM instance role attached to the instance — not your personal AWS credentials. That role only has the permissions you explicitly grant it.
Most EC2 setups come with S3, SES, or ECR permissions out of the box. Bedrock and Textract are newer services — they are almost never included by default and must be added manually.
This is not a code problem. Your SDK calls are correct. The instance role just lacks the permission. IAM policy changes take effect immediately — no restart required.
Step 1 — Find Your EC2 Instance Role Name
If you do not know your role name, look it up:
aws ec2 describe-instances \
--instance-ids YOUR_INSTANCE_ID \
--query "Reservations[0].Instances[0].IamInstanceProfile.Arn" \
--output text --region us-east-1The output looks like arn:aws:iam::XXXX:instance-profile/your-ec2-role. The role name is the last segment after the slash.
Or check which policies are already attached:
aws iam list-attached-role-policies --role-name YOUR_ROLE_NAME
aws iam list-role-policies --role-name YOUR_ROLE_NAMEStep 2 — Add Bedrock Permission
This allows your EC2 to call InvokeModel andInvokeModelWithResponseStream on all foundation models:
aws iam put-role-policy \
--role-name YOUR_ROLE_NAME \
--policy-name BedrockAccess \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel",
"bedrock:InvokeModelWithResponseStream"
],
"Resource": "arn:aws:bedrock:us-east-1::foundation-model/*"
}]
}' \
--region us-east-1The wildcard foundation-model/* covers all models — Nova, Claude, Titan, Llama, etc. If you want to restrict to a specific model, replace * with the model ID, e.g. amazon.nova-lite-v1:0.
Step 3 — Add Textract Permission
If you are using Textract for document or PDF text extraction, add this separately:
aws iam put-role-policy \
--role-name YOUR_ROLE_NAME \
--policy-name TextractAccess \
--policy-document '{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"textract:DetectDocumentText",
"textract:StartDocumentTextDetection",
"textract:GetDocumentTextDetection"
],
"Resource": "*"
}]
}' \
--region us-east-1The three actions cover:
DetectDocumentText— synchronous, single page, images and small PDFsStartDocumentTextDetection— async job start, multi-page PDFs from S3GetDocumentTextDetection— poll async job results
Step 4 — Verify
# Confirm the policies were applied
aws iam list-role-policies --role-name YOUR_ROLE_NAME
# Expected output:
# {
# "PolicyNames": [
# "BedrockAccess",
# "TextractAccess"
# ]
# }No restart needed. IAM policy changes are effective immediately. Re-run your application and the error will be gone.
One More Thing — Model Access in Bedrock Console
IAM permission is only half the requirement. AWS Bedrock also requires you to explicitly enable each model in your account before it can be called.
If you still get an error after adding the IAM policy, check this:
- Go to AWS Console → Bedrock → Model access
- Find the model you are trying to use (e.g. Amazon Nova Lite)
- Click Request access if it shows as unavailable
- Most models are approved instantly
IAM controls who can call the API. Model access controls which models are enabled in your account. You need both. Missing either one gives the same "not authorized" error, which is why it is easy to miss.
Summary
Problem EC2 role missing Bedrock / Textract permissions
Symptom "is not authorized to perform: bedrock:InvokeModel"
Fix aws iam put-role-policy → add BedrockAccess + TextractAccess
Effect Immediate — no restart needed
Gotcha Also check Bedrock Console → Model access is enabled