Back to Blog
Cloud 5 min readJun 3, 2026

EC2 Not Authorized to Call Bedrock or Textract — How to Fix IAM Permissions

You set up AWS Bedrock or Textract on your backend, everything looks right, then you hit this in production: is not authorized to perform: bedrock:InvokeModel. Here is exactly what is wrong and how to fix it in under two minutes.

The Error

You will see one of these in your logs:

text
User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/your-ec2-role/i-XXXXXXXXXXXXXXXXX
is not authorized to perform: bedrock:InvokeModel
on resource: arn:aws:bedrock:us-east-1::foundation-model/amazon.nova-lite-v1:0
because no identity-based policy allows the bedrock:InvokeModel action
text
User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/your-ec2-role/i-XXXXXXXXXXXXXXXXX
is not authorized to perform: textract:StartDocumentTextDetection
on resource: *

Both errors mean the same thing — your EC2 instance is making AWS API calls using its IAM role, but that role has no permission to call Bedrock or Textract.

Why This Happens

When your application runs on EC2, it authenticates to AWS using the IAM instance role attached to the instance — not your personal AWS credentials. That role only has the permissions you explicitly grant it.

Most EC2 setups come with S3, SES, or ECR permissions out of the box. Bedrock and Textract are newer services — they are almost never included by default and must be added manually.

💡

This is not a code problem. Your SDK calls are correct. The instance role just lacks the permission. IAM policy changes take effect immediately — no restart required.

Step 1 — Find Your EC2 Instance Role Name

If you do not know your role name, look it up:

bash
aws ec2 describe-instances \
  --instance-ids YOUR_INSTANCE_ID \
  --query "Reservations[0].Instances[0].IamInstanceProfile.Arn" \
  --output text --region us-east-1

The output looks like arn:aws:iam::XXXX:instance-profile/your-ec2-role. The role name is the last segment after the slash.

Or check which policies are already attached:

bash
aws iam list-attached-role-policies --role-name YOUR_ROLE_NAME
aws iam list-role-policies --role-name YOUR_ROLE_NAME

Step 2 — Add Bedrock Permission

This allows your EC2 to call InvokeModel andInvokeModelWithResponseStream on all foundation models:

bash
aws iam put-role-policy \
  --role-name YOUR_ROLE_NAME \
  --policy-name BedrockAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:us-east-1::foundation-model/*"
    }]
  }' \
  --region us-east-1
💡

The wildcard foundation-model/* covers all models — Nova, Claude, Titan, Llama, etc. If you want to restrict to a specific model, replace * with the model ID, e.g. amazon.nova-lite-v1:0.

Step 3 — Add Textract Permission

If you are using Textract for document or PDF text extraction, add this separately:

bash
aws iam put-role-policy \
  --role-name YOUR_ROLE_NAME \
  --policy-name TextractAccess \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Action": [
        "textract:DetectDocumentText",
        "textract:StartDocumentTextDetection",
        "textract:GetDocumentTextDetection"
      ],
      "Resource": "*"
    }]
  }' \
  --region us-east-1

The three actions cover:

  • DetectDocumentText — synchronous, single page, images and small PDFs
  • StartDocumentTextDetection — async job start, multi-page PDFs from S3
  • GetDocumentTextDetection — poll async job results

Step 4 — Verify

bash
# Confirm the policies were applied
aws iam list-role-policies --role-name YOUR_ROLE_NAME

# Expected output:
# {
#     "PolicyNames": [
#         "BedrockAccess",
#         "TextractAccess"
#     ]
# }

No restart needed. IAM policy changes are effective immediately. Re-run your application and the error will be gone.

One More Thing — Model Access in Bedrock Console

IAM permission is only half the requirement. AWS Bedrock also requires you to explicitly enable each model in your account before it can be called.

If you still get an error after adding the IAM policy, check this:

  • Go to AWS Console → Bedrock → Model access
  • Find the model you are trying to use (e.g. Amazon Nova Lite)
  • Click Request access if it shows as unavailable
  • Most models are approved instantly
💡

IAM controls who can call the API. Model access controls which models are enabled in your account. You need both. Missing either one gives the same "not authorized" error, which is why it is easy to miss.

Summary

text
Problem   EC2 role missing Bedrock / Textract permissions
Symptom   "is not authorized to perform: bedrock:InvokeModel"
Fix       aws iam put-role-policy → add BedrockAccess + TextractAccess
Effect    Immediate — no restart needed
Gotcha    Also check Bedrock Console → Model access is enabled
All postsAWS · IAM · Bedrock · Textract · EC2

naresh@gowda:~$ built with Next.js + Tailwind + Framer Motion