@shinyaz

Bedrock Foundation Model ARNs have an empty account ID


When granting Nova Sonic permissions to an AgentCore Runtime execution role, I replaced the ACCOUNT_ID placeholder in the sample bedrock-iam-policy.json with my actual account ID. But Foundation Model ARNs don't include an account ID, so this replacement is wrong.

Wrong
"Resource": "arn:aws:bedrock:us-west-2:123456789012:foundation-model/amazon.nova-2-sonic-v1:0"
Correct
"Resource": "arn:aws:bedrock:us-west-2::foundation-model/amazon.nova-2-sonic-v1:0"

Note the :: — the account ID portion is empty. You can verify this with aws bedrock get-foundation-model, which shows the modelArn with no account ID.

When sample code has an ACCOUNT_ID placeholder, it's tempting to sed replace everything at once. Bedrock Foundation Model resources are the exception.
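A small check for the mistake described above, as an added example that is not from the original post: it walks a policy's Resource entries and empties the account field of any Bedrock foundation-model ARN, leaving other ARNs alone. The sample policy, the action, the logs ARN and the function names are constructed for illustration.

```python
import copy
import json

# Constructed sample: ACCOUNT_ID was replaced everywhere, including the
# foundation-model ARN, whose account field must stay empty.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "bedrock:InvokeModel",
    "Resource": [
      "arn:aws:bedrock:us-west-2:123456789012:foundation-model/amazon.nova-2-sonic-v1:0",
      "arn:aws:logs:us-west-2:123456789012:log-group:/example/*"
    ]
  }]
}
""")


def fix_arn(arn):
    """Empty the account field if this is a Bedrock foundation-model ARN."""
    # arn:partition:service:region:account:resource (resource may contain ':')
    parts = arn.split(":", 5)
    if (len(parts) == 6 and parts[0] == "arn" and parts[2] == "bedrock"
            and parts[5].startswith("foundation-model/")):
        parts[4] = ""
    return ":".join(parts)


def fix_policy(policy):
    """Return (fixed copy of policy, list of ARNs that had to be changed)."""
    fixed, changed = copy.deepcopy(policy), []
    statements = fixed.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        res = stmt.get("Resource")
        if res is None:
            continue
        arns = [res] if isinstance(res, str) else res
        new = [fix_arn(a) for a in arns]
        changed += [a for a, n in zip(arns, new) if a != n]
        stmt["Resource"] = new[0] if isinstance(res, str) else new
    return fixed, changed


if __name__ == "__main__":
    fixed, changed = fix_policy(SAMPLE_POLICY)
    for arn in changed:
        print("account ID removed from:", arn)
    print(json.dumps(fixed, indent=2))
```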

Shinya Tahara

Solutions Architect @ AWS

I'm a Solutions Architect at AWS, providing technical guidance primarily to financial industry customers. I share learnings about cloud architecture and AI/ML on this site. The views and opinions expressed on this site are my own and do not represent the official positions of my employer.