[BUG] Cannot access Claude 3.5 Haiku and Claude 3.5 Sonnet v2 after adding cross-region inference feature

[tingyao-chang]

🚨 Please Note 🚨

To ensure efficient investigation of the issue, please fill out the fields below with as much detail as possible. Reports that do not follow this template may be closed without notification. We appreciate your cooperation.

Describe the bug

When select Claude 3.5 Haiku and Claude 3.5 Sonnet v2, it will response An error occurred while responding.

To Reproduce

Steps to reproduce the behavior:

• The account is under a AWS organization which only allow use us-east-1 (N. Virginia) and us-west-2 (Oregon), other regions are been denied by service control policy.

• Deploy the stack by ./bin.sh --bedrock-region "us-west-2"

• Select Claude 3.5 Haiku or Claude 3.5 Sonnet v2

Screenshots

Additional context

Check the CloudWatch log, found that it has been denied because it will invoke model in us-east-2 (Ohio) region.

[ERROR] 2024-11-05T13:42:26.411Z    4c63b737-0dfa-4ffc-956d-57f78f45398f    Failed to run stream handler: An error occurred (AccessDeniedException) when calling the ConverseStream operation: User: arn:aws:sts::************:assumed-role/BedrockChatStack-WebSocketHandlerRole4D6EDDA6-Av5OfHcgsnfg/BedrockChatStack-WebSocketHandler7115E6CA-XKOKP72I8qkE is not authorized to perform: bedrock:InvokeModelWithResponseStream on resource: arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-3-5-haiku-20241022-v1:0 with an explicit deny in a service control policy

[statefb]

Based on the error message, it seems to be blocked by SCP. Please check again and this falls outside the scope of this sample. Thank you