I am trying to configure my SonarQube Server installation to use AWS Bedrock for AI Codefix, but when I configure it, it fails with a 400 and in the logs it reports that the EKS node role does not have access to perform InvokeModel.
The full error is: User: arn:aws:sts::{account id}:assumed-role/iam-eks-node/{i-00000000000000000} is not authorized to perform: bedrock:InvokeModel on resource: arn:aws:bedrock:{region}:{account id}:inference-profile/{model} because no identity-based policy allows the bedrock:InvokeModel action
The expectation is that it should use the IAM role that is attached to the ServiceAccount that is being used by the statefulset.
In an attempt to debug this, I have expanded the rules as broadly as possible, yet the error persists.
The installation is done via the official Helm chart and is on version 2026.3.1