IAM policy blocks Watson Machine Learning model access for service accounts in ic-2021 security module

Our automated model deployment pipeline is failing because service accounts can’t access deployed Watson Machine Learning models. The service account can create and train models successfully, but when it tries to invoke the deployed model endpoint for inference, we get an authorization error.

Error from the API call:

HTTP 403 Forbidden
{"error": "Insufficient permissions for model inference",
 "trace": "watson-ml-api-gateway"}

I’ve verified the service account has the IAM role requirements including ‘Editor’ role on the Watson ML instance. The API scope seems correct as the same service account can manage model lifecycle (create, train, deploy). But the actual model invocation fails. What specific Watson ML policy bindings are needed for service accounts to perform inference on deployed models?

I added the Writer role to the deployment space and verified the service account now has both Editor (instance level) and Writer (space level) roles. However, I’m still getting the 403 error. I checked the API key scopes and don’t see a way to explicitly configure ‘watson-ml.inference’ scope. Is this something that needs to be set during service account creation, or can it be added later?

I’ve seen this before. The issue is usually a mismatch between the service account’s IAM policy and the deployment space’s access control list. Watson ML uses a dual-layer authorization model. Even with correct IAM roles, the service account must be explicitly listed in the space’s member list with appropriate permissions. Go to your deployment space settings and add the service account as a member with ‘Editor’ role at the space level.
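The space-membership half of the dual-layer check described in the reply above can be inspected offline. This is an added example, not code from the thread or from IBM. It assumes the bearer token is a JWT carrying an `iam_id` claim and that the space member list is JSON with a `resources` array of `id`/`role`/`state` entries; the IDs, role names and sample data are constructed.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_space_layer(token, members, needed=("editor", "admin")):
    """Return (allowed, reason) for the space-level layer of the check.

    `needed` is an assumed set of space roles that permit inference.
    """
    iam_id = jwt_claims(token).get("iam_id")
    if not iam_id:
        return False, "token has no iam_id claim"
    for m in members.get("resources", []):
        if m.get("id") != iam_id:
            continue
        if m.get("state") != "active":
            return False, f"{iam_id} is a member but state is {m.get('state')}"
        if m.get("role") not in needed:
            return False, f"{iam_id} has space role {m.get('role')}, not one of {needed}"
        return True, f"{iam_id} is an active {m.get('role')} of the space"
    return False, f"{iam_id} is not in the space member list"

def fake_token(claims):
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + ".sig"

# Constructed sample data: the pipeline's service ID is absent from the space.
SERVICE_TOKEN = fake_token({"iam_id": "iam-ServiceId-1111", "sub": "ServiceId-1111"})
MEMBERS = {"resources": [
    {"id": "IBMid-0001", "type": "user", "role": "admin", "state": "active"},
    {"id": "iam-ServiceId-2222", "type": "service", "role": "viewer", "state": "active"},
]}

if __name__ == "__main__":
    print(check_space_layer(SERVICE_TOKEN, MEMBERS))
```

A denial from this function while instance-level IAM roles are in place points at the space member list rather than the IAM policy.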

Check if your service account API scopes include the inference endpoint. Service accounts in IBM Cloud require explicit API scope declarations. Even with correct IAM roles, if the API key doesn’t have the right scopes, requests will fail. You can verify this in the IAM service account details - look for ‘watson-ml.inference’ in the allowed scopes list.