Amazon Bedrock connection
The Amazon Bedrock connection can be authenticated in two ways. The first is with AWS access keys, created in the AWS Management Console, consisting of an Access Key ID and a Secret Access Key. Access keys are long-lived credentials: store them in your secure credential store, reference them from there rather than pasting them into the process, and scope the IAM user that owns them to the Bedrock actions the connector needs.
The Amazon Bedrock connection also supports authentication via AWS IAM Roles Anywhere.
AWS IAM Roles Anywhere relies on public key infrastructure (PKI) to establish trust between an AWS account and a certificate authority (CA), both belonging to the customer. The CA issues X.509 certificates which can be used by the Bedrock Connector to obtain temporary credentials to invoke Bedrock runtime and control-plane APIs.
The temporary credentials are valid for a bounded period that you configure (the session duration). They are cached and reused across connectors that share the same connection component and across consecutive process executions; the connector renews them automatically once they expire.
Authenticating with Access Keys
- Authentication Type – Select the authentication type to connect to the service, either via your access keys or AWS IAM Roles Anywhere.
  - When using Access Keys, provide both an Access Key ID and a Secret Access Key.
  - When using AWS IAM Roles Anywhere, provide trusted X.509 certificates and service configuration data required to validate trust and obtain temporary security credentials.
  - AWS IAM Roles Anywhere is the default authentication method.
- Amazon AWS Access Key – Enter the access key for your AWS account. This key allows the connector to invoke Bedrock APIs in your account. Manage keys securely using the AWS Management Console.
- Amazon AWS Secret Key – Enter the secret access key for your AWS account. Together with the Access Key ID, it enables signed requests to Bedrock services. Ensure this value is stored securely.
- AWS Region – Select the AWS Region associated with your Bedrock service. If the region is not listed, use the AWS Custom Region field. The default is us-east-1.
- AWS Custom Region – (Optional) Enter a custom AWS region in lowercase with dashes (for example, us-east-1). This value overrides the dropdown selection.
- Connection Timeout – Enter the time in milliseconds to wait for a connection to establish before timing out. Default is -1 (no timeout).
- Read Timeout – Enter the time in milliseconds to wait for a response after a connection is established. Default is -1 (no timeout).
Authenticating with AWS IAM Roles Anywhere
- Authentication Type – Select the authentication type to connect to the service, either via your access keys or AWS IAM Roles Anywhere.
  - When using Access Keys, provide both an Access Key ID and a Secret Access Key.
  - When using AWS IAM Roles Anywhere, provide trusted X.509 certificates and service configuration data required to validate trust and obtain temporary security credentials.
  - AWS IAM Roles Anywhere is the default authentication method.
- Profile ARN – Enter the Amazon Resource Name (ARN) of the IAM Roles Anywhere profile.
- Role ARN – Enter the Amazon Resource Name (ARN) of the IAM role to assume for Bedrock access.
- Trust Anchor ARN – Enter the ARN of the trust anchor (your CA certificate registered with IAM Roles Anywhere) that is used to validate the client certificate.
- AWS Region – Select the AWS Region associated with your IAM Roles Anywhere service. If the region is not listed, use the custom region field. The default is us-east-1.
- AWS Roles Anywhere Region – Specifies the AWS region for IAM Roles Anywhere authentication. By default, the connector automatically uses the same region as the Bedrock service specified in the AWS Bedrock Region field. Select a specific region if your IAM Roles Anywhere trust anchor and role are configured in a different region than your Bedrock service.
- AWS Bedrock Region – Specifies the AWS region where your Amazon Bedrock service is hosted. This determines which regional Bedrock endpoint the connector uses for all operations (Generate, Converse, Invoke Agent). Default value: us-east-1.
- AWS Custom Region – Enter the AWS region in which IAM Roles Anywhere resides. Values must be lowercase with dashes (for example, us-east-1). If set, this value overrides the region dropdown.
- AWS Roles Anywhere Custom Region – Enter a custom AWS region for IAM Roles Anywhere authentication if the region is not available in the AWS Roles Anywhere Region dropdown. When specified, this value overrides the dropdown selection. Leave blank to use the dropdown selection. Values must be lowercase with dashes (for example, eu-west-2).
- Session name – Enter a session name for the role session. This field is mandatory.
- Duration (in seconds) – Enter the session duration in seconds. Valid range: 900 (15 minutes) to 3600 (1 hour).
  Note: The connector considers credentials with less than 60 seconds of lifetime remaining as expired and fetches a new set. This prevents 401 errors that can occur if temporary credentials expire just after being retrieved from the cache.
- Public Certificate – Select the client certificate issued by your trusted CA to authenticate with IAM Roles Anywhere and receive temporary credentials.
- Private Key – Select the private key associated with the client certificate. Keep this key secret: anyone holding it together with the certificate can obtain credentials for the role.
- Connection Timeout – Enter the time in milliseconds to wait for a connection to establish before timing out. Default is -1 (no timeout).
- Read Timeout – Enter the time in milliseconds to wait for a response after a connection is established. Default is -1 (no timeout).
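The caching and early-expiry behaviour described above (credentials reused across executions, treated as expired when less than 60 seconds remain, session duration bounded to 900..3600 seconds) is easy to get subtly wrong, so here is an added example that models it. This is illustrative code written for this page, not the connector's own implementation; the fetcher is a constructed stand-in for the IAM Roles Anywhere CreateSession call, and the names `CredentialCache`, `TempCredentials`, `FakeClock` and `make_fake_fetcher` are assumptions.

```python
"""Added example (not the connector's own code): cached temporary credentials
with a bounded session duration and a 60-second early-expiry margin.
The fetcher is a constructed fake so the code runs offline."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

MIN_DURATION = 900     # 15 minutes: lowest session duration IAM Roles Anywhere accepts
MAX_DURATION = 3600    # 1 hour: highest
EXPIRY_MARGIN = 60     # credentials with less than this many seconds left count as expired

# Everything that changes which role session is produced goes into the cache key,
# so two connections with different profiles, roles or sessions never share credentials.
CacheKey = Tuple[str, str, str, str, str]


@dataclass(frozen=True)
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # epoch seconds

    def seconds_left(self, now: float) -> float:
        return self.expiration - now


def validate_duration(seconds: int) -> int:
    """Reject session durations outside 900..3600 seconds before any request is made."""
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        raise ValueError(f"duration must be {MIN_DURATION}..{MAX_DURATION} seconds, got {seconds}")
    return seconds


class CredentialCache:
    """One credential set per distinct connection configuration, refreshed early."""

    def __init__(self, fetch: Callable[[CacheKey, int], TempCredentials],
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch
        self._clock = clock
        self._store: Dict[CacheKey, TempCredentials] = {}
        self.fetch_count = 0  # how many times CreateSession would have been called

    def get(self, profile_arn: str, role_arn: str, trust_anchor_arn: str,
            region: str, session_name: str, duration: int) -> TempCredentials:
        key: CacheKey = (profile_arn, role_arn, trust_anchor_arn, region, session_name)
        creds = self._store.get(key)
        # Refresh when missing or when the remaining lifetime is below the margin, so a
        # credential pulled from the cache is never handed out seconds before it expires.
        if creds is None or creds.seconds_left(self._clock()) < EXPIRY_MARGIN:
            creds = self._fetch(key, validate_duration(duration))
            self._store[key] = creds
            self.fetch_count += 1
        return creds


class FakeClock:
    """Controllable clock so expiry can be exercised without waiting."""

    def __init__(self, start: float):
        self.now_value = start

    def now(self) -> float:
        return self.now_value

    def advance(self, seconds: float) -> None:
        self.now_value += seconds


def make_fake_fetcher(clock: FakeClock) -> Callable[[CacheKey, int], TempCredentials]:
    """Constructed stand-in for CreateSession: placeholder credentials that expire
    `duration` seconds after they are issued. Not a real AWS call."""
    issued = {"n": 0}

    def fetch(key: CacheKey, duration: int) -> TempCredentials:
        issued["n"] += 1
        return TempCredentials(
            access_key_id=f"ASIAEXAMPLE{issued['n']:04d}",   # placeholder, not a real key
            secret_access_key="placeholder-secret",
            session_token="placeholder-token",
            expiration=clock.now() + duration,
        )
    return fetch


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    cache = CredentialCache(make_fake_fetcher(clock), clock.now)
    args = ("arn:aws:rolesanywhere:us-east-1:123456789012:profile/xxx",
            "arn:aws:iam::123456789012:role/BedrockRole",
            "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/xxx",
            "us-east-1", "bedrock-session")
    first = cache.get(*args, duration=900)
    clock.advance(900 - 61)        # 61 s left: still served from the cache
    assert cache.get(*args, duration=900) is first
    clock.advance(2)               # 59 s left: below the margin, refreshed
    assert cache.get(*args, duration=900) is not first
    print("CreateSession calls:", cache.fetch_count)  # 2
```

The cache key deliberately includes the session name and region as well as the three ARNs; keying on fewer fields would let one connection silently reuse a role session created for another.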
Understanding Multi-Region configuration
Default Behavior (Recommended)
By default, the AWS Roles Anywhere Region is set to Auto (Same as Bedrock Service), which means:
- The connector uses the same region for both IAM Roles Anywhere authentication and Bedrock API calls.
- This is the simplest configuration and suitable for most deployments.
- No additional region configuration is required.
Example: If AWS Bedrock Region is set to us-east-1, the connector will authenticate using IAM Roles Anywhere in us-east-1 and call Bedrock APIs in us-east-1.
Multi-Region Scenarios
In some AWS deployments, you may need to authenticate in one region but access Bedrock services in another. This can occur when:
- Your IAM Roles Anywhere trust anchors and roles are centrally managed in a specific region.
- Bedrock models or agents are deployed in a different region than your authentication infrastructure.
- Organizational policies require authentication to occur in a designated region.
Example Multi-Region Setup
- AWS Roles Anywhere Region: us-west-2 (where your trust anchor and role exist)
- AWS Bedrock Region: us-east-1 (where your Bedrock models are deployed)
In this configuration:
- The connector authenticates to AWS using IAM Roles Anywhere in us-west-2.
- After obtaining credentials, it uses them to call Bedrock APIs in us-east-1.
- IAM policies must grant Bedrock permissions across regions.
Important Considerations
- IAM Cross-Region Permissions: IAM roles and policies are global, so the role assumed through IAM Roles Anywhere in the authentication region is the same role whose permissions apply to the Bedrock calls. Ensure the role's permissions policy grants Bedrock actions without region restrictions, or explicitly includes the Bedrock service region (for example, in an aws:RequestedRegion condition). The role's trust policy only needs to allow the IAM Roles Anywhere service to assume the role; it carries no region-specific entries.
- Region Availability: Not all AWS regions support IAM Roles Anywhere. Verify that your selected authentication region supports this service.
- Bedrock Availability: Confirm that your target models and features are available in your selected Bedrock region. Refer to AWS Regional Services for current availability.
- Performance: Using the same region (Auto mode) typically provides the best performance. Cross-region configurations may introduce minimal additional latency during credential acquisition.
- Connection Testing: The "Test Connection" feature validates both authentication and Bedrock access across the specified regions.
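The two rules this section relies on, region precedence (custom field overrides dropdown, Auto follows the Bedrock region) and the fact that the role's permissions policy rather than its trust policy decides whether the multi-region setup works, are shown together in the following added example. It is illustrative code written for this page, not the connector's or AWS's code. The policy evaluator is a deliberate simplification (Allow/Deny statements, wildcard actions and an optional aws:RequestedRegion StringEquals condition only); the function names and all ARNs are placeholders, and the endpoint hostnames are the standard public AWS ones.

```python
"""Added example, not the connector's or AWS's code: region resolution plus a
simplified IAM policy check for the IAM Roles Anywhere multi-region setup."""
import fnmatch
import re
from typing import Dict, Iterable, List, Optional

# Lowercase letters and dashes ending in a number, e.g. us-east-1, eu-west-2, ap-southeast-3.
REGION_RE = re.compile(r"^[a-z]+(-[a-z]+)+-\d+$")

BEDROCK_ACTIONS = ("bedrock:InvokeModel",
                   "bedrock:InvokeModelWithResponseStream",
                   "bedrock:InvokeAgent")


def resolve_regions(bedrock_region: str, bedrock_custom: Optional[str] = None,
                    rolesanywhere_region: str = "Auto",
                    rolesanywhere_custom: Optional[str] = None) -> Dict[str, str]:
    """Precedence: a custom value overrides its dropdown; Auto copies the Bedrock region."""
    bedrock = (bedrock_custom or bedrock_region).strip()
    ra = (rolesanywhere_custom or rolesanywhere_region).strip()
    if ra.lower().startswith("auto"):          # "Auto (Same as Bedrock Service)"
        ra = bedrock
    for value in (bedrock, ra):
        if not REGION_RE.match(value):
            raise ValueError(f"invalid region {value!r}: use lowercase with dashes, e.g. us-east-1")
    return {
        "bedrock_region": bedrock,
        "rolesanywhere_region": ra,
        "rolesanywhere_endpoint": f"rolesanywhere.{ra}.amazonaws.com",
        "bedrock_runtime_endpoint": f"bedrock-runtime.{bedrock}.amazonaws.com",
    }


def trust_policy(trust_anchor_arn: str) -> dict:
    """Role trust policy for IAM Roles Anywhere: names the service principal and pins
    the trust anchor. It carries no region, because IAM is global."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rolesanywhere.amazonaws.com"},
        "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
        "Condition": {"ArnEquals": {"aws:SourceArn": trust_anchor_arn}},
    }]}


def bedrock_permissions(allowed_regions: Optional[Iterable[str]] = None) -> dict:
    """Permissions policy for the role. Without a region condition the grant applies in
    every region; with one, only the listed regions are allowed."""
    stmt = {"Effect": "Allow", "Action": list(BEDROCK_ACTIONS), "Resource": "*"}
    if allowed_regions is not None:
        stmt["Condition"] = {"StringEquals": {"aws:RequestedRegion": sorted(allowed_regions)}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def is_allowed(policy: dict, action: str, region: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Only the aws:RequestedRegion StringEquals condition is understood."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:RequestedRegion")
        if wanted is not None:
            wanted = wanted if isinstance(wanted, list) else [wanted]
            if region not in wanted:
                continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_multi_region(policy: dict, bedrock_region: str,
                       actions: Iterable[str] = BEDROCK_ACTIONS) -> List[str]:
    """Return the Bedrock actions the role could NOT perform in the Bedrock region."""
    return [a for a in actions if not is_allowed(policy, a, bedrock_region)]


if __name__ == "__main__":
    regions = resolve_regions("us-east-1", rolesanywhere_region="us-west-2")
    # A policy scoped only to the authentication region is the classic mistake:
    scoped_to_auth_region = bedrock_permissions([regions["rolesanywhere_region"]])
    print("missing in Bedrock region:", check_multi_region(scoped_to_auth_region, regions["bedrock_region"]))
    fixed = bedrock_permissions([regions["rolesanywhere_region"], regions["bedrock_region"]])
    print("missing after fix:", check_multi_region(fixed, regions["bedrock_region"]))
```

Service control policies and permission boundaries can also restrict regions and are not modelled here; if a multi-region Test Connection fails after the role policy looks right, check those next.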
Configuration Examples
Example 1: Single Region (Default)
- Authentication Type: IAM Roles Anywhere
- Profile ARN: arn:aws:rolesanywhere:us-east-1:123456789012:profile/xxx
- Role ARN: arn:aws:iam::123456789012:role/BedrockRole
- Trust Anchor ARN: arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/xxx
- AWS Roles Anywhere Region: Auto (Same as Bedrock Service)
- AWS Bedrock Region: us-east-1
- Result: Authentication and Bedrock access both use us-east-1.
Example 2: Multi-Region Configuration
- Authentication Type: IAM Roles Anywhere
- Profile ARN: arn:aws:rolesanywhere:us-west-2:123456789012:profile/xxx
- Role ARN: arn:aws:iam::123456789012:role/BedrockRole
- Trust Anchor ARN: arn:aws:rolesanywhere:us-west-2:123456789012:trust-anchor/xxx
- AWS Roles Anywhere Region: us-west-2
- AWS Bedrock Region: us-east-1
- Result: Authentication uses us-west-2, Bedrock access uses us-east-1.
Example 3: Custom Region
- Authentication Type: IAM Roles Anywhere
- AWS Roles Anywhere Region: (Other - use dropdown or custom field)
- AWS Roles Anywhere Custom Region: eu-central-1
- AWS Bedrock Region: us-east-1
- Result: Authentication uses eu-central-1, Bedrock access uses us-east-1.
Test connection
You can test your connection settings before using or saving them in a process. Test Connection validates credentials, region, and access to Amazon Bedrock.
-
If successful, you can save and use the connection.
-
If unsuccessful, review settings, correct errors, and retest.
The default region used for Test Connection is us-east-1.
For more information, refer to AWS Signature Version 4 Signing Process