Amazon Bedrock (Tech Preview) connector
The Amazon Bedrock connection can be authenticated in two ways. The first uses AWS access keys, which you create in the AWS Management Console and which consist of an Access Key ID and a Secret Access Key. These keys are accessible from the secure location where you stored them.
The Amazon Bedrock connection also supports authentication via AWS IAM Roles Anywhere.
AWS IAM Roles Anywhere relies on public key infrastructure (PKI) to establish trust between an AWS account and a certificate authority (CA), both belonging to the customer. The CA issues X.509 certificates which can be used by the Bedrock Connector to obtain temporary credentials to invoke Bedrock runtime and control-plane APIs.
The temporary credentials are valid for a bounded period configured by the user. They are cached and reused across connectors that use the same connection component and across consecutive process executions. The connector automatically handles renewal after credentials expire.
Authenticating with Access Keys
- Authentication Type – Select the authentication type to connect to the service, either via your access keys or AWS IAM Roles Anywhere.
  - When using Access Keys, provide both an Access Key ID and a Secret Access Key.
  - When using AWS IAM Roles Anywhere, provide trusted X.509 certificates and service configuration data required to validate trust and obtain temporary security credentials.
  - AWS IAM Roles Anywhere is the default authentication method.
- Amazon AWS Access Key – Enter the access key for your AWS account. This key allows the connector to invoke Bedrock APIs in your account. Manage keys securely using the AWS Management Console.
- Amazon AWS Secret Key – Enter the secret access key for your AWS account. Together with the Access Key ID, it enables signed requests to Bedrock services. Ensure this value is stored securely.
- AWS Region – Select the AWS Region associated with your Bedrock service. If the region is not listed, use the AWS Custom Region field. The default is us-east-1.
- AWS Custom Region – (Optional) Enter a custom AWS region in lowercase with dashes (for example, us-east-1). This value overrides the dropdown selection.
- Connection Timeout – Enter the time in milliseconds to wait for a connection to establish before timing out. Default is -1 (no timeout).
- Read Timeout – Enter the time in milliseconds to wait for a response after a connection is established. Default is -1 (no timeout).
Authenticating with AWS IAM Roles Anywhere
- Authentication Type – Select the authentication type to connect to the service, either via your access keys or AWS IAM Roles Anywhere.
  - When using Access Keys, provide both an Access Key ID and a Secret Access Key.
  - When using AWS IAM Roles Anywhere, provide trusted X.509 certificates and service configuration data required to validate trust and obtain temporary security credentials.
  - AWS IAM Roles Anywhere is the default authentication method.
- Profile ARN – Enter the Amazon Resource Name (ARN) of the IAM Roles Anywhere profile.
- Role ARN – Enter the Amazon Resource Name (ARN) of the IAM role to assume for Bedrock access.
- Trust Anchor ARN – Enter the ARN of the trust anchor used for validation.
- AWS Region – Select the AWS Region associated with your IAM Roles Anywhere service. If the region is not listed, use the custom region field. The default is us-east-1.
- AWS Custom Region – Enter the AWS region in which IAM Roles Anywhere resides. Values must be lowercase with dashes (for example, us-east-1). If set, this value overrides the region dropdown.
- Session name – Enter a session name for the role session. This field is mandatory.
- Duration (in seconds) – Enter the session duration in seconds. Valid range: 900 (15 minutes) to 3600 (1 hour).
  Note: The connector considers credentials with less than 60 seconds of lifetime as expired and will fetch a new set. This prevents 401 errors that can occur if temporary credentials expire just after being retrieved from cache.
- Public Certificate – Select the client certificate issued by your trusted CA to authenticate with IAM Roles Anywhere and receive temporary credentials.
- Private Key – Select the private key associated with the client certificate.
- Connection Timeout – Enter the time in milliseconds to wait for a connection to establish before timing out. Default is -1 (no timeout).
- Read Timeout – Enter the time in milliseconds to wait for a response after a connection is established. Default is -1 (no timeout).
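The credential caching described above, including the 60-second expiry margin from the Duration note, sketched as an added Python example; this is not the connector's own code. `CredentialCache`, the `fetch` callback standing in for the IAM Roles Anywhere exchange, the per-connection cache key and all sample values are assumptions constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

EXPIRY_MARGIN_S = 60                        # page: under 60 s of lifetime counts as expired
MIN_DURATION_S, MAX_DURATION_S = 900, 3600  # page: valid Duration range

@dataclass(frozen=True)
class TempCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expires_at: float                       # epoch seconds

class CredentialCache:
    """Caches temporary credentials per connection and renews them early."""

    def __init__(self, fetch: Callable[[str, int], TempCredentials],
                 clock: Callable[[], float] = time.time):
        self._fetch = fetch   # hypothetical stand-in for the Roles Anywhere exchange
        self._clock = clock
        self._entries: Dict[str, TempCredentials] = {}

    def get(self, connection_id: str, duration_s: int) -> TempCredentials:
        if not MIN_DURATION_S <= duration_s <= MAX_DURATION_S:
            raise ValueError(f"duration must be {MIN_DURATION_S}-{MAX_DURATION_S} s")
        cached = self._entries.get(connection_id)
        if cached and cached.expires_at - self._clock() >= EXPIRY_MARGIN_S:
            return cached     # enough lifetime left for the signed request to land
        fresh = self._fetch(connection_id, duration_s)
        self._entries[connection_id] = fresh
        return fresh

def demo() -> List[str]:
    """Constructed timeline: fetch, reuse with 100 s left, renew with 55 s left."""
    now = [1_000.0]       # fake clock so the run is deterministic
    issued: List[str] = []
    def fake_fetch(connection_id: str, duration_s: int) -> TempCredentials:
        issued.append(f"ASIACONSTRUCTED{len(issued) + 1}")
        return TempCredentials(issued[-1], "constructed-secret",
                               "constructed-token", now[0] + duration_s)

    cache = CredentialCache(fake_fetch, clock=lambda: now[0])
    used = [cache.get("bedrock-conn", 900).access_key_id]
    now[0] += 800         # 100 s of lifetime left: cached set is reused
    used.append(cache.get("bedrock-conn", 900).access_key_id)
    now[0] += 45          # 55 s left: below the margin, a new set is fetched
    used.append(cache.get("bedrock-conn", 900).access_key_id)
    return used
```

Without the margin, the third call would return a credential set that expires 55 seconds later, which is the situation the note says can produce 401 errors.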
Test connection
You can test your connection settings before using or saving them in a process. Test Connection validates credentials, region, and access to Amazon Bedrock.
- If successful, you can save and use the connection.
- If unsuccessful, review settings, correct errors, and retest.
The default region used for Test Connection is us-east-1.
For more information, refer to AWS Signature Version 4 Signing Process.