The aws-bedrock provider supports all text-output models available via the AWS Bedrock Converse API.

Quick Start

client<llm> MyClient {
  provider "aws-bedrock"
  options {
    model "anthropic.claude-3-sonnet-20240229-v1:0"
    inference_configuration {
      max_tokens 100
      temperature 0.7
    }
  }
}

Authentication

AWS Bedrock uses standard AWS authentication methods. Choose the method that best fits your environment:

AWS Profile (Development)

When developing locally, use AWS CLI profiles:
# ~/.aws/config
[default]
sso_start_url = https://your-sso-start-url.awsapps.com/start
sso_region = us-west-2
sso_account_id = 123456789012
sso_role_name = YourSSORole
region = us-west-2
output = json
BAML automatically picks up default profile credentials. To use a specific profile:
# Login with SSO
aws sso login --profile staging-profile

# Set profile environment variable
export AWS_PROFILE=staging-profile
Or specify the profile in BAML:
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    profile "staging-profile"
    model "anthropic.claude-3-sonnet-20240229-v1:0"
  }
}

AWS Services (Lambda/ECS/EC2)

In AWS environments, BAML automatically uses the service’s IAM role:
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    region "us-east-1"  // Only region is required
    model "anthropic.claude-3-sonnet-20240229-v1:0"
  }
}
Best Practices:
  • Use execution roles in Lambda
  • Use task roles in ECS
  • Use instance profiles in EC2
  • Never hardcode credentials in AWS environments

Environment Variables

Set AWS credentials as environment variables:
export AWS_ACCESS_KEY_ID="your_key"
export AWS_SECRET_ACCESS_KEY="your_secret"
export AWS_REGION="us-east-1"

Explicit Credentials

Specify credentials directly in BAML configuration:
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    access_key_id env.AWS_ACCESS_KEY_ID
    secret_access_key env.AWS_SECRET_ACCESS_KEY
    region "us-east-1"
    model "anthropic.claude-3-sonnet-20240229-v1:0"
  }
}
  • Explicit credentials take precedence over environment variables
  • If specifying any credential, you must provide all required ones
  • For temporary credentials, include session_token
  • Not recommended for production AWS environments (use IAM roles instead)

Credential Resolution Order

BAML resolves AWS credentials in this order:
  1. Explicit BAML Configuration - access_key_id, secret_access_key in options
  2. Environment Variables - AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_PROFILE
  3. AWS Configuration Files - ~/.aws/credentials and ~/.aws/config
  4. Instance Metadata - IAM role credentials (EC2/ECS only)

Important Rules

  • All or Nothing: If you provide any credential explicitly, you must provide all required credentials.
  • Session Token Requirements: When using session_token, provide all three: access_key_id, secret_access_key, and session_token.
  • Profile Exclusivity: When using profile, you cannot specify other credentials.
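The rules above can be checked before a client definition is committed. The lint below is an added example, not part of BAML or its tooling: it applies the three rules to a client block and also flags credential options set to a quoted literal instead of an env reference. The function name, the simplified line parser and both sample blocks are assumptions of this example.

```python
import re

# Credential options named in this page's option list.
CRED_KEYS = ("access_key_id", "secret_access_key", "session_token")
# Matches simple `key "literal"` or `key env.NAME` lines inside a client block.
OPTION_RE = re.compile(r'^[ \t]*(\w+)[ \t]+("[^"]*"|env\.\w+)', re.MULTILINE)

# Constructed samples: the first mirrors the page's explicit-credentials client,
# the second breaks several rules at once (the token value is a placeholder).
SAMPLE_OK = '''
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    access_key_id env.AWS_ACCESS_KEY_ID
    secret_access_key env.AWS_SECRET_ACCESS_KEY
    region "us-east-1"
  }
}
'''
SAMPLE_BAD = '''
client<llm> Leaky {
  provider "aws-bedrock"
  options {
    profile "staging-profile"
    session_token "PLACEHOLDER-NOT-A-REAL-TOKEN"
  }
}
'''

def lint_client(baml_text):
    """Return findings for one client block; an empty list means the rules hold."""
    opts = dict(OPTION_RE.findall(baml_text))
    explicit = [k for k in CRED_KEYS if k in opts]
    findings = []
    for key in explicit:
        # A quoted literal means the secret itself is committed with the source.
        if opts[key].startswith('"'):
            findings.append(f"{key}: literal value, reference env.<NAME> instead")
    if "profile" in opts and explicit:          # Profile Exclusivity
        findings.append("profile combined with " + ", ".join(explicit))
    missing = [k for k in CRED_KEYS[:2] if k not in opts]
    if explicit and missing:                    # All or Nothing / Session Token
        findings.append("missing " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, lint_client(text))
```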

Configuration Options

BAML-Specific Options

  • region (string, default: env.AWS_REGION) - The AWS region to use.
  • access_key_id (string, default: env.AWS_ACCESS_KEY_ID) - AWS access key ID.
  • secret_access_key (string, default: env.AWS_SECRET_ACCESS_KEY) - AWS secret access key.
  • session_token (string, default: env.AWS_SESSION_TOKEN) - Temporary session token. Required if using temporary credentials.
  • profile (string, default: env.AWS_PROFILE) - AWS profile name from credentials file.
  • endpoint_url (string) - AWS endpoint URL. Useful for using a VPC endpoint.

Supported Models

  • model (string, required) - The Bedrock model ID to use. You must request model access before use.

Anthropic Claude (Latest Generation)

  • anthropic.claude-opus-4-1-20250805-v1:0 - Most powerful coding
  • anthropic.claude-sonnet-4-20250514-v1:0 - Best default, 1M context available
  • anthropic.claude-3-5-haiku-20241022-v1:0 - Fast and efficient

Meta Llama (Latest Generation)

  • meta.llama4-maverick-17b-instruct-v1:0 - Latest Llama 4
  • meta.llama3-3-70b-instruct-v1:0 - Enhanced Llama 3.3
Run aws bedrock list-foundation-models | jq '.modelSummaries[].modelId' to see all available models in your region.

Model Parameters

  • inference_configuration (object) - Model-specific inference parameters.
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    model "anthropic.claude-3-sonnet-20240229-v1:0"
    inference_configuration {
      max_tokens 1000
      temperature 1.0
      top_p 0.8
    }
  }
}
See AWS Bedrock documentation for details.
  • additional_model_request_fields (object) - Model-specific additional parameters (e.g., for Claude thinking models).
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    model "anthropic.claude-3-sonnet-20240229-v1:0"
    additional_model_request_fields {
      thinking {
        type "enabled"
        budget_tokens 1030
      }
    }
  }
}

IAM Permissions

Required permissions for basic Bedrock access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*::foundation-model/*"
    }
  ]
}
To restrict access to specific models:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/anthropic.claude-*",
        "arn:aws:bedrock:*::foundation-model/meta.llama2-*"
      ]
    }
  ]
}
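A model-scoped policy only helps if it still covers every model ID the clients are configured with. The check below is an added example, not from the BAML docs: it evaluates a constructed policy in the style of the restricted one above against model IDs quoted on this page. The foundation-model ARN form, the function names and the simplified evaluation (Allow statements only; Deny, Condition and NotAction/NotResource are ignored) are assumptions of this example.

```python
import re

# Constructed policy, scoped to two model families. The ARN form
# arn:aws:bedrock:REGION::foundation-model/MODEL_ID is assumed by this example.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": [
            "arn:aws:bedrock:*::foundation-model/anthropic.claude-*",
            "arn:aws:bedrock:*::foundation-model/meta.llama2-*",
        ],
    }],
}
ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")
# Model IDs quoted on this page.
MODEL_IDS = ["anthropic.claude-3-sonnet-20240229-v1:0",
             "meta.llama3-3-70b-instruct-v1:0",
             "meta.llama4-maverick-17b-instruct-v1:0"]

def iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None

def _as_list(x):
    return x if isinstance(x, list) else [x]

def covered(policy, action, region, model_id):
    """True if some Allow statement grants `action` on the model's ARN."""
    arn = f"arn:aws:bedrock:{region}::foundation-model/{model_id}"
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        acts = _as_list(st.get("Action", []))
        ress = _as_list(st.get("Resource", []))
        # Action names compare case-insensitively; resource ARNs do not.
        if any(iam_match(a, action, True) for a in acts) and \
           any(iam_match(r, arn) for r in ress):
            return True
    return False

def uncovered_models(policy, region, model_ids, actions=ACTIONS):
    """Model IDs the policy does not allow for every action the client needs."""
    return [m for m in model_ids
            if not all(covered(policy, a, region, m) for a in actions)]

if __name__ == "__main__":
    print(uncovered_models(POLICY, "us-east-1", MODEL_IDS))
```

A non-empty result means a configured client would receive AccessDeniedException at call time; here the meta.llama2-* pattern does not cover the Llama 3.3 and Llama 4 IDs.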

Cross-Account Access

To use Bedrock from a different AWS account:
  1. Set up the target account role (where Bedrock is):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
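  2. Configure the source account (where your application runs):
# ~/.aws/config
[profile target-role]
role_arn = arn:aws:iam::TARGET_ACCOUNT_ID:role/ROLE_NAME
source_profile = default
# Must match the sts:ExternalId condition in the target role's trust policy
external_id = YOUR_EXTERNAL_ID
region = us-east-1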
client<llm> MyClient {
  provider "aws-bedrock"
  options {
    profile "target-role"
    model "anthropic.claude-3-sonnet-20240229-v1:0"
  }
}

Media Handling

For AWS Bedrock, most media is converted to base64 by default (send_base64 for images, audio, and PDFs). For large files, consider using S3 presigned URLs with send_url mode to avoid the base64 overhead.

Features

  • Streaming: Supported via InvokeModelWithResponseStream
  • Multimodal: Support depends on the specific model
  • Cross-Region: Use any AWS region where Bedrock is available
  • VPC Endpoints: Private connectivity support

Troubleshooting

AccessDeniedException

User is not authorized to perform: bedrock:InvokeModel
Solution: Check IAM permissions and verify execution role permissions in Lambda/ECS.

UnrecognizedClientException

The security token included in the request is invalid
Solution: Verify credentials are set correctly and haven’t expired.

ValidationException (Model Access)

Account is not authorized to use model
Solution: Request model access through AWS Console and wait for approval (1-2 business days).
