Configure delegated access for AWS Bedrock

Overview

For AWS Bedrock, delegated access usually means using IAM role assumption (STS) and short-lived credentials instead of distributing long-lived AWS keys.

Bedrock APIs are authenticated with SigV4 request signing. Because Flashback's AI LLM configuration accepts only provider endpoint plus secret/token fields, production integrations usually rely on a controlled credential flow or a signing gateway rather than passing raw AWS keys to Flashback.

When to use this

  • Production workloads with strict key management requirements.

  • Teams using centralized IAM and short credential lifetime.

  • Multi-team environments where external access must be auditable and revocable.

Prerequisites

  • AWS account with Bedrock enabled in your target region.

  • Permissions to create/update IAM roles and trust policies.

  • Defined list of models/actions required by your workload.

  • Flashback AI LLM setup path: Configure an AI LLM.

Step-by-step (provider side)

1. Create an IAM role with least privilege

Create a role for delegated Bedrock access and attach only required actions, for example:

  • bedrock:InvokeModel

  • bedrock:InvokeModelWithResponseStream (if streaming is needed)

  • optional model discovery permissions only if your flow requires them.

Scope permissions to required model ARNs/regions whenever possible.

2. Configure trust policy with STS AssumeRole + External ID

Use a third-party access trust policy pattern (sts:AssumeRole) and require an External ID condition.

This reduces confused-deputy risk and keeps delegated access explicit and auditable.

3. Choose an integration pattern for Flashback

Because Bedrock requests are SigV4-signed, common patterns are:

  1. Signing gateway/proxy pattern (recommended for many setups). Run an internal service that:

    • assumes the IAM role,

    • signs Bedrock requests with SigV4,

    • exposes a stable endpoint that Flashback can call.

  2. Direct configuration pattern (only if supported in your environment). If your Flashback environment supports a direct Bedrock endpoint + secret/token flow, configure only documented fields and validate.

If direct Bedrock auth behavior is not explicitly documented in your environment, treat it as an integration pattern and validate with a non-production model first.
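The following added example (not part of the Flashback documentation or the Flashback product) builds the two IAM documents from steps 1 and 2 and runs a small review over them, flagging the wildcard-principal, missing-External-ID and unscoped-resource mistakes those steps warn against. The account ID, model ARN and External ID are constructed placeholders, and the review checks are the example's own, not an AWS API.

```python
# Constructed placeholder values (not real identifiers); replace with your own.
GATEWAY_ACCOUNT = "111111111111"  # account that runs the signing gateway
MODEL_ARN = "arn:aws:bedrock:us-east-1::foundation-model/EXAMPLE-MODEL-ID"
EXTERNAL_ID = "flashback-EXAMPLE-external-id"


def permissions_policy(model_arns, streaming=False):
    """Step 1: allow only the invoke actions, scoped to explicit model ARNs."""
    actions = ["bedrock:InvokeModel"]
    if streaming:
        actions.append("bedrock:InvokeModelWithResponseStream")
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": actions,
                           "Resource": list(model_arns)}]}


def trust_policy(principal_account, external_id):
    """Step 2: third-party AssumeRole trust that requires an External ID."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": f"arn:aws:iam::{principal_account}:root"},
                           "Action": "sts:AssumeRole",
                           "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def review(trust, perms):
    """Flag the confused-deputy and over-scoping mistakes the steps above warn about."""
    findings = []
    for s in trust["Statement"]:
        if s.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(s.get("Action")):
            continue
        principal = s.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust: wildcard principal may assume the role")
        if "sts:ExternalId" not in s.get("Condition", {}).get("StringEquals", {}):
            findings.append("trust: AssumeRole allowed without an sts:ExternalId condition")
    for s in perms["Statement"]:
        if s.get("Effect") != "Allow":
            continue
        for a in _as_list(s["Action"]):
            if not a.startswith("bedrock:") or "*" in a:
                findings.append(f"perms: action {a} is outside the least-privilege set")
        if "*" in _as_list(s["Resource"]):
            findings.append("perms: Resource '*' is not scoped to model ARNs")
    return findings


if __name__ == "__main__":
    trust = trust_policy(GATEWAY_ACCOUNT, EXTERNAL_ID)
    perms = permissions_policy([MODEL_ARN], streaming=True)
    print(review(trust, perms))  # []
```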

Configure in Flashback

Use Configure an AI LLM with the existing model:

  • Select the appropriate AI LLM Type for your provider/integration.

  • Set API Endpoint to your provider endpoint or signing proxy endpoint.

  • Set API Secret to the credential/token expected by that endpoint.

  • Use API Key only if your endpoint requires it.

Do not add undocumented fields; map provider-side delegated credentials to Flashback's existing endpoint + secret/token inputs.
