# Configure delegated access for AWS Bedrock

## Overview

For AWS Bedrock, delegated access usually means using IAM role assumption (STS) and short-lived credentials instead of distributing long-lived AWS keys.

Bedrock APIs are generally authenticated with **SigV4** signing. Flashback's AI LLM configuration accepts provider endpoint + secret/token fields, so production integrations often use a controlled credential flow or a signing gateway.

## When to use this

* Production workloads with strict key management requirements.
* Teams using centralized IAM and short credential lifetime.
* Multi-team environments where external access must be auditable and revocable.

## Prerequisites

* AWS account with Bedrock enabled in your target region.
* Permissions to create/update IAM roles and trust policies.
* Defined list of models/actions required by your workload.
* Flashback AI LLM setup path: [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md).

## Step-by-step (provider side)

{% stepper %}
{% step %}

#### Create an IAM role with least privilege

Create a role for delegated Bedrock access and attach only required actions, for example:

* `bedrock:InvokeModel`
* `bedrock:InvokeModelWithResponseStream` (if streaming is needed)
* model discovery permissions, only if your flow requires them.

Scope permissions to required model ARNs/regions whenever possible.
{% endstep %}

{% step %}

#### Configure trust policy with STS AssumeRole + External ID

Use a third-party access trust policy pattern (`sts:AssumeRole`) and require an External ID condition.

This reduces confused-deputy risk and keeps delegated access explicit and auditable.
{% endstep %}

{% step %}

#### Choose an integration pattern for Flashback

Because Bedrock requests are SigV4-signed, common patterns are:

1. **Signing gateway/proxy pattern (recommended for many setups)**\
   Run an internal service that:
   * assumes the IAM role,
   * signs Bedrock requests with SigV4,
   * exposes a stable endpoint that Flashback can call.
2. **Direct configuration pattern (only if supported in your environment)**\
   If your Flashback environment supports direct Bedrock endpoint + secret/token flow, configure only documented fields and validate.

{% hint style="info" %}
If direct Bedrock auth behavior is not explicitly documented in your environment, treat it as an integration pattern and validate with a non-production model first.
{% endhint %}
{% endstep %}
{% endstepper %}
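The role from steps 1 and 2 written out as policy documents, plus a small audit helper that flags the two weaknesses those steps guard against: an `sts:AssumeRole` trust with no External ID condition, and Bedrock grants that are not scoped to model ARNs. This is an added example, not Flashback's code or documentation; the account ID, External ID, region and model ID are placeholders, and the audit functions are hypothetical helpers.

```python
# Constructed trust policy: third-party sts:AssumeRole gated by an External ID.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder caller account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},  # placeholder
    }],
}

# Constructed permissions policy: only the invoke actions, scoped to one model ARN.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": "arn:aws:bedrock:us-east-1::foundation-model/PLACEHOLDER-MODEL-ID",
    }],
}

def _as_list(value):  # IAM accepts a string or a list in Action/Resource/Principal
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Flag Allow+AssumeRole statements missing the External ID guard or using a wildcard principal."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            continue
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append(f"statement {i}: sts:AssumeRole without sts:ExternalId condition")
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        if "*" in _as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
    return findings

def audit_permissions_policy(policy):
    """Flag Bedrock grants that use wildcard actions or are not scoped to model ARNs."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if any(a in ("*", "bedrock:*") for a in _as_list(st.get("Action", []))):
            findings.append(f"statement {i}: wildcard Bedrock action")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' instead of model ARN(s)")
    return findings
```

Run both audits against the role's trust and permissions documents before attaching them; an empty findings list for each is the expected result for the pattern described in steps 1 and 2.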

## Configure in Flashback

Use [Configure an AI LLM](/guides/setup-the-cloud-and-ai-gateway/start-with-cloud-storage/create-a-bucket-1.md) with the existing configuration fields:

* Select the appropriate **AI LLM Type** for your provider/integration.
* Set **API Endpoint** to your provider endpoint or signing proxy endpoint.
* Set **API Secret** to the credential/token expected by that endpoint.
* Use **API Key** only if your endpoint requires it.

Do not add undocumented fields; map provider-side delegated credentials to Flashback's existing endpoint + secret/token inputs.


