How do I set up AWS Bedrock?

Overview

To allow Aiceberg to invoke models in your AWS Bedrock instance, create an IAM role in your AWS account that Aiceberg can assume. This guide provides the necessary trust policy, permissions, and setup instructions.

Prerequisites

AWS account with Bedrock access
Permissions to create IAM roles in your AWS account
Your unique External ID from Aiceberg (found in your Bedrock model configuration page)

Create the IAM Role

Sign in to the AWS Console
Navigate to IAM > Roles > Create role
Select "Custom trust policy"
Use the Trust Policy provided in the next step (replace the External ID)

Trust Policy (Assume Role Policy)

Use the trust policy below when creating the role. Replace REPLACE_WITH_YOUR_EXTERNAL_ID with the External ID from your Aiceberg Bedrock model configuration.

trust-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::119554510492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Permissions Policy

Attach an inline policy to the role granting the following permissions:

bedrock-invoke-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AicebergBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    }
  ]
}

Name the Role and Create

Name your role (e.g., AicebergBedrockAccessRole)
Add a description (e.g., "Allows Aiceberg to invoke Bedrock models")
Review and create the role

Copy the Role ARN

Open the role details page
Copy the Role ARN (format: arn:aws:iam::YOUR_ACCOUNT_ID:role/RoleName)
Enter this ARN in your Aiceberg Bedrock model configuration

Important: Do not share your External ID publicly. Replace REPLACE_WITH_YOUR_EXTERNAL_ID in the trust policy with the exact External ID provided by Aiceberg.

Security Best Practices

External ID is a security feature that prevents the "confused deputy problem" in cross-account access. Always use the unique External ID provided by Aiceberg — never share it publicly or reuse it across different services.

Least privilege: The sample policy grants only the minimum permissions required:

bedrock:InvokeModel — synchronous model invocation
bedrock:InvokeModelWithResponseStream — streaming responses

Resource Restrictions (Optional)

You can restrict access to specific regions or models by modifying the Resource ARN.

Specific region example:

specific-region.json

"Resource": "arn:aws:bedrock:us-east-1:*:foundation-model/*"

Specific model example:

specific-model.json

"Resource": "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"

Multiple specific models example:

multiple-models.json

"Resource": [
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
]

Infrastructure as Code (IaC) Examples

CloudFormation Template

cloudformation-template.yml

AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM Role for Aiceberg Bedrock Access'

Parameters:
  ExternalId:
    Type: String
    Description: 'External ID provided by Aiceberg'
    NoEcho: true

Resources:
  AicebergBedrockRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AicebergBedrockAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::119554510492:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: BedrockInvokePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AicebergBedrockInvoke
                Effect: Allow
                Action:
                  - 'bedrock:InvokeModel'
                  - 'bedrock:InvokeModelWithResponseStream'
                Resource: 'arn:aws:bedrock:*:*:foundation-model/*'

Outputs:
  RoleArn:
    Description: 'ARN of the created IAM Role'
    Value: !GetAtt AicebergBedrockRole.Arn
    Export:
      Name: AicebergBedrockRoleArn

Terraform

main.tf

variable "aiceberg_external_id" {
  description = "External ID provided by Aiceberg"
  type        = string
  sensitive   = true
}

resource "aws_iam_role" "aiceberg_bedrock" {
  name = "AicebergBedrockAccessRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::119554510492:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.aiceberg_external_id
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "aiceberg_bedrock_invoke" {
  name = "BedrockInvokePolicy"
  role = aws_iam_role.aiceberg_bedrock.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AicebergBedrockInvoke"
        Effect = "Allow"
        Action = [
          "bedrock:InvokeModel",
          "bedrock:InvokeModelWithResponseStream"
        ]
        Resource = "arn:aws:bedrock:*:*:foundation-model/*"
      }
    ]
  })
}

output "role_arn" {
  description = "ARN of the created IAM Role"
  value       = aws_iam_role.aiceberg_bedrock.arn
}

Troubleshooting

Connection Test Failed

Steps to check if Aiceberg cannot assume the role:

Verify the Role ARN is correct
Confirm the External ID matches exactly (no extra spaces)
Check that the trust policy includes Aiceberg's account ID (119554510492)
Ensure the permissions policy is attached to the role

Access Denied Errors

If you see access denied errors:

Verify the permissions policy includes both InvokeModel and InvokeModelWithResponseStream
Check that the Resource ARN allows access to your specific models
Confirm the role has been saved and policies are attached

Support

If you encounter issues setting up the IAM role, contact Aiceberg support with:

Your Role ARN
Any error messages from AWS or Aiceberg
The Region where your Bedrock models are located

This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the privacy policy.

PreviousHow do I use the API?NextAiceberg with Agentic Frameworks

Last updated 1 month ago

Good night

hashtagOverview

hashtagPrerequisites

hashtagCreate the IAM Role

hashtagTrust Policy (Assume Role Policy)

hashtagPermissions Policy

hashtagName the Role and Create

hashtagCopy the Role ARN

hashtagSecurity Best Practices

hashtagResource Restrictions (Optional)

hashtagInfrastructure as Code (IaC) Examples

hashtagCloudFormation Template

hashtagTerraform

hashtagTroubleshooting

hashtagSupport

Overview

Prerequisites

Create the IAM Role

Trust Policy (Assume Role Policy)

Permissions Policy

Name the Role and Create

Copy the Role ARN

Security Best Practices

Resource Restrictions (Optional)

Infrastructure as Code (IaC) Examples

CloudFormation Template

Terraform

Troubleshooting

Support