How do I set up AWS Bedrock?

Overview

To allow Aiceberg to invoke models in your AWS Bedrock instance, create an IAM role in your AWS account that Aiceberg can assume. This guide provides the necessary trust policy, permissions, and setup instructions.

Prerequisites

  • AWS account with Bedrock access

  • Permissions to create IAM roles in your AWS account

  • Your unique External ID from Aiceberg (found in your Bedrock model configuration page)

Step 1: Create the IAM Role

  • Sign in to the AWS Console

  • Navigate to IAM > Roles > Create role

  • Select "Custom trust policy"

  • Use the Trust Policy provided in the next step (replace the External ID)

Step 2: Trust Policy (Assume Role Policy)

Use the trust policy below when creating the role. Replace REPLACE_WITH_YOUR_EXTERNAL_ID with the External ID from your Aiceberg Bedrock model configuration.

trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::119554510492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Step 3: Permissions Policy

Attach an inline policy to the role granting the following permissions:

bedrock-invoke-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AicebergBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    }
  ]
}
Step 4: Name the Role and Create

  • Name your role (e.g., AicebergBedrockAccessRole)

  • Add a description (e.g., "Allows Aiceberg to invoke Bedrock models")

  • Review and create the role

Step 5: Copy the Role ARN

  • Open the role details page

  • Copy the Role ARN (format: arn:aws:iam::YOUR_ACCOUNT_ID:role/RoleName)

  • Enter this ARN in your Aiceberg Bedrock model configuration

Security Best Practices

The External ID is a security feature that prevents the "confused deputy problem" in cross-account access. Always use the unique External ID provided by Aiceberg; never share it publicly or reuse it across different services.

Least privilege: The sample policy grants only the minimum permissions required:

  • bedrock:InvokeModel — synchronous model invocation

  • bedrock:InvokeModelWithResponseStream — streaming responses
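
The following linter is an added example, not part of the Aiceberg guide or its tooling. It re-checks the three artifacts produced in steps 2, 3 and 5 (trust policy, inline permissions policy, role ARN) for exactly the properties this section relies on: Aiceberg's account is the only principal (no wildcard), the sts:ExternalId condition is present and no longer the placeholder, the permissions policy grants precisely the two invoke actions and nothing broader, and every Resource is a foundation-model ARN. The Aiceberg account ID and placeholder string are the guide's; the 123456789012 customer account and the example External ID are constructed values.

```python
"""Offline linter for the Aiceberg Bedrock role documents (added example, not the guide's code)."""
import json
import re

AICEBERG_ACCOUNT_ID = "119554510492"                     # from the guide's trust policy
AICEBERG_PRINCIPAL = f"arn:aws:iam::{AICEBERG_ACCOUNT_ID}:root"
EXTERNAL_ID_PLACEHOLDER = "REPLACE_WITH_YOUR_EXTERNAL_ID"
REQUIRED_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
# In a policy the region and account fields may be '*'; real foundation-model ARNs have an empty account field.
FOUNDATION_MODEL_ARN_RE = re.compile(r"^arn:aws:bedrock:(\*|[a-z0-9-]+):(\*|\d{12})?:foundation-model/.+$")


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _statements(doc):
    return _as_list(doc.get("Statement", []))


def lint_role_arn(arn):
    if ROLE_ARN_RE.match(arn):
        return []
    return [f"role ARN {arn!r} does not match arn:aws:iam::ACCOUNT_ID:role/RoleName"]


def lint_trust_policy(doc):
    findings = []
    assume = [s for s in _statements(doc)
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not assume:
        return ["trust policy: no Allow statement for sts:AssumeRole"]
    for s in assume:
        principal = s.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" in principals:
            findings.append("trust policy: wildcard Principal lets any AWS account attempt to assume the role")
        if AICEBERG_PRINCIPAL not in principals:
            findings.append(f"trust policy: Principal does not include {AICEBERG_PRINCIPAL}")
        external_id = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(external_id, str):
            findings.append("trust policy: missing StringEquals sts:ExternalId condition (confused-deputy protection)")
        elif external_id == EXTERNAL_ID_PLACEHOLDER:
            findings.append("trust policy: External ID is still the placeholder; paste the value from Aiceberg")
        elif external_id != external_id.strip():
            findings.append("trust policy: External ID has surrounding whitespace and will not match")
    return findings


def lint_permissions_policy(doc):
    findings, actions, resources = [], set(), []
    for s in _statements(doc):
        if s.get("Effect") != "Allow":
            continue
        actions.update(_as_list(s.get("Action", [])))
        resources.extend(_as_list(s.get("Resource", [])))
    if missing := REQUIRED_ACTIONS - actions:
        findings.append(f"permissions policy: missing required actions {sorted(missing)}")
    if extra := actions - REQUIRED_ACTIONS:
        findings.append(f"permissions policy: actions beyond the least-privilege set {sorted(extra)}")
    for r in resources:
        if not FOUNDATION_MODEL_ARN_RE.match(r):
            findings.append(f"permissions policy: Resource {r!r} is not scoped to foundation-model ARNs")
    return findings


def lint_setup(role_arn, trust_doc, perms_doc):
    """Return every finding; an empty list means the role matches the guide."""
    return lint_role_arn(role_arn) + lint_trust_policy(trust_doc) + lint_permissions_policy(perms_doc)


# The guide's own documents from steps 2 and 3, embedded verbatim.
GUIDE_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::119554510492:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"}}}]}""")
GUIDE_PERMISSIONS_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "AicebergBedrockInvoke",
  "Effect": "Allow", "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
  "Resource": "arn:aws:bedrock:*:*:foundation-model/*"}]}""")
# Constructed values: a fictitious customer account and an example External ID.
EXAMPLE_ROLE_ARN = "arn:aws:iam::123456789012:role/AicebergBedrockAccessRole"
EXAMPLE_EXTERNAL_ID = "example-external-id-0123"


def with_external_id(trust_doc, external_id):
    """Copy of the trust policy with the placeholder replaced, as done in the console in step 2."""
    return json.loads(json.dumps(trust_doc).replace(EXTERNAL_ID_PLACEHOLDER, external_id))


if __name__ == "__main__":
    for label, trust in (("as copied", GUIDE_TRUST_POLICY),
                         ("with External ID", with_external_id(GUIDE_TRUST_POLICY, EXAMPLE_EXTERNAL_ID))):
        print(label, lint_setup(EXAMPLE_ROLE_ARN, trust, GUIDE_PERMISSIONS_POLICY) or "OK")
```

Run as-is it reports exactly one finding for the guide's trust policy (the placeholder External ID) and none once the placeholder is replaced. Pointing lint_setup at the documents you actually saved (for example the AssumeRolePolicyDocument returned by iam:GetRole and the inline policy from iam:GetRolePolicy) gives the same checks against the live role.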

Resource Restrictions (Optional)

You can restrict access to specific regions or models by modifying the Resource ARN.

Specific region example:

specific-region.json
"Resource": "arn:aws:bedrock:us-east-1:*:foundation-model/*"

Specific model example:

specific-model.json
"Resource": "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"

Multiple specific models example:

multiple-models.json
"Resource": [
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
]
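
To see concretely what each of the Resource patterns above does and does not allow, the script below is an added example (not part of the Aiceberg guide) that applies IAM's Resource wildcard semantics, '*' for any run of characters and '?' for a single character, to a handful of invocation ARNs. The three Resource patterns are the guide's; the Claude 3 family prefix pattern goes beyond the guide's examples, and the request ARNs are constructed in Bedrock's foundation-model ARN form, which has an empty account field.

```python
"""IAM-style Resource matching for Bedrock model ARNs (added example, not the guide's code)."""
import re


def _iam_pattern_to_regex(pattern):
    # Escape everything, then restore IAM's two Resource wildcards.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$")


def resource_allows(resource, request_arn):
    """True if the Resource element (a string or a list of patterns) matches the ARN being invoked."""
    patterns = resource if isinstance(resource, list) else [resource]
    return any(_iam_pattern_to_regex(p).match(request_arn) for p in patterns)


def allowed_models(resource, candidates):
    """Subset of candidate ARNs the Resource element would allow, in input order."""
    return [arn for arn in candidates if resource_allows(resource, arn)]


# The guide's Resource patterns.
ALL_MODELS = "arn:aws:bedrock:*:*:foundation-model/*"
US_EAST_1_ONLY = "arn:aws:bedrock:us-east-1:*:foundation-model/*"
SONNET_ONLY = "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
SONNET_AND_HAIKU = [
    SONNET_ONLY,
    "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
]
# Constructed: a prefix pattern covering a whole model family (not one of the guide's examples).
CLAUDE_3_FAMILY = "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-*"

# Constructed request ARNs in the foundation-model form (empty account field).
SONNET_US_EAST_1 = "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
SONNET_EU_WEST_1 = "arn:aws:bedrock:eu-west-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
HAIKU_US_EAST_1 = "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
OTHER_US_EAST_1 = "arn:aws:bedrock:us-east-1::foundation-model/amazon.titan-text-express-v1"
REQUESTS = [SONNET_US_EAST_1, SONNET_EU_WEST_1, HAIKU_US_EAST_1, OTHER_US_EAST_1]

if __name__ == "__main__":
    for name, resource in (("all models", ALL_MODELS), ("us-east-1 only", US_EAST_1_ONLY),
                           ("sonnet only", SONNET_ONLY), ("sonnet and haiku", SONNET_AND_HAIKU),
                           ("claude 3 family", CLAUDE_3_FAMILY)):
        # Print "model-id @ region" for each allowed invocation so the effect of each pattern is visible.
        print(name, [f"{arn.rsplit('/', 1)[1]} @ {arn.split(':')[3]}" for arn in allowed_models(resource, REQUESTS)])
```

Two things the output makes visible that the JSON fragments alone do not: the region-scoped pattern still allows every model in that region, and the model-scoped patterns still allow that model in every region, so combine both fields when you want to pin a single model in a single region. Note also that a cross-region inference profile is invoked through an ARN under inference-profile/, which none of these foundation-model patterns match, so a configuration that calls such a profile needs its own Resource entry.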

Infrastructure as Code (IaC) Examples

CloudFormation Template

cloudformation-template.yml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM Role for Aiceberg Bedrock Access'

Parameters:
  ExternalId:
    Type: String
    Description: 'External ID provided by Aiceberg'
    NoEcho: true

Resources:
  AicebergBedrockRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AicebergBedrockAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::119554510492:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: BedrockInvokePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AicebergBedrockInvoke
                Effect: Allow
                Action:
                  - 'bedrock:InvokeModel'
                  - 'bedrock:InvokeModelWithResponseStream'
                Resource: 'arn:aws:bedrock:*:*:foundation-model/*'

Outputs:
  RoleArn:
    Description: 'ARN of the created IAM Role'
    Value: !GetAtt AicebergBedrockRole.Arn
    Export:
      Name: AicebergBedrockRoleArn

Terraform

main.tf
variable "aiceberg_external_id" {
  description = "External ID provided by Aiceberg"
  type        = string
  sensitive   = true
}

resource "aws_iam_role" "aiceberg_bedrock" {
  name = "AicebergBedrockAccessRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::119554510492:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.aiceberg_external_id
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "aiceberg_bedrock_invoke" {
  name = "BedrockInvokePolicy"
  role = aws_iam_role.aiceberg_bedrock.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AicebergBedrockInvoke"
        Effect = "Allow"
        Action = [
          "bedrock:InvokeModel",
          "bedrock:InvokeModelWithResponseStream"
        ]
        Resource = "arn:aws:bedrock:*:*:foundation-model/*"
      }
    ]
  })
}

output "role_arn" {
  description = "ARN of the created IAM Role"
  value       = aws_iam_role.aiceberg_bedrock.arn
}

Troubleshooting

Connection Test Failed

If Aiceberg cannot assume the role, check the following:

  • Verify the Role ARN is correct

  • Confirm the External ID matches exactly (no extra spaces)

  • Check that the trust policy includes Aiceberg's account ID (119554510492)

  • Ensure the permissions policy is attached to the role

Access Denied Errors

If you see access denied errors:

  • Verify the permissions policy includes both InvokeModel and InvokeModelWithResponseStream

  • Check that the Resource ARN allows access to your specific models

  • Confirm the role has been saved and policies are attached

Support

If you encounter issues setting up the IAM role, contact Aiceberg support with:

  • Your Role ARN

  • Any error messages from AWS or Aiceberg

  • The Region where your Bedrock models are located
