Ctrlk
Contact SupportSubmit a Ticket
For the complete documentation index, see llms.txt. This page is also available as Markdown.

How do I set up AWS Bedrock?

Overview

To allow Aiceberg to invoke models in your AWS Bedrock instance, create an IAM role in your AWS account that Aiceberg can assume. This guide provides the necessary trust policy, permissions, and setup instructions.

Prerequisites

  • AWS account with Bedrock access

  • Permissions to create IAM roles in your AWS account

  • Your unique External ID from Aiceberg (found in your Bedrock model configuration page)

1

Create the IAM Role

  • Sign in to the AWS Console

  • Navigate to IAM > Roles > Create role

  • Select "Custom trust policy"

  • Use the Trust Policy provided in the next step (replace the External ID)

2

Trust Policy (Assume Role Policy)

Use the trust policy below when creating the role. Replace REPLACE_WITH_YOUR_EXTERNAL_ID with the External ID from your Aiceberg Bedrock model configuration.

trust-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::119554510492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
3

Permissions Policy

Attach an inline policy to the role granting the following permissions:

bedrock-invoke-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AicebergBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    }
  ]
}
4

Name the Role and Create

  • Name your role (e.g., AicebergBedrockAccessRole)

  • Add a description (e.g., "Allows Aiceberg to invoke Bedrock models")

  • Review and create the role

5

Copy the Role ARN

  • Open the role details page

  • Copy the Role ARN (format: arn:aws:iam::YOUR_ACCOUNT_ID:role/RoleName)

  • Enter this ARN in your Aiceberg Bedrock model configuration

Important: Do not share your External ID publicly. Replace REPLACE_WITH_YOUR_EXTERNAL_ID in the trust policy with the exact External ID provided by Aiceberg.

Security Best Practices

External ID is a security feature that prevents the "confused deputy problem" in cross-account access. Always use the unique External ID provided by Aiceberg — never share it publicly or reuse it across different services.

Least privilege: The sample policy grants only the minimum permissions required:

  • bedrock:InvokeModel — synchronous model invocation

  • bedrock:InvokeModelWithResponseStream — streaming responses

Resource Restrictions (Optional)

You can restrict access to specific regions or models by modifying the Resource ARN.

Specific region example:

Specific model example:

Multiple specific models example:

Infrastructure as Code (IaC) Examples

CloudFormation Template

Terraform

Troubleshooting

Connection Test Failed

Steps to check if Aiceberg cannot assume the role:

  • Verify the Role ARN is correct

  • Confirm the External ID matches exactly (no extra spaces)

  • Check that the trust policy includes Aiceberg's account ID (119554510492)

  • Ensure the permissions policy is attached to the role

Access Denied Errors

If you see access denied errors:

  • Verify the permissions policy includes both InvokeModel and InvokeModelWithResponseStream

  • Check that the Resource ARN allows access to your specific models

  • Confirm the role has been saved and policies are attached

Support

If you encounter issues setting up the IAM role, contact Aiceberg support with:

  • Your Role ARN

  • Any error messages from AWS or Aiceberg

  • The Region where your Bedrock models are located

This site uses cookies to deliver its service and to analyze traffic. By browsing this site, you accept the privacy policy.

PreviousHow do I use the API?NextAiceberg with Agentic Frameworks

Last updated