# How do I set up AWS Bedrock?

## Overview

To allow Aiceberg to invoke models in your AWS Bedrock instance, create an IAM role in your AWS account that Aiceberg can assume. This guide provides the necessary trust policy, permissions, and setup instructions.

## Prerequisites

* AWS account with Bedrock access
* Permissions to create IAM roles in your AWS account
* Your unique External ID from Aiceberg (found in your Bedrock model configuration page)

{% stepper %}
{% step %}

### Create the IAM Role

* Sign in to the AWS Console
* Navigate to IAM > Roles > Create role
* Select "Custom trust policy"
* Use the Trust Policy provided in the next step (replace the External ID)

{% endstep %}

{% step %}

### Trust Policy (Assume Role Policy)

Use the trust policy below when creating the role. Replace `REPLACE_WITH_YOUR_EXTERNAL_ID` with the External ID from your Aiceberg Bedrock model configuration.

{% code title="trust-policy.json" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::119554510492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
```

{% endcode %}
{% endstep %}

{% step %}

### Permissions Policy

Attach an inline policy to the role granting the following permissions:

{% code title="bedrock-invoke-policy.json" %}

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AicebergBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    }
  ]
}
```

{% endcode %}
{% endstep %}

{% step %}

### Name the Role and Create

* Name your role (e.g., AicebergBedrockAccessRole)
* Add a description (e.g., "Allows Aiceberg to invoke Bedrock models")
* Review and create the role

{% endstep %}

{% step %}

### Copy the Role ARN

* Open the role details page
* Copy the Role ARN (format: `arn:aws:iam::YOUR_ACCOUNT_ID:role/RoleName`)
* Enter this ARN in your Aiceberg Bedrock model configuration

{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Important: Do not share your External ID publicly. Replace `REPLACE_WITH_YOUR_EXTERNAL_ID` in the trust policy with the exact External ID provided by Aiceberg.
{% endhint %}

## Security Best Practices

The External ID condition prevents the "confused deputy problem" in cross-account access: a service that assumes roles in many customer accounts could otherwise be tricked into using your role on behalf of a different tenant, and the `sts:ExternalId` condition ensures only requests carrying your unique value can assume the role. Always use the unique External ID provided by Aiceberg; never share it publicly or reuse it across different services.

Least privilege: The sample policy grants only the minimum permissions required:

* bedrock:InvokeModel — synchronous model invocation
* bedrock:InvokeModelWithResponseStream — streaming responses

## Resource Restrictions (Optional)

You can restrict access to specific regions or models by modifying the Resource ARN.

Specific region example:

{% code title="specific-region.json" %}

```json
"Resource": "arn:aws:bedrock:us-east-1:*:foundation-model/*"
```

{% endcode %}

Specific model example:

{% code title="specific-model.json" %}

```json
"Resource": "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
```

{% endcode %}

Multiple specific models example:

{% code title="multiple-models.json" %}

```json
"Resource": [
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
]
```

{% endcode %}

## Infrastructure as Code (IaC) Examples

### CloudFormation Template

{% code title="cloudformation-template.yml" %}

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM Role for Aiceberg Bedrock Access'

Parameters:
  ExternalId:
    Type: String
    Description: 'External ID provided by Aiceberg'
    NoEcho: true

Resources:
  AicebergBedrockRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AicebergBedrockAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::119554510492:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: BedrockInvokePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AicebergBedrockInvoke
                Effect: Allow
                Action:
                  - 'bedrock:InvokeModel'
                  - 'bedrock:InvokeModelWithResponseStream'
                Resource: 'arn:aws:bedrock:*:*:foundation-model/*'

Outputs:
  RoleArn:
    Description: 'ARN of the created IAM Role'
    Value: !GetAtt AicebergBedrockRole.Arn
    Export:
      Name: AicebergBedrockRoleArn
```

{% endcode %}

### Terraform

{% code title="main.tf" %}

```hcl
variable "aiceberg_external_id" {
  description = "External ID provided by Aiceberg"
  type        = string
  sensitive   = true
}

resource "aws_iam_role" "aiceberg_bedrock" {
  name = "AicebergBedrockAccessRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::119554510492:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.aiceberg_external_id
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "aiceberg_bedrock_invoke" {
  name = "BedrockInvokePolicy"
  role = aws_iam_role.aiceberg_bedrock.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AicebergBedrockInvoke"
        Effect = "Allow"
        Action = [
          "bedrock:InvokeModel",
          "bedrock:InvokeModelWithResponseStream"
        ]
        Resource = "arn:aws:bedrock:*:*:foundation-model/*"
      }
    ]
  })
}

output "role_arn" {
  description = "ARN of the created IAM Role"
  value       = aws_iam_role.aiceberg_bedrock.arn
}
```

{% endcode %}

## Troubleshooting

<details>

<summary>Connection Test Failed</summary>

If Aiceberg cannot assume the role, check the following:

* Verify the Role ARN is correct
* Confirm the External ID matches exactly (no extra spaces)
* Check that the trust policy includes Aiceberg's account ID (119554510492)
* Ensure the permissions policy is attached to the role

</details>

<details>

<summary>Access Denied Errors</summary>

If you see access denied errors:

* Verify the permissions policy includes both InvokeModel and InvokeModelWithResponseStream
* Check that the Resource ARN allows access to your specific models
* Confirm the role has been saved and policies are attached

</details>
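As an added example (not part of the Aiceberg documentation), the following Python script checks a trust policy and a permissions policy offline against the checklist above and against the Resource patterns from the Resource Restrictions section. The External ID, the intended model ARNs and the policy documents below are constructed samples; in practice you paste the documents returned by `aws iam get-role` and `aws iam get-role-policy`.

```python
"""Offline linter for the IAM role documents described on this page.

Added example, not Aiceberg's own code. It checks a trust policy for the
Troubleshooting checklist (Aiceberg's account as principal, an exact
sts:ExternalId condition, no leftover placeholder) and a permissions policy
for both invoke actions on every model you intend to call, using IAM-style
wildcard matching for the Resource patterns from this page.
"""
import re

AICEBERG_ACCOUNT_ID = "119554510492"  # Aiceberg's account, as given on this page
PLACEHOLDER = "REPLACE_WITH_YOUR_EXTERNAL_ID"
REQUIRED_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")

# Constructed sample of the External ID shown in the Aiceberg model configuration page.
EXTERNAL_ID = "example-external-id-0000"

# Trust policy from this page with the placeholder replaced (constructed sample).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AICEBERG_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed sample of a common mistake: the placeholder was never replaced.
TRUST_POLICY_WITH_PLACEHOLDER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AICEBERG_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": PLACEHOLDER}},
    }],
}

# Permissions policy using the "specific region" Resource pattern from this page.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AicebergBedrockInvoke",
        "Effect": "Allow",
        "Action": list(REQUIRED_ACTIONS),
        "Resource": "arn:aws:bedrock:us-east-1:*:foundation-model/*",
    }],
}

# Models you intend to call (constructed ARNs; the model IDs are the ones shown on this page).
INTENDED_MODELS = [
    "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
    "arn:aws:bedrock:eu-west-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
]


def _as_list(value):
    """IAM accepts a single string or a list of strings in Principal, Action, Resource and Condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def iam_pattern_matches(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters (including none), '?' exactly one.
    Matching is case-sensitive here, which is exact for ARNs (IAM compares action names case-insensitively)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def lint_trust_policy(doc, external_id):
    """Findings about who may assume the role; an empty list means the trust policy matches this guide."""
    findings = []
    statements = [s for s in doc.get("Statement", [])
                  if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not statements:
        return ["no Allow statement for sts:AssumeRole"]
    for s in statements:
        principal = s.get("Principal")
        principals = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        if "*" in principals:
            findings.append("Principal is '*': any AWS account could assume this role")
        if f"arn:aws:iam::{AICEBERG_ACCOUNT_ID}:root" not in principals:
            findings.append(f"Principal does not include Aiceberg's account {AICEBERG_ACCOUNT_ID}")
        ids = _as_list(s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ids:
            findings.append("missing sts:ExternalId condition (confused-deputy protection)")
        elif PLACEHOLDER in ids:
            findings.append("sts:ExternalId still contains the placeholder value")
        elif external_id not in ids:
            # The checklist's "no extra spaces" case: the value is right apart from whitespace.
            hint = " (differs only by whitespace)" if any(i.strip() == external_id.strip() for i in ids) else ""
            findings.append("sts:ExternalId does not match the External ID from Aiceberg" + hint)
    return findings


def lint_permissions_policy(doc, model_arns):
    """For every intended model, require an Allow statement whose Action and Resource patterns
    cover each invoke action. Deny statements and policies attached elsewhere are not evaluated."""
    findings = []
    allows = [s for s in doc.get("Statement", []) if s.get("Effect") == "Allow"]
    for arn in model_arns:
        for action in REQUIRED_ACTIONS:
            covered = any(
                any(iam_pattern_matches(a, action) for a in _as_list(s.get("Action")))
                and any(iam_pattern_matches(r, arn) for r in _as_list(s.get("Resource")))
                for s in allows
            )
            if not covered:
                findings.append(f"{action} is not allowed on {arn}")
    return findings


def lint_role(trust_doc, permissions_doc, external_id, model_arns):
    """Combine both checks into one report."""
    return {
        "trust_policy": lint_trust_policy(trust_doc, external_id),
        "permissions_policy": lint_permissions_policy(permissions_doc, model_arns),
    }


if __name__ == "__main__":
    for name, doc in (("trust-policy.json", TRUST_POLICY),
                      ("trust-policy with placeholder", TRUST_POLICY_WITH_PLACEHOLDER)):
        print(name + ":", lint_trust_policy(doc, EXTERNAL_ID) or "OK")
    for finding in lint_permissions_policy(PERMISSIONS_POLICY, INTENDED_MODELS):
        print("bedrock-invoke-policy.json:", finding)
```

Run as written, the region-restricted sample policy passes for the `us-east-1` model and reports both invoke actions as not allowed for the `eu-west-1` model, which is exactly the "Check that the Resource ARN allows access to your specific models" case. The script looks only at the Allow statements of the documents you give it; it does not evaluate Deny statements, service control policies or permission boundaries, so a clean report is necessary but not sufficient for a working connection.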

## Support

If you encounter issues setting up the IAM role, contact Aiceberg support with:

* Your Role ARN
* Any error messages from AWS or Aiceberg
* The Region where your Bedrock models are located
