Get credentials to grant programmatic access Attach Amazon Bedrock permissions to a user or role Request access to Amazon Bedrock models Try making API calls to Amazon Bedrock

Getting started with the API

This section describes how to set up your environment to make Amazon Bedrock requests through the AWS API. AWS offers the following tools to streamline your experience:

AWS Command Line Interface (AWS CLI)
AWS SDKs
Amazon SageMaker AI notebooks

To get started with the API, you need credentials to grant programmatic access. If the following sections pertain to you, expand them and follow the instructions. Otherwise, proceed through the remaining sections.

If you do not have an AWS account, complete the following steps to create one.

To sign up for an AWS account

Open https://portal.aws.amazon.com/billing/signup.
Follow the online instructions.

Part of the sign-up procedure involves receiving a phone call and entering a verification code on the phone keypad.

When you sign up for an AWS account, an AWS account root user is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform tasks that require root user access.

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to https://aws.amazon.com/ and choosing My Account.

Secure your AWS account root user

Sign in to the AWS Management Console as the account owner by choosing Root user and entering your AWS account email address. On the next page, enter your password.

For help signing in by using root user, see Signing in as the root user in the AWS Sign-In User Guide.
Turn on multi-factor authentication (MFA) for your root user.

For instructions, see Enable a virtual MFA device for your AWS account root user (console) in the IAM User Guide.

To install the AWS CLI, follow the steps at Install or update to the latest version of the AWS CLI.

To install an AWS SDK, select the tab that corresponds to the programming language that you want to use at Tools to Build on AWS. AWS software development kits (SDKs) are available for many popular programming languages. Each SDK provides an API, code examples, and documentation that make it easier for developers to build applications in their preferred language. SDKs automatically perform useful tasks for you, such as:

Cryptographically sign your service requests
Retry requests
Handle error responses

Get credentials to grant programmatic access

Users need programmatic access if they want to interact with AWS outside of the AWS Management Console. The way to grant programmatic access depends on the type of user that's accessing AWS.

To grant users programmatic access, choose one of the following options.

Which principal needs programmatic access?	To	By
IAM users	Limit the duration of long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.	Following the instructions for the interface that you want to use. For the AWS CLI, see Authenticating using IAM user credentials in the AWS Command Line Interface User Guide. For AWS SDKs and tools, see Authenticate using long-term credentials in the AWS SDKs and Tools Reference Guide. For AWS APIs, see Managing access keys for IAM users in the IAM User Guide.
IAM roles	Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.	Following the instructions in Using temporary credentials with AWS resources in the IAM User Guide.
Workforce identity (Users managed in IAM Identity Center)	Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.	Following the instructions for the interface that you want to use. For the AWS CLI, see Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide. For AWS SDKs, tools, and AWS APIs, see IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide.

Which principal needs programmatic access?

IAM users

Limit the duration of long-term credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.

Following the instructions for the interface that you want to use.

For the AWS CLI, see Authenticating using IAM user credentials in the AWS Command Line Interface User Guide.
For AWS SDKs and tools, see Authenticate using long-term credentials in the AWS SDKs and Tools Reference Guide.
For AWS APIs, see Managing access keys for IAM users in the IAM User Guide.

IAM roles

Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.

Following the instructions in Using temporary credentials with AWS resources in the IAM User Guide.

Workforce identity

(Users managed in IAM Identity Center)

Use temporary credentials to sign programmatic requests to the AWS CLI, AWS SDKs, or AWS APIs.

Following the instructions for the interface that you want to use.

For the AWS CLI, see Configuring the AWS CLI to use AWS IAM Identity Center in the AWS Command Line Interface User Guide.
For AWS SDKs, tools, and AWS APIs, see IAM Identity Center authentication in the AWS SDKs and Tools Reference Guide.

If you decide to use access keys for an IAM user, AWS recommends that you set an expiration for the IAM user by including a restrictive inline policy.

Important

Heed the following warnings:

Do NOT use your account's root credentials to access AWS resources. These credentials provide unrestricted account access and are difficult to revoke.
Do NOT put literal access keys or credential information in your application files. If you do, you create a risk of accidentally exposing your credentials if, for example, you upload the project to a public repository.
Do NOT include files that contain credentials in your project area.
Manage your access keys securely. Do not provide your access keys to unauthorized parties, even to help find your account identifiers. By doing this, you might give someone permanent access to your account.
Be aware that any credentials stored in the shared AWS credentials file are stored in plaintext.

For more details, see Best practices for managing AWS access keys in the AWS General Reference.

Create an IAM user

On the AWS Management Console Home page, select the IAM service or navigate to the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, select Users and then select Create user.
Follow the guidance in the IAM console to set up a programmatic user (without access to the AWS Management Console) and without permissions.

Restrict user access to a limited time window

Any IAM user access keys that you create are long-term credentials. To ensure that these credentials expire in case they are mishandled, you can make these credentials time-bound by creating an inline policy that specifies a date after which the keys will no longer be valid.

Open the IAM user that you just created. In the Permissions tab, choose Add permissions and then choose Create inline policy.

In the JSON editor, specify the following permissions. To use this policy, replace the value for aws:CurrentTime timestamp value in the example policy with your own end date.

Note

IAM recommends that you limit your access keys to 12 hours.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2024-01-01T00:00:000"
        }
      }
    }
  ]
}

Create an access key

On the User details page, select the Security credentials tab. In the Access keys section, choose Create access key.
Indicate that you plan to use these access keys as Other and choose Create access key.
On the Retrieve access key page, choose Show to reveal the value of your user's secret access key. You can copy the credentials or download a .csv file.

Important

When you no longer need this IAM user, we recommend that you remove it and align with the AWS security best practice, we recommend that you require your human users to use temporary credentials through AWS IAM Identity Center when accessing AWS.

Attach Amazon Bedrock permissions to a user or role

After setting up credentials for programmatic access, you need to configure permissions for a user or IAM role to have access a set of Amazon Bedrock-related actions. To set up these permissions, do the following:

On the AWS Management Console Home page, select the IAM service or navigate to the IAM console at https://console.aws.amazon.com/iam/.
Select Users or Roles and then select your user or role.
In the Permissions tab, choose Add permissions and then choose Add AWS managed policy. Choose the AmazonBedrockFullAccess AWS managed policy.

To allow the user or role to subscribe to models, choose Create inline policy and then specify the following permissions in the JSON editor:


{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Sid": "MarketplaceBedrock",
          "Effect": "Allow",
          "Action": [
              "aws-marketplace:ViewSubscriptions",
              "aws-marketplace:Unsubscribe",
              "aws-marketplace:Subscribe"
          ],
          "Resource": "*"
      }
  ]
}

Request access to Amazon Bedrock models

Request access to the Amazon Bedrock models through the Amazon Bedrock console by following the steps at Request access to an Amazon Bedrock foundation model.

Try making API calls to Amazon Bedrock

After you've fulfilled all the prerequisites, select one of the following topics to test out making model invocation requests using Amazon Bedrock models:

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Getting started in the console

Run examples with the AWS CLI