
How do I set up AWS Bedrock?

AWS Bedrock IAM Role Setup

Overview

To allow Aiceberg to invoke models in your AWS Bedrock instance, you need to create an IAM role in your AWS account that Aiceberg can assume. This guide provides the necessary policies and setup instructions.

Prerequisites

  • AWS account with Bedrock access

  • Permissions to create IAM roles in your AWS account

  • Your unique External ID from Aiceberg (found in your Bedrock model configuration page)

Setup Instructions

Step 1: Create the IAM Role

  1. Sign in to the AWS Console

  2. Navigate to IAM > Roles > Create role

  3. Select "Custom trust policy"

  4. Use the Trust Policy below (replace the External ID)

Step 2: Trust Policy (Assume Role Policy)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::119554510492:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE_WITH_YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}

Important: Replace REPLACE_WITH_YOUR_EXTERNAL_ID with the External ID provided in your Aiceberg Bedrock model configuration page.

Step 3: Permissions Policy

After creating the role with the trust policy, attach an inline policy with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AicebergBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "arn:aws:bedrock:*:*:foundation-model/*"
    }
  ]
}

Step 4: Name the Role and Create

  1. Name your role (e.g., AicebergBedrockAccessRole)

  2. Add a description (e.g., "Allows Aiceberg to invoke Bedrock models")

  3. Review and create the role

Step 5: Copy the Role ARN

After creating the role:

  1. Open the role details page

  2. Copy the Role ARN (format: arn:aws:iam::YOUR_ACCOUNT_ID:role/RoleName)

  3. Enter this ARN in your Aiceberg Bedrock model configuration

Security Best Practices

External ID

The External ID is a security feature that prevents the "confused deputy problem" in cross-account access: a third party who learns your Role ARN still cannot have Aiceberg assume the role on their behalf, because the assume-role call must also present the External ID. Always use the unique External ID provided by Aiceberg; never share it publicly or reuse it across different services.

Least Privilege

The sample policy grants only the minimum permissions needed:

  • bedrock:InvokeModel - Invoke models synchronously

  • bedrock:InvokeModelWithResponseStream - Invoke models with streaming responses

Resource Restrictions (Optional)

You can further restrict access to specific models or regions by modifying the Resource ARN:

Specific Region:

"Resource": "arn:aws:bedrock:us-east-1:*:foundation-model/*"

Specific Model:

"Resource": "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"

Multiple Specific Models:

"Resource": [
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:*:*:foundation-model/anthropic.claude-3-haiku-20240307-v1:0"
]

Infrastructure as Code (IaC) Examples

CloudFormation Template

AWSTemplateFormatVersion: '2010-09-09'
Description: 'IAM Role for Aiceberg Bedrock Access'

Parameters:
  ExternalId:
    Type: String
    Description: 'External ID provided by Aiceberg'
    NoEcho: true

Resources:
  AicebergBedrockRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AicebergBedrockAccessRole
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::119554510492:root'
            Action: 'sts:AssumeRole'
            Condition:
              StringEquals:
                'sts:ExternalId': !Ref ExternalId
      Policies:
        - PolicyName: BedrockInvokePolicy
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AicebergBedrockInvoke
                Effect: Allow
                Action:
                  - 'bedrock:InvokeModel'
                  - 'bedrock:InvokeModelWithResponseStream'
                Resource: 'arn:aws:bedrock:*:*:foundation-model/*'

Outputs:
  RoleArn:
    Description: 'ARN of the created IAM Role'
    Value: !GetAtt AicebergBedrockRole.Arn
    Export:
      Name: AicebergBedrockRoleArn

Terraform

variable "aiceberg_external_id" {
  description = "External ID provided by Aiceberg"
  type        = string
  sensitive   = true
}

resource "aws_iam_role" "aiceberg_bedrock" {
  name = "AicebergBedrockAccessRole"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          AWS = "arn:aws:iam::119554510492:root"
        }
        Action = "sts:AssumeRole"
        Condition = {
          StringEquals = {
            "sts:ExternalId" = var.aiceberg_external_id
          }
        }
      }
    ]
  })
}

resource "aws_iam_role_policy" "aiceberg_bedrock_invoke" {
  name = "BedrockInvokePolicy"
  role = aws_iam_role.aiceberg_bedrock.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AicebergBedrockInvoke"
        Effect = "Allow"
        Action = [
          "bedrock:InvokeModel",
          "bedrock:InvokeModelWithResponseStream"
        ]
        Resource = "arn:aws:bedrock:*:*:foundation-model/*"
      }
    ]
  })
}

output "role_arn" {
  description = "ARN of the created IAM Role"
  value       = aws_iam_role.aiceberg_bedrock.arn
}

Troubleshooting

Connection Test Failed

If Aiceberg cannot assume the role:

  1. Verify the Role ARN is correct

  2. Confirm the External ID matches exactly (no extra spaces)

  3. Check that the trust policy includes Aiceberg's account ID (119554510492)

  4. Ensure the permissions policy is attached to the role

Access Denied Errors

If you see access denied errors:

  1. Verify the permissions policy includes both InvokeModel and InvokeModelWithResponseStream

  2. Check that the Resource ARN allows access to your specific models

  3. Confirm the role has been saved and policies are attached
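The checks in the two troubleshooting lists above (External ID matches exactly, trust policy names Aiceberg's account, both invoke actions present, Resource ARN covers your model) can be run offline against the policy documents before you click "Test connection"; the script below is an added example, not Aiceberg's code. It also flags a wildcard principal in the trust policy, which the guide's policies never use; the constant and function names are assumed, and fnmatch is used as an approximation of IAM's `*`/`?` resource-pattern matching.

```python
from fnmatch import fnmatchcase

# Account ID and action names are the ones given in this guide.
AICEBERG_ACCOUNT_ID = "119554510492"
REQUIRED_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}
PLACEHOLDER_EXTERNAL_ID = "REPLACE_WITH_YOUR_EXTERNAL_ID"


def _as_list(value):
    # IAM accepts either a string or a list in Action / Resource / Principal fields.
    return value if isinstance(value, list) else [value]


def check_trust_policy(doc, expected_external_id):
    """Return the problems found in an assume-role (trust) policy; an empty list means OK."""
    problems = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = [] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal == "*" or "*" in principals:
            problems.append("trust policy lets any AWS principal assume the role")
        if f"arn:aws:iam::{AICEBERG_ACCOUNT_ID}:root" not in principals:
            problems.append("trust policy does not name Aiceberg's account 119554510492")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext is None:
            problems.append("no sts:ExternalId condition (confused deputy risk)")
        elif ext == PLACEHOLDER_EXTERNAL_ID:
            problems.append("External ID placeholder was never replaced")
        elif ext != expected_external_id:
            hint = " (only whitespace differs)" if ext.strip() == expected_external_id.strip() else ""
            problems.append("External ID does not match the one from Aiceberg" + hint)
    return problems


def check_permissions_policy(doc, model_arn):
    """Return the problems found in the permissions policy for invoking model_arn."""
    allowed, covers_model = set(), False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(_as_list(stmt.get("Action", [])))
        allowed |= actions
        # IAM resource patterns use '*' and '?' like shell globs, so fnmatch is a close fit (assumption).
        if actions & REQUIRED_ACTIONS and any(fnmatchcase(model_arn, p) for p in _as_list(stmt.get("Resource", []))):
            covers_model = True
    problems = [f"missing action {a}" for a in sorted(REQUIRED_ACTIONS - allowed)]
    if not covers_model:
        problems.append(f"no Resource pattern matches {model_arn}")
    return problems
```

Load the two JSON documents from your role (for example with `json.load`) and pass them to the two functions together with the External ID from your Aiceberg configuration and the ARN of the model you intend to use.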

Support

If you encounter issues setting up the IAM role, please contact Aiceberg support with:

  • Your Role ARN

  • Any error messages from AWS or Aiceberg

  • The Region where your Bedrock models are located