Available on all plans.

Set Up Bedrock Authentication for Enterprise

On the Enterprise plan and need to connect to Bedrock using an AWS assumed role? Check out the documentation here.

Select AWS Assumed Role Authentication

Create a new integration on Portkey, select Bedrock as the provider and AWS Assumed Role as the authentication method.

Create an AWS Role for Portkey to Assume

This role you create will be used by Portkey to execute InvokeModel commands on Bedrock models in your AWS account. The setup process will establish a minimal-permission (“least privilege”) role and set it up to allow Portkey to assume this role.

Create a permission policy in your AWS account using the following JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockConsole",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
        ],
      "Resource": "*"
    }
  ]
}

Create a new IAM role

Choose AWS account as the trusted entity type. If you set an external ID be sure to copy it, we will need it later.

Add the above policy to the role

Search for the policy you created above and add it to the role.

Configure Trust Relationship for the role

Once the role is created, open the role and navigate to the Trust relationships tab and click Edit trust policy. This is where you will add the Portkey AWS account as a trusted entity.

Portkey Account ARN
arn:aws:iam::299329113195:role/portkey-app

The above ARN only works for our hosted app.

To enable Assumed Role for AWS in your Portkey Enterprise deployment, you can refer to this guide. If you face any issue, please reach out to us at support@portkey.ai.

Paste the following JSON into the trust policy editor and click Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::299329113195:role/portkey-app"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
}
]
}

If you set an external ID, add it to the condition as shown below.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<Portkey Account ARN>"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "<your external ID>"
          }
        }
      }
    ]
}

Configure the integration with the role ARN

Once the role is created, copy the role ARN and paste it into the Bedrock integrations modal in Portkey along with the external ID if you set one and the AWS region you are using.

You’re all set! You can now use the providers inherited from your integration to invoke Bedrock models.