Authentication Methods

Using AWS Access Key and Secret

  1. Create an IAM user (or choose an existing IAM user) following these steps.
  2. Add the required permissions for this user. The following policy grants permission to invoke all models:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Sid": "InvokeAllModels",
            "Action": [
              "bedrock:InvokeModel",
              "bedrock:InvokeModelWithResponseStream"
            ],
            "Resource": ["arn:aws:bedrock:us-east-1::foundation-model/*"]
          }
        ]
      }
      
  3. Create an access key for this user as per this doc.
  4. Use this access key and secret while adding the provider account to authenticate requests to the Bedrock model.

Using Assumed Role

  1. You can also directly specify a role that can be assumed by the service account attached to the pods running AI Gateway.
  2. Read more about how assumed roles work here.

Using Bedrock Guardrails

  1. Create a Guardrail in AWS. More information at this link - https://aws.amazon.com/bedrock/guardrails

  2. Copy the Guardrail ID and the version number.

  3. While calling an AWS Bedrock model through TFY AI Gateway, pass the following object along with it:

     "guardrailConfig": {
        "guardrailIdentifier": "your-guardrail-id",
        "guardrailVersion": "1"
      }
    
  4. This should ensure the response will have guardrails enforced. Consider this input where the guardrail is configured to censor PII like name, email etc.:

    {
      "model": "internal-bedrock/claude-3",
      "messages": [
        {
          "role": "user",
          "content": "What are some ideas for email for Elon Musk?"
        }
      ],
      "guardrailConfig": {
        "guardrailIdentifier": "xyz-123-768",
        "guardrailVersion": "1"
      }
    }
    
  5. Sample output:

    {
        "id": "1741339101780",
        "object": "chat.completion",
        "created": 1741339101,
        "model": "",
        "provider": "aws",
        "choices": [
            {
                "index": 0,
                "message": {
                    "role": "assistant",
                    "content": "Here are some ideas for email addresses for {NAME}:\n\n1. {EMAIL}\n2. {EMAIL}\n3. {EMAIL}\n4. {EMAIL}\n5. {EMAIL}\n6. {EMAIL} (or any relevant year)\n7. {EMAIL}\n8. {EMAIL}\n9. {EMAIL}\n10. {EMAIL}\n11. {EMAIL}\n12. {EMAIL}\n13. {EMAIL}\n14. {EMAIL}\n15. {EMAIL}\n\nWhen creating an email address, consider the following tips:\n\n1. Keep it professional if it's for work purposes.\n2. Make it easy to spell and remember.\n3. Avoid using numbers or special characters unless necessary.\n4. Consider using a combination of first name, last name, or initials.\n5. You can use different email addresses for personal and professional purposes.\n\nRemember to replace \"example.com\" with the actual domain you'll be using for your email address."
                },
                "finish_reason": "guardrail_intervened"
            }
        ],
        "usage": {
            "prompt_tokens": 25,
            "completion_tokens": 320,
            "total_tokens": 345
        }
    }
    
  6. If you’re using a library like LangChain, you might have to pass the extra param through a parameter such as extra_body, as required by the library. For example, refer to this LangChain OpenAI class doc.
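
A client-side check on the response shape shown in step 5, added here as an example and not part of the gateway's own documentation or code: it reports whether the guardrail intervened, counts the masking placeholders, and flags e-mail addresses that came back unmasked. The `guardrail_intervened` value and the `{NAME}`/`{EMAIL}` placeholders are taken from the sample output above; the function names, the e-mail regex and the `stop` finish reason in the constructed sample are assumptions.

```python
import re
from collections import Counter

# Masking placeholders as they appear in the page's sample output, e.g. {NAME}, {EMAIL}.
PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")
# Simple heuristic for e-mail addresses that came back unmasked (assumption, not exhaustive).
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def audit_guardrail(response: dict) -> list:
    """Summarise guardrail behaviour for each choice of a chat.completion response."""
    findings = []
    for choice in response.get("choices", []):
        content = (choice.get("message") or {}).get("content") or ""
        findings.append({
            "index": choice.get("index"),
            "intervened": choice.get("finish_reason") == "guardrail_intervened",
            "masked": dict(Counter(PLACEHOLDER.findall(content))),
            "unmasked_emails": EMAIL.findall(content),
        })
    return findings


def is_safe_to_log(response: dict) -> bool:
    """Fail closed: an empty response or any unmasked e-mail address means do not log."""
    findings = audit_guardrail(response)
    return bool(findings) and not any(f["unmasked_emails"] for f in findings)


# Constructed samples: MASKED is a shortened form of the page's sample output,
# LEAKY imitates a call where guardrailConfig was not forwarded to the model.
MASKED = {"choices": [{"index": 0, "finish_reason": "guardrail_intervened",
                       "message": {"role": "assistant",
                                   "content": "Ideas for {NAME}:\n1. {EMAIL}\n2. {EMAIL}"}}]}
LEAKY = {"choices": [{"index": 0, "finish_reason": "stop",
                      "message": {"role": "assistant",
                                  "content": "Try jane.doe@example.com"}}]}

if __name__ == "__main__":
    for name, resp in (("masked", MASKED), ("leaky", LEAKY)):
        print(name, audit_guardrail(resp), is_safe_to_log(resp))
```

Running a check like this in an integration test catches the case from step 6, where a client library silently drops `guardrailConfig` and the response comes back unfiltered.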