AWS Bedrock
Run Claude Code through Amazon Bedrock to keep all data within your AWS infrastructure. This guide covers authentication methods, endpoint configuration, and troubleshooting for using Claude models via AWS Bedrock.
What Is AWS Bedrock?
Amazon Bedrock is a fully managed AWS service that provides access to foundation models (including Claude) through a unified API. When your organization uses AWS infrastructure, you can run Claude Code through Bedrock instead of directly through Anthropic's API, keeping all data within your AWS account.
Prerequisites
Before configuring Claude Code to use AWS Bedrock, ensure you have the following:
- An AWS account with Bedrock access
- Claude model enabled in your AWS region (check AWS Console > Bedrock > Model access)
- AWS CLI installed and configured (
aws --version) - Appropriate IAM permissions for Bedrock model invocation
Verify your setup with these commands:
# Check AWS CLI is configured
aws sts get-caller-identity
# Check Bedrock model access
aws bedrock list-foundation-models --query "modelSummaries[?contains(modelId, 'claude')].[modelId,modelName]" --output tableAuthentication
Three authentication methods are available. Choose based on your security requirements and use case.
Decision Matrix
Compare authentication methods to select the best approach for your needs:
| Method | Best For | Security Level | Setup Complexity | Credential Lifetime |
|---|---|---|---|---|
| API Keys (Short-term) | Production workloads (recommended) | High — inherits IAM principal permissions | Simple — requires IAM principal | Up to 12 hours |
| API Keys (Long-term) | Quick testing and exploration | Moderate — fixed permissions | Simple — one-click generation | Up to 30 days |
| IAM Roles | Enterprise environments, CI/CD pipelines | High — auto-rotating credentials | Complex — requires IAM configuration | Temporary (auto-rotated) |
API Keys Setup
Generate API keys in the AWS Console under Bedrock > API keys. Short-term keys are region-specific and tied to your IAM principal.
# Set Bedrock API key as environment variable
export ANTHROPIC_API_KEY="your-bedrock-api-key"
# Or configure in Claude Code settings
claude config set api_key "your-bedrock-api-key"IAM Roles
For enterprise deployments, use IAM roles with temporary credentials. This is the most secure option as credentials rotate automatically.
# Configure AWS profile for Bedrock
aws configure --profile bedrock
# Enter: Access Key ID, Secret Access Key, Region, Output format
# Set environment variables for Claude Code
export AWS_PROFILE=bedrock
export AWS_REGION=us-east-1Endpoint Configuration
AWS Bedrock provides two types of endpoints. Use the Runtime endpoint for Claude Code model invocation:
| Endpoint Type | URL Pattern | Purpose |
|---|---|---|
| Control Plane | bedrock.{region}.amazonaws.com |
Resource management (create, list, delete) |
| Runtime (Inference) | bedrock-runtime.{region}.amazonaws.com |
Model invocation (recommended for Claude Code) |
# Configure Claude Code to use Bedrock endpoint
export ANTHROPIC_BASE_URL="https://bedrock-runtime.us-east-1.amazonaws.com"
# Verify connectivity
aws bedrock-runtime invoke-model \
--model-id anthropic.claude-sonnet-4-20250514-v1:0 \
--body '{"prompt": "Hello", "max_tokens": 10}' \
--region us-east-1 \
output.jsonTroubleshooting
Common issues and solutions when using Claude Code with AWS Bedrock:
"Access Denied" when calling Bedrock
- Check IAM permissions include
bedrock:InvokeModel - Verify Claude model is enabled in your region
- Confirm API key is valid and not expired
"Model not found" error
- Verify model ID matches available models:
aws bedrock list-foundation-models - Check region — not all models available in all regions
- Use full model ID format:
anthropic.claude-sonnet-4-20250514-v1:0
"Endpoint connection failed"
- Verify
AWS_REGIONmatches your endpoint URL region - Check VPC/firewall allows outbound HTTPS to Bedrock endpoints
- Try the inference endpoint:
bedrock-runtime.{region}.amazonaws.com
Quick Reference
Quick Reference: Bedrock Configuration
| Variable | Value |
|---|---|
ANTHROPIC_API_KEY | Your Bedrock API key |
ANTHROPIC_BASE_URL | https://bedrock-runtime.{region}.amazonaws.com |
AWS_PROFILE | AWS profile name (if using profiles) |
AWS_REGION | e.g., us-east-1 |
AWS_WEB_IDENTITY_TOKEN_FILE | Path to OIDC token (for federation) |
AWS_ROLE_ARN | IAM role ARN (for federation) |