🔑 Amazon Bedrock API Keys: Simplified Authentication for Developers

Posted on by No Comments ↓

Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each designed for different use cases:

🟢 Short-term API Keys (Recommended)

  • Duration: Up to 12 hours or remaining console session time
  • Technology: Pre-signed URLs with AWS Signature Version 4
  • Permissions: Inherit the same permissions as the generating identity
  • Generation: Bedrock console, Python package aws-bedrock-token-generator
  • Security: Lower risk due to short duration

🟡 Long-term API Keys (For development)

  • Duration: From 1 day up to 36,600 days (or never expires)
  • Association: Linked to specific IAM users
  • Limit: Maximum 2 keys per IAM user
  • Auto-policy: AmazonBedrockLimitedAccess automatically attached to user
  • Security: Higher risk – requires regular rotation

🛠️ How to Generate Long-term API Keys

Prerequisites

  1. Existing IAM user
  2. Required IAM permissions: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:UpdateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ResetServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/username"
        }
    ]
}

🖥️ Method 1: AWS Console

  1. Navigate to IAM ConsoleUsers
  2. Select the IAM user
  3. Security credentials tab
  4. API keys for Amazon Bedrock section → Generate API Key

  1. Configure expiration (1, 5, 30, 90, 365 days or custom) – For long-term API key

  1. IMPORTANT! Download/copy the key immediately – you cannot retrieve it later

⌨️ Method 2: AWS CLI

To generate an Amazon Bedrock long-term API key using the AWS CLI, use Generating a long-term API Key for Amazon Bedrock (AWS CLI)steps.

💻 Code Implementation

import requests

# Configuration
url = "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-sonnet-20240229-v1:0/invoke"

payload = {
    "messages": [
        {
            "role": "user", 
            "content": [{"type": "text", "text": "Hello, Bedrock!"}]
        }
    ],
    "max_tokens": 1000,
    "anthropic_version": "bedrock-2023-05-31"
}

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_BEDROCK_API_KEY"
}

response = requests.post(url, json=payload, headers=headers)
print(response.json())

🌐 Environment Variable Setup

# Set as environment variable
export AWS_BEARER_TOKEN_BEDROCK=your-api-key-here

# Or use in applications
import os
api_key = os.getenv('AWS_BEARER_TOKEN_BEDROCK')

Use Amazon Bedrock API in your favorite SDK.

🎯 When to Use Each Type?

Scenario Recommendation
Production applications Short-term API keys
Development/Testing Long-term API keys
CI/CD Pipelines Short-term API keys
Personal scripts Long-term API keys
Enterprise applications Short-term + automatic rotation

📊 Key Benefits

Simplified Authentication – No complex signature calculations

Flexible Duration – Choose expiration that fits your needs

Enhanced Security – Service-specific credentials limit scope

Existing IAM Controls – Respects all current permissions

Have you tried the new API Keys yet? Share your experience in the comments! 🚀

Leave a Reply