SpyBara
Go Premium

amazon-bedrock.md 2026-03-31 21:09 UTC to 2026-04-01 21:12 UTC

11 added, 0 removed.

2026
Wed 29 21:21 Tue 28 21:21 Mon 27 21:20 Sun 26 04:08 Sat 25 21:10 Fri 24 18:11 Thu 23 18:19 Wed 22 21:15 Tue 21 21:14 Mon 20 21:14 Sat 18 18:09 Fri 17 21:13 Thu 16 21:13 Wed 15 18:20 Tue 14 21:14 Mon 13 21:14 Sat 11 00:11 Fri 10 21:09 Thu 9 21:14 Wed 8 21:13 Tue 7 21:14 Sat 4 18:05 Fri 3 21:07 Thu 2 21:08 Wed 1 21:12

Claude Code on Amazon Bedrock

Learn about configuring Claude Code through Amazon Bedrock, including setup, IAM configuration, and troubleshooting.

Prerequisites

Before configuring Claude Code with Bedrock, ensure you have:

  • An AWS account with Bedrock access enabled
  • Access to desired Claude models (for example, Claude Sonnet 4.6) in Bedrock
  • AWS CLI installed and configured (optional - only needed if you don't have another mechanism for getting credentials)
  • Appropriate IAM permissions

Setup

1. Submit use case details

First-time users of Anthropic models are required to submit use case details before invoking a model. This is done once per account.

  1. Ensure you have the right IAM permissions (see more on that below)
  2. Navigate to the Amazon Bedrock console
  3. Select Chat/Text playground
  4. Choose any Anthropic model and you will be prompted to fill out the use case form

2. Configure AWS credentials

Claude Code uses the default AWS SDK credential chain. Set up your credentials using one of these methods:

Option A: AWS CLI configuration

aws configure

Option B: Environment variables (access key)

export AWS_ACCESS_KEY_ID=your-access-key-id
export AWS_SECRET_ACCESS_KEY=your-secret-access-key
export AWS_SESSION_TOKEN=your-session-token

Option C: Environment variables (SSO profile)

aws sso login --profile=<your-profile-name>

export AWS_PROFILE=your-profile-name

Option D: AWS Management Console credentials

aws login

Learn more about aws login.

Option E: Bedrock API keys

export AWS_BEARER_TOKEN_BEDROCK=your-bedrock-api-key

Bedrock API keys provide a simpler authentication method without needing full AWS credentials. Learn more about Bedrock API keys.

Advanced credential configuration

Claude Code supports automatic credential refresh for AWS SSO and corporate identity providers. Add these settings to your Claude Code settings file (see Settings for file locations).

When Claude Code detects that your AWS credentials are expired (either locally based on their timestamp or when Bedrock returns a credential error), it will automatically run your configured awsAuthRefresh and/or awsCredentialExport commands to obtain new credentials before retrying the request.

Example configuration
{
  "awsAuthRefresh": "aws sso login --profile myprofile",
  "env": {
    "AWS_PROFILE": "myprofile"
  }
}
Configuration settings explained

awsAuthRefresh: Use this for commands that modify the .aws directory, such as updating credentials, SSO cache, or config files. The command's output is displayed to the user, but interactive input isn't supported. This works well for browser-based SSO flows where the CLI displays a URL or code and you complete authentication in the browser.

awsCredentialExport: Only use this if you can't modify .aws and must directly return credentials. Output is captured silently and not shown to the user. The command must output JSON in this format:

{
  "Credentials": {
    "AccessKeyId": "value",
    "SecretAccessKey": "value",
    "SessionToken": "value"
  }
}

3. Configure Claude Code

Set the following environment variables to enable Bedrock:

# Enable Bedrock integration
export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1  # or your preferred region

# Optional: Override the region for the small/fast model (Haiku)
export ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION=us-west-2

# Optional: Override the Bedrock endpoint URL for custom endpoints or gateways
# export ANTHROPIC_BEDROCK_BASE_URL=https://bedrock-runtime.us-east-1.amazonaws.com

When enabling Bedrock for Claude Code, keep the following in mind:

  • AWS_REGION is a required environment variable. Claude Code does not read from the .aws config file for this setting.
  • When using Bedrock, the /login and /logout commands are disabled since authentication is handled through AWS credentials.
  • You can use settings files for environment variables like AWS_PROFILE that you don't want to leak to other processes. See Settings for more information.

4. Pin model versions

Set these environment variables to specific Bedrock model IDs:

export ANTHROPIC_DEFAULT_OPUS_MODEL='us.anthropic.claude-opus-4-6-v1'
export ANTHROPIC_DEFAULT_SONNET_MODEL='us.anthropic.claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='us.anthropic.claude-haiku-4-5-20251001-v1:0'

These variables use cross-region inference profile IDs (with the us. prefix). If you use a different region prefix or application inference profiles, adjust accordingly. For current and legacy model IDs, see Models overview. See Model configuration for the full list of environment variables.

Claude Code uses these default models when no pinning variables are set:

Model type Default value
Primary model global.anthropic.claude-sonnet-4-6
Small/fast model us.anthropic.claude-haiku-4-5-20251001-v1:0

To customize models further, use one of these methods:

# Using inference profile ID
export ANTHROPIC_MODEL='global.anthropic.claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='us.anthropic.claude-haiku-4-5-20251001-v1:0'

# Using application inference profile ARN
export ANTHROPIC_MODEL='arn:aws:bedrock:us-east-2:your-account-id:application-inference-profile/your-model-id'

# Optional: Disable prompt caching if needed
export DISABLE_PROMPT_CACHING=1

Map each model version to an inference profile

The ANTHROPIC_DEFAULT_*_MODEL environment variables configure one inference profile per model family. If your organization needs to expose several versions of the same family in the /model picker, each routed to its own application inference profile ARN, use the modelOverrides setting in your settings file instead.

This example maps three Opus versions to distinct ARNs so users can switch between them without bypassing your organization's inference profiles:

{
  "modelOverrides": {
    "claude-opus-4-6": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-46-prod",
    "claude-opus-4-5-20251101": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-45-prod",
    "claude-opus-4-1-20250805": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-41-prod"
  }
}

When a user selects one of these versions in /model, Claude Code calls Bedrock with the mapped ARN. Versions without an override fall back to the built-in Bedrock model ID or any matching inference profile discovered at startup. See Override model IDs per version for details on how overrides interact with availableModels and other model settings.

IAM configuration

Create an IAM policy with the required permissions for Claude Code:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowModelAndInferenceProfileAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
        "bedrock:ListInferenceProfiles"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:inference-profile/*",
        "arn:aws:bedrock:*:*:application-inference-profile/*",
        "arn:aws:bedrock:*:*:foundation-model/*"
      ]
    },
    {
      "Sid": "AllowMarketplaceSubscription",
      "Effect": "Allow",
      "Action": [
        "aws-marketplace:ViewSubscriptions",
        "aws-marketplace:Subscribe"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:CalledViaLast": "bedrock.amazonaws.com"
        }
      }
    }
  ]
}

For more restrictive permissions, you can limit the Resource to specific inference profile ARNs.

For details, see Bedrock IAM documentation.

AWS Guardrails

Amazon Bedrock Guardrails let you implement content filtering for Claude Code. Create a Guardrail in the Amazon Bedrock console, publish a version, then add the Guardrail headers to your settings file. Enable Cross-Region inference on your Guardrail if you're using cross-region inference profiles.

Example configuration:

{
  "env": {
    "ANTHROPIC_CUSTOM_HEADERS": "X-Amzn-Bedrock-GuardrailIdentifier: your-guardrail-id\nX-Amzn-Bedrock-GuardrailVersion: 1"
  }
}

Troubleshooting

Authentication loop with SSO and corporate proxies

If browser tabs spawn repeatedly when using AWS SSO, remove the awsAuthRefresh setting from your settings file. This can occur when corporate VPNs or TLS inspection proxies interrupt the SSO browser flow. Claude Code treats the interrupted connection as an authentication failure, re-runs awsAuthRefresh, and loops indefinitely.

If your network environment interferes with automatic browser-based SSO flows, use aws sso login manually before starting Claude Code instead of relying on awsAuthRefresh.

Region issues

If you encounter region issues:

  • Check model availability: aws bedrock list-inference-profiles --region your-region
  • Switch to a supported region: export AWS_REGION=us-east-1
  • Consider using inference profiles for cross-region access

If you receive an error "on-demand throughput isn’t supported":

Claude Code uses the Bedrock Invoke API and does not support the Converse API.

Additional resources