Connect Your Own AWS Bedrock Account

This guide explains how to configure "Bring Your Own Key" (BYOK) for AWS Bedrock. This allows our platform to utilize the Large Language Models (LLMs) hosted in your own AWS environment, ensuring that data processing and costs are governed by your specific AWS agreements.

Prerequisites

Before configuring the integration, ensure your AWS account meets the following requirements.

Supported AWS Regions

Your Knowledge Base must be located in the same region as the AWS models you intend to use. We currently support:

  • AWS US East (Ohio): us-east-2
  • AWS Europe (Frankfurt): eu-central-1
  • AWS Israel (Tel Aviv): il-central-1

Enable Model Access (First-Time Setup)

AWS Bedrock uses an "auto-enablement" workflow for third-party models. When a model is invoked for the first time, AWS attempts to automatically subscribe the account to that model. This requires aws-marketplace:Subscribe permissions.

The Cross-Account Role you will create for this integration will not have Marketplace permissions (for security reasons). Therefore, a user with Marketplace permissions must manually trigger this one-time activation before the integration can work.

  1. Log in to the AWS Console with Administrator permissions.

  2. Go to the Amazon Bedrock console.

  3. Select Playgrounds (Chat or Text) in the left menu.

  4. Select the model you intend to use.

  5. Submit a simple test prompt.

Exceptions (Non-Marketplace Models): Models from the following providers are not sold through AWS Marketplace and do not require this specific subscription step: Amazon (Titan), Meta (Llama), Mistral AI, DeepSeek, Qwen, and OpenAI.

Special Requirement for Anthropic Models

If you intend to use Anthropic Claude models, there is an additional requirement. Anthropic requires first-time customers to submit use case details before invoking a model.

How to submit: You can submit these details by selecting an Anthropic model from the Model catalog in the Amazon Bedrock console.

Scope: This must be done once per account or once at the organization's management account.

Inheritance: If the form is submitted at the root account level, it will be automatically inherited by other accounts in the same AWS Organization.

Reference: For more details on these requirements, please refer to the official AWS Bedrock Model Access Documentation.

Generate Configuration in Progress Agentic RAG

  1. Log in to Progress Agentic RAG and navigate to Manage Account > Models > AWS Bedrock Integration.

  2. Select Set up integration.

  3. The UI will generate two critical values. Keep this tab open; you will need them for the next step:

    • Account ID: 123456789012 (The account that will assume your role)

    • External ID: 54dcc7-YOUR-UNIQUE-ID (A unique security identifier)

Create the Cross-Account IAM Role

  1. Open the AWS IAM Console in a new tab.

  2. Go to Roles > Create role.

  3. Select Trusted Entity:

    • Choose AWS account.

    • Select Another AWS account.

    • Account ID: Paste the Account ID provided in Step 1.

  4. Options:

    • Check Require external ID.

    • External ID: Paste the External ID provided in Step 1.

  5. Click Next.

  6. Add Permissions: Skip this for now (we will create a custom policy in the next step). Click Next.

  7. Name, Review, and Create:

    • Role name: You must name the role: NucliaBedrockAccessRole.

    • Click Create role.
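
The console steps above produce a trust policy that names the platform account as principal and requires the External ID. The following check is an added example, not Progress or AWS code; it audits a trust policy document (for instance, one exported from the role's Trust relationships tab) against the two values from the UI. The function name and the weak sample policy are constructed for illustration.

```python
# Added example: audits a role trust policy for the cross-account setup above.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, platform_account_id, external_id):
    """Return a list of findings; an empty list means the policy matches the setup."""
    findings = []
    accepted = {platform_account_id, f"arn:aws:iam::{platform_account_id}:root"}
    allows = [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for st in allows:
        principal = st.get("Principal")
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        for p in aws:
            if p not in accepted:
                findings.append(f"unexpected principal: {p}")
        if "sts:AssumeRole" not in _as_list(st.get("Action", [])):
            findings.append("statement does not grant sts:AssumeRole")
        # Simplification: expects a single string value under StringEquals.
        condition = st.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or different")
    return findings

ACCOUNT_ID = "123456789012"            # placeholder Account ID shown on this page
EXTERNAL_ID = "54dcc7-YOUR-UNIQUE-ID"  # placeholder External ID shown on this page

# Shape the console produces for "Another AWS account" + "Require external ID".
EXPECTED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
# Constructed weak variant: external ID not required, any AWS principal trusted.
WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(audit_trust_policy(EXPECTED, ACCOUNT_ID, EXTERNAL_ID))
    for finding in audit_trust_policy(WEAK, ACCOUNT_ID, EXTERNAL_ID):
        print("finding:", finding)
```

A non-empty result for the role you created corresponds to the sts:AssumeRole error listed under Common Troubleshooting.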

Attach Permissions Policy

To allow us to invoke models, you must attach a permission policy. Choose one of the options below based on your internal security requirements.

Option A: Standard Policy (Recommended)

Best for: Ease of use and low maintenance. Automatically supports new models (e.g., Claude 4) when they are released.

  1. In the IAM Console, click on the role you just created.

  2. Click the Add permissions dropdown > Create inline policy.

  3. Select JSON and paste the following:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBedrockInvocation",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*",
        "arn:aws:bedrock:*:*:inference-profile/*"
      ]
    }
  ]
}

Option B: Restricted Policy (Advanced)

Best for: Strict compliance requirements. You must manually update this policy every time you want to use a new model.

  1. In the IAM Console, click on the role you just created.

  2. Click the Add permissions dropdown > Create inline policy.

  3. Follow the steps above but use this JSON structure. You must explicitly list the ARNs for the specific models you want to allow. If a model can only be used through a cross-region inference endpoint, the IAM policy needs to include the ARN of the endpoint and the ARNs of the foundational models that are used by the cross-region inference endpoint.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowSpecificModels",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:us-east-2:123456789:inference-profile/us.anthropic.claude-3-5-sonnet-20240620-v1:0",
        "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
        "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
        "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0"
      ]
    }
  ]
}

In this example, the first Resource entry is the cross-region inference ARN and the remaining three are foundational model ARNs. IAM policy JSON does not accept comments, so keep annotations out of the pasted policy.

NOTE: Some models can be invoked directly without using a cross-region inference endpoint. For that use case, your policy should only include the ARN for the foundational model that you want to use.
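
To see what each option grants before attaching it, the sketch below (an added example, not Progress or AWS code) evaluates a policy's Resource patterns against the ARNs a cross-region call needs and reports the ones a restricted policy leaves out. The account ID, model ID and routing regions are constructed placeholders, the "<geo>.<model id>" profile naming is an assumption, and the matcher covers Allow statements only.

```python
import re

INVOKE_ACTIONS = ("bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value):
    # IAM wildcards: "*" matches any run of characters, "?" exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None

def is_allowed(policy, action, resource):
    """Simplified check: Allow statements only (no Deny, Condition or NotResource)."""
    for st in _as_list(policy["Statement"]):
        if (st.get("Effect") == "Allow"
                and any(_iam_match(a, action) for a in _as_list(st["Action"]))
                and any(_iam_match(r, resource) for r in _as_list(st["Resource"]))):
            return True
    return False

def required_arns(profile_arn, regions):
    """The profile ARN plus the foundation-model ARN in every region it routes to."""
    profile_id = profile_arn.split("inference-profile/", 1)[1]
    model_id = profile_id.split(".", 1)[1]  # assumption: profile id is "<geo>.<model id>"
    return [profile_arn] + [f"arn:aws:bedrock:{r}::foundation-model/{model_id}" for r in regions]

def missing_arns(policy, profile_arn, regions):
    """ARNs the call needs that the policy does not allow for both invoke actions."""
    return [arn for arn in required_arns(profile_arn, regions)
            if not all(is_allowed(policy, a, arn) for a in INVOKE_ACTIONS)]

def policy_for(resources):
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": list(INVOKE_ACTIONS), "Resource": resources}]}

# Constructed sample values: placeholder account, model id and routing regions.
REGIONS = ["us-east-1", "us-east-2", "us-west-2"]
PROFILE = "arn:aws:bedrock:us-east-2:111122223333:inference-profile/us.example.model-v1:0"
OPTION_A = policy_for(["arn:aws:bedrock:*::foundation-model/*",
                       "arn:aws:bedrock:*:*:inference-profile/*"])
# Option B written with two model ARNs and without the profile ARN.
OPTION_B_INCOMPLETE = policy_for(
    [f"arn:aws:bedrock:{r}::foundation-model/example.model-v1:0" for r in REGIONS[:2]])

if __name__ == "__main__":
    print(missing_arns(OPTION_A, PROFILE, REGIONS))
    print(missing_arns(OPTION_B_INCOMPLETE, PROFILE, REGIONS))
```

Option A reports nothing missing because its wildcards cover every model and profile; the incomplete Option B reports the profile ARN and the unlisted region, which are the entries to add.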

Finalize Connection

  1. Copy the Role ARN of the role you just created (it looks like arn:aws:iam::123456789:role/NucliaBedrockAccessRole).

  2. Return to the Progress Agentic RAG configuration tab.

  3. Paste the Role ARN into the input field.

  4. Click Connect & Verify.

Common Troubleshooting

| Error Message | Likely Cause | Solution |
|---|---|---|
| User is not authorized to perform: sts:AssumeRole | The Trust Policy is wrong. | Check that the External ID and the Account ID in your role match exactly what is shown in our UI. |
| Access Denied (Marketplace) | You have not subscribed to the model. | Go to AWS Bedrock > Model Access and ensure the model status is "Access Granted." |
| Resource Not Found (Inference Profile) | You are using a Restricted Policy (Option B) but missed the inference profile ARN. | Switch to Option A (Standard Policy) or find the specific Inference Profile ARN in the Bedrock API to add to your policy. |