Generate an Amazon Bedrock API key

You can generate an Amazon Bedrock API key using either the AWS Management Console or the AWS API. We recommend that you use the AWS Management Console, which lets you generate an Amazon Bedrock API key in a few steps.

Generate an Amazon Bedrock API key using the console

To generate an Amazon Bedrock API key using the console, do the following:

  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, select API keys.

  3. Generate one of the following types of keys:

    • Short-term API key – In the Short-term API keys tab, choose Generate short-term API keys. The key expires when your console session expires (and no longer than 12 hours) and lets you make calls to the AWS Region that you generated it from. You can modify the Region directly in the generated key.

    • Long-term API key – In the Long-term API keys tab, choose Generate long-term API keys.

      1. In the API key expiration section, choose a time after which the key will expire.

      2. (Optional) By default, the AmazonBedrockLimitedAccess AWS-managed policy, which grants access to core Amazon Bedrock API operations, is attached to the IAM user associated with the key. To select more policies to attach to the user, expand the Advanced permissions section and select the policies that you want to add.

      3. Choose Generate.

      Warning

      We strongly recommend restricting the use of long-term keys to exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should review the following documentation:

Generate an Amazon Bedrock API key using the API

We recommend that you use the AWS Management Console to generate Amazon Bedrock API keys for an easy experience. However, you can also generate keys through the API. Expand the section that corresponds to your use case.

The general steps for creating a long-term Amazon Bedrock API key in the API are as follows:

  1. Create an IAM user by sending a CreateUser request with an IAM endpoint.

  2. Attach the AmazonBedrockLimitedAccess policy to the IAM user by sending an AttachUserPolicy request with an IAM endpoint. You can repeat this step to attach other managed or custom policies as necessary to the user.

    Note

    As a best security practice, we strongly recommend that you attach IAM policies to the IAM user to restrict the use of Amazon Bedrock API keys. For examples of time-bounding policies and restricting the IP addresses that can use the key, see Control the use of access keys by attaching an inline policy to an IAM user.

  3. Generate the long-term Amazon Bedrock API key by sending a CreateServiceSpecificCredential request with an IAM endpoint and specifying bedrock.amazonaws.com as the ServiceName.

    • The ServiceApiKeyValue returned in the response is your long-term Amazon Bedrock API key.

    • The ServiceSpecificCredentialId returned in the response can be used to carry out API operations related to the key.
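
The note in step 2 recommends an inline policy that time-bounds the key and restricts the IP addresses that can use it. The following Python is an added example, not code from the original page or from AWS: it builds such a policy and attaches it with the IAM PutUserPolicy operation. The function names, the policy name BedrockApiKeyRestrictions, the use of bedrock:* in the Deny statements, and the sample date and CIDR range are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone
from ipaddress import ip_network


def build_key_restriction_policy(not_after, allowed_cidrs):
    """Inline policy denying Amazon Bedrock actions after `not_after`
    or from any address outside `allowed_cidrs`."""
    if not_after.tzinfo is None:
        raise ValueError("not_after must be timezone-aware")
    if not allowed_cidrs:
        raise ValueError("allowed_cidrs must not be empty")
    # ip_network() rejects malformed ranges and ranges with host bits set,
    # so a typo fails here rather than producing an unintended policy.
    cidrs = [str(ip_network(c)) for c in allowed_cidrs]
    cutoff = not_after.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    def deny(sid, condition):
        return {"Sid": sid, "Effect": "Deny", "Action": "bedrock:*",
                "Resource": "*", "Condition": condition}

    # Two statements on purpose: conditions inside one statement are ANDed,
    # which would deny only requests that are both late and off-network.
    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyAfterCutoff",
                 {"DateGreaterThan": {"aws:CurrentTime": cutoff}}),
            deny("DenyOutsideAllowedNetworks",
                 {"NotIpAddress": {"aws:SourceIp": cidrs}}),
        ],
    }


def attach_restriction(user_name, policy, policy_name="BedrockApiKeyRestrictions"):
    """Attach the policy inline to the IAM user that owns the API key."""
    import boto3  # imported lazily so the builder runs without AWS access
    boto3.client("iam").put_user_policy(
        UserName=user_name, PolicyName=policy_name,
        PolicyDocument=json.dumps(policy))


if __name__ == "__main__":
    # Constructed sample values: a documentation CIDR range and an arbitrary date
    print(json.dumps(build_key_restriction_policy(
        datetime(2030, 1, 1, tzinfo=timezone.utc), ["203.0.113.0/24"]), indent=2))
```

Because an explicit Deny overrides any Allow, these statements keep applying even if broader managed policies are later attached to the same IAM user.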

To learn how to generate a long-term Amazon Bedrock API key, choose the tab for your preferred method, and then follow the steps:

CLI

To create a long-term Amazon Bedrock API key, you use AWS Identity and Access Management API operations. First, make sure that you've fulfilled the prerequisite:

Prerequisite

Ensure that your setup allows the AWS CLI to automatically recognize your AWS credentials. To learn more, see Configuring settings for the AWS CLI.

Open a terminal and run the following commands:

  1. Create an IAM user. You can replace the name with one of your choice:

    aws iam create-user --user-name bedrock-api-user

  2. Attach the AmazonBedrockLimitedAccess policy to the user. You can repeat this step with the ARNs of any other AWS-managed or custom policies you want to add to the API key:

    aws iam attach-user-policy --user-name bedrock-api-user --policy-arn arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess

  3. Create the long-term Amazon Bedrock API key, replacing ${NUMBER-OF-DAYS} with the number of days for which you want the key to last:

    aws iam create-service-specific-credential \
        --user-name bedrock-api-user \
        --service-name bedrock.amazonaws.com \
        --credential-age-days ${NUMBER-OF-DAYS}

Python

To create a long-term Amazon Bedrock API key, you use AWS Identity and Access Management API operations. First, make sure that you've fulfilled the prerequisite:

Prerequisite

Ensure that your setup allows Python to automatically recognize your AWS credentials. To learn more, see Configuring settings for the AWS CLI.

Run the following script to create an IAM user, attach permissions to perform Amazon Bedrock actions, and generate a long-term Amazon Bedrock API key to associate with the user:

    import boto3

    # Replace with name for your IAM user
    username = "bedrock-api-user"

    # Add any AWS-managed or custom policies that you want to the user
    bedrock_policies = [
        "arn:aws:iam::aws:policy/AmazonBedrockLimitedAccess",  # Limited access
        # "arn:aws:iam::aws:policy/AmazonBedrockMarketplaceAccess",  # Optional: Access to Amazon Bedrock Marketplace actions
    ]

    # Set the key expiration time to a number of your choice
    expiration_time_in_days = 30

    iam_client = boto3.client("iam")

    # Create IAM user
    user = iam_client.create_user(UserName=username)

    # Attach policies to user
    for policy_arn in bedrock_policies:
        iam_client.attach_user_policy(UserName=username, PolicyArn=policy_arn)

    # Create long-term Amazon Bedrock API key and return it
    service_credentials = iam_client.create_service_specific_credential(
        UserName=username,
        ServiceName="bedrock.amazonaws.com",
        CredentialAgeDays=expiration_time_in_days
    )

    # The credential fields are nested under ServiceSpecificCredential in the response
    api_key = service_credentials["ServiceSpecificCredential"]["ServiceApiKeyValue"]
    print(api_key)

You can generate a short-term Amazon Bedrock API key that lasts as long as the session used to generate it (and no longer than 12 hours).

Prerequisites
  • Ensure that your setup allows Python to automatically recognize your AWS credentials. To learn more, see Configuring settings for the AWS CLI.

  • Open a terminal and download the Amazon Bedrock token generator with the command that corresponds to the SDK that you're using:

    • Python

      python3 -m pip install aws-bedrock-token-generator

    • JavaScript

      npm install @aws/bedrock-token-generator

  • Ensure that the IAM identity that you're using to make API calls minimally has permissions to assume a role and create a role session:

    • The IAM identity must have permissions to assume the role. If the identity has restricted permissions, you can attach the following identity-based policy to the identity (replace ${arn:aws:iam::111122223333:role/SessionRole} with the actual ARN of the role for the session):

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "${arn:aws:iam::111122223333:role/SessionRole}"
              }
          ]
      }

      For more information about granting an identity permissions to assume a role, see Grant a user permissions to switch roles.

    • The IAM role must have a trust policy that allows the IAM identity to assume it. You can attach the following trust policy to an IAM role to allow the principal specified in the Principal field to assume the role to create the key. This example specifies an IAM user as the principal. Replace it with the actual ARN of the user.

      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": "${arn:aws:iam::111122223333:user/UserId}"
                  },
                  "Action": "sts:AssumeRole"
              }
          ]
      }

      For more information about principals, see AWS JSON policy elements: Principal. To learn how to update a trust policy for a role, see Update a role trust policy.

Choose the tab that corresponds to the SDK that you're using and run the script to generate a short-term Amazon Bedrock API key from your session credentials:

Python

    from aws_bedrock_token_generator import BedrockTokenGenerator
    import boto3

    # Replace with a region of your choice
    region = "us-east-1"

    # Fetch credentials
    session = boto3.Session()
    credentials = session.get_credentials()

    # Initialize token generator
    generator = BedrockTokenGenerator()

    # Generate one-time token
    token = generator.get_token(credentials, region)

JavaScript

    import { BedrockTokenGenerator } from '@aws/bedrock-token-generator';
    import { fromNodeProviderChain } from '@aws-sdk/credential-providers';

    async function example() {
        // Set region
        const region = 'us-east-1';

        // Create token generator
        const generator = new BedrockTokenGenerator();

        // Get credentials from default provider chain
        const credentials = fromNodeProviderChain();

        // Generate token
        const token = await generator.generateToken(credentials, region);

        // Use the token for API calls (valid for 12 hours)
        console.log(`Bearer Token: ${token}`);
    }

Java

Maven import

    <dependency>
        <groupId>software.amazon.bedrock</groupId>
        <artifactId>aws-bedrock-token-generator</artifactId>
        <version>1.0.0</version>
    </dependency>

Gradle import

    implementation 'software.amazon.bedrock:aws-bedrock-token-generator:1.0.0'

Usage

    import software.amazon.bedrock.token.BedrockTokenGenerator;
    import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
    import software.amazon.awssdk.regions.Region;

    // Create token generator
    BedrockTokenGenerator tokenGenerator = new BedrockTokenGenerator();

    // Generate token using default credentials
    // Replace Region.US_EAST_1 with a Region of your choice
    String bearerToken = tokenGenerator.getToken(
        DefaultCredentialsProvider.create().resolveCredentials(),
        Region.US_EAST_1
    );

    // Use the token for API calls (valid for 12 hours)
    System.out.println("Bearer Token: " + bearerToken);

Note

The permissions of the short-term key will be the intersection of the following: