How Amazon Bedrock API keys work
The following image compares the default process to get credentials to the use of the Amazon Bedrock API key:

The leftmost flow in the diagram shows the default process of creating an identity in either AWS IAM Identity Center or IAM. With this process, you attach IAM policies to that identity to provide permissions to perform API operations and then generate general AWS credentials for that identity. You can then use the credentials to make API calls in AWS.
The blue nodes indicate two more flows that authenticate specifically to Amazon Bedrock. Both flows involve creating an Amazon Bedrock API key that you can use to authenticate when calling Amazon Bedrock actions. You can generate the following types of keys:
- Short-term key – A secure option that inherits the permissions and expiration time of your session (up to 12 hours). The short-term key is a pre-signed URL that uses AWS Signature Version 4.
- Long-term key – Recommended only for exploration of Amazon Bedrock. You can set the time after which the key expires. Generating a long-term key creates an IAM user for you behind the scenes, attaches the IAM policies that you select, and associates the key with that user. After you generate the key, you can use the IAM service to modify permissions for the IAM user.
Warning
We strongly recommend restricting the use of long-term keys to exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should review the following documentation:
- To learn about preferable alternatives to long-term keys, see Alternatives to long-term access keys in the IAM User Guide.
- To learn how to monitor long-term keys to prevent security breaches, see Manage access keys for IAM users in the IAM User Guide.
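The short-term key is described above as a SigV4 pre-signed URL limited to 12 hours. As an added example (not taken from the AWS documentation), the following Python function reads the standard SigV4 query parameters of such a URL to report which access key ID signed it and when it stops being valid, which is what you want to know when a key turns up in a log or a repository. It assumes you already have the key in its URL form (how the key string wraps the URL is not covered here); the function name, host and all sample values are constructed.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=12)  # short-term key ceiling stated above
REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
            "X-Amz-Expires", "X-Amz-Signature")

# Constructed sample: placeholder host, access key ID, token and signature.
SAMPLE_URL = (
    "https://bedrock.example.invalid/?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLE000000000%2F20250101%2Fus-east-1"
    "%2Fbedrock%2Faws4_request&X-Amz-Date=20250101T120000Z"
    "&X-Amz-Expires=43200&X-Amz-SignedHeaders=host"
    "&X-Amz-Security-Token=EXAMPLETOKEN&X-Amz-Signature=" + "0" * 64
)

def inspect_presigned(url, now=None):
    """Summarise the SigV4 query parameters of a presigned URL."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [p for p in REQUIRED if p not in q]
    if missing:
        raise ValueError(f"not a SigV4 presigned URL, missing {missing}")
    # Scope: <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    key_id, _day, region, service, _term = q["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    lifetime = timedelta(seconds=int(q["X-Amz-Expires"]))
    now = now or datetime.now(timezone.utc)
    return {
        "access_key_id": key_id,
        "region": region,
        "service": service,
        # ASIA-prefixed key IDs are temporary (STS) credentials.
        "temporary_credentials": key_id.startswith("ASIA"),
        "has_session_token": "X-Amz-Security-Token" in q,
        "signed_at": signed_at,
        # Upper bound only: the signing session may expire sooner.
        "expires_at": signed_at + lifetime,
        "expired": now >= signed_at + lifetime,
        "exceeds_12h": lifetime > MAX_LIFETIME,
    }

if __name__ == "__main__":
    for name, value in inspect_presigned(SAMPLE_URL).items():
        print(f"{name}: {value}")
```

The summary deliberately omits the signature and session token, so it can be pasted into an incident ticket without reproducing the credential.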