Available on all plans.

Select AWS Assumed Role Authentication

Create a new virtual key on Portkey, select Bedrock as the provider and AWS Assumed Role as the authentication method.

Create an AWS Role for Portkey to Assume

This role you create will be used by Porktey to execute InvokeModel commands on Bedrock models in your AWS account. The setup process will establish a minimal-permission (“least privilege”) role and set it up to allow Porktey to assume this role.

Create a permission policy in your AWS account using the following JSON

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockConsole",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
        ],
      "Resource": "*"
    }
  ]
}

Create a new IAM role

Choose AWS account as the trusted entity type. If you set an external ID be sure to copy it, we will need it later.

Add the above policy to the role

Search for the policy you created above and add it to the role.

Configure Trust Relationship for the role

Once the role is created, open the role and navigate to the Trust relationships tab and click Edit trust policy. This is where you will add the Portkey AWS account as a trusted entity.

Portkey Account ARN
arn:aws:iam::299329113195:role/portkey-app

The above ARN only works for our hosted app.

To enable Assumed Role for AWS in your Portkey Enterprise deployment, please reach out to your Portkey representative or contact us on [email protected]. (Link to our Helm chart docs)

Paste the following JSON into the trust policy editor and click Update Trust Policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::299329113195:role/portkey-app"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
}
]
}

If you set an external ID, add it to the condition as shown below.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<Portkey Account ARN>"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
          "StringEquals": {
            "sts:ExternalId": "<your external ID>"
          }
        }
      }
    ]
}

Configure the virtual key with the role ARN

Once the role is created, copy the role ARN and paste it into the Bedrock integrations modal in Portkey along with the external ID if you set one and the AWS region you are using.

You’re all set! You can now use the virtual key to invoke Bedrock models.