Skip to main content

Documentation Index

Fetch the complete documentation index at: https://claude.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

This page walks an IT administrator through a complete Amazon Bedrock deployment: enabling Claude in your AWS account, choosing the authentication path that fits your organization, preparing devices, and pushing the managed configuration. If you only need the list of configuration keys, skip to Configure the app.

Choose an authentication approach

Bedrock supports several ways to authenticate, and the right one depends on whether your end users already work with AWS and whether you need per-user identity in CloudTrail. Use the table below to pick a path before doing any AWS or device setup.
ScenarioUsePer-device prerequisitePer-user CloudTrail identityNotes
Proof of concept, single teamBearer token (inferenceBedrockBearerToken)NoneNo (shared key)A long-lived secret distributed in the managed profile. Simplest to start; not recommended for broad rollout.
Broad rollout to users without AWS toolingIn-app AWS sign-in (inferenceBedrockSso*)NoneYesUsers sign in through IAM Identity Center inside the app. No AWS CLI required. Requires app version 1.6.0 or later.
Developers who already use the AWS CLINamed profile (inferenceBedrockProfile)AWS CLI v2 and a pushed ~/.aws/configYesIT can distribute the AWS config file directly; users run aws sso login to refresh.
You already operate an LLM proxyGateway provider instead of BedrockNoneAt your gatewayThe proxy holds the AWS credentials; the app authenticates only to the proxy.
If a static credential in the managed profile is acceptable but a Bedrock API key is not, you can also set inferenceCredentialHelper to an executable that prints a Bedrock bearer token to stdout at runtime. When more than one credential is configured, the app uses the first one present in this order: bearer token, named profile, in-app AWS sign-in, credential helper.

Set up AWS

These steps are performed once per AWS organization, regardless of which authentication approach you chose. You need an AWS account with permission to manage Bedrock model access and IAM Identity Center.
1

Enable Claude models in Bedrock

In the Amazon Bedrock console, open Model access and request access to the Claude models you intend to deploy. Access is granted per region, so enable the models in the same region you will set as inferenceBedrockRegion.
2

Create an IAM Identity Center permission set

Skip this step if you chose the bearer-token approach. The named-profile and in-app AWS sign-in approaches both use IAM Identity Center to issue per-user AWS credentials.In the IAM Identity Center console, create a permission set with an inline policy that allows Bedrock inference. The minimal policy is:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "bedrock:InvokeModel",
      "bedrock:InvokeModelWithResponseStream"
    ],
    "Resource": "*"
  }]
}
Set the permission set’s Session duration to between 8 and 12 hours. This value controls how long a user can run Cowork before needing to sign in to AWS again.
3

Federate Identity Center to your IdP (optional)

If your organization uses Microsoft Entra ID, Okta, or another SAML identity provider, you can configure it as the identity source for IAM Identity Center so users sign in with their existing corporate credentials. The per-device steps on this page are unchanged. See Connect to an external identity provider in the AWS documentation.
4

Assign users to the permission set

In IAM Identity Center, assign the permission set to the AWS account that hosts Bedrock, and add the users or groups who should have access.
5

Record the values you need for device configuration

From the IAM Identity Center Settings page, note:
  • AWS access portal URL: of the form https://d-xxxxxxxxxx.awsapps.com/start (or your custom subdomain)
  • Identity Center region: the region where Identity Center is enabled, which may differ from your Bedrock region
  • AWS account ID: the 12-digit ID of the account where you enabled Bedrock
  • Permission set name: the name you gave the permission set above

Prepare devices

What each end-user device needs depends on the authentication approach you chose.

In-app AWS sign-in

No per-device preparation is required. Distribute the four inferenceBedrockSso* keys in the managed configuration; the app shows a Sign in with AWS page on first launch, runs the IAM Identity Center device-authorization flow in the system browser, and stores the resulting token encrypted with the operating system’s secure storage. See Sign in with AWS for Amazon Bedrock for the full flow.

Bearer token

No per-device preparation is required. In the Amazon Bedrock console, generate an API key. The key’s underlying IAM principal must be allowed the bedrock:CallWithBearerToken action; without it, requests return an authorization error even though the key was created. You will place the key in the managed configuration in the next section.

Named profile

Each device needs AWS CLI v2 installed and an AWS config file that defines the named profile. You do not need users to run aws configure sso interactively. That command is a wizard that writes a profile stanza to ~/.aws/config (macOS) or %USERPROFILE%\.aws\config (Windows), and you can distribute that file directly through your device-management tooling instead. A profile that uses IAM Identity Center looks like: 
[profile claude-cowork]
sso_session = corp
sso_account_id = 123456789012
sso_role_name = ClaudeCoworkAccess
region = us-west-2

[sso-session corp]
sso_start_url = https://d-xxxxxxxxxx.awsapps.com/start
sso_region = us-east-1
sso_registration_scopes = sso:account:access
The recurring action for users is aws sso login --profile claude-cowork, which opens a browser for IAM Identity Center sign-in and caches a token under ~/.aws/sso/cache/. To remove that manual step, some organizations deploy a launcher that runs aws sts get-caller-identity as a probe, falls back to aws sso login if it fails, and then opens Claude. If your AWS configuration files are not at the default location, set inferenceBedrockAwsDir to the directory that contains them.

Configure the app

With AWS set up and devices prepared, open the in-app configuration window (Developer → Configure third-party inference) on an evaluation device. In the Connection section, set Inference provider to Bedrock and fill in the Bedrock credentials card with the values for whichever authentication approach you chose:
FieldBearer tokenIn-app AWS sign-inNamed profile
AWS regione.g. us-west-2e.g. us-west-2e.g. us-west-2
AWS bearer tokenyour Bedrock API keyleave emptyleave empty
Bedrock base URLoptionaloptionaloptional
AWS profile nameleave emptyleave emptyclaude-cowork
AWS config directoryleave emptyleave emptyonly if not ~/.aws
AWS SSO start URLleave emptyhttps://d-xxxxxxxxxx.awsapps.com/startleave empty
AWS SSO regionleave emptye.g. us-east-1leave empty
AWS SSO account IDleave empty123456789012leave empty
AWS SSO role nameleave emptyBedrockInferenceleave empty
Bedrock service tieroptionaloptionaloptional
Under Identity & models, add a Model list entry using the Bedrock inference-profile ID (required for profile or SSO auth; optional for bearer-token auth, which auto-discovers), for example us.anthropic.claude-sonnet-4-20250514-v1:0. Then click Export to produce a .mobileconfig (macOS) or .reg (Windows) file for your MDM. See Installation and setup for the export and deployment workflow.

Configuration keys

The full set of Bedrock keys is below. Set inferenceProvider to bedrock, supply a region, and provide exactly one credential source.
SettingRequiredDescription
AWS region
inferenceBedrockRegion		YesAWS region for the Bedrock runtime endpoint, for example us-west-2 or us-gov-west-1.
AWS bearer token
inferenceBedrockBearerToken		One credential sourceBedrock API key generated from the Amazon Bedrock console.
AWS profile name
inferenceBedrockProfile		One credential sourceAWS named profile from the device’s AWS config and credentials files.
AWS SSO start URL
inferenceBedrockSsoStartUrl		One credential sourceAWS access portal URL. Enables in-app AWS sign-in (no AWS CLI needed). Set with the three SSO fields below. Ignored when a bearer token or profile is set.
AWS SSO region
inferenceBedrockSsoRegion		One credential sourceIAM Identity Center home region.
AWS SSO account ID
inferenceBedrockSsoAccountId		One credential source12-digit AWS account ID assigned to users in IAM Identity Center.
AWS SSO role name
inferenceBedrockSsoRoleName		One credential sourceIAM Identity Center permission-set name granting bedrock:InvokeModel* on the account above.
AWS config directory
inferenceBedrockAwsDir		NoAbsolute path to the directory containing the AWS config and credentials files, if not the default ~/.aws.
Bedrock base URL
inferenceBedrockBaseUrl		NoOverride the public regional endpoint, for example with a PrivateLink VPC interface endpoint. Must be https://.
Bedrock service tier
inferenceBedrockServiceTier		NoOne of flex or priority. Sent as the X-Amzn-Bedrock-Service-Tier header on every inference request. Leave unset for the default on-demand tier. Tier availability varies by model and region; reserved capacity uses a provisioned-throughput ARN as the model ID instead.
Set inferenceModels to a list of Bedrock inference-profile IDs, for example us.anthropic.claude-sonnet-4-20250514-v1:0. When using a bearer token, Cowork auto-discovers available Claude models from your account if this is unset; for profile or SSO authentication, the list is required. Application-inference-profile ARNs and provisioned-throughput ARNs are also accepted; pair them with a labelOverride so the picker shows a readable name instead of the raw ARN. See the Configuration reference.

What users experience

The first-launch and re-authentication behavior depends on the authentication approach.
ApproachFirst launchRe-authentication
Bearer tokenCowork opens directly; no user action.Never, until you rotate the key in the managed profile.
In-app AWS sign-inCowork shows a Sign in with AWS page; the user approves in the browser.When the IAM Identity Center access portal session expires (defaults to 8 hours; configurable up to 90 days). The app prompts in-app; no terminal needed.
Named profileCowork opens directly if the AWS SSO cache is fresh. If not, the first request fails and the user must run aws sso login in a terminal.When the IAM Identity Center session expires (the permission set’s session duration).
When a named-profile session has expired, requests fail with ExpiredTokenException from AWS, and the user runs aws sso login again.

Troubleshoot

To confirm which keys the app read and whether credentials validated, use Help → Troubleshooting → Copy Managed Configuration Report; see Verifying the deployment for that workflow and the common causes when the app does not enter 3P mode. Application log locations are listed in Data storage and residency.