Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each designed for different use cases:
🟢 Short-term API Keys (Recommended)
- Duration: Up to 12 hours or remaining console session time
- Technology: Pre-signed URLs with AWS Signature Version 4
- Permissions: Inherit the same permissions as the generating identity
- Generation: Bedrock console, Python package aws-bedrock-token-generator
- Security: Lower risk due to short duration
🟡 Long-term API Keys (For development)
- Duration: From 1 day up to 365 days (or never expires)
- Association: Linked to specific IAM users
- Limit: Maximum 2 keys per IAM user
- Auto-policy: AmazonBedrockLimitedAccess automatically attached to user
- Security: Higher risk - requires regular rotation
🛠️ How to Generate Long-term API Keys
Prerequisites
- Existing IAM user
- Required IAM permissions:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:UpdateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ResetServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/username"
    }
  ]
}
```
🖥️ Method 1: AWS Console
- Navigate to IAM Console → Users
- Select the IAM user
- Security credentials tab
- API keys for Amazon Bedrock section → Generate API Key
- Configure expiration (1, 5, 30, 90, 365 days or custom) for a long-term API key
- IMPORTANT! Download/copy the key immediately - you cannot retrieve it later
⌨️ Method 2: AWS CLI
To generate an Amazon Bedrock long-term API key using the AWS CLI, follow the steps in "Generating a long-term API Key for Amazon Bedrock (AWS CLI)".
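Long-term keys are IAM service-specific credentials, so the regular rotation they require can be checked from the metadata that `iam:ListServiceSpecificCredentials` returns. The following is an added example, not code from the original post: the function names, the 90-day threshold and the sample records are assumptions, and `bedrock.amazonaws.com` is the IAM service name these credentials are created under.

```python
from datetime import datetime, timedelta, timezone

BEDROCK_SERVICE = "bedrock.amazonaws.com"  # IAM service name for Bedrock API keys
MAX_KEYS_PER_USER = 2                      # limit stated in this post

def audit_bedrock_keys(credentials, max_age_days=90, now=None):
    """Flag long-term Bedrock API keys that need attention.

    `credentials` is the "ServiceSpecificCredentials" list returned by IAM
    ListServiceSpecificCredentials (metadata only, never the secret).
    The 90-day default is an assumed rotation policy, not an AWS rule.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    findings, keys_per_user = [], {}
    for cred in credentials:
        if cred.get("ServiceName") != BEDROCK_SERVICE:
            continue  # other services (e.g. CodeCommit) share this IAM API
        user, key_id = cred["UserName"], cred["ServiceSpecificCredentialId"]
        keys_per_user[user] = keys_per_user.get(user, 0) + 1
        if cred["Status"] != "Active":
            findings.append((user, key_id, "inactive key still present"))
        elif cred["CreateDate"] < cutoff:
            age = (now - cred["CreateDate"]).days
            findings.append((user, key_id, f"active for {age} days, rotate"))
    for user, count in keys_per_user.items():
        if count >= MAX_KEYS_PER_USER:
            findings.append((user, None, "at key limit, no free slot to rotate into"))
    return findings

def fetch_credentials(user_name):
    """Live lookup; needs boto3 and iam:ListServiceSpecificCredentials."""
    import boto3
    resp = boto3.client("iam").list_service_specific_credentials(
        UserName=user_name, ServiceName=BEDROCK_SERVICE)
    return resp["ServiceSpecificCredentials"]

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample metadata (user names and key IDs are made up).
SAMPLE = [
    {"UserName": "alice", "ServiceSpecificCredentialId": "ACCAEXAMPLE0001",
     "ServiceName": BEDROCK_SERVICE, "Status": "Active", "CreateDate": _utc(2025, 1, 1)},
    {"UserName": "alice", "ServiceSpecificCredentialId": "ACCAEXAMPLE0002",
     "ServiceName": BEDROCK_SERVICE, "Status": "Active", "CreateDate": _utc(2025, 6, 20)},
    {"UserName": "bob", "ServiceSpecificCredentialId": "ACCAEXAMPLE0003",
     "ServiceName": BEDROCK_SERVICE, "Status": "Inactive", "CreateDate": _utc(2025, 5, 1)},
    {"UserName": "bob", "ServiceSpecificCredentialId": "ACCAEXAMPLE0004",
     "ServiceName": "codecommit.amazonaws.com", "Status": "Active", "CreateDate": _utc(2024, 1, 1)},
]
```

For a live check, pass the result of `fetch_credentials("some-user")` to `audit_bedrock_keys` instead of `SAMPLE`.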
💻 Code Implementation
🌐 Environment Variable Setup
```bash
# Set as environment variable
export AWS_BEARER_TOKEN_BEDROCK=your-api-key-here
```

```python
# Or use in applications
import os
api_key = os.getenv('AWS_BEARER_TOKEN_BEDROCK')
```

```python
import os
import requests

# Read the key from the environment instead of hard-coding it in source
api_key = os.environ["AWS_BEARER_TOKEN_BEDROCK"]

# Configuration
url = "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-sonnet-20240229-v1:0/invoke"
payload = {
    "messages": [
        {
            "role": "user",
            "content": [{"type": "text", "text": "Hello, Bedrock!"}]
        }
    ],
    "max_tokens": 1000,
    "anthropic_version": "bedrock-2023-05-31"
}
headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {api_key}"
}

# Send the request; fail on HTTP errors rather than printing an error body
response = requests.post(url, json=payload, headers=headers, timeout=30)
response.raise_for_status()
print(response.json())
```
Use Amazon Bedrock API in your favorite SDK.
🎯 When to Use Each Type?
Scenario | Recommendation |
---|---|
Production applications | Short-term API keys |
Development/Testing | Long-term API keys |
CI/CD Pipelines | Short-term API keys |
Personal scripts | Long-term API keys |
Enterprise applications | Short-term + automatic rotation |
📊 Key Benefits
✅ Simplified Authentication - No complex signature calculations
✅ Flexible Duration - Choose expiration that fits your needs
✅ Enhanced Security - Service-specific credentials limit scope
✅ Existing IAM Controls - Respects all current permissions
Have you tried the new API Keys yet? Share your experience in the comments! 🚀