Amazon Bedrock provides access to a range of foundation models for generative AI. Spice supports using Bedrock-hosted models by specifying the bedrock prefix in the from field and configuring the required parameters.
The following model IDs are supported:
- `amazon.nova-lite-v1:0`
- `amazon.nova-micro-v1:0`
- `amazon.nova-premier-v1:0`
- `amazon.nova-pro-v1:0`

Refer to the Amazon Bedrock documentation for details on available models and cross-region inference profiles.
To request support for a model, file a GitHub Issue or ask us on Slack.
`from`

Specify the Bedrock model ID in the `from` field:
| Parameter | Description | Default |
|---|---|---|
| `aws_region` | AWS region for Bedrock API requests. | - |
| `aws_access_key_id` | AWS access key ID. If not provided, credentials will be loaded from environment variables or IAM roles. | - |
| `aws_secret_access_key` | AWS secret access key. If not provided, credentials will be loaded from environment variables or IAM roles. | - |
| `aws_session_token` | Session token (e.g. `AWS_SESSION_TOKEN` for AWS) for temporary credentials. | - |
| `bedrock_guardrail_identifier` | Identifier for the guardrail. See GuardrailConfiguration. Pattern: `(([a-z0-9]+)\|(arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:[0-9]{12}:guardrail/[a-z0-9]+))`. Length: 0-2048. | - |
| `bedrock_guardrail_version` | Guardrail version. Pattern: `(([1-9][0-9]{0,7})\|(DRAFT))`. | - |
| `bedrock_trace` | Trace behavior for the guardrail. Valid values: `enabled`, `disabled`, `enabled_full`. Default: `disabled`. | `disabled` |
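
A pre-deployment check over the parameters in the table above, added here as an example and not part of Spice's own code. The function name, finding labels and sample values are made up for illustration; the key-prefix and guardrail-pairing checks rest on AWS conventions, not on anything this page states.

```python
import re

# Patterns and values as given in the parameter table on this page.
GUARDRAIL_ID = re.compile(
    r"(([a-z0-9]+)|(arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:[0-9]{12}:guardrail/[a-z0-9]+))"
)
GUARDRAIL_VERSION = re.compile(r"(([1-9][0-9]{0,7})|(DRAFT))")
TRACE_VALUES = {"enabled", "disabled", "enabled_full"}

def lint_bedrock_params(params):
    """Return finding labels (hypothetical names) for a dict of model params."""
    findings = []
    gid = str(params.get("bedrock_guardrail_identifier", ""))
    gver = str(params.get("bedrock_guardrail_version", ""))
    trace = str(params.get("bedrock_trace", ""))
    if gid and (len(gid) > 2048 or not GUARDRAIL_ID.fullmatch(gid)):
        findings.append("guardrail-id-pattern")
    if gver and not GUARDRAIL_VERSION.fullmatch(gver):
        findings.append("guardrail-version-pattern")
    # Assumption: AWS needs identifier and version together, so a lone value is flagged.
    if bool(gid) != bool(gver):
        findings.append("guardrail-incomplete")
    # DRAFT is the editable working copy; a numbered version is a fixed snapshot.
    if gver == "DRAFT":
        findings.append("guardrail-draft-unpinned")
    if trace and trace not in TRACE_VALUES:
        findings.append("trace-invalid")

    key = str(params.get("aws_access_key_id", ""))
    secret = str(params.get("aws_secret_access_key", ""))
    token = str(params.get("aws_session_token", ""))
    if bool(key) != bool(secret):
        findings.append("credentials-incomplete")
    # Temporary STS keys start with ASIA and are unusable without the session token.
    if key.startswith("ASIA") and not token:
        findings.append("session-token-missing")
    # Long-lived IAM user keys start with AKIA; the credential chain avoids storing them.
    if key.startswith("AKIA"):
        findings.append("long-lived-key-inline")
    return findings

# Constructed sample: uppercase guardrail id in the ARN, unpinned version, invalid trace value.
SAMPLE = {
    "bedrock_guardrail_identifier": "arn:aws:bedrock:us-east-1:123456789012:guardrail/ABC123",
    "bedrock_guardrail_version": "DRAFT",
    "bedrock_trace": "full",
    "aws_access_key_id": "ASIAEXAMPLEEXAMPLE00",
    "aws_secret_access_key": "constructed-not-a-real-secret",
}
print(lint_bedrock_params(SAMPLE))
```
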
The following OpenAI-compatible parameters are supported and passed in the request payload:
- `maxTokens`
- `temperature`
- `topP`
- `topK`
- `stopSequences`

See Parameter Overrides for details.
These parameters control model behavior and are passed in the request payload:
| Parameter | Description |
|---|---|
| `maxTokens` | Maximum number of tokens to generate. |
| `temperature` | Sampling temperature (0.0 to 1.0). Lower is more deterministic. |
| `topP` | Nucleus sampling probability (0.0 to 1.0). |
| `topK` | Number of highest probability tokens to consider. |
| `stopSequences` | Sequences that stop generation when encountered. |
See Parameter Overrides for details on setting default values.
If AWS credentials are not explicitly provided in the configuration, the connector will automatically load credentials from the following sources in order.
Environment Variables:

- `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
- `AWS_SESSION_TOKEN` (if using temporary credentials)

Shared AWS Config/Credentials Files:

- Config file: `~/.aws/config` (Linux/Mac) or `%UserProfile%\.aws\config` (Windows)
- Credentials file: `~/.aws/credentials` (Linux/Mac) or `%UserProfile%\.aws\credentials` (Windows)
- The `AWS_PROFILE` environment variable can be used to specify a named profile; otherwise the `[default]` profile is used.
- Supports both static credentials and SSO sessions.
- Example credentials file:

:::tip To set up SSO authentication:

- Run `aws configure sso` to configure a new SSO profile
- Set `AWS_PROFILE=sso-profile`
- Run `aws sso login --profile sso-profile` to start a new SSO session

:::

AWS STS Web Identity Token Credentials:
The connector will try each source in order until valid credentials are found. If no valid credentials are found, an authentication error will be returned.
:::note[IAM Permissions]
Regardless of the credential source, the IAM role or user must have appropriate bedrock permissions (e.g., bedrock:InvokeModel) to access the model. If the Spicepod connects to multiple different AWS services, the permissions should cover all of them.
:::
The IAM role or user needs the following permissions to invoke Bedrock models:
| Permission | Purpose |
|---|---|
| `bedrock:InvokeModel` | Required. Used to invoke the text model. |
| `bedrock:InvokeModelWithResponseStream` | Required. Used to invoke the text model with streaming responses. |
ECS Container Credentials:

- `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI` or `AWS_CONTAINER_CREDENTIALS_FULL_URI`, which are automatically injected by ECS.

AWS EC2 Instance Metadata Service (IMDSv2):