Amazon Bedrock provides access to a range of foundation models for generative AI. Spice supports using Bedrock-hosted models by specifying the bedrock prefix in the from field and configuring the required parameters.
The following model IDs are supported:
amazon.nova-lite-v1:0amazon.nova-micro-v1:0amazon.nova-premier-v1:0amazon.nova-pro-v1:0Refer to the Amazon Bedrock documentation for details on available models and cross-region inference profiles.
To request support for a model, file a GitHub Issue or ask us on Discord.
fromSpecify the Bedrock model ID in the from field:
| Parameter | Description | Default |
|---|---|---|
aws_region | AWS region for Bedrock API requests. | - |
aws_access_key_id | AWS access key ID. If not provided, credentials will be loaded from environment variables or IAM roles. | - |
aws_secret_access_key | AWS secret access key. If not provided, credentials will be loaded from environment variables or IAM roles. | - |
aws_session_token | Session token (e.g. AWS_SESSION_TOKEN for AWS) for temporary credentials | - |
bedrock_guardrail_identifier | Identifier for the guardrail. See GuardrailConfiguration. Pattern: (([a-z0-9]+) | (arn:aws(-[^:]+)?:bedrock:[a-z0-9-]{1,20}:[0-9]{12}:guardrail/[a-z0-9]+)). Length: 0-2048. | - |
bedrock_guardrail_version | Guardrail version. Pattern: (([1-9][0-9]{0,7}) | (DRAFT)) | - |
bedrock_trace | Trace behavior for the guardrail. Valid values: enabled, disabled, . Default: . |
The following OpenAI-compatible parameters are supported and passed in the request payload:
maxTokenstemperaturetopPtopKstopSequencesSee Parameter Overrides for details.
If AWS credentials are not explicitly provided in the configuration, the connector will automatically load credentials from the following sources in order.
Environment Variables:
AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN (if using temporary credentials)Shared AWS Config/Credentials Files:
Config file: ~/.aws/config (Linux/Mac) or %UserProfile%\.aws\config (Windows)
Credentials file: ~/.aws/credentials (Linux/Mac) or %UserProfile%\.aws\credentials (Windows)
The AWS_PROFILE environment variable can be used to specify a named profile, otherwise the [default] profile is used.
Supports both static credentials and SSO sessions
Example credentials file:
:::tip To set up SSO authentication:
aws configure sso to configure a new SSO profileAWS_PROFILE=sso-profileaws sso login --profile sso-profile to start a new SSO session
:::AWS STS Web Identity Token Credentials:
The connector will try each source in order until valid credentials are found. If no valid credentials are found, an authentication error will be returned.
:::note[IAM Permissions]
Regardless of the credential source, the IAM role or user must have appropriate bedrock permissions (e.g., bedrock:InvokeModel) to access the model. If the Spicepod connects to multiple different AWS services, the permissions should cover all of them.
:::
The IAM role or user needs the following permissions to access DynamoDB tables:
| Permission | Purpose |
|---|---|
bedrock:InvokeModel | Required. Used to invoke the text model. |
bedrock:InvokeModelWithResponseStream | Required. Used to invoke the text model with streaming responses. |
enabled_fulldisabled| disabled |
ECS Container Credentials:
AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or AWS_CONTAINER_CREDENTIALS_FULL_URI which are automatically injected by ECS.AWS EC2 Instance Metadata Service (IMDSv2):