π»πͺπ¨π± Dev.to Linkedin GitHub Twitter Instagram Youtube
Linktr
Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each designed for different use cases:
π’ Short-term API Keys (Recommended)
- Duration: Up to 12 hours or remaining console session time
- Technology: Pre-signed URLs with AWS Signature Version 4
- Permissions: Inherit the same permissions as the generating identity
-
Generation: Bedrock console, Python package
aws-bedrock-token-generator
- Security: Lower risk due to short duration
π‘ Long-term API Keys (For development)
- Duration: From 1 day up to 365 days (or never expires)
- Association: Linked to specific IAM users
- Limit: Maximum 2 keys per IAM user
-
Auto-policy:
AmazonBedrockLimitedAccess
automatically attached to user - Security: Higher risk - requires regular rotation
π οΈ How to Generate Long-term API Keys
Prerequisites
- Existing IAM user
- Required IAM permissions:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:UpdateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ResetServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/username"
}
]
}
π₯οΈ Method 1: AWS Console
- Navigate to IAM Console β Users
- Select the IAM user
- Security credentials tab
- API keys for Amazon Bedrock section β Generate API Key
- Configure expiration (1, 5, 30, 90, 365 days or custom) - For long-term API key
- IMPORTANT! Download/copy the key immediately - you cannot retrieve it later
β¨οΈ Method 2: AWS CLI
To generate an Amazon Bedrock long-term API key using the AWS CLI, use Generating a long-term API Key for Amazon Bedrock (AWS CLI)steps.
π» Code Implementation
π Environment Variable Setup
# Set as environment variable
export AWS_BEARER_TOKEN_BEDROCK=your-api-key-here
# Or use in applications
import os
api_key = os.getenv('AWS_BEARER_TOKEN_BEDROCK')
import requests
# Configuration
url = "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-sonnet-20240229-v1:0/invoke"
payload = {
"messages": [
{
"role": "user",
"content": [{"type": "text", "text": "Hello, Bedrock!"}]
}
],
"max_tokens": 1000,
"anthropic_version": "bedrock-2023-05-31"
}
headers = {
"Content-Type": "application/json",
"Authorization": "Bearer YOUR_BEDROCK_API_KEY"
}
response = requests.post(url, json=payload, headers=headers)
print(response.json())
Use Amazon Bedrock API in your favorite SDK.
π― When to Use Each Type?
Scenario | Recommendation |
---|---|
Production applications | Short-term API keys |
Development/Testing | Long-term API keys |
CI/CD Pipelines | Short-term API keys |
Personal scripts | Long-term API keys |
Enterprise applications | Short-term + automatic rotation |
π Key Benefits
β
Simplified Authentication - No complex signature calculations
β
Flexible Duration - Choose expiration that fits your needs
β
Enhanced Security - Service-specific credentials limit scope
β
Existing IAM Controls - Respects all current permissions
Have you tried the new API Keys yet? Share your experience in the comments! π
Top comments (6)
Finally!
awesome news!!
great news!!!
Really appreciate how you broke down the differences - setting up short-term keys honestly looks way simpler now. Has anyone run into issues with key rotation or automating renewals yet?
Great summary thanks!
This is extremely impressive, the setup part with code and actual steps is exactly what I wish more AWS guides had