API keys
Amazon Bedrock API keys let you authenticate API requests using a bearer token instead of AWS credentials. There are two types:
-
Short-term – Lasts up to 12 hours (or the duration of your session, whichever is shorter). Inherits permissions from the IAM principal used to generate it. Recommended for production use.
-
Long-term – Lasts until a configured expiration date. Creates an IAM user with attached policies. Recommended only for exploration.
Note
All API calls are logged in AWS CloudTrail. API keys are passed as authorization headers and are not logged.
Generate a short-term API key
Choose the tab for your preferred method, and then follow the steps:
Generate a long-term API key
Warning
Long-term keys are for exploration only. For production, use short-term keys. For more information, see Alternatives to long-term access keys.
Choose the tab for your preferred method, and then follow the steps:
Use an API key
Set the key as an environment variable:
# macOS/Linux export AWS_BEARER_TOKEN_BEDROCK=${api-key}# Windows setx AWS_BEARER_TOKEN_BEDROCK "${api-key}"
Or pass it directly in the Authorization header:
Authorization: Bearer${api-key}
Example: Make a Converse request
choose the tab for your preferred method, and then follow the steps:
Auto-refresh short-term keys
For long-running applications, call the token generator before each request. It returns a cached token if still valid or generates a new one automatically:
For more examples, see the token generator documentation: Python
Modify permissions
A long-term API key is associated with an IAM user. To change its permissions, modify the policies attached to that user. See Adding and removing IAM identity permissions.
From the console: go to API keys > Long-term API keys > select your key > Manage in IAM Console.
Compromised keys
If a key is compromised, take one of the following actions:
| Action | Key type | How |
|---|---|---|
| Deactivate | Long-term | Console: API keys > select key > Actions > Deactivate. API: UpdateServiceSpecificCredential with Status=Inactive. |
| Reset | Long-term | Console: Actions > Reset key. API: ResetServiceSpecificCredential. |
| Delete | Long-term | Console: Actions > Delete. API: DeleteServiceSpecificCredential. |
| Invalidate session | Short-term | Invalidate the session used to generate the key, or attach an IAM policy that denies CallWithBearerToken (Deny an identity the ability to make calls with an Amazon Bedrock API key). |
Control who can generate and use API keys
IAM actions control API key generation and usage:
-
iam:CreateServiceSpecificCredential– Controls generation of long-term keys. Use theiam:ServiceSpecificCredentialAgeDayscondition key to limit expiration (e.g., max 90 days). -
bedrock:CallWithBearerToken– Controls usage of an API key through the Amazon Bedrock endpoint. Use thebedrock:bearerTokenTypecondition key with valuesSHORT_TERMorLONG_TERMto target specific key types. -
bedrock-mantle:CallWithBearerToken– Controls usage of an API key through the Amazon Bedrock Mantle endpoint. Use thebedrock-mantle:bearerTokenTypecondition key with valuesSHORT_TERMorLONG_TERMto target specific key types.
Example: Prevent an identity from using any API key
Attach this policy to the identity:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "bedrock:CallWithBearerToken", "bedrock-mantle:CallWithBearerToken" ], "Resource": "*" } ] }
Example: Allow only short-lived keys (max 90 days)
Attach this policy to the identity:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "iam:CreateServiceSpecificCredential", "Resource": "*", "Condition": { "NumericLessThanEquals": { "iam:ServiceSpecificCredentialAgeDays": "90" }, "StringEquals": { "iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com" } } } ] }
For more detailed policy examples, see API keys reference.