How to Intermediate · 3 min read

AWS Bedrock multi-account setup

Quick answer
To use Amazon Bedrock across several AWS accounts, put the accounts under AWS Organizations, create an IAM role in each member account whose trust policy names the account that will call it, and attach a policy that grants only the Bedrock runtime actions the workload needs. From the calling account, call sts:AssumeRole, build a bedrock-runtime client from the temporary credentials it returns, and invoke the model in a region where Bedrock and that model are available.

PREREQUISITES

  • Python 3.8+
  • AWS CLI configured with credentials for the account that will become the management account (for create-organization) and for each member account (for create-role)
  • IAM permissions to create roles and attach policies in the member accounts
  • A recent boto3 (pip install boto3); the bedrock-runtime client was added in late 2023, so an old pinned version will not know the service

Setup AWS Organizations and IAM roles

Start by placing the accounts under AWS Organizations. The account that runs create-organization becomes the management account; the accounts where Bedrock will actually be called are member accounts, invited or created afterwards. In each member account, create an IAM role whose trust policy names the calling account and attach a policy granting the Bedrock runtime permissions the workload needs. This walkthrough uses the management account as the caller for brevity; in practice, keep workloads out of the management account and make a dedicated shared-services or application account the trusted principal.

bash
# Run in the account that will become the management account. Member accounts
# are then added with `aws organizations invite-account-to-organization` or
# `aws organizations create-account`.
aws organizations create-organization

# In EACH member account, create the trust policy (trust-policy.json).
# Trusting the management account's root principal lets any identity in that
# account with sts:AssumeRole permission assume this role; for production, name
# a specific role ARN and add an sts:ExternalId condition.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::MANAGEMENT_ACCOUNT_ID:root"},
      "Action": "sts:AssumeRole"
    }
  ]
}

aws iam create-role --role-name BedrockCrossAccountRole --assume-role-policy-document file://trust-policy.json

# Attach Bedrock permissions. AmazonBedrockFullAccess is convenient for a first test
# but grants every bedrock:* action; replace it with an inline policy that allows only
# bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream on the model ARNs you use.
aws iam attach-role-policy --role-name BedrockCrossAccountRole --policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess
output
{"Organization": {"Id": "o-exampleorgid", "MasterAccountId": "MANAGEMENT_ACCOUNT_ID", "FeatureSet": "ALL", ...}}
{"Role": {"RoleName": "BedrockCrossAccountRole", "Arn": "arn:aws:iam::MEMBER_ACCOUNT_ID:role/BedrockCrossAccountRole", ...}}
(attach-role-policy prints nothing on success)
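The CLI walkthrough above trusts the whole management account and attaches AmazonBedrockFullAccess, which is wider than a Bedrock caller needs. The following is an added example, not code from the page or from AWS: it generates a tightened trust policy (one named role in the hub account, plus an sts:ExternalId condition) and a least-privilege permissions policy (InvokeModel on listed foundation-model ARNs only), and lints any policy document for the two over-broad patterns a quick first setup tends to leave behind. It uses only the standard library, so it runs offline; the account ID, role names and ExternalId in the demo are placeholders.

```python
"""Generate and lint the two IAM documents behind BedrockCrossAccountRole.

Added example, not code from the page or from AWS. The hub account ID, role
names and ExternalId below are placeholders.
"""
import json
import re
from typing import Dict, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def trust_policy(hub_account_id: str, hub_role_name: str, external_id: str) -> Dict:
    """Trust exactly one role in the hub account, and only with the agreed ExternalId."""
    if not ACCOUNT_ID_RE.match(hub_account_id):
        raise ValueError("AWS account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{hub_account_id}:role/{hub_role_name}"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def model_arn(region: str, model_id: str) -> str:
    """Foundation-model ARN; the account field is empty for Bedrock base models."""
    return f"arn:aws:bedrock:{region}::foundation-model/{model_id}"


def invoke_policy(region: str, model_ids: List[str]) -> Dict:
    """Permissions policy allowing invocation of the listed models and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeApprovedModels",
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
            "Resource": [model_arn(region, m) for m in model_ids],
        }],
    }


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def lint_policy(doc: Dict) -> List[str]:
    """Return findings for Allow statements wider than a Bedrock caller needs."""
    findings: List[str] = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        for p in aws_principals:
            # A root principal with no Condition means every identity in that account
            # that holds sts:AssumeRole can assume the role.
            if (p == "*" or p.endswith(":root")) and "Condition" not in st:
                findings.append(f"statement {i}: trusts {p} with no Condition; "
                                "name a role or require sts:ExternalId")
        for a in _as_list(st.get("Action", [])):
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
        if "*" in _as_list(st.get("Resource", [])):
            findings.append(f"statement {i}: wildcard resource")
    return findings


if __name__ == "__main__":
    # Placeholder hub account, role and ExternalId; write both files for the CLI.
    tp = trust_policy("111111111111", "BedrockHubRole", "bedrock-prod-example-id")
    pp = invoke_policy("us-east-1", ["anthropic.claude-3-5-sonnet-20241022-v2:0"])
    with open("trust-policy.json", "w") as f:
        json.dump(tp, f, indent=2)
    with open("bedrock-invoke-policy.json", "w") as f:
        json.dump(pp, f, indent=2)
    print("trust policy findings:", lint_policy(tp))    # []
    print("invoke policy findings:", lint_policy(pp))   # []
```

Feed the generated files to the CLI with `aws iam create-role --assume-role-policy-document file://trust-policy.json` and `aws iam put-role-policy --role-name BedrockCrossAccountRole --policy-name BedrockInvoke --policy-document file://bedrock-invoke-policy.json`. Once the trust policy carries the ExternalId condition, the caller must pass the same value as `ExternalId=` to assume_role, or STS refuses the request.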

Step by step: cross-account Bedrock API call

Use boto3 to assume the role in the member account and call the Bedrock runtime API with the temporary credentials it returns. Run this from the trusted (calling) account; boto3 picks up that account's credentials from the usual chain (environment variables, a named profile, or an instance or task role).

python
import json
import os

import boto3

# Member account that hosts the Bedrock workload; the role there trusts the
# account whose credentials boto3 finds in the caller's credential chain.
MEMBER_ACCOUNT_ID = os.environ["MEMBER_ACCOUNT_ID"]
ROLE_NAME = "BedrockCrossAccountRole"
REGION = "us-east-1"
MODEL_ID = "anthropic.claude-3-5-sonnet-20241022-v2:0"

# Assume the cross-account role. The returned credentials are temporary
# (one hour by default) and must be re-obtained before they expire.
sts_client = boto3.client("sts")
assumed_role = sts_client.assume_role(
    RoleArn=f"arn:aws:iam::{MEMBER_ACCOUNT_ID}:role/{ROLE_NAME}",
    RoleSessionName="BedrockSession",
)
credentials = assumed_role["Credentials"]

# Build a Bedrock runtime client in the member account from the temporary credentials
bedrock_client = boto3.client(
    "bedrock-runtime",
    aws_access_key_id=credentials["AccessKeyId"],
    aws_secret_access_key=credentials["SecretAccessKey"],
    aws_session_token=credentials["SessionToken"],
    region_name=REGION,
)

# Anthropic models on Bedrock use the Messages API request schema, and invoke_model
# takes the body as a JSON string, not a Python dict ("inputText" is the Amazon Titan schema).
request_body = json.dumps({
    "anthropic_version": "bedrock-2023-05-31",
    "max_tokens": 256,
    "messages": [
        {"role": "user", "content": "Hello from multi-account Bedrock setup!"}
    ],
})

response = bedrock_client.invoke_model(
    modelId=MODEL_ID,
    contentType="application/json",
    accept="application/json",
    body=request_body,
)
# The response body is a streaming object holding JSON; Claude returns a list of content blocks.
result = json.loads(response["body"].read())
print("Bedrock response:", result["content"][0]["text"])
output
Bedrock response: Hello from multi-account Bedrock setup! How can I assist you today?
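The snippet above assumes the role once, which is fine for a script but not for a worker that runs longer than the credentials last: the temporary credentials from AssumeRole expire (one hour by default), and a bedrock-runtime client built from them starts failing with an expired-token error part-way through a batch. The following is an added example, not code from the page or from AWS, showing one way to handle that: a small cache that re-assumes the role a few minutes before expiry and hands out fresh client keyword arguments, plus an invoke helper that builds the Messages-API body and extracts the text. The STS call and the clock are injected so the logic runs offline against the constructed stubs at the bottom; make_boto_assume() shows the real wiring. The account ID, role name and ExternalId are placeholders.

```python
"""Keep assumed-role credentials fresh for a long-running Bedrock worker.

Added example, not code from the page or from AWS. StubAssume and FakeClock are
constructed stand-ins for STS and the wall clock so the module runs offline.
"""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

REFRESH_MARGIN = timedelta(minutes=5)  # re-assume this long before Expiration


class AssumedRoleCredentials:
    """Caches one AssumeRole result and refreshes it shortly before it expires."""

    def __init__(self, assume: Callable[[], Dict],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._assume = assume      # returns the AssumeRole 'Credentials' dict
        self._now = now            # injectable UTC clock
        self._creds: Optional[Dict] = None
        self.refresh_count = 0

    def _needs_refresh(self) -> bool:
        if self._creds is None:
            return True
        # Expiration from STS is a timezone-aware datetime
        return self._now() >= self._creds["Expiration"] - REFRESH_MARGIN

    def get(self) -> Dict:
        if self._needs_refresh():
            self._creds = self._assume()
            self.refresh_count += 1
        return self._creds

    def client_kwargs(self, region: str) -> Dict:
        """Keyword arguments for boto3.client('bedrock-runtime', **kwargs)."""
        c = self.get()
        return {
            "aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
            "region_name": region,
        }


def make_boto_assume(member_account_id: str, role_name: str, external_id: str,
                     session_name: str = "BedrockSession") -> Callable[[], Dict]:
    """Real STS wiring (needs boto3 and calling-account credentials; not run offline)."""
    import boto3  # imported lazily so the offline demo does not need it
    sts = boto3.client("sts")

    def assume() -> Dict:
        return sts.assume_role(
            RoleArn=f"arn:aws:iam::{member_account_id}:role/{role_name}",
            RoleSessionName=session_name,
            ExternalId=external_id,   # must match the trust policy's sts:ExternalId condition
            DurationSeconds=3600,     # capped by the role's maximum session duration
        )["Credentials"]
    return assume


def invoke_claude(client, model_id: str, prompt: str, max_tokens: int = 256) -> str:
    """One Messages-API call through any object exposing invoke_model(); returns the text."""
    body = json.dumps({
        "anthropic_version": "bedrock-2023-05-31",
        "max_tokens": max_tokens,
        "messages": [{"role": "user", "content": prompt}],
    })
    resp = client.invoke_model(modelId=model_id, contentType="application/json",
                               accept="application/json", body=body)
    return json.loads(resp["body"].read())["content"][0]["text"]


class FakeClock:
    """Constructed clock for offline runs; advance() simulates elapsed time."""
    def __init__(self, start: datetime):
        self.t = start

    def now(self) -> datetime:
        return self.t

    def advance(self, **kwargs) -> None:
        self.t += timedelta(**kwargs)


class StubAssume:
    """Constructed stand-in for sts.assume_role that issues one-hour credentials."""
    def __init__(self, clock: FakeClock):
        self.clock, self.calls = clock, 0

    def __call__(self) -> Dict:
        self.calls += 1
        return {"AccessKeyId": f"ASIAEXAMPLE{self.calls}", "SecretAccessKey": "secret",
                "SessionToken": "token", "Expiration": self.clock.now() + timedelta(hours=1)}


if __name__ == "__main__":
    clock = FakeClock(datetime(2026, 4, 1, 12, 0, tzinfo=timezone.utc))
    creds = AssumedRoleCredentials(StubAssume(clock), now=clock.now)
    creds.get()
    clock.advance(minutes=56)   # inside the 5-minute margin before the 13:00 expiry
    creds.get()
    print("refreshes after 56 minutes:", creds.refresh_count)   # 2
```

In a real worker, pass `make_boto_assume(MEMBER_ACCOUNT_ID, "BedrockCrossAccountRole", external_id)` to AssumedRoleCredentials and rebuild the bedrock-runtime client whenever `client_kwargs()` returns a new AccessKeyId. The same effect can be had with no code at all by defining a named profile with role_arn, source_profile and external_id in ~/.aws/config, since boto3's credential provider refreshes assumed-role credentials itself.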

Common variations

  • Other AWS SDKs (Java, JavaScript, Go, .NET) expose the same AssumeRole pattern, and their credential providers can refresh the temporary credentials for you.
  • Use IAM Identity Center (formerly AWS Single Sign-On) with permission sets for people who need multi-account access; keep role assumption for workloads.
  • Define a named profile with role_arn, source_profile and, if required, external_id in ~/.aws/config; boto3 then assumes the role and refreshes the credentials without any assume_role code.
  • Invoke a different model by changing modelId; each model family has its own request body schema (Anthropic Messages, Amazon Titan, Meta Llama), or use the Converse API, which takes the same request shape for every supported model.

Troubleshooting

  • AccessDenied from sts:AssumeRole: check that the trust policy names the calling principal (and that any ExternalId matches) and that the caller is allowed sts:AssumeRole on that role ARN. AccessDeniedException from bedrock-runtime instead points at the role's permissions policy, or at model access not yet enabled for that model in the member account and region.
  • Use a region where Bedrock and the chosen model are available. If a ValidationException says on-demand throughput is not supported for the model ID, retry with the inference profile ID for that model (the cross-region profile IDs are prefixed with a region group such as us.).
  • ExpiredToken means the assumed-role credentials have lapsed; they last one hour by default (up to the role's maximum session duration). Re-assume the role before expiry or let a named profile refresh them.
  • For auditing, AssumeRole appears in CloudTrail in both the calling account and the member account, and InvokeModel appears in the member account; turn on Bedrock model invocation logging if you also need the prompts and responses, not just the API calls.

Key Takeaways

  • Use AWS Organizations for account structure and IAM role trust policies for the actual cross-account access; keep workloads, including the Bedrock caller, out of the management account.
  • Assume the member-account role with STS and build the bedrock-runtime client from the temporary credentials, refreshing them before they expire.
  • Scope the role to bedrock:InvokeModel on specific model ARNs, name a specific caller in the trust policy, and add an ExternalId condition rather than trusting a whole account with a full-access policy.
  • Use IAM Identity Center and named profiles for people; use role assumption, and the credential chain that refreshes it, for workloads.
Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0