
AWS Bedrock with AWS IAM Identity Center

Quick answer
Configure the AWS CLI for AWS IAM Identity Center (SSO) login, then create a boto3 bedrock-runtime client, which authenticates with those SSO credentials. Call client.converse() to interact with AWS Bedrock models securely without embedding static API keys.

PREREQUISITES

  • Python 3.8+
  • AWS CLI v2 configured with AWS IAM Identity Center SSO
  • boto3 installed (pip install boto3)
  • AWS Bedrock access granted in your AWS account

Set up AWS CLI with IAM Identity Center

Configure your AWS CLI to use AWS IAM Identity Center (formerly AWS SSO) for authentication. Run aws configure sso and follow the prompts to select your AWS account and a role with Bedrock permissions.

This setup enables boto3 to automatically use your SSO credentials for API calls without manual API key management.

bash
aws configure sso
output
SSO session name (Recommended): my-sso-session
SSO start URL [None]: https://my-sso-portal.awsapps.com/start
SSO region [None]: us-east-1
SSO registration scopes [None]: sso:account:access

There are 2 AWS accounts available to you.
Using the account ID 123456789012
There are 3 roles available to you.
Using the role name BedrockAccessRole
CLI default client Region [None]: us-east-1
CLI default output format [None]: json

Step by step: Python code to call AWS Bedrock

Use boto3 to create a bedrock-runtime client. The client automatically uses your AWS IAM Identity Center credentials from the CLI configuration, provided the SSO profile is the default profile or is selected with AWS_PROFILE or profile_name. Then call converse() to send chat messages to a Bedrock model.

python
import boto3

# Create the Bedrock runtime client; credentials come from the SSO profile
client = boto3.client('bedrock-runtime', region_name='us-east-1')

# Define chat messages (each Converse content block is keyed by its type, e.g. "text")
messages = [
    {"role": "user", "content": [{"text": "Hello from AWS Bedrock with IAM Identity Center!"}]}
]

# Call the Bedrock Converse API; token limits go in inferenceConfig
response = client.converse(
    modelId='anthropic.claude-3-5-sonnet-20241022-v2:0',
    messages=messages,
    inferenceConfig={"maxTokens": 512}
)

# Extract and print response text
output = response['output']['message']['content'][0]['text']
print("Bedrock response:", output)
output
Bedrock response: Hello! How can I assist you today?

Common variations

  • Async calls: Use aiobotocore or async boto3 wrappers for asynchronous Bedrock calls.
  • Different models: Change modelId to other Bedrock models like amazon.titan-text-express-v1 or anthropic.claude-opus-4.
  • Custom regions: Specify region_name if your Bedrock endpoint is in a different AWS region.

Troubleshooting

  • If you get UnauthorizedOperation, verify your IAM Identity Center role has Bedrock permissions.
  • If botocore.exceptions.NoCredentialsError occurs, ensure you ran aws sso login and your session is active.
  • Check that your AWS CLI profile is set correctly, or pass profile_name to boto3.Session() if you use multiple profiles.
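
A preflight check for the "no static keys" goal, as an added example that is not part of the original guide: it parses the AWS CLI config and credentials text and reports anything that would stop a profile from being SSO-only. The function name, the finding strings and the profile name bedrock-dev are assumptions; the sample files are constructed.

```python
import configparser

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
# Constructed sample of what `aws configure sso` writes to ~/.aws/config.
# The profile name "bedrock-dev" is an assumption; other values are the page's.
SSO_CONFIG = """
[profile bedrock-dev]
sso_session = my-sso-session
sso_account_id = 123456789012
sso_role_name = BedrockAccessRole

[sso-session my-sso-session]
sso_start_url = https://my-sso-portal.awsapps.com/start
sso_region = us-east-1
"""
# Constructed sample of the pattern to avoid in ~/.aws/credentials.
STATIC_CREDENTIALS = """
[bedrock-dev]
aws_access_key_id = AKIA-CONSTRUCTED-PLACEHOLDER
aws_secret_access_key = constructed-placeholder
"""

def _parse(text):
    parser = configparser.RawConfigParser(delimiters=("=",))
    parser.read_string(text)
    return parser

def audit_sso_profile(config_text, credentials_text, profile, env):
    """Return findings; an empty list means the profile is SSO-only."""
    cfg, creds = _parse(config_text), _parse(credentials_text)
    section = "default" if profile == "default" else f"profile {profile}"
    if not cfg.has_section(section):
        return [f"profile '{profile}' not found in config"]
    p = dict(cfg.items(section))
    findings = []
    session = p.get("sso_session")
    if session and not cfg.has_option(f"sso-session {session}", "sso_start_url"):
        findings.append(f"sso-session '{session}' is missing or has no sso_start_url")
    elif not session and "sso_start_url" not in p:  # legacy profiles hold the URL
        findings.append("profile is not backed by IAM Identity Center")
    findings += [f"missing {k}" for k in ("sso_account_id", "sso_role_name") if k not in p]
    if any(k in p for k in STATIC_KEYS):
        findings.append("static access key in config profile")
    if any(creds.has_option(profile, k) for k in STATIC_KEYS):
        findings.append("static access key in credentials file")
    # boto3 reads these before profile SSO unless Session(profile_name=...) is used.
    if env.get("AWS_ACCESS_KEY_ID"):
        findings.append("AWS_ACCESS_KEY_ID set in environment")
    return findings
```

To check a workstation, pass the contents of ~/.aws/config and ~/.aws/credentials together with os.environ.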

Key Takeaways

  • Use AWS CLI SSO configuration to authenticate boto3 calls to AWS Bedrock without static keys.
  • The boto3 bedrock-runtime client supports IAM Identity Center credentials automatically.
  • Run aws sso login before executing your Python scripts to refresh credentials.
  • Specify the correct Bedrock modelId and region for your use case.
  • Troubleshoot permissions and credential errors by verifying IAM roles and active SSO sessions.
Verified 2026-04 · anthropic.claude-3-5-sonnet-20241022-v2:0, amazon.titan-text-express-v1, anthropic.claude-opus-4