Configure AWS Bedrock as a Model Provider

See the steps for adding an AWS Bedrock model provider and configuring authentication.

Supported Authentication Methods

Dremio supports two authentication methods for AWS Bedrock:

• Access keys
• IAM role (role-based projects only)

Prerequisites

• AWS account with Bedrock access
• Appropriate permissions to create IAM users/roles
• For Anthropic models: Submit the model access form once per AWS account (see Enable Anthropic Models)

Access Key Authentication

Step 1: Create an Amazon Bedrock API Key

1. In your AWS account, navigate to AWS Bedrock Console > API Keys.
2. Click Create API Key.

Creating this key automatically creates a user with AmazonBedrockLimitedAccess permission.

Step 2: Generate an Access Key

1. In your AWS account, go to IAM Console > Users.

2. Select the created user (e.g., BedrockAPIKey-xxxxx).

3. Navigate to the Security credentials tab.

4. Click Create access key.

5. Save the Access Key ID and Secret Access Key.

Step 3: Configure in Dremio

1. In the Dremio console, click in the side navigation bar to go to the Settings page.

2. Select Preferences in the settings sidebar.

3. Enable the AI flag.

4. Click Add model provider.

5. In the Add model provider dialog, select Amazon Bedrock as the model provider service.

6. For Name, enter a name for the model provider.

7. For Region, select your Bedrock region (e.g., us-east-1).

8. For Authentication Method, select Access Key.

9. For Access Key ID, enter your access key ID.

10. For Secret Access Key, enter your secret access key.

11. For Default Model ID, select the model you want to use as the default.

12. (Optional) For Allowed Model IDs for AI Functions, select the models you want to make available for AI functions.

13. Click Add.

IAM Role Authentication

Step 1: Create an Amazon Bedrock IAM Role

1. In your AWS account, navigate to IAM Console > Roles > Create role.

2. On the Select trusted entity page, under Trusted entity type, select the radio button for Custom trust policy.

3. Delete the current JSON policy and paste in the custom trust policy template below.

Custom trust policy template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<project data access role ARN>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<organization ID>"
        }
      }
    }
  ]
}

1. Replace <project data access role ARN> with your Dremio project's data access role ARN (found in Settings > Project Storage > AWS Cross-Account Role ARN).

2. Replace <organization ID> with your Dremio organization ID (found in Settings > Organization).

3. Click Next.

4. On the Add permissions page, search for and select AmazonBedrockLimitedAccess.

5. Click Next.

6. On the Name, review, and create page, enter a role name (e.g., DremioBedrockRole).

7. Click Create role.

8. Note the Role ARN from the role summary page (e.g., arn:aws:iam::<your-account-id>:role/DremioBedrockRole).

Step 2: Update Project Data Access Role

In this step, you will add permission to assume the Bedrock role in your project's data access role.

1. In your AWS account, navigate to IAM Console > Roles.

2. Select your project's data access role.

3. Add this inline policy:

Project data access role inline policy template

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleForBedrock",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "<bedrock role ARN>"
    }
  ]
}

1. Replace <bedrock role ARN> with the ARN of the Bedrock role created in Step 1.

Step 3: Configure in Dremio

1. In the Dremio console, click in the side navigation bar to go to the Settings page.

2. Select Preferences in the settings sidebar.

3. Enable the AI Features flag.

4. Click Add model provider.

5. In the Add model provider dialog, select Amazon Bedrock as the model provider service.

6. For Name, enter a name for the model provider.

7. For Region, select your Bedrock region (e.g., us-east-1).

8. For Authentication Method, select IAM Role.

9. For IAM Role ARN, enter the ARN from Step 1 (e.g., arn:aws:iam::<your-account-id>:role/DremioBedrockRole).

10. For Default Model ID, select the model you want to use as the default.

11. (Optional) For Allowed Model IDs for AI Functions, select the models you want to make available for AI functions.

12. Click Add.

Enable Anthropic Models

To use Anthropic models (e.g., Claude Sonnet 4.5):

1. In your AWS account, navigate to AWS Bedrock Console > Model catalog.

2. Select any Anthropic model (e.g., Claude Sonnet 4.5).

3. Click Open in Playground.

4. Complete the Anthropic use case form (one-time per AWS account).

Rate Limits

When using AWS Bedrock model providers, you may encounter rate limiting errors such as "429 Too Many Tokens (Rate Limit Exceeded)". This is particularly common with new AWS accounts that start with lower or fixed quotas.

If you experience rate limiting issues:

1. Check your current quotas in the AWS Bedrock console.
2. Request a quota increase from AWS Support by providing:
   • Quota name
   • Model ID
   • AWS region
   • Use case description
   • Projected token and request usage

For more information about AWS Bedrock quotas and limits, see the AWS Bedrock User Guide.

Troubleshoot

For access denied errors with access keys, verify you are using the correct access key, the user has AmazonBedrockLimitedAccess permission, you have signed the one-time accept terms for Claude (if using), and the region is correct for the selected model.

• For access dentied errors with an IAM role, check that the trust policies and external ID match your organization ID.

• For "Role Not Found" errors, verify the Role ARN is correct and ensure the role exists in the specified AWS account.

• For model access denied errors, check the model availability in your selected region. If using Claude models, submit the Anthropic use case form.