Skip to main content

Configure AWS Bedrock as a Model Provider

See the steps for adding an AWS Bedrock model provider and configuring authentication.

Supported Authentication Methods

Dremio supports two authentication methods for AWS Bedrock:

  • Access keys
  • IAM role (role-based projects only)

Prerequisites

  • AWS account with Bedrock access
  • Appropriate permissions to create IAM users/roles
  • For Anthropic models: Submit the model access form once per AWS account (see Enable Anthropic Models)

Access Key Authentication

Step 1: Create an Amazon Bedrock API Key

  1. In your AWS account, navigate to AWS Bedrock Console > API Keys.
  2. Click Create API Key.

Creating this key automatically creates a user with AmazonBedrockLimitedAccess permission.

Step 2: Generate an Access Key

  1. In your AWS account, go to IAM Console > Users.

  2. Select the created user (e.g., BedrockAPIKey-xxxxx).

  3. Navigate to the Security credentials tab.

  4. Click Create access key.

  5. Save the Access Key ID and Secret Access Key.

Step 3: Configure in Dremio

  1. In the Dremio console, click This is the Settings icon. in the side navigation bar to go to the Settings page.

  2. Select Preferences in the settings sidebar.

  3. Enable the AI Features flag.

  4. Click Add model provider.

  5. In the Add model provider dialog, select Amazon Bedrock as the model provider service.

  6. For Name, enter a name for the model provider.

  7. For Region, select your Bedrock region (e.g., us-east-1).

  8. For Authentication Method, select Access Key.

  9. For Access Key ID, enter your access key ID.

  10. For Secret Access Key, enter your secret access key.

  11. For Default Model ID, select the model you want to use as the default.

  12. (Optional) For Allowed Model IDs for AI Functions, select the models you want to make available for AI functions.

  13. Click Add.

IAM Role Authentication

Step 1: Create an Amazon Bedrock IAM Role

  1. Navigate to IAM Console > Roles > Create role.

  2. On the Select trusted entity page, under Trusted entity type, select the radio button for Custom trust policy.

  3. Delete the current JSON policy and paste in the custom trust policy template below.

Custom trust policy template 
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowTagSessionFromCallerRole",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<dremio_trust_account>:root"
      },
      "Action": "sts:TagSession"
    },
    {
      "Sid": "AllowAssumeRoleWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<dremio_trust_account>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<organization ID>"
        }
      }
    }
  ]
}

  1. Replace <dremio_trust_account> with the AWS account ID provided by Dremio for your region. Dremio's US trust account ID is 894535543691.

  2. Replace <organization ID> with your Dremio organization ID (found in Settings > Organization).

  3. Click Next.

  4. On the Add permissions page, search for and select AmazonBedrockLimitedAccess.

  5. Click Next.

  6. On the Name, review, and create page, enter a role name (e.g., DremioBedrockRole).

  7. Click Create role.

  8. Note the Role ARN from the role summary page: arn:aws:iam::<your-account-id>:role/DremioBedrockRole.

Step 2: Configure in Dremio

  1. In the Dremio console, click This is the Settings icon. in the side navigation bar to go to the Settings page.

  2. Select Preferences in the settings sidebar.

  3. Enable the AI Features flag.

  4. Click Add model provider.

  5. In the Add model provider dialog, select Amazon Bedrock as the model provider service.

  6. For Name, enter a name for the model provider.

  7. For Region, select your Bedrock region (e.g., us-east-1).

  8. For Authentication Method, select IAM Role.

  9. For IAM Role ARN, enter the ARN from Step 1 (e.g., arn:aws:iam::<your-account-id>:role/DremioBedrockRole).

  10. For Default Model ID, select the model you want to use as the default.

  11. (Optional) For Allowed Model IDs for AI Functions, select the models you want to make available for AI functions.

  12. Click Add.

Enable Anthropic Models

To use Anthropic models (e.g., Claude Sonnet 4.5):

  1. In your AWS account, navigate to AWS Bedrock Console > Model catalog.

  2. Select any Anthropic model (e.g., Claude Sonnet 4.5).

  3. Click Open in Playground.

  4. Complete the Anthropic use case form (one-time per AWS account).

Rate Limits

When using AWS Bedrock model providers, you may encounter rate limiting errors such as "429 Too Many Tokens (Rate Limit Exceeded)". This is particularly common with new AWS accounts that start with lower or fixed quotas.

If you experience rate limiting issues, you can contact AWS Support and request a quota increase by providing:

  • Quota name
  • Model ID
  • AWS region
  • Use case description
  • Projected token and request usage

For more information about AWS Bedrock quotas and limits, see the AWS Bedrock User Guide.

Troubleshoot

For access denied errors with access keys, verify you are using the correct access key, the user has AmazonBedrockLimitedAccess permission, you have signed the one-time accept terms for Claude (if using), and the region is correct for the selected model.

  • For access dentied errors with an IAM role, check that the trust policies and external ID match your organization ID.

  • For "Role Not Found" errors, verify the Role ARN is correct and ensure the role exists in the specified AWS account.

  • For model access denied errors, check the model availability in your selected region. If using Claude models, submit the Anthropic use case form.