Set up Amazon Bedrock
Configure an Amazon Bedrock provider in Aperture so your team can access AWS foundation models through your tailnet. Bedrock uses region-specific URLs and has its own model naming conventions, both of which you configure in the provider definition.
Aperture routes requests based on the model name, not the LLM client. Any LLM client configured to use Aperture can access any provider your admin has set up. Refer to the provider compatibility reference for the full list of supported providers and API formats.
Prerequisites
Before you begin, you need:
- An Aperture instance accessible from your device. Refer to get started with Aperture if you have not set this up.
- An AWS account with Bedrock model access enabled in your target region.
- A Bedrock API key. Generate a long-term API key in the Amazon Bedrock console. Aperture sends this key as a bearer token in the Authorization header and does not perform AWS signature verification or generate temporary credentials.
Configure the provider
Add Amazon Bedrock as a provider in your Aperture configuration. Bedrock URLs are region-specific, using the format https://bedrock-runtime.<region>.amazonaws.com. Check the AWS Bedrock documentation to confirm your target models are available in your chosen region.
The following example shows a configuration for the US East region with Anthropic Claude models. Model names must match exactly, including the region prefix and version suffix. Refer to the AWS Bedrock documentation for the full list of available model names.
{
  "providers": {
    "bedrock": {
      "baseurl": "https://bedrock-runtime.us-east-1.amazonaws.com",
      "apikey": "<your-bedrock-api-key>",
      "authorization": "bearer",
      "models": [
        "us.anthropic.claude-haiku-4-5-20251001-v1:0",
        "us.anthropic.claude-sonnet-4-6",
        "us.anthropic.claude-opus-4-6-v1",
        "us.anthropic.claude-opus-4-7"
      ],
      "cost_basis": "bedrock-us",
      "compatibility": {
        "bedrock_model_invoke": true,
        "bedrock_converse": true
      }
    }
  }
}
Replace <your-bedrock-api-key> with your Bedrock API key.
The configuration fields work as follows:
- bedrock_model_invoke enables the Bedrock InvokeModel endpoint, which is the standard Bedrock API. Most coding tools use this endpoint. If your tools use the Bedrock Converse API instead, add "bedrock_converse": true to the compatibility section. You can enable both flags simultaneously.
- cost_basis controls how Aperture calculates costs for requests. Use bedrock-us for US-region pricing, bedrock-eu for EU-region pricing, or bedrock for default Bedrock pricing. You must set this field explicitly because Aperture cannot auto-infer pricing for Bedrock providers.
- authorization is set to bearer because Aperture passes the API key directly as a bearer token in the Authorization header.
For the full list of compatibility flags, refer to the provider compatibility reference.
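Because the API key is sent as a bearer token to whatever host baseurl names, it is worth checking the provider definition before deploying it. The following Python check is an added example, not part of Aperture or its documentation; the function names, the constructed sample, and the rule that at least one compatibility flag should be enabled are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Host format given on the page: bedrock-runtime.<region>.amazonaws.com
HOST_RE = re.compile(r"bedrock-runtime\.[a-z0-9-]+\.amazonaws\.com")
COST_BASES = {"bedrock", "bedrock-us", "bedrock-eu"}  # values listed on the page
COMPAT_FLAGS = ("bedrock_model_invoke", "bedrock_converse")

def lint_bedrock_provider(provider: dict) -> list[str]:
    """Return findings for one Bedrock provider definition (hypothetical helper)."""
    findings = []
    url = urlsplit(provider.get("baseurl", ""))
    # The long-term key travels in the Authorization header to this URL,
    # so require TLS and an exact match on the regional AWS host.
    if url.scheme != "https":
        findings.append("baseurl must use https")
    if not HOST_RE.fullmatch(url.hostname or ""):
        findings.append("baseurl host is not bedrock-runtime.<region>.amazonaws.com")
    if url.username or url.path not in ("", "/") or url.query:
        findings.append("baseurl should be the bare regional endpoint")
    if provider.get("authorization") != "bearer":
        findings.append("authorization must be 'bearer'")
    key = provider.get("apikey", "")
    if not key or key.startswith("<"):
        findings.append("apikey is empty or still the placeholder")
    # Aperture cannot infer Bedrock pricing, so the field must be present.
    if provider.get("cost_basis") not in COST_BASES:
        findings.append("cost_basis must be one of " + ", ".join(sorted(COST_BASES)))
    compat = provider.get("compatibility", {})
    if not any(compat.get(flag) is True for flag in COMPAT_FLAGS):  # assumption
        findings.append("no Bedrock endpoint enabled under compatibility")
    models = provider.get("models", [])
    if not models or len(set(models)) != len(models):
        findings.append("models list is empty or contains duplicates")
    return findings

def lint_config(text: str, name: str = "bedrock") -> list[str]:
    """Parse a full configuration document and lint the named provider."""
    return lint_bedrock_provider(json.loads(text)["providers"][name])

# Constructed sample: lookalike host suffix and no cost_basis; the key is a dummy.
SAMPLE = """{"providers": {"bedrock": {
  "baseurl": "https://bedrock-runtime.us-east-1.amazonaws.com.example.net",
  "apikey": "dummy-key", "authorization": "bearer",
  "models": ["us.anthropic.claude-sonnet-4-6"],
  "compatibility": {"bedrock_model_invoke": true}}}}"""

if __name__ == "__main__":
    print("\n".join(lint_config(SAMPLE)))
```
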
After configuring the provider:
- Grant model access to the users or groups that need the Bedrock models.
- Set up LLM clients to connect coding tools through Aperture.
Verify the provider
The best way to verify a connection to a specific model is to send a test request through the Models tab of the Aperture dashboard.
- Open the Aperture dashboard and select the Models tab.
- Find the model you want to test in the list of configured models. If the model is not listed, check your provider configuration and ensure the model name is correct.
- Select the Play icon to the left of the model name to send a test request. If the request succeeds, the icon changes to a green check mark. If it fails, the icon changes to a red "X".
This sends a request from your web browser to the tailnet to verify that Aperture can successfully route requests to the model through the configured provider and that your user account has the necessary permissions to access the model.
Next steps
- Grant model access to users or groups that need the Bedrock models.
- Set up LLM clients to connect coding tools through Aperture.
- Refer to the provider compatibility reference for the full list of compatibility flags and configuration options.
- Refer to the Aperture configuration reference for details on multi-region provider setups and credential rotation.