Skip to main content

Overview

This guide walks you through setting up Amazon Bedrock as an AI Provider in Elementum so you can use Bedrock-hosted Claude (and other foundation) models across your AI Services, automations, and agents. Running models through your own AWS account keeps AI workloads within your cloud infrastructure and compliance boundaries.
Connecting a Bedrock Agent built in AWS to an Elementum App is a separate setup. Once this provider is configured, see AWS Bedrock Agents Setup to invoke a Bedrock Agent through App Intelligence.
Time required: About 15–20 minutes, depending on your existing AWS setup.

Prerequisites

Elementum requirements

  • Organization permissions: Ability to add or edit AI Providers in Organization Settings.

AWS requirements

  • AWS Account: Active AWS account with Bedrock access.
  • Region: Bedrock available in your target region (e.g., us-east-1, us-east-2, us-west-2).
  • Bedrock Access: Amazon Bedrock service enabled for your account.
  • Foundation Model Access: Access granted to at least one foundation model (Claude, Titan, etc.).
  • IAM Permissions: Ability to create IAM users and policies.
Model access: You need access to the foundation models you plan to use. In the Amazon Bedrock console, confirm model access for your account and region; approval timing depends on AWS.

Step 1: Create IAM Credentials

Create IAM credentials that Elementum will use to call Bedrock models.
1

Navigate to IAM

In the AWS Console, go to IAMUsersCreate user.
2

Configure user

  • User name: Choose a descriptive name (e.g., elementum-bedrock-invoker).
  • Do not enable console access (programmatic access only).
3

Attach permissions

Create and attach a policy with bedrock:InvokeModel. If you also plan to connect Bedrock Agents later, include bedrock:InvokeAgent now or add it then.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": "*"
    }
  ]
}
Least privilege: For production, restrict the Resource to specific model ARNs:
"Resource": [
  "arn:aws:bedrock:us-east-2::foundation-model/*"
]
4

Create access keys

  1. Open the user details.
  2. Go to the Security credentials tab.
  3. Click Create access key.
  4. Choose a use case that matches programmatic access from outside AWS, then complete the prompts.
  5. Copy and securely store the Access Key ID and Secret Access Key.
Store credentials securely: The secret access key is only shown once. Store it in a secure password manager until you configure it in Elementum.

Step 2: Create the Bedrock AI Provider in Elementum

Configure Elementum to call AWS with the credentials from Step 1.
  1. Go to Organization Settings and open the Providers tab.
  2. Click + Provider and select Amazon Bedrock.
  3. Enter a Provider name, the Region where your Bedrock resources are deployed (for example us-east-2), Access Key ID, and Secret Access Key.
  4. Use Test Connection to confirm the credentials, then Save.
The provider is now available for creating AI Services. Tips
  • The provider Region must match the region where your Bedrock models are available.
  • Use separate providers for different AWS accounts or regions if needed.

Step 3: Create your first AI service

With the provider saved, create an AI Service that uses a Bedrock-hosted model. See AI Services for the full walkthrough, including LLM and embedding service configuration, assignment, and failover.
Bedrock-hosted models run within your AWS account, keeping AI workloads inside your own cloud infrastructure and compliance boundaries.
For a side-by-side comparison of available Bedrock models against other providers, see AI Models.

How Bedrock model invocation works

When Elementum invokes a Bedrock-hosted model:

AWS Bedrock API used

InvokeModel sends a prompt to a Bedrock-hosted foundation model and returns the model response. Used by all AI Services created with the Bedrock provider. Key parameters:
  • modelId: The identifier of the foundation model.
  • body: The request payload (prompt, parameters).
  • contentType / accept: Media types for the request and response.
Documentation: Amazon Bedrock InvokeModel API

Security model

AspectImplementation
AuthenticationIAM Access Key/Secret Key via Bedrock AI Provider
AuthorizationIAM policies control which models can be invoked
Data in transitTLS encryption for all API calls
AuditAWS CloudTrail logs all Bedrock API calls

Troubleshooting

Error: “Access Denied” or “Not authorized to perform bedrock:InvokeModel”.Possible causes:
  • IAM user missing bedrock:InvokeModel permission.
  • Policy not attached to the user.
  • Resource restrictions in policy don’t match the model ARN.
Solutions:
  1. Verify the IAM policy includes bedrock:InvokeModel and is attached to the IAM user whose keys are configured on the Bedrock AI Provider.
  2. Ensure the policy Resource matches your foundation model ARNs or uses a permitted pattern.
  3. Confirm the access keys in Elementum belong to that user.
Error: “Could not connect to endpoint” or timeout errors.Possible causes:
  • Provider configured for a different region than where the model is available.
  • Model access not granted in the configured region.
Solutions:
  1. Verify the region in your Bedrock AI Provider matches where the model is enabled.
  2. Confirm Bedrock and the model are available in your target region.
  3. Update provider configuration if needed.
Error: Connection test returns an error despite credentials looking correct.Solutions:
  1. Confirm the IAM user has at least bedrock:InvokeModel permission.
  2. Verify the Region field uses the AWS region code (for example us-east-2, not US East 2).
  3. Check that no SCP or AWS Organizations policy is blocking Bedrock for the account.

Best Practices

  • Apply least privilege; scope bedrock:InvokeModel to specific model ARNs when practical.
  • Rotate access keys on a schedule your organization defines (for example, every 90 days).
  • Use different IAM users or keys per environment (development vs production).
Pick a foundation model that balances latency, cost, and quality for your task. Available models depend on your AWS region and account. See AI Models for a comparison across providers.
Use AWS Cost Explorer (and related billing views) to monitor token-related usage and Bedrock charges tied to your provider.
Prefer smaller or faster models for straightforward classification or short replies when quality requirements allow; reserve larger models for harder reasoning.

Next Steps

AI Services

Create LLM services using Bedrock-hosted models

AI Models

Compare models across providers

AWS Bedrock Agents Setup

Connect a Bedrock Agent you’ve built in AWS to an Elementum App

AWS Bedrock Docs

Reference AWS’s official Bedrock documentation