β–ˆβ–ˆFRβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ β–ˆINTELLβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆβ–ˆ

πŸ”‘ Amazon Bedrock API Keys: Simplified Authentication for Developers


This content originally appeared on DEV Community and was authored by Elizabeth Fuentes L

Amazon Bedrock now offers two types of API Keys to simplify programmatic authentication, each designed for different use cases:

🟢 Short-term API Keys (Recommended)

  • Duration: Up to 12 hours or remaining console session time
  • Technology: Pre-signed URLs with AWS Signature Version 4
  • Permissions: Inherit the same permissions as the generating identity
  • Generation: Bedrock console, Python package aws-bedrock-token-generator
  • Security: Lower risk due to short duration

🟡 Long-term API Keys (For development)

  • Duration: From 1 day up to 36,600 days (or never expires)
  • Association: Linked to specific IAM users
  • Limit: Maximum 2 keys per IAM user
  • Auto-policy: AmazonBedrockLimitedAccess automatically attached to user
  • Security: Higher risk – requires regular rotation

🛠 How to Generate Long-term API Keys

Prerequisites

  1. Existing IAM user
  2. Required IAM permissions: 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:UpdateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ResetServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/username"
        }
    ]
}

🖥 Method 1: AWS Console

  1. Navigate to IAM Console β†’ Users
  2. Select the IAM user
  3. Security credentials tab
  4. API keys for Amazon Bedrock section β†’ Generate API Key

  1. Configure expiration (1, 5, 30, 90, 365 days or custom) – For long-term API key

  1. IMPORTANT! Download/copy the key immediately – you cannot retrieve it later

⌨ Method 2: AWS CLI

To generate an Amazon Bedrock long-term API key using the AWS CLI, use Generating a long-term API Key for Amazon Bedrock (AWS CLI)steps.

💻 Code Implementation 

import requests

# Configuration
url = "https://bedrock-runtime.us-east-1.amazonaws.com/model/anthropic.claude-3-sonnet-20240229-v1:0/invoke"

payload = {
    "messages": [
        {
            "role": "user", 
            "content": [{"type": "text", "text": "Hello, Bedrock!"}]
        }
    ],
    "max_tokens": 1000,
    "anthropic_version": "bedrock-2023-05-31"
}

headers = {
    "Content-Type": "application/json",
    "Authorization": "Bearer YOUR_BEDROCK_API_KEY"
}

response = requests.post(url, json=payload, headers=headers)
print(response.json())

🌐 Environment Variable Setup 

# Set as environment variable
export AWS_BEARER_TOKEN_BEDROCK=your-api-key-here

# Or use in applications
import os
api_key = os.getenv('AWS_BEARER_TOKEN_BEDROCK')

Use Amazon Bedrock API in your favorite SDK.

🎯 When to Use Each Type?

Scenario Recommendation
Production applications Short-term API keys
Development/Testing Long-term API keys
CI/CD Pipelines Short-term API keys
Personal scripts Long-term API keys
Enterprise applications Short-term + automatic rotation

📊 Key Benefits

✅ Simplified Authentication – No complex signature calculations

✅ Flexible Duration – Choose expiration that fits your needs

✅ Enhanced Security – Service-specific credentials limit scope

✅ Existing IAM Controls – Respects all current permissions

Have you tried the new API Keys yet? Share your experience in the comments! 🚀


This content originally appeared on DEV Community and was authored by Elizabeth Fuentes L