Amazon Bedrock keys

Claude Code uses the AWS SDK, so aws sso login works directly. Tools that do not use the AWS SDK need a short-term Bedrock token instead. You can generate one with the examples at https://github.com/aws/aws-bedrock-token-generator-python, or with refresh.py, which implements those examples.

This token expires in 12 hours or when the role session credentials of the creator expire, whichever happens sooner. The SSO session itself lasts roughly eight hours; see Setting up AWS STRIDES Single Sign-On. The underlying role session credentials for the default AWSPowerUser role expire every hour. Tools using the AWS SDK refresh those automatically, but the Bedrock bearer token is fixed at creation time, so in practice it often has a maximum lifetime of about one hour. refresh.py prints the expiration context.

Note

Increasing the Bedrock token expiration would likely require AWS admins to increase the timeout for the AWSPowerUser role beyond one hour.
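The "whichever happens sooner" rule above, worked through as an added example (this is not the code of refresh.py or of the token generator). It assumes the role session expiry is read from JSON in the shape printed by `aws configure export-credentials --format process`; the function names, the five-minute margin and the sample values are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

REQUESTED_LIFETIME = timedelta(hours=12)  # the lifetime the page says refresh.py requests


def credential_expiry(process_json):
    """Return the role-session expiry from credential_process-style JSON, or None."""
    raw = json.loads(process_json).get("Expiration")
    if raw is None:  # long-term credentials carry no Expiration field
        return None
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z".
    expiry = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return expiry if expiry.tzinfo else expiry.replace(tzinfo=timezone.utc)


def effective_expiry(created_at, cred_expiry, requested=REQUESTED_LIFETIME):
    """The token stops working at the earlier of the two limits; report which one binds."""
    requested_end = created_at + requested
    if cred_expiry is None or requested_end <= cred_expiry:
        return requested_end, "requested lifetime"
    return cred_expiry, "role session credentials"


def needs_refresh(now, expires_at, margin=timedelta(minutes=5)):
    """True when the token has expired or is within `margin` of expiring."""
    return now >= expires_at - margin


# Constructed sample; every value here is a placeholder, not a real credential.
SAMPLE = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-not-a-real-secret",
    "SessionToken": "constructed-not-a-real-token",
    "Expiration": "2025-01-01T10:00:00Z",
})

if __name__ == "__main__":
    created = datetime(2025, 1, 1, 9, 15, tzinfo=timezone.utc)
    expires_at, limit = effective_expiry(created, credential_expiry(SAMPLE))
    print(f"token usable until {expires_at.isoformat()} (limited by {limit})")
    print("refresh now?", needs_refresh(created + timedelta(minutes=42), expires_at))
```

A token created 15 minutes into a one-hour role session is usable for only the remaining 45 minutes, whatever lifetime was requested.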

Prerequisites

  • AWS SSO is set up; see Setting up AWS STRIDES Single Sign-On.

  • You have successfully authenticated with aws sso login.

  • aws-bedrock-token-generator-python is installed. If you use the conda environment from env.yml in the repository root, it is already included there.

Getting a token

refresh.py requests a 12-hour Bedrock token and reports the actual maximum duration based on the current AWS SSO credential expiry.

The usual convention is to place this token in the AWS_BEARER_TOKEN_BEDROCK environment variable:

eval "$(./refresh.py --bedrock-export)"

The script prints an export AWS_BEARER_TOKEN_BEDROCK=... command, and eval runs that export in the current shell.

Tip

You know it is working when the following command returns successful JSON in response to the prompt Say hi:

curl -sS -X POST \
"https://bedrock-runtime.us-east-1.amazonaws.com/model/us.anthropic.claude-3-5-haiku-20241022-v1:0/converse" \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $AWS_BEARER_TOKEN_BEDROCK" \
-d '{"messages":[{"role":"user","content":[{"text":"Say hi"}]}]}' | jq .