From 1976bc3431a045a1d4e89598c948c889150e6189 Mon Sep 17 00:00:00 2001
From: braginini
Date: Mon, 29 Jun 2026 18:56:52 +0200
Subject: [PATCH] Add Bedrock and Claude on Bedrock docs
---
 src/components/NavigationDocs.jsx | 1 +
 .../agent-network/integrations/bedrock.mdx | 101 ++++++++++++++++++
 .../agent-network/integrations/index.mdx | 2 +
 3 files changed, 104 insertions(+)
 create mode 100644 src/pages/agent-network/integrations/bedrock.mdx
diff --git a/src/components/NavigationDocs.jsx b/src/components/NavigationDocs.jsx
index 3144e98e..27f1215c 100644
--- a/src/components/NavigationDocs.jsx
+++ b/src/components/NavigationDocs.jsx
@@ -121,6 +121,7 @@ export const docsNavigation = [
 { title: 'Codex', href: '/agent-network/integrations/codex' },
 { title: 'LiteLLM', href: '/agent-network/integrations/litellm' },
 { title: 'Google Vertex AI', href: '/agent-network/integrations/vertex-ai' },
+ { title: 'AWS Bedrock', href: '/agent-network/integrations/bedrock' },
 ],
 },
 ],
diff --git a/src/pages/agent-network/integrations/bedrock.mdx b/src/pages/agent-network/integrations/bedrock.mdx
new file mode 100644
index 00000000..1c022d39
--- /dev/null
+++ b/src/pages/agent-network/integrations/bedrock.mdx
@@ -0,0 +1,101 @@
+import { Note, Warning } from '@/components/mdx'
+
+export const description =
+ 'Connect Amazon Bedrock to NetBird Agent Network with a Bedrock API key, giving keyless, identity-based access to Claude, Llama, and Nova models on AWS.'
+
+# AWS Bedrock
+
+[Amazon Bedrock](https://aws.amazon.com/bedrock/) serves Anthropic's **Claude** models
+alongside **Meta Llama** and **Amazon Nova** on AWS. Connecting it behind NetBird gives your
+agents keyless access over the tunnel: NetBird holds the Bedrock API key server-side, ties
+every request to a real identity from your IdP, and applies your policies, limits, and audit
+on the way to Bedrock.
+
+Bedrock authenticates with a **Bedrock API key** — a long-term key you generate in AWS that
+NetBird injects as a bearer token on every request. You create the key once, hand it to
+NetBird, and it stays server-side.
+
+## Prerequisites
+
+- An AWS account with **Amazon Bedrock** available in your target region.
+- **Model access** granted for the models you plan to use (Amazon Bedrock console →
+ **Model access**), per region.
+- Permission to generate a Bedrock API key.
+
+## Generate a Bedrock API Key
+
+In the AWS console, open **Amazon Bedrock → API keys** and generate a **long-term API key**.
+See [Bedrock API keys](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html)
+for details.
+
+
+ The Bedrock API key grants access to models in your AWS account. Treat it as a secret —
+ store it securely, never commit it to source control, and delete the local copy once it's
+ stored in NetBird.
+
+
+## Connect the Provider
+
+1. Go to **Agent Network → Providers** and click **Connect Provider**.
+2. Select **AWS Bedrock**. Set the **Upstream URL** to your region's Bedrock runtime host —
+ for example `https://bedrock-runtime.us-east-1.amazonaws.com`. Bedrock is region-specific,
+ so the host must include the region you enabled model access in.
+3. Paste the **Bedrock API key**. NetBird stores it encrypted server-side, injects it as
+ `Authorization: Bearer …` on each request, and never returns it to callers.
+4. _(Optional)_ Restrict the **allowed models** — for example `anthropic.claude-opus-4-8`,
+ `anthropic.claude-sonnet-4-6`, `meta.llama3-3-70b-instruct`, or `amazon.nova-pro`. Leaving
+ the list empty allows any catalog model.
+5. Save the provider. The key is now held server-side — the next step authorizes who can use
+ it.
+
+See [Providers](/agent-network/providers) for details.
+
+## Create a Policy
+
+By default nothing is allowed — a policy must connect a source group to the Bedrock provider
+before anyone can route through it.
+
+1. Go to **Agent Network → Policies** and add a policy.
+2. Set the **Source** to the users or agents who should be able to reach Bedrock (for example
+ your `Engineering` group from your IdP).
+3. Set the **Provider** to the AWS Bedrock provider you just connected.
+4. Optionally attach per-user or per-group [token and budget limits](/agent-network/policies/limits)
+ and [guardrails](/agent-network/policies/guardrails) such as a model allowlist.
+
+See [Policies](/agent-network/policies) for details.
+
+## Use Claude Code with AWS Bedrock
+
+If you run [Claude Code](/agent-network/integrations/claude-code) with its **Bedrock backend**
+instead of the Anthropic API, point it at your agent network endpoint. NetBird holds the
+Bedrock API key server-side and injects it, so Claude Code skips AWS authentication entirely
+— the client stays keyless.
+
+First connect an **AWS Bedrock** provider in NetBird (steps above). Then add the following to
+`~/.claude/settings.json`:
+
+```json
+{
+ "env": {
+ "ANTHROPIC_MODEL": "eu.anthropic.claude-sonnet-4-5-20250929-v1:0",
+ "ANTHROPIC_BEDROCK_BASE_URL": "https:///bedrock",
+ "CLAUDE_CODE_USE_BEDROCK": "1",
+ "CLAUDE_CODE_SKIP_BEDROCK_AUTH": "1"
+ }
+}
+```
+
+- `CLAUDE_CODE_USE_BEDROCK=1` routes Claude Code through the Bedrock backend.
+- `CLAUDE_CODE_SKIP_BEDROCK_AUTH=1` skips AWS auth on the client — NetBird injects the
+ Bedrock API key server-side.
+- `ANTHROPIC_BEDROCK_BASE_URL` is your agent network endpoint with the `/bedrock` suffix
+ (the optional gateway-namespace prefix that disambiguates Bedrock from other providers).
+- `ANTHROPIC_MODEL` is the full Bedrock model ID including the region prefix (e.g.
+ `eu.anthropic.claude-sonnet-4-5-20250929-v1:0`). Some models may not be available in all
+ regions — if the model above doesn't work, switch to one in your provider's allowed list,
+ or change it in Claude Code with `/model `.
+
+
+ Rotating the key is a single server-side change in NetBird: generate a new Bedrock API key,
+ update the provider's credential, then disable the old key in AWS.
+
\ No newline at end of file
diff --git a/src/pages/agent-network/integrations/index.mdx b/src/pages/agent-network/integrations/index.mdx
index bfcfc97a..64e01aa0 100644
--- a/src/pages/agent-network/integrations/index.mdx
+++ b/src/pages/agent-network/integrations/index.mdx
@@ -19,3 +19,5 @@ Replace `` in the snippets below with the endpoint shown on the attribution and budgets. - [Google Vertex AI](/agent-network/integrations/vertex-ai) — connect Gemini and Claude on Vertex AI with a Google Cloud service account.
+- [AWS Bedrock](/agent-network/integrations/bedrock) — connect Claude, Llama, and Nova on
+ Bedrock with a Bedrock API key.