# Authentication

> Configure authentication for AWS Bedrock using access keys, assumed roles, and Bedrock Guardrails integration.

### Authentication Methods

**Using AWS Access Key and Secret**

1. Create an IAM user (or choose an existing IAM user) following [these steps](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html).
2. Add the required permissions to this user. The following policy grants permission to invoke all models in your available regions. To check the list of available regions for different models, refer to [AWS Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/inference-profiles-support.html). The `Resource` wildcard matches every foundation model in every region, so narrow the ARN if the gateway needs only specific models or regions.
   <CodeGroup>
     ```json JSON lines theme={"dark"}
     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Effect": "Allow",
           "Sid": "InvokeAllModels",
           "Action": [
             "bedrock:InvokeModel",
             "bedrock:InvokeModelWithResponseStream"
           ],
           "Resource": ["arn:aws:bedrock:*::foundation-model/*"]
         }
       ]
     }
     ```
   </CodeGroup>
3. Create an access key for this user [as per this doc](https://docs.aws.amazon.com/IAM/latest/UserGuide/access-keys-admin-managed.html#admin-create-access-key).
4. Use this access key and secret while adding the provider account to authenticate requests to the Bedrock model.

**Using Assumed Role**

1. You can also directly specify a role that can be assumed by the service account attached to the pods running AI Gateway.
2. Read more about how assumed roles work [here](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html).

### Using Bedrock Guardrails

1. Create a Guardrail in AWS. More information is available at [https://aws.amazon.com/bedrock/guardrails](https://aws.amazon.com/bedrock/guardrails).
2. Copy the Guardrail ID and the version number.
3. When calling an AWS Bedrock model through TFY AI Gateway, pass the following object along with the request:

   <CodeGroup>
     ```json Extra Params lines theme={"dark"}
     "guardrailConfig": {
       "guardrailIdentifier": "your-guardrail-id",
       "guardrailVersion": "1"
     }
     ```
   </CodeGroup>
4. This should ensure that guardrails are enforced on the response. Consider this input, where the guardrail is configured to censor PII such as names and email addresses:

   <CodeGroup>
     ```json sample input lines theme={"dark"}
     {
       "model": "internal-bedrock/claude-3",
       "messages": [
         {
           "role": "user",
           "content": "What are some ideas for email for Elon Musk?"
         }
       ],
       "guardrailConfig": {
         "guardrailIdentifier": "xyz-123-768",
         "guardrailVersion": "1"
       }
     }
     ```
   </CodeGroup>
5. Sample output:

   <CodeGroup>
     ```json expected output lines theme={"dark"}
     {
         "id": "1741339101780",
         "object": "chat.completion",
         "created": 1741339101,
         "model": "",
         "provider": "aws",
         "choices": [
             {
                 "index": 0,
                 "message": {
                     "role": "assistant",
                     "content": "Here are some ideas for email addresses for {NAME}:\n\n1. {EMAIL}\n2. {EMAIL}\n3. {EMAIL}\n4. {EMAIL}\n5. {EMAIL}\n6. {EMAIL} (or any relevant year)\n7. {EMAIL}\n8. {EMAIL}\n9. {EMAIL}\n10. {EMAIL}\n11. {EMAIL}\n12. {EMAIL}\n13. {EMAIL}\n14. {EMAIL}\n15. {EMAIL}\n\nWhen creating an email address, consider the following tips:\n\n1. Keep it professional if it's for work purposes.\n2. Make it easy to spell and remember.\n3. Avoid using numbers or special characters unless necessary.\n4. Consider using a combination of first name, last name, or initials.\n5. You can use different email addresses for personal and professional purposes.\n\nRemember to replace \"example.com\" with the actual domain you'll be using for your email address."
                 },
                 "finish_reason": "guardrail_intervened"
             }
         ],
         "usage": {
             "prompt_tokens": 25,
             "completion_tokens": 320,
             "total_tokens": 345
         }
     }
     ```
   </CodeGroup>
6. If you're using a library like LangChain, you might have to pass the extra param through a parameter like `extra_body`, as required by the library. For example, refer to this [LangChain OpenAI class doc](https://python.langchain.com/api_reference/openai/chat_models/langchain_openai.chat_models.base.ChatOpenAI.html#langchain_openai.chat_models.base.ChatOpenAI.extra_body).
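
A way to check steps 3 to 5 in a test, as an added example that is not TrueFoundry's code: `build_request` attaches the `guardrailConfig` object and `audit_response` reads `finish_reason` and the mask tokens from the reply. The function names, the e-mail regex and both sample responses are assumptions constructed for illustration.

```python
import re

# Mask tokens as they appear in the sample output above, e.g. {NAME}, {EMAIL}.
MASK_RE = re.compile(r"\{([A-Z_]+)\}")
# Assumption: a simple e-mail pattern is enough to flag addresses left unmasked.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_request(model, messages, guardrail_id, guardrail_version):
    """Return a request body carrying the guardrailConfig object from step 3."""
    if not guardrail_id or guardrail_version in (None, ""):
        raise ValueError("guardrail id and version are both required")
    return {
        "model": model,
        "messages": messages,
        "guardrailConfig": {
            "guardrailIdentifier": guardrail_id,
            "guardrailVersion": str(guardrail_version),
        },
    }


def audit_response(response):
    """Per choice: did the guardrail intervene, what was masked, what leaked."""
    findings = []
    for choice in response.get("choices", []):
        text = (choice.get("message") or {}).get("content") or ""
        masks = {}
        for label in MASK_RE.findall(text):
            masks[label] = masks.get(label, 0) + 1
        findings.append({
            "index": choice.get("index"),
            "intervened": choice.get("finish_reason") == "guardrail_intervened",
            "masks": masks,
            "unmasked_emails": EMAIL_RE.findall(text),
        })
    return findings


# Constructed responses: MASKED is shortened from the sample output above,
# LEAKY imitates a reply where no guardrail was applied.
MASKED = {"choices": [{"index": 0, "finish_reason": "guardrail_intervened",
    "message": {"role": "assistant",
                "content": "Ideas for {NAME}:\n1. {EMAIL}\n2. {EMAIL}"}}]}
LEAKY = {"choices": [{"index": 0, "finish_reason": "stop",
    "message": {"role": "assistant", "content": "Try jane.doe@example.com"}}]}

if __name__ == "__main__":
    print(audit_response(MASKED))
    print(audit_response(LEAKY))
```

Running a known PII prompt through the gateway and asserting on these findings catches a request path that silently drops `guardrailConfig`.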
