This guide walks you through connecting your AWS account to 4MINDS so you can use Amazon Bedrock models. There are three connection methods available: choose the one that best fits your organization’s security requirements.

AWS Account Setup

Complete these steps in the AWS Console before connecting to 4MINDS.

Step 1: Note Your AWS Region

  1. Sign in to the AWS Management Console
  2. The active region appears in the top-right of the AWS console (e.g., us-east-1). You’ll need to enter this when connecting in 4MINDS
  3. Common regions include us-east-1, us-west-2, eu-west-1, eu-central-1

Step 2: Create the IAM Permissions Policy

This policy grants the minimum permissions needed for the 4MINDS Bedrock integration. You will attach it to whichever identity you use (IAM user, IAM role, or Cognito authenticated role).
  1. Go to AWS Console → IAM (search for “IAM” in the top search bar)
  2. Click Policies in the left sidebar
  3. Click Create policy
  4. Click the JSON tab (switch from the visual editor)
  5. Delete any existing content and paste the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFoundationModelAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListFoundationModels",
        "bedrock:GetFoundationModel",
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BedrockCustomModelAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListCustomModels",
        "bedrock:GetCustomModel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityVerification",
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity"
      ],
      "Resource": "*"
    }
  ]
}
What each permission does:
| Permission | Purpose |
| --- | --- |
| bedrock:ListFoundationModels | Lists available foundation models (Claude, Llama, Mistral, etc.) |
| bedrock:GetFoundationModel | Retrieves details about a specific foundation model |
| bedrock:InvokeModel | Sends prompts and receives responses from models |
| bedrock:InvokeModelWithResponseStream | Enables streaming responses for real-time output |
| bedrock:ListCustomModels | Lists any custom fine-tuned models in your account |
| bedrock:GetCustomModel | Retrieves details about a specific custom model |
| sts:GetCallerIdentity | Verifies the connection is authenticated correctly |
  6. Click Next
  7. Name the policy: 4MINDS-Bedrock-Access (or any name you prefer)
  8. Optionally add a description: “Permissions for 4MINDS platform to access Amazon Bedrock models”
  9. Click Create policy
Keep this policy name handy — you’ll attach it in the next section depending on your connection method.

Least-Privilege: Restricting to Specific Models

The policy above uses "Resource": "*" for broad access. If your organization requires least-privilege, you can scope the Resource field to specific regions or individual models.
Restrict to a single region:
arn:aws:bedrock:us-east-1::foundation-model/*
Restrict to a specific model:
arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0
Restrict to multiple specific models:
"Resource": [
  "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
  "arn:aws:bedrock:us-east-1::foundation-model/meta.llama3-70b-instruct-v1:0"
]
The ARN format is: arn:aws:bedrock:<region>::foundation-model/<model-id>
Note: If you restrict to specific models, the ListFoundationModels and ListCustomModels actions still require "Resource": "*" to function. You can split these into separate statements — one with "Resource": "*" for listing, and another scoped to specific model ARNs for InvokeModel and InvokeModelWithResponseStream.
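
One way to produce the split policy the note above describes, with a check that flags invoke permissions left on "Resource": "*" (an added example, not 4MINDS or AWS code). The function names and Sid values are hypothetical, and keeping the Get* actions in the wildcard statement alongside the List* actions is an assumption.

```python
import json

INVOKE = ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"]
# Assumptions: Sid names are made up; Get* stays on "*" with the List* actions.
METADATA = ["bedrock:ListFoundationModels", "bedrock:GetFoundationModel",
            "bedrock:ListCustomModels", "bedrock:GetCustomModel"]


def as_list(value):
    return value if isinstance(value, list) else [value]


def build_scoped_policy(region, model_ids):
    """Metadata actions stay on "*"; invoke actions are limited to the listed models."""
    if not model_ids:
        raise ValueError("at least one model ID is required")
    # ARN format given on the page: arn:aws:bedrock:<region>::foundation-model/<model-id>
    arns = [f"arn:aws:bedrock:{region}::foundation-model/{m}" for m in model_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BedrockModelDiscovery", "Effect": "Allow",
             "Action": METADATA, "Resource": "*"},
            {"Sid": "BedrockScopedInvoke", "Effect": "Allow",
             "Action": INVOKE, "Resource": arns},
            {"Sid": "IdentityVerification", "Effect": "Allow",
             "Action": ["sts:GetCallerIdentity"], "Resource": "*"},
        ],
    }


def unscoped_invoke_sids(policy):
    """Sids of Allow statements that permit an invoke action on Resource "*"."""
    flagged = []
    for stmt in as_list(policy["Statement"]):
        grants_invoke = any(a in INVOKE or a in ("bedrock:*", "*")
                            for a in as_list(stmt.get("Action", [])))
        if (stmt.get("Effect") == "Allow" and grants_invoke
                and "*" in as_list(stmt.get("Resource", []))):
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    policy = build_scoped_policy("us-east-1", [
        "anthropic.claude-3-sonnet-20240229-v1:0",
    ])
    print(json.dumps(policy, indent=2))
    print("unscoped invoke statements:", unscoped_invoke_sids(policy))
```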

Connection Methods

Method 1: IAM Role Federation

This is the most secure option. No long-lived credentials are stored — 4MINDS uses temporary AWS credentials generated on-the-fly via OIDC federation. Each request gets short-lived credentials (1 hour) that are never persisted.

AWS Setup

A. Register 4MINDS as an OIDC Identity Provider
  1. Go to AWS Console → IAM → Identity Providers (left sidebar)
  2. Click Add Provider
  3. Select OpenID Connect as the provider type
  4. For Provider URL, enter: https://app.4MINDS.ai
  5. Click Get thumbprint — AWS will verify the provider’s SSL certificate
  6. For Audience, enter: sts.amazonaws.com
  7. Click Add provider
  8. You should now see app.4MINDS.ai in your list of identity providers
B. Create the IAM Role for 4MINDS
  1. Go to IAM → Roles (left sidebar)
  2. Click Create role
  3. Under Trusted entity type, select Web identity
  4. Under Identity provider, select app.4MINDS.ai from the dropdown
  5. Under Audience, select sts.amazonaws.com
  6. Click Next
  7. Search for the policy you created earlier (4MINDS-Bedrock-Access) and check the box next to it
  8. Click Next
  9. Enter a Role name: 4MINDS-bedrock-role (or your preferred name)
  10. Optionally add a description: “Allows 4MINDS to access Bedrock via OIDC federation”
  11. Review the trust policy and permissions, then click Create role
  12. Copy the Role ARN from the role summary page — it looks like: arn:aws:iam::123456789012:role/4MINDS-bedrock-role
C. Verify the Trust Policy
After creating the role, confirm the trust policy is correct:
  1. Go to IAM → Roles and click on your new role
  2. Click the Trust relationships tab
  3. Click Edit trust policy
  4. It should look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<YOUR_ACCOUNT_ID>:oidc-provider/app.4MINDS.ai"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "app.4MINDS.ai:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
Replace <YOUR_ACCOUNT_ID> with your 12-digit AWS account ID (visible in the top-right of the AWS Console under your account name).
Optional — External ID: For additional security, you can add an external ID condition. If you do, you’ll also need to enter the same External ID in 4MINDS when connecting.
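
The trust-policy check from section C can also be run as a script against an exported policy document. This is an added example, not 4MINDS or AWS code: the function name, the finding strings and the loosened sample are constructed for illustration, and the account ID is the placeholder used in the Role ARN above.

```python
EXPECTED_ACTION = "sts:AssumeRoleWithWebIdentity"
EXPECTED_AUD = "sts.amazonaws.com"


def audit_trust_policy(policy, account_id, provider="app.4MINDS.ai"):
    """Return findings for a role trust policy; an empty list means it matches the page."""
    findings = []
    expected_principal = f"arn:aws:iam::{account_id}:oidc-provider/{provider}"
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for s in allows:
        principal = s.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if federated != expected_principal:
            findings.append(f"unexpected principal: {federated!r}")
        if s.get("Action") not in (EXPECTED_ACTION, [EXPECTED_ACTION]):
            findings.append(f"unexpected action: {s.get('Action')!r}")
        # Only an exact-match operator counts; condition key names are case-insensitive.
        exact = s.get("Condition", {}).get("StringEquals", {})
        aud = next((v for k, v in exact.items()
                    if k.lower() == f"{provider}:aud".lower()), None)
        if aud not in (EXPECTED_AUD, [EXPECTED_AUD]):
            findings.append("aud is not pinned to sts.amazonaws.com with StringEquals")
    return findings


# Constructed samples: the page's policy for a placeholder account, and a loosened variant.
ACCOUNT = "123456789012"
GOOD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/app.4MINDS.ai"},
    "Action": EXPECTED_ACTION,
    "Condition": {"StringEquals": {"app.4MINDS.ai:aud": EXPECTED_AUD}},
}]}
LOOSE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "*"},
    "Action": EXPECTED_ACTION,
    "Condition": {"StringLike": {"app.4MINDS.ai:aud": "*"}},
}]}

if __name__ == "__main__":
    print("good :", audit_trust_policy(GOOD, ACCOUNT))
    print("loose:", audit_trust_policy(LOOSE, ACCOUNT))
```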

Connect in 4MINDS

  1. In 4MINDS, go to Settings → Integrations → Amazon Bedrock
  2. Select the IAM Role tab
  3. Paste your IAM Role ARN (the one you copied in step B.12)
  4. If you configured an External ID in the trust policy, enter it here too
  5. Enter your AWS Region (e.g., us-east-1 — must match the region where you enabled Bedrock model access)
  6. Click Test Connection to verify, then Save Credentials

Method 2: Bedrock API Key

This is the simplest setup. You generate an API key directly from the Amazon Bedrock console — no IAM user or role creation needed.

AWS Setup

  1. Go to AWS Console → Amazon Bedrock
  2. In the left sidebar, click API keys
  3. Choose which type of key to generate:
    Short-term API key (recommended for production)
    • Expires when your console session expires (12 hours by default)
    • More secure — limits exposure if the key is compromised
    • Click Generate short-term API keys
    Long-term API key
    • Can be set to last longer than 12 hours
    • More convenient but less secure — AWS recommends using these only for exploratory purposes
    • Click Long-term API keys, configure the expiration, and generate
  4. Copy the API key once it’s generated
Note: If you use a short-term key, you’ll need to generate a new one and update your 4MINDS connection each time it expires. For a set-it-and-forget-it setup, consider IAM Role Federation (Method 1) instead.

Connect in 4MINDS

  1. In 4MINDS, go to Integrations → Amazon Bedrock → Settings
  2. Select the API Key tab
  3. Paste the Bedrock API key you copied above
  4. Enter your AWS Region (e.g., us-east-1 — must match the region where you enabled Bedrock model access)
  5. Click Test Connection to verify, then Save Credentials
Security note: We encrypt your API key at rest. For production environments requiring maximum security, we recommend IAM Role Federation (Method 1) which uses temporary credentials and stores nothing long-lived.

Method 3: Amazon Cognito

Use this method if your organization manages AWS access through Amazon Cognito user pools and identity pools. This is common in organizations that already use Cognito for identity management.
Already have Cognito set up? If your organization already has a Cognito User Pool and Identity Pool configured, skip to Gather Your Cognito Details below.

AWS Setup (Full Cognito Configuration)

If you need to set up Cognito from scratch, follow all steps below. If you already have Cognito infrastructure, skip to the relevant step.
A. Create a Cognito User Pool
  1. Go to AWS Console → Amazon Cognito (search for “Cognito” in the top search bar)
  2. Click Create user pool
  3. Under Sign-in experience:
    • For Cognito user pool sign-in options, check User name (and optionally Email)
    • Click Next
  4. Under Security requirements:
    • Configure your password policy as desired (the defaults are fine)
    • For Multi-factor authentication, select No MFA for simplest setup (or configure MFA if required by your organization)
    • Click Next
  5. Under Sign-up experience:
    • Uncheck Enable self-registration (you’ll create the user manually)
    • Click Next
  6. Under Message delivery:
    • Select Send email with Cognito for simplest setup
    • Click Next
  7. Under Integrate your app:
    • Enter a User pool name: 4MINDS-bedrock-pool (or your preferred name)
    • Under App client, enter an App client name: 4MINDS-bedrock-client
    • For Client secret, select Generate a client secret (optional — 4MINDS supports both with and without)
    • Under Authentication flows, ensure ALLOW_USER_PASSWORD_AUTH is checked (this is required)
    • Click Next
  8. Review and click Create user pool
  9. Copy the User Pool ID from the overview page — it looks like: us-east-1_aBcDeFgHi
B. Get the App Client Details
  1. In your new User Pool, go to the App integration tab
  2. Scroll down to App clients and analytics
  3. Click on the app client you just created
  4. Copy the Client ID — looks like: 1abc2def3ghi4jkl5mno6pqr
  5. If you generated a client secret, click Show client secret and copy it
C. Create a User in the Pool
  1. In your User Pool, go to the Users tab
  2. Click Create user
  3. For User name, enter: 4MINDS-bedrock-user (or your preferred name)
  4. Enter a Temporary password or set a permanent password
  5. Optionally enter an email address
  6. Click Create user
  7. If you used a temporary password, you’ll need to sign in once to set a permanent password (the user status will show “Force change password” until then)
Note: If the user has a temporary password and status shows “FORCE_CHANGE_PASSWORD”, you need to complete the password change before 4MINDS can authenticate. You can do this via the AWS CLI:
aws cognito-idp admin-set-user-password \
  --user-pool-id us-east-1_aBcDeFgHi \
  --username 4MINDS-bedrock-user \
  --password "YourPermanentPassword123!" \
  --permanent
D. Create a Cognito Identity Pool
The Identity Pool maps authenticated Cognito users to IAM roles.
  1. Go to Amazon Cognito → Identity pools (or Federated Identities in older console)
  2. Click Create identity pool
  3. Under User access, select Authenticated access
  4. Under Authenticated identity sources, select Amazon Cognito user pool
  5. Click Next
  6. Under Configure permissions:
    • Select Create a new IAM role
    • Enter a role name: 4MINDS-bedrock-cognito-role
    • Click Next
  7. Under Connect identity providers:
    • For User Pool ID, enter the User Pool ID from step A.9
    • For App Client ID, enter the Client ID from step B.4
    • Click Next
  8. Enter an Identity pool name: 4MINDS-bedrock-identity-pool
  9. Review and click Create identity pool
  10. Copy the Identity Pool ID — it looks like: us-east-1:12345678-abcd-1234-efgh-123456789012
E. Attach Bedrock Permissions to the Cognito Authenticated Role
  1. Go to IAM → Roles
  2. Search for the role created in step D.6 (e.g., 4MINDS-bedrock-cognito-role)
  3. Click on the role
  4. Click Add permissions → Attach policies
  5. Search for the 4MINDS-Bedrock-Access policy you created earlier
  6. Check the box and click Add permissions

Gather Your Cognito Details

Before connecting in 4MINDS, make sure you have all of these values:
| Field | Where to find it | Example |
| --- | --- | --- |
| User Pool ID | Cognito → User Pools → select your pool → Overview | us-east-1_aBcDeFgHi |
| App Client ID | Cognito → User Pools → App integration → App clients | 1abc2def3ghi4jkl5mno6pqr |
| App Client Secret | Same as above (only if you generated one) | abcdef123456... |
| Identity Pool ID | Cognito → Identity Pools → select your pool | us-east-1:12345678-abcd-1234-efgh-123456789012 |
| Username | The Cognito user you created in step C | 4MINDS-bedrock-user |
| Password | The permanent password for that user | |

Connect in 4MINDS

  1. In 4MINDS, go to Integrations → Amazon Bedrock → Settings
  2. Select the Cognito tab
  3. Fill in all the fields from the table above
  4. If your app client has a secret, toggle on the App Client Secret option and enter it
  5. Enter your AWS Region (e.g., us-east-1 — must match the region of your User Pool and Identity Pool)
  6. Click Test Connection to verify, then Save Credentials

Testing Your Connection

After entering your credentials via any method:
  1. Click Test Connection — this validates your credentials and checks permissions
  2. On success, you’ll see a message like: “Connection successful! Found X foundation model(s) and Y custom model(s).”
  3. Click Save Credentials to persist the connection
If the test fails, check:
  • “Invalid Access Key ID” — Double-check the access key
  • “Invalid Secret Access Key” — The secret may have been copied incorrectly
  • “Access Denied” — The IAM policy is missing or not attached to the correct identity
  • “Unrecognized client” — Wrong region, or Bedrock isn’t enabled in that region

After Connecting: Adding Models

Once connected:
  1. Go to Integrations → Amazon Bedrock
  2. Browse the list of available foundation models — all supported models will be listed automatically
  3. Click to register models you want to use in your 4MINDS workspace
  4. Registered models will appear in your model selector for conversations

Supported AWS Regions

Amazon Bedrock is available in select regions. Common options:
  • us-east-1 (N. Virginia)
  • us-east-2 (Ohio)
  • us-west-2 (Oregon)
  • eu-west-1 (Ireland)
  • eu-central-1 (Frankfurt)
  • ap-southeast-1 (Singapore)
  • ap-northeast-1 (Tokyo)
Check the AWS Regional Services List for the most current availability.

Troubleshooting

| Issue | Solution |
| --- | --- |
| “No models found” | Verify the region is correct and that your IAM policy includes bedrock:ListFoundationModels |
| Connection times out | Verify the region is correct and Bedrock is enabled there |
| “Access Denied” after connecting | Attach the IAM policy to the correct user/role — check for typos in the policy |
| Cognito auth challenge | Your Cognito user may need to complete a password change or MFA setup first |
| Role federation fails | Verify the OIDC provider URL is exactly https://app.4MINDS.ai with audience sts.amazonaws.com |

Disconnecting

To remove your Bedrock connection:
  1. Go to Settings → Integrations → Amazon Bedrock
  2. Click Disconnect
This removes your stored credentials from 4MINDS. Your AWS resources (IAM roles, users, policies) are not affected — clean those up in the AWS Console if no longer needed.