This guide walks you through connecting your AWS account to 4MINDS so you can use Amazon Bedrock foundation models. There are three connection methods available:
  1. IAM Role Federation (recommended) — no credentials stored; temporary STS credentials minted per request
  2. Bedrock API Key — simplest setup, generated directly in the Bedrock console
  3. Amazon Cognito — use if your organization already manages AWS access through Cognito
Methods 1 and 3 share AWS setup with every other 4MINDS AWS integration (S3, SageMaker, Lake Formation). The steps below focus on what’s specific to Bedrock; for the generic role/Cognito setup, see AWS Integrations.

Bedrock IAM Permissions Policy

Whichever IAM-based method you pick (IAM Role Federation or Cognito), you’ll attach this policy to the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFoundationModelAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListFoundationModels",
        "bedrock:GetFoundationModel",
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    },
    {
      "Sid": "BedrockCustomModelAccess",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListCustomModels",
        "bedrock:GetCustomModel"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IdentityVerification",
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
What each permission does:
| Permission | Purpose |
| --- | --- |
| bedrock:ListFoundationModels | Lists available foundation models (Claude, Llama, Mistral, etc.) |
| bedrock:GetFoundationModel | Retrieves details about a specific foundation model |
| bedrock:InvokeModel | Sends prompts and receives responses from models |
| bedrock:InvokeModelWithResponseStream | Enables streaming responses for real-time output |
| bedrock:ListCustomModels | Lists custom fine-tuned models in your account |
| bedrock:GetCustomModel | Retrieves details about a specific custom model |
| sts:GetCallerIdentity | Verifies the connection is authenticated correctly |
Name the policy something memorable like 4MINDS-Bedrock-Access — you’ll reference it when attaching permissions in the role/Cognito setup.

Least-Privilege: Restricting to Specific Models

The policy above uses "Resource": "*" for broad access. To scope to specific regions or models:

Restrict to a single region:
arn:aws:bedrock:us-east-1::foundation-model/*
Restrict to specific models:
"Resource": [
  "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-sonnet-20240229-v1:0",
  "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-haiku-20240307-v1:0",
  "arn:aws:bedrock:us-east-1::foundation-model/meta.llama3-70b-instruct-v1:0"
]
The ARN format is: arn:aws:bedrock:<region>::foundation-model/<model-id>
Note: ListFoundationModels and ListCustomModels still require "Resource": "*". Split these into a separate statement if you scope InvokeModel to specific model ARNs.
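
The split described in the note above, as an added example (not 4MINDS or AWS code): a Python builder that scopes the invoke actions to chosen model ARNs while leaving the List actions on "*", plus a linter for the two mistakes this section is about. The function names, the Sid values, and the choice to leave the Get actions on "*" are assumptions of this example.

```python
import json

# Per the note above, the List actions must stay on "Resource": "*".
LIST_ACTIONS = {"bedrock:ListFoundationModels", "bedrock:ListCustomModels"}
INVOKE_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}
GET_ACTIONS = {"bedrock:GetFoundationModel", "bedrock:GetCustomModel"}  # left broad (assumption)


def as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def build_scoped_policy(region, model_ids):
    """Return the page's policy with invoke rights limited to the given models."""
    arns = [f"arn:aws:bedrock:{region}::foundation-model/{m}" for m in model_ids]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "BedrockDiscovery", "Effect": "Allow",
             "Action": sorted(LIST_ACTIONS | GET_ACTIONS), "Resource": "*"},
            {"Sid": "BedrockInvokeScoped", "Effect": "Allow",
             "Action": sorted(INVOKE_ACTIONS), "Resource": arns},
            {"Sid": "IdentityVerification", "Effect": "Allow",
             "Action": "sts:GetCallerIdentity", "Resource": "*"},
        ],
    }


def lint_policy(policy):
    """Flag List actions scoped to ARNs and invoke actions left on '*'."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(as_list(stmt["Action"]))
        resources = as_list(stmt["Resource"])
        sid = stmt.get("Sid", "<no Sid>")
        if actions & LIST_ACTIONS and resources != ["*"]:
            findings.append(f"{sid}: List actions need Resource '*'; model listing will fail")
        if actions & INVOKE_ACTIONS and "*" in resources:
            findings.append(f"{sid}: invoke actions allowed on every resource")
    return findings


if __name__ == "__main__":
    policy = build_scoped_policy("us-east-1", ["anthropic.claude-3-haiku-20240307-v1:0"])
    print(json.dumps(policy, indent=2))
```

Running the file prints a policy document you can paste into the IAM console; call lint_policy on an existing policy (loaded with json.load) to check it before attaching.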

Connection Methods

Method 1: IAM Role Federation

Follow the full role federation setup in AWS Integrations → IAM Role Federation. Attach the 4MINDS-Bedrock-Access policy (from above) when creating the IAM role. Then, in 4MINDS:
  1. Open Integrations from the main navigation bar and select Amazon Bedrock
  2. Select the IAM Role tab
  3. Paste your IAM Role ARN
  4. Optionally enter an External ID if you configured one in the trust policy
  5. Enter your AWS Region (must match the region where you’ve enabled Bedrock model access)
  6. Click Test Connection, then Save Credentials

Method 2: Bedrock API Key

The simplest setup — generate an API key directly from the Bedrock console. No IAM role or Cognito pool needed.

AWS Setup

  1. Go to AWS Console → Amazon Bedrock
  2. In the left sidebar, click API keys
  3. Choose your key type:
    • Short-term API key (recommended for production) — expires when your console session expires (12 hours). Click Generate short-term API keys
    • Long-term API key — can last longer than 12 hours. Click Long-term API keys, configure expiration, and generate
  4. Copy the API key once generated
Note: Short-term keys require regenerating and updating your 4MINDS connection when they expire. For a set-it-and-forget-it setup, use IAM Role Federation (Method 1).

Connect in 4MINDS

  1. Open Integrations and select Amazon Bedrock
  2. Select the API Key tab
  3. Paste the Bedrock API key
  4. Enter your AWS Region
  5. Click Test Connection, then Save Credentials
Security note: API keys are encrypted at rest. For production environments requiring maximum security, prefer IAM Role Federation (Method 1) — it stores nothing long-lived.

Method 3: Amazon Cognito

Follow the full Cognito setup in AWS Integrations → Amazon Cognito. Attach the 4MINDS-Bedrock-Access policy (from above) to the Cognito authenticated role. Then, in 4MINDS:
  1. Open Integrations and select Amazon Bedrock
  2. Select the Cognito tab
  3. Fill in the Cognito fields (User Pool ID, App Client ID, App Client Secret if used, Identity Pool ID, Username, Password)
  4. Enter your AWS Region (must match your User Pool and Identity Pool region)
  5. Click Test Connection, then Save Credentials

After Connecting: Adding Models

Once connected:
  1. Open Integrations and select Amazon Bedrock
  2. Browse the list of available foundation models — all supported models appear automatically
  3. Click to register models you want to use in your workspace
  4. Registered models appear in your model selector for conversations

Supported AWS Regions

Amazon Bedrock is available in select regions. Common options:
  • us-east-1 (N. Virginia)
  • us-east-2 (Ohio)
  • us-west-2 (Oregon)
  • eu-west-1 (Ireland)
  • eu-central-1 (Frankfurt)
  • ap-southeast-1 (Singapore)
  • ap-northeast-1 (Tokyo)
Check the AWS Regional Services List for current availability.

Troubleshooting

| Issue | Solution |
| --- | --- |
| “No models found” | Verify the region is correct and that your IAM policy includes bedrock:ListFoundationModels |
| Connection times out | Verify the region is correct and Bedrock is enabled there |
| “Access Denied” | Confirm the IAM policy is attached to the correct identity |
| “Unrecognized client” | Wrong region, or Bedrock isn’t enabled in that region |
| API key expired | Generate a new short-term key or use a long-term key / IAM Role Federation |
For method-specific issues (OIDC trust policy, Cognito password states, etc.), see AWS Integrations → Troubleshooting.

Disconnecting

  1. Open Integrations and select Amazon Bedrock
  2. Click Disconnect
This removes stored credentials from 4MINDS. Your AWS resources are not affected.