AWS Bedrock

Amazon Bedrock serves Anthropic's Claude models alongside Meta Llama and Amazon Nova on AWS. Connecting it behind NetBird gives your agents keyless access over the tunnel: NetBird holds the Bedrock API key server-side, ties every request to a real identity from your IdP, and applies your policies, limits, and audit on the way to Bedrock.

Bedrock authenticates with a Bedrock API key — a long-term key you generate in AWS that NetBird injects as a bearer token on every request. You create the key once, hand it to NetBird, and it stays server-side.

Prerequisites

  • An AWS account with Amazon Bedrock available in your target region.
  • Model access granted for the models you plan to use (Amazon Bedrock console → Model access), per region.
  • Permission to generate a Bedrock API key.

Generate a Bedrock API Key

In the AWS console, open Amazon Bedrock → API keys and generate a long-term API key. See Bedrock API keys for details.

Connect the Provider

  1. Go to Agent Network → Providers and click Connect Provider.
  2. Select AWS Bedrock. Set the Upstream URL to your region's Bedrock runtime host — for example https://bedrock-runtime.us-east-1.amazonaws.com. Bedrock is region-specific, so the host must include the region you enabled model access in.
  3. Paste the Bedrock API key. NetBird stores it encrypted server-side, injects it as Authorization: Bearer … on each request, and never returns it to callers.
  4. (Optional) Restrict the allowed models — for example anthropic.claude-opus-4-8, anthropic.claude-sonnet-4-6, meta.llama3-3-70b-instruct, or amazon.nova-pro. Leaving the list empty allows any catalog model.
  5. Save the provider. The key is now held server-side — the next step authorizes who can use it.

See Providers for details.

Create a Policy

By default nothing is allowed — a policy must connect a source group to the Bedrock provider before anyone can route through it.

  1. Go to Agent Network → Policies and add a policy.
  2. Set the Source to the users or agents who should be able to reach Bedrock (for example your Engineering group from your IdP).
  3. Set the Provider to the AWS Bedrock provider you just connected.
  4. Optionally attach per-user or per-group token and budget limits and guardrails such as a model allowlist.

See Policies for details.

Use Claude Code with AWS Bedrock

If you run Claude Code with its Bedrock backend instead of the Anthropic API, point it at your agent network endpoint. NetBird holds the Bedrock API key server-side and injects it, so Claude Code skips AWS authentication entirely — the client stays keyless.

First connect an AWS Bedrock provider in NetBird (steps above). Then add the following to ~/.claude/settings.json:

{
  "env": {
    "ANTHROPIC_MODEL": "eu.anthropic.claude-sonnet-4-5-20250929-v1:0",
    "ANTHROPIC_BEDROCK_BASE_URL": "https://<your-endpoint>/bedrock",
    "CLAUDE_CODE_USE_BEDROCK": "1",
    "CLAUDE_CODE_SKIP_BEDROCK_AUTH": "1"
  }
}

  • CLAUDE_CODE_USE_BEDROCK=1 routes Claude Code through the Bedrock backend.
  • CLAUDE_CODE_SKIP_BEDROCK_AUTH=1 skips AWS auth on the client — NetBird injects the Bedrock API key server-side.
  • ANTHROPIC_BEDROCK_BASE_URL is your agent network endpoint with the /bedrock suffix (the optional gateway-namespace prefix that disambiguates Bedrock from other providers).
  • ANTHROPIC_MODEL is the full Bedrock model ID including the region prefix (e.g. eu.anthropic.claude-sonnet-4-5-20250929-v1:0). Some models may not be available in all regions — if the model above doesn't work, switch to one in your provider's allowed list, or change it in Claude Code with /model <model-id>.
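
A way to check that a client configuration matches the keyless setup described above. This is an added example, not NetBird or Claude Code tooling. The host agents.example.internal, the sample documents, and the three-segment test for a region prefix are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# AWS credential variables that should be absent from a keyless client config.
AWS_SECRET_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY",
                   "AWS_SESSION_TOKEN", "AWS_BEARER_TOKEN_BEDROCK"}

def audit_settings(text):
    """Return findings for the "env" block of a Claude Code settings.json."""
    env = json.loads(text).get("env", {})
    findings = []
    for flag in ("CLAUDE_CODE_USE_BEDROCK", "CLAUDE_CODE_SKIP_BEDROCK_AUTH"):
        if env.get(flag) != "1":
            findings.append(f"{flag} is not set to 1")
    raw = env.get("ANTHROPIC_BEDROCK_BASE_URL", "")
    url = urlparse(raw)
    if "<" in raw or not url.hostname:
        findings.append("base URL is missing or still a placeholder")
    if url.scheme != "https":
        findings.append("base URL does not use https")
    if not url.path.rstrip("/").endswith("/bedrock"):
        findings.append("base URL lacks the /bedrock suffix")
    if (url.hostname or "").endswith(".amazonaws.com"):
        findings.append("base URL targets AWS directly, bypassing NetBird")
    # Heuristic (assumption): a region-prefixed ID has >= 3 dot-separated parts.
    if len(env.get("ANTHROPIC_MODEL", "").split(".")) < 3:
        findings.append("model ID has no region prefix")
    for name in sorted(AWS_SECRET_VARS & env.keys()):
        findings.append(f"{name} present: client is no longer keyless")
    return findings

# Constructed sample: the page's settings with a made-up endpoint host.
GOOD = json.dumps({"env": {
    "ANTHROPIC_MODEL": "eu.anthropic.claude-sonnet-4-5-20250929-v1:0",
    "ANTHROPIC_BEDROCK_BASE_URL": "https://agents.example.internal/bedrock",
    "CLAUDE_CODE_USE_BEDROCK": "1",
    "CLAUDE_CODE_SKIP_BEDROCK_AUTH": "1"}})

# Constructed sample: direct-to-AWS URL, missing flag, key left on the client.
BAD = json.dumps({"env": {
    "ANTHROPIC_MODEL": "anthropic.claude-sonnet-4-6",
    "ANTHROPIC_BEDROCK_BASE_URL": "http://bedrock-runtime.us-east-1.amazonaws.com",
    "CLAUDE_CODE_USE_BEDROCK": "1",
    "AWS_BEARER_TOKEN_BEDROCK": "constructed-not-a-real-key"}})

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, audit_settings(sample))
```

To audit a real client, pass the contents of ~/.claude/settings.json to audit_settings.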