Skip to main content
Firebolt interacts with large language models (LLMs) through Amazon Bedrock. To call Bedrock models from SQL, you create a LOCATION object with AWS credentials and then invoke the model using AWS_BEDROCK_AI_QUERY.
If you are new to Bedrock locations, start with the reference for creating a Bedrock location: CREATE LOCATION (Amazon Bedrock) and read about account-level LOCATION objects in LOCATION objects.

Prerequisites

  1. An AWS account with access to Amazon Bedrock in your region.
  2. Model access in Bedrock for the specific model(s) you plan to use.
  3. An AWS IAM role that Firebolt can assume (optionally with an external ID).

Step 1: Create a Bedrock LOCATION with an IAM role

Create a LOCATION once and reuse it wherever you need to call Bedrock models.
  • IAM role ARN with external ID (recommended)
CREATE LOCATION bedrock_role_external_id WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
    AWS_ROLE_EXTERNAL_ID = '<external_id>'
  );
For role-based AWS access you can additionally set an external ID. An external ID is a value you choose and control that AWS checks when Firebolt assumes your role, adding a second condition on top of your account’s unique IAM principal. Configuring one is a recommended best practice. See IAM roles.
  • IAM role ARN only
CREATE LOCATION bedrock_role WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
  );
For all options and parameters, see CREATE LOCATION (Amazon Bedrock). For non-role-based credentials (access keys or temporary credentials), see Getting started with AI.

Step 2: Allow Firebolt to assume your IAM role (role-based access)

If you authenticate with an IAM role, you must allow Firebolt to assume your role.
  1. In the AWS IAM console, create a role for Bedrock access and attach a policy that permits invoking your target model(s). For example, to allow invoking a specific model:
{
  "Statement": [
    {
      "Sid": "BedrockInvokeModel",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": "arn:aws:bedrock:<region>::foundation-model/anthropic.claude-v2"
    }
  ]
}
Follow the AWS documentation to grant the correct Bedrock permissions for your use case.
  1. Find the principal that Firebolt uses to assume roles in your account:
SELECT trust_policy_role
FROM org_db.information_schema.accounts
WHERE account_name = '<account_name>';
  1. Set the role trust policy to allow Firebolt to assume it. Use the variant that matches how you created the location. The <trust_policy_role> principal is unique to your account, so only your account can assume the role. For background on why this matters, see IAM roles.
  • With external ID (recommended)
If you set AWS_ROLE_EXTERNAL_ID in your CREATE LOCATION statement, add a Condition that requires the same external ID. Firebolt then passes this value when it assumes the role, and the policy denies any assume call without it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external_id>"
        }
      }
    }
  ]
}
For role-based AWS access you can additionally set an external ID. An external ID is a value you choose and control that AWS checks when Firebolt assumes your role, adding a second condition on top of your account’s unique IAM principal. Configuring one is a recommended best practice. See IAM roles.
  • Without external ID
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Step 3: Invoke a Bedrock model from SQL

After you create the location and configure access, call a model using AWS_BEDROCK_AI_QUERY and pass the location name.
SELECT AWS_BEDROCK_AI_QUERY(
  'amazon.nova-micro-v1:0',
  $${"schemaVersion":"messages-v1","messages":[{"role":"user","content":[{"text":"Hello"}]}]}$$,
  'bedrock_role'
) AS result;
For details on inputs and responses, see AWS_BEDROCK_AI_QUERY.