Firebolt interacts with large language models (LLMs) through Amazon Bedrock. To call Bedrock models from SQL, you create a LOCATION object with AWS credentials and then invoke the model using AWS_BEDROCK_AI_QUERY.
If you are new to Bedrock locations, start with the reference for creating a Bedrock location: CREATE LOCATION (Amazon Bedrock) and read about account-level LOCATION objects in LOCATION objects.

Prerequisites

  1. An AWS account with access to Amazon Bedrock in your region.
  2. Model access in Bedrock for the specific model(s) you plan to use.
  3. An AWS IAM role that Firebolt can assume (optionally with an external ID).

Step 1: Create a Bedrock LOCATION with an IAM role

Create a LOCATION once and reuse it wherever you need to call Bedrock models.
  • IAM role ARN
CREATE LOCATION bedrock_role WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
  );
  • IAM role ARN with external ID
CREATE LOCATION bedrock_role_external_id WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
    AWS_ROLE_EXTERNAL_ID = '<external_id>'
  );
For all options and parameters, see CREATE LOCATION (Amazon Bedrock). For non–role-based credentials (access keys or temporary credentials), see Getting started with AI.

Step 2: Allow Firebolt to assume your IAM role (role-based access)

If you authenticate with an IAM role, you must allow Firebolt to assume your role.
  1. In the AWS IAM console, create a role for Bedrock access and attach a policy that permits invoking your target model(s). For example, to allow invoking a specific model:
{
  "Statement": [
    {
      "Sid": "BedrockInvokeModel",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": "arn:aws:bedrock:<region>::foundation-model/anthropic.claude-v2"
    }
  ]
}
Follow the AWS documentation to grant the correct Bedrock permissions for your use case.
  1. Find the principal that Firebolt uses to assume roles in your account:
SELECT trust_policy_role
FROM org_db.information_schema.accounts
WHERE account_name = '<account_name>';
  1. Set the role trust policy to allow Firebolt to assume it:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
If you plan to use an external ID, include it in your CREATE LOCATION statement (see above) and configure your AWS trust policy accordingly.

Step 3: Invoke a Bedrock model from SQL

After you create the location and configure access, call a model using AWS_BEDROCK_AI_QUERY and pass the location name. 
SELECT AWS_BEDROCK_AI_QUERY(
  'amazon.nova-micro-v1:0',
  $${"schemaVersion":"messages-v1","messages":[{"role":"user","content":[{"text":"Hello"}]}]}$$,
  'bedrock_role'
) AS result;
For details on inputs and responses, see AWS_BEDROCK_AI_QUERY.