LOCATION object with AWS credentials and then invoke the model using AWS_BEDROCK_AI_QUERY.
If you are new to Bedrock locations, start with the reference for creating a Bedrock location: CREATE LOCATION (Amazon Bedrock) and read about account-level
LOCATION objects in LOCATION objects.Prerequisites
- An AWS account with access to Amazon Bedrock in your region.
- Model access in Bedrock for the specific model(s) you plan to use.
- An AWS IAM role that Firebolt can assume (optionally with an external ID).
Step 1: Create a Bedrock LOCATION with an IAM role
Create aLOCATION once and reuse it wherever you need to call Bedrock models.
- IAM role ARN with external ID (recommended)
For role-based AWS access you can additionally set an external ID. An external ID is a value you choose and control that AWS checks when Firebolt assumes your role, adding a second condition on top of your account’s unique IAM principal. Configuring one is a recommended best practice. See IAM roles.
- IAM role ARN only
Step 2: Allow Firebolt to assume your IAM role (role-based access)
If you authenticate with an IAM role, you must allow Firebolt to assume your role.- In the AWS IAM console, create a role for Bedrock access and attach a policy that permits invoking your target model(s). For example, to allow invoking a specific model:
- Find the principal that Firebolt uses to assume roles in your account:
- Set the role trust policy to allow Firebolt to assume it. Use the variant that matches how you created the location. The
<trust_policy_role>principal is unique to your account, so only your account can assume the role. For background on why this matters, see IAM roles.
- With external ID (recommended)
AWS_ROLE_EXTERNAL_ID in your CREATE LOCATION statement, add a Condition that requires the same external ID. Firebolt then passes this value when it assumes the role, and the policy denies any assume call without it.
For role-based AWS access you can additionally set an external ID. An external ID is a value you choose and control that AWS checks when Firebolt assumes your role, adding a second condition on top of your account’s unique IAM principal. Configuring one is a recommended best practice. See IAM roles.
- Without external ID
Step 3: Invoke a Bedrock model from SQL
After you create the location and configure access, call a model usingAWS_BEDROCK_AI_QUERY and pass the location name.
AWS_BEDROCK_AI_QUERY.