> Learn how to use AWS IAM roles to allow Firebolt to invoke Bedrock models in your AWS account.

# Use AWS roles to access Bedrock

Firebolt interacts with large language models (LLMs) through Amazon Bedrock. To call Bedrock models from SQL, you create a `LOCATION` object with AWS credentials and then invoke the model using `AWS_BEDROCK_AI_QUERY`.

<Note>
  If you are new to Bedrock locations, start with the reference for creating a Bedrock location: [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock) and read about account-level `LOCATION` objects in [LOCATION objects](/security/guides/location).
</Note>

## Prerequisites

1. An AWS account with access to Amazon Bedrock in your region.
2. Model access in Bedrock for the specific model(s) you plan to use.
3. An AWS IAM role that Firebolt can assume (optionally with an external ID).

## Step 1: Create a Bedrock LOCATION with an IAM role

Create a `LOCATION` once and reuse it wherever you need to call Bedrock models.

* **IAM role ARN with external ID (recommended)**

```sql
CREATE LOCATION bedrock_role_external_id WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
    AWS_ROLE_EXTERNAL_ID = '<external_id>'
  );
```

<Note>
  For role-based AWS access you can additionally set an external ID. An external ID is a value you choose and control that AWS checks when Firebolt assumes your role, adding a second condition on top of your account's unique IAM principal. Configuring one is a recommended best practice. See [IAM roles](/security#iam-roles).
</Note>

* **IAM role ARN only**

```sql
CREATE LOCATION bedrock_role WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
  );
```

For all options and parameters, see [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock). For non-role-based credentials (access keys or temporary credentials), see [Getting started with AI](/guides/ai/getting-started-with-ai).

## Step 2: Allow Firebolt to assume your IAM role (role-based access)

If you authenticate with an IAM role, you must allow Firebolt to assume your role.

1. In the AWS IAM console, create a role for Bedrock access and attach a policy that permits invoking your target model(s). Scope `Resource` to the model(s) you intend to call rather than a wildcard; it must cover the model ID you later pass to `AWS_BEDROCK_AI_QUERY`. For example, to allow invoking a specific model:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockInvokeModel",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": "arn:aws:bedrock:<region>::foundation-model/anthropic.claude-v2"
    }
  ]
}
```

Follow the [AWS documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html) to grant the correct Bedrock permissions for your use case.

2. Find the principal that Firebolt uses to assume roles in your account:

```sql
SELECT trust_policy_role
FROM org_db.information_schema.accounts
WHERE account_name = '<account_name>';
```

3. Set the role trust policy to allow Firebolt to assume it. Use the variant that matches how you created the location. The `<trust_policy_role>` principal is unique to your account, so only your account can assume the role. For background on why this matters, see [IAM roles](/security#iam-roles).

* **With external ID (recommended)**

If you set `AWS_ROLE_EXTERNAL_ID` in your `CREATE LOCATION` statement, add a `Condition` that requires the same external ID. Firebolt then passes this value when it assumes the role, and any `sts:AssumeRole` call that does not present the same value fails the condition and is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<external_id>"
        }
      }
    }
  ]
}
```

* **Without external ID**

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
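
A trust policy is easy to get subtly wrong, for instance with a wildcard principal or an external ID that differs from the one in `CREATE LOCATION`. The check below is an added example, not Firebolt's or AWS's code: it audits a trust policy document against the principal returned by the `trust_policy_role` query and the external ID you configured. The function names and the `PRINCIPAL` and `EXTERNAL_ID` values are assumptions constructed for illustration.

```python
def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _external_ids(statement):
    """Values required by a StringEquals condition on sts:ExternalId."""
    string_equals = statement.get("Condition", {}).get("StringEquals", {})
    for key, value in string_equals.items():
        if key.lower() == "sts:externalid":  # condition key names are case-insensitive
            return _as_list(value)
    return []

def audit_trust_policy(policy, expected_principal, expected_external_id=None):
    """Return findings for a role trust policy; an empty list means no findings."""
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for s in allows:
        sid = s.get("Sid", "<no Sid>")
        principal = s.get("Principal")
        # Principal is a dict such as {"AWS": ...} or, in the widest case, a bare "*".
        values = principal.values() if isinstance(principal, dict) else [principal]
        findings += [f"{sid}: unexpected principal {p!r}"
                     for v in values for p in _as_list(v) if p != expected_principal]
        ids = _external_ids(s)
        if not ids:
            findings.append(f"{sid}: no StringEquals condition on sts:ExternalId")
        elif expected_external_id is not None and ids != [expected_external_id]:
            findings.append(f"{sid}: external ID does not match the LOCATION")
    return findings

def trust_policy(principal, external_id=None):
    """Build the page's two trust policy variants (constructed sample input)."""
    stmt = {"Sid": "Statement1", "Effect": "Allow",
            "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed placeholder values, not real Firebolt or AWS identifiers.
PRINCIPAL = "arn:aws:iam::111122223333:role/example-trust-policy-role"
EXTERNAL_ID = "example-external-id"

if __name__ == "__main__":
    print(audit_trust_policy(trust_policy(PRINCIPAL, EXTERNAL_ID), PRINCIPAL, EXTERNAL_ID))
    print(audit_trust_policy(trust_policy(PRINCIPAL), PRINCIPAL))
```

To audit a live role, pass the role's `AssumeRolePolicyDocument` (as returned by `aws iam get-role`) in place of the constructed policy.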

## Step 3: Invoke a Bedrock model from SQL

After you create the location and configure access, call a model using `AWS_BEDROCK_AI_QUERY` and pass the location name.

```sql
SELECT AWS_BEDROCK_AI_QUERY(
  'amazon.nova-micro-v1:0',
  $${"schemaVersion":"messages-v1","messages":[{"role":"user","content":[{"text":"Hello"}]}]}$$,
  'bedrock_role'
) AS result;
```

For details on inputs and responses, see [`AWS_BEDROCK_AI_QUERY`](/reference-sql/functions-reference/ai/aws-bedrock-ai-query).

## Related resources

* [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock)
* [LOCATION objects](/security/guides/location)
* [`AWS_BEDROCK_AI_QUERY`](/reference-sql/functions-reference/ai/aws-bedrock-ai-query)
