> ## Documentation Index
> Fetch the complete documentation index at: https://docs.firebolt.io/llms.txt
> Use this file to discover all available pages before exploring further.

> Learn how to use AWS IAM roles to allow Firebolt to invoke Bedrock models in your AWS account.

# Use AWS roles to access Bedrock

Firebolt interacts with large language models (LLMs) through Amazon Bedrock. To call Bedrock models from SQL, you create a `LOCATION` object with AWS credentials and then invoke the model using `AWS_BEDROCK_AI_QUERY`.

<Note>
  If you are new to Bedrock locations, start with the reference for creating a Bedrock location: [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock) and read about account-level `LOCATION` objects in [LOCATION objects](/guides/security/location).
</Note>

## Prerequisites

1. An AWS account with access to Amazon Bedrock in your region.
2. Model access in Bedrock for the specific model(s) you plan to use.
3. An AWS IAM role that Firebolt can assume (optionally with an external ID).

## Step 1: Create a Bedrock LOCATION with an IAM role

Create a `LOCATION` once and reuse it wherever you need to call Bedrock models.

* **IAM role ARN**

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION bedrock_role WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
  );
```

* **IAM role ARN with external ID**

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
CREATE LOCATION bedrock_role_external_id WITH
  SOURCE = AMAZON_BEDROCK
  CREDENTIALS = (
    AWS_ROLE_ARN = 'arn:aws:iam::123456789012:role/BedrockAccess'
    AWS_ROLE_EXTERNAL_ID = '<external_id>'
  );
```

For all options and parameters, see [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock). For non–role-based credentials (access keys or temporary credentials), see [Getting started with AI](/guides/ai/getting-started-with-ai).

## Step 2: Allow Firebolt to assume your IAM role (role-based access)

If you authenticate with an IAM role, you must allow Firebolt to assume your role.

1. In the AWS IAM console, create a role for Bedrock access and attach a policy that permits invoking your target model(s). For example, to allow invoking a specific model:

```json theme={"theme":{"light":"github-light","dark":"github-dark"}}
{
  "Statement": [
    {
      "Sid": "BedrockInvokeModel",
      "Effect": "Allow",
      "Action": "bedrock:InvokeModel",
      "Resource": "arn:aws:bedrock:<region>::foundation-model/anthropic.claude-v2"
    }
  ]
}
```

Follow the [AWS documentation](https://docs.aws.amazon.com/bedrock/latest/userguide/security-iam.html) to grant the correct Bedrock permissions for your use case.

2. Find the principal that Firebolt uses to assume roles in your account:

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
SELECT trust_policy_role
FROM org_db.information_schema.accounts
WHERE account_name = '<account_name>';
```

3. Set the role trust policy to allow Firebolt to assume it:

```json theme={"theme":{"light":"github-light","dark":"github-dark"}}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "<trust_policy_role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

If you plan to use an external ID, include it in your `CREATE LOCATION` statement (see above) and configure your AWS trust policy accordingly.

## Step 3: Invoke a Bedrock model from SQL

After you create the location and configure access, call a model using `AWS_BEDROCK_AI_QUERY` and pass the location name.

```sql theme={"theme":{"light":"github-light","dark":"github-dark"}}
SELECT AWS_BEDROCK_AI_QUERY(
  'amazon.nova-micro-v1:0',
  $${"schemaVersion":"messages-v1","messages":[{"role":"user","content":[{"text":"Hello"}]}]}$$,
  'bedrock_role'
) AS result;
```

For details on inputs and responses, see [`AWS_BEDROCK_AI_QUERY`](/reference-sql/functions-reference/ai/aws-bedrock-ai-query).

## Related resources

* [CREATE LOCATION (Amazon Bedrock)](/reference-sql/commands/data-definition/create-location-bedrock)
* [LOCATION objects](/guides/security/location)
* [`AWS_BEDROCK_AI_QUERY`](/reference-sql/functions-reference/ai/aws-bedrock-ai-query)