AWS Bedrock STS setup

AWS Bedrock setup guide

You can connect AWS Bedrock to AI Actions using your own AWS account. This allows AI Actions to discover and invoke Bedrock foundation models using credentials you control.

Authentication methods

When adding the Amazon Bedrock provider, you can choose between two authentication methods:

  • Access keys: uses an AWS access key ID and secret access key.
  • Role delegation (AWS STS): uses short-lived credentials and lets Contentful assume a role in your AWS account.

Role delegation lets Contentful assume an IAM role in your AWS account using AWS Security Token Service (STS). This approach avoids storing long-lived AWS credentials and gives you fine-grained control over permissions.

During setup, Contentful provides a setup guide that includes:

  • AWS account ID that must be trusted
  • External ID
  • IAM policy and role templates

You’ll copy these values into your AWS account when creating the required resources.

Step 1: Create an IAM policy

In your AWS account, go to IAM → Policies and create a new policy.

Paste the following JSON template. This policy allows Contentful to:

  • List available Bedrock models
  • Invoke foundation models and inference profiles

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:foundation-model/*",
        "arn:aws:bedrock:*:*:inference-profile/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:ListFoundationModels",
        "bedrock:ListInferenceProfiles",
        "bedrock:GetFoundationModel",
        "bedrock:GetInferenceProfile"
      ],
      "Resource": "*"
    }
  ]
}

Give the policy a recognizable name (for example, contentful-bedrock-policy).

Step 2: Create an IAM role

Next, create a new IAM role with a custom trust policy.

Important:

Replace the placeholders in the trust policy with the exact values shown in the Contentful setup guide:

  • ${contentfulAwsAccountId}: the “Trusted AWS account ID”
  • ${externalId}: the “External ID”

In the trust policy editor, paste the following JSON: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${contentfulAwsAccountId}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${externalId}"
        }
      }
    }
  ]
}
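
One way to check the trust policy before saving it, as an added example (not Contentful's or AWS's code): the function flags leftover ${...} placeholders, a principal other than the trusted account, and a missing or mismatched sts:ExternalId condition. The function name, account ID and external ID below are constructed for illustration.

```python
import json

def _as_list(value):
    """IAM accepts either a single string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy_json, trusted_account_id, external_id):
    """Return a list of findings; an empty list means the policy matches the template."""
    findings = []
    if "${" in policy_json:
        findings.append("unreplaced ${...} placeholder")
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    allows = [s for s in statements if s.get("Effect") == "Allow"]
    if len(allows) != 1:
        findings.append(f"expected exactly 1 Allow statement, found {len(allows)}")
    expected_principal = f"arn:aws:iam::{trusted_account_id}:root"
    for stmt in allows:
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("Action is not exactly sts:AssumeRole")
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if "*" in arns:
            findings.append("wildcard principal: any AWS account could assume the role")
        elif arns != [expected_principal]:
            findings.append("Principal is not the trusted account from the setup guide")
        # Condition key names are case-insensitive in IAM; only the StringEquals
        # operator used by the template is accepted here.
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        value = {k.lower(): v for k, v in string_equals.items()}.get("sts:externalid")
        if value is None:
            findings.append("missing sts:ExternalId condition")
        elif _as_list(value) != [external_id]:
            findings.append("sts:ExternalId does not match the setup guide value")
    return findings

# Constructed sample values, not real Contentful identifiers.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_EXTERNAL_ID = "example-external-id"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{SAMPLE_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": SAMPLE_EXTERNAL_ID}},
    }],
})

if __name__ == "__main__":
    print(lint_trust_policy(SAMPLE_POLICY, SAMPLE_ACCOUNT_ID, SAMPLE_EXTERNAL_ID) or "OK")
```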

Step 3: Increase role session duration

To allow Contentful to cache credentials and reduce repeated role assumptions:

  1. Open the newly created role in IAM. 
  2. Edit Maximum session duration. 
  3. Increase it to 12 hours. 

This ensures more stable access when invoking and listing models.

Step 4: Complete setup in Contentful

Return to Organization settings → AI → Providers and finish the Bedrock setup.

You’ll need to provide:

  • AWS region where your Bedrock models are available. 
  • IAM role ARN you just created. 
  • AWS account ID (formatted as shown in the setup guide). 

Once submitted:

  • Contentful verifies the credentials. 
  • Available Bedrock models are discovered automatically. 

Models become selectable for AI Actions.