Skip to main content
Bring Your Own Key (BYOK) allows Advanced and Enterprise plan users to use their own AWS Bedrock credentials for LLM operations. This enables unlimited usage without consuming platform credits, provides cost control through your own AWS billing, and supports data residency requirements.

Benefits

  • Unlimited Usage - No credit restrictions when using your own credentials
  • Cost Control - Charges appear on your AWS bill, giving you full visibility and control
  • Data Residency - Route requests through specific AWS regions (US, EU, APAC) for compliance
  • Automatic Model Selection - System automatically chooses optimal models
  • Seamless Fallback - Automatically falls back to platform credentials if your credentials fail

Prerequisites

  • Advanced or Enterprise subscription plan - BYOK is only available for Advanced and Enterprise tier users
  • AWS account with Amazon Bedrock access enabled
  • IAM credentials with Bedrock permissions (access key ID and secret access key)
  • Model access - Both Claude Sonnet 4.5 and Opus 4.5 models must be enabled in your AWS account

Supported Providers

AWS IAM Credentials

Use your AWS IAM user or role credentials to authenticate with Amazon Bedrock.Required Credentials:
  • Access Key ID
  • Secret Access Key
  • Session Token (optional, for temporary credentials)
Benefits:
  • Works with existing IAM users and roles
  • Supports temporary credentials via AWS STS
  • Automatic token refresh for session tokens
  • Full integration with AWS security policies
Long-term credentials (AKIA prefix) enable automatic session token refresh. Temporary credentials (ASIA prefix) cannot be automatically refreshed.

AWS Bedrock Model Access

Before configuring BYOK, you must request access to Claude models in your AWS account. While AWS has simplified access for many serverless models (granted automatically upon first invocation), Claude models still require manual approval via a use case form. For more information, refer to the AWS Bedrock Model Access documentation.

Request Access to Claude Models

1

Open Amazon Bedrock Console

Log in to AWS Console and navigate to Amazon Bedrock
2

Navigate to Model Access

In the left navigation pane, click Model access
3

Modify Model Access

Click Modify model access button
4

Select Claude Models

Enable access to both:
  • Claude Sonnet 4.5 (anthropic.claude-sonnet-4-5-20250929-v1:0)
  • Claude Opus 4.5 (anthropic.claude-opus-4-5-20251101-v1:0)
5

Submit Use Case Details

Click Submit use case details and complete the form with:
  • Your use case description
  • Expected usage patterns
  • Compliance requirements (if applicable)
6

Wait for Approval

Access is typically granted immediately upon successful submission. You’ll receive confirmation when access is enabled.
Important: You must request access to both Sonnet 4.5 and Opus 4.5 models. CloudThinker automatically selects the appropriate model based on task requirements.

IAM Credentials Setup

Your AWS IAM user must have permissions to invoke Bedrock models. Follow these steps to create an IAM user with the required permissions using AWS CLI.

Step 1: Create IAM User

aws iam create-user --user-name bedrock-byok-user

Step 2: Create Policy File

cat > bedrock-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:*::foundation-model/anthropic.claude-opus-4-5-20251101-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/global.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/global.anthropic.claude-opus-4-5-20251101-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-opus-4-5-20251101-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/eu.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/eu.anthropic.claude-opus-4-5-20251101-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/apac.anthropic.claude-sonnet-4-5-20250929-v1:0",
        "arn:aws:bedrock:*:*:inference-profile/apac.anthropic.claude-opus-4-5-20251101-v1:0"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["sts:GetSessionToken"],
      "Resource": "*"
    }
  ]
}
EOF

Step 3: Attach Policy to User

aws iam put-user-policy \
  --user-name bedrock-byok-user \
  --policy-name BedrockInvokePolicy \
  --policy-document file://bedrock-policy.json

Step 4: Create Access Keys

aws iam create-access-key --user-name bedrock-byok-user
Save the AccessKeyId and SecretAccessKey from the output - you’ll need these for CloudThinker.

Step 5: Verify Credentials

Configure a local profile to test the credentials: 
aws configure --profile bedrock-byok-user
Enter the access key ID and secret access key when prompted. Then verify: 
aws sts get-caller-identity --profile bedrock-byok-user
These commands require an AWS profile with IAM administrative permissions (iam:CreateUser, iam:PutUserPolicy, iam:CreateAccessKey). Alternatively, you can create the IAM user via the AWS Console.

Setup in CloudThinker

Once you have AWS Bedrock model access and IAM credentials configured, set up BYOK in CloudThinker:
1

Navigate to BYOK Settings

Go to SettingsBYOK Settings (or navigate to /byok-settings in the app)
2

Select AWS Bedrock

Choose AWS Bedrock as your provider
3

Enter Credentials

Provide your AWS credentials:
  • Access Key ID - Your AWS access key (AKIA or ASIA prefix)
  • Secret Access Key - Your AWS secret key
  • Session Token (optional) - Required only for temporary credentials
4

Select Inference Profile

Choose an inference profile:
  • Global - Routes to any commercial AWS region
  • US - Routes within US regions only
  • EU - Routes within EU regions only (data residency)
  • APAC - Routes within APAC regions only
5

Test Connection

Click Test Connection to verify:
  • Credentials are valid
  • Both Sonnet 4.5 and Opus 4.5 models are accessible
  • Permissions are correctly configured
6

Save Configuration

After successful test, click Save to store your BYOK configuration
Credentials are encrypted and stored securely. They are never exposed in API responses or logs. Only Advanced and Enterprise plan users can configure BYOK.

Inference Profiles

Bedrock inference profiles control how requests are routed across AWS regions. Choose the profile that best matches your requirements:
ProfilePurpose
GlobalRoutes to any commercial AWS region for maximum throughput
USRoutes within US regions only for US data residency
EURoutes within EU regions only for GDPR compliance
APACRoutes within APAC regions only for regional data residency
For supported regions and inference profile details, refer to the AWS Bedrock Supported Regions and Models documentation.

How It Works

Automatic Model Selection

CloudThinker automatically selects the optimal model based on task requirements. You don’t need to manually select models - the system chooses the best option automatically. For more details about the available models, refer to the AWS Bedrock Supported Foundation Models documentation.

Workspace Owner Inheritance

When a workspace owner configures BYOK, all workspace members automatically inherit access to those credentials. This means:
  • Workspace owner configures BYOK once
  • All members can use BYOK without individual configuration
  • Credentials are managed centrally by the workspace owner
  • Members’ LLM usage routes through the owner’s AWS account

Fallback Mechanism

If your BYOK credentials fail (due to rate limits, expired tokens, or permission issues), CloudThinker automatically falls back to platform credentials. This ensures:
  • No service interruption
  • Seamless user experience
  • Automatic recovery when credentials are restored

Troubleshooting

  • Verify you’ve submitted the use case form in Bedrock Console
  • Check that both Sonnet 4.5 and Opus 4.5 models are enabled
  • Confirm access was granted (check Model access page in Bedrock Console)
  • Wait a few minutes after form submission for access to propagate
  • Verify your IAM policy includes bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream
  • Check that model ARNs in the policy match the models you’re using
  • Ensure inference profile ARNs are included if using profiles (global, us, eu, apac)
  • Test IAM permissions directly in AWS Console
  • Verify access key ID and secret access key are correct
  • Check that credentials haven’t been rotated or revoked
  • For temporary credentials, ensure session token hasn’t expired
  • Test credentials using AWS CLI: aws sts get-caller-identity
  • Verify both Sonnet 4.5 and Opus 4.5 models are accessible
  • Check IAM permissions include both model ARNs
  • Ensure Bedrock service is enabled in your AWS account
  • Check AWS region selection matches your model access
  • Verify workspace owner has configured BYOK
  • Check that BYOK is enabled (not disabled) in settings
  • Confirm workspace owner’s plan is Advanced or Enterprise
  • Check workspace owner’s credentials are still valid
  • Long-term credentials (AKIA) are automatically refreshed
  • Temporary credentials (ASIA) cannot be refreshed - reconfigure with new credentials
  • Check session_token_expires_at timestamp in configuration
  • Reconfigure if automatic refresh fails