A comprehensive guide for developers to set up AWS credentials for Amazon Bedrock with Claude 3.7 Sonnet model access.
- Prerequisites
- Environment Setup
- Option 1 - Accessing Amazon Bedrock Without Root-User Privileges
- Option 2 - Accessing Amazon Bedrock with Root-User Privileges
- Integration with Project
Before beginning this setup process, ensure you have:
- AWS Account: Active AWS account with administrative privileges
- Console Access: Ability to log into AWS Management Console
- Permissions: Authority to create IAM users, policies, and access keys
The Okta Cross App Access MCP demo will need these environment variables:
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=<your-access-key>
AWS_SECRET_ACCESS_KEY=<your-secret-key>
Important: This guide uses us-east-1 (US East - N. Virginia) as it has the broadest Amazon Bedrock model availability, including Claude Opus.
If you are an IAM user in a shared AWS account (not the root user), you can still work with Amazon Bedrock once an administrator grants you the necessary permissions and model access. This section outlines both what to request from an admin and how to proceed after approval.
Share this checklist with your AWS admin:
- Attach a Bedrock policy to your IAM user, group, or role:
  - AmazonBedrockFullAccess – full console & API access (development use).
  - AmazonBedrockReadOnlyAccess – console view only, no model invocations.
  - AmazonBedrockLimitedAccess – restricted scope for specific API keys and Marketplace subscriptions.
- Model Access Approval:
  - In the Bedrock console, the admin must grant your user or role model access to the Claude 3.7 Sonnet model under Bedrock → Model access.
- (Optional) Role-based Access:
  - For security, the admin can create a dedicated IAM role with Bedrock permissions, and let you assume that role when needed.
- API Key Creation Rights (if you'll need long-term Bedrock API keys):
  - Admin must allow iam:CreateServiceSpecificCredential so you can generate Bedrock-specific credentials.
Once your admin has granted access:
- Sign in to the AWS Console as an IAM user.
- If you have a dedicated Bedrock role, go to Account menu → Switch role, enter the role ARN, and switch.
- Ensure the region is set to US East (N. Virginia) – us-east-1.
- Search for Amazon Bedrock in the console search bar and open it.
- If you still see a “Sign-up” or “Request access” prompt, your model access hasn’t been approved—ask your admin to complete that step.
Option 1 – Temporary Credentials via STS (recommended)
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/BedrockAccessRole \
--role-session-name bedrock-dev
# Use AccessKeyId, SecretAccessKey, and SessionToken from the output
Option 2 – Long-term Bedrock API Key
- In IAM Console → Security credentials (for your IAM user), choose Create Bedrock API key.
- Save the key ID and secret securely.
Set environment variables locally:
export AWS_REGION=us-east-1
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=... # if using STS
# List models
aws bedrock list-foundation-models --region us-east-1
# Check if Claude Opus/Sonnet is visible
aws bedrock list-foundation-models \
--region us-east-1 \
--query "modelSummaries[?contains(modelId,'claude-3-opus')]"
If both commands return results, you're ready to integrate Bedrock into your app.
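The assume-role step and the export step above can be joined without copying secrets by hand. The following is an added example, not part of the original guide; the function name `sts_to_exports` and the sample line are constructed, and it assumes the command is run with the `--query`/`--output text` options shown in the comment.

```shell
# Added example: turn STS assume-role output into the exports used above.
# Expected stdin is the single tab-separated line printed by:
#   aws sts assume-role --role-arn <role-arn> --role-session-name bedrock-dev \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text
# Typical use:  eval "$(aws sts assume-role ... | sts_to_exports)"

# Constructed sample line (not real credentials), same field order as above.
SAMPLE_STS_LINE=$(printf 'ASIAEXAMPLEEXAMPLE00\tconstructedSecret/Key+Value\tconstructedSessionToken==\t2030-01-01T00:00:00+00:00')

sts_to_exports() {
  tab=$(printf '\t')
  # Split on tabs only; tolerate a missing trailing newline.
  IFS=$tab read -r key secret token expiry || true

  # Temporary STS key IDs start with ASIA; long-term IAM user keys start with AKIA.
  case "$key" in
    ASIA*) ;;
    *) echo "sts_to_exports: expected a temporary (ASIA...) access key ID" >&2
       return 1 ;;
  esac

  # All three values are required for temporary credentials to work.
  if [ -z "$secret" ] || [ -z "$token" ]; then
    echo "sts_to_exports: secret key or session token missing" >&2
    return 1
  fi

  # The values are emitted inside single quotes, so refuse any embedded quote.
  case "$key$secret$token" in
    *\'*) echo "sts_to_exports: unexpected quote character in input" >&2
          return 1 ;;
  esac

  printf "export AWS_REGION='us-east-1'\n"
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  # Shell comment only; a reminder of when the session stops working.
  printf "# expires: %s\n" "$expiry"
}
```

Because the credentials expire, re-run the pipeline when Bedrock calls start failing with an expired-token error rather than falling back to a long-term key.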
- Navigate to AWS Console
URL: https://aws.amazon.com
- Sign In Process
- Click "Sign In to Console"
- Now click "Sign in using root user email"
- Select "Root user" or "IAM user" based on your account type
- Enter your email address and password
- Complete MFA authentication (if enabled)
- Verify Console Access
- Confirm you can see the AWS Management Console dashboard
- Check the region selector in the top-right corner
- Switch to US East (N. Virginia) us-east-1 if not already selected
- Service Navigation
- Use the search bar at the top of AWS Console
- Type: Bedrock
- Click "Amazon Bedrock" from the dropdown results
- Initial Setup Check
- If first-time access, you may see a welcome/onboarding screen
- Click "Get Started" if prompted
- Review the service overview and pricing information
- Navigate to Model Access
Amazon Bedrock Console → Model access (left sidebar)
- Locate Claude Opus
- Find "Anthropic Claude 3.7 Sonnet" in the available models list
- Note the current access status
- Request Access Process
Status: "Available to request" → Click "Request model access"
- Complete Access Request Form
- Use Case Description: Provide a clear description of your intended use
- Example: "Development of AI-powered application using Claude Opus for natural language processing and content generation"
- Submit the request
- Wait for Approval
- Approval typically takes: 5 minutes to 2 hours
- Status will change to: "Access granted"
- You'll receive an email notification when approved
- Access IAM Console
AWS Console → Search "IAM" → Identity and Access Management
- User Management
IAM Dashboard → Users (left sidebar) → Create user
- User Details
Username: bedrock-developer-[project-name]
Example: bedrock-developer-caa-mcp-demo
- Note: Since this user is for programmatic access only, do not check "Provide user access to the AWS Management Console - optional"
- Click "Next" to continue to permissions configuration
Choose the appropriate permission level based on your needs:
Policy: AmazonBedrockFullAccess
Policy: AmazonBedrockReadOnlyAccess
- Permission Assignment Method
- Select: "Attach policies directly"
- Policy Search and Selection
Search: "bedrock"
Select: ☑ AmazonBedrockFullAccess
- Click "Next" to review
- Verify the username and attached policies, and review the permissions summary (if added)
- Click "Create user"
- Note the success message
- User "bedrock-developer-caa-mcp-demo" should appear in the Users list.
- Navigate to User Details:
IAM → Users → [Your created username] bedrock-developer-caa-mcp-demo
- Security Credentials Tab
User Details Page → Security credentials tab
- Initialize Key Creation
Access keys section → Create access key
- Use Case Selection
Select: "Application running outside AWS"
☑ Confirmation checkbox
- Add Description
Description tag value: "Bedrock API access for [project-name]"
Example: "Bedrock API access for caa-mcp-demo"
Critical: This is your only opportunity to view the secret access key!
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=AKIA[16-character-string]
AWS_SECRET_ACCESS_KEY=[40-character-secret-string]
Notes:
- Copy both values to a secure location
- Store in your password manager
- Never commit these to version control
- Never share in plain text communication
Now that your AWS credentials for Bedrock have been successfully generated, integrate them into your project:
- Navigate to Project Directory: Open your terminal or command prompt and go to the okta-cross-app-access-mcp-node-example project folder.
- Locate .env File: Find the .env file within the packages/agent0/ directory.
- Paste Credentials: Open the .env file and paste the AWS_REGION, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY values you obtained in the previous step. Ensure they are in the following format:
AWS_REGION=us-east-1
AWS_ACCESS_KEY_ID=<your-access-key>
AWS_SECRET_ACCESS_KEY=<your-secret-key>
Important: Replace <your-access-key> and <your-secret-key> with your actual generated credentials.
- Save the File: Save the .env file after adding the credentials.
You have now successfully configured your AWS Bedrock credentials within your project, allowing your application to interact with the Claude 3.7 Sonnet model.
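A quick check of the finished .env file against the notes above (placeholders replaced, key shapes as shown, not readable by other users, no key IDs elsewhere in the tree). This is an added example, not part of the original guide or the demo project; the function names `check_env_file` and `keys_outside_env` are hypothetical.

```shell
# Added example: sanity checks for packages/agent0/.env and the project tree.

# check_env_file PATH -> 0 when the file passes every check, 1 otherwise.
check_env_file() {
  f=$1
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  rc=0

  # The <your-access-key>/<your-secret-key> placeholders must be gone.
  if grep -Eq '^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY)=<' "$f"; then
    echo "$f: placeholder value not replaced" >&2; rc=1
  fi

  # Key ID shape from the guide: AKIA + 16 characters (ASIA for STS sessions).
  if ! grep -Eq '^AWS_ACCESS_KEY_ID=(AKIA|ASIA)[A-Z0-9]{16}$' "$f"; then
    echo "$f: AWS_ACCESS_KEY_ID missing or malformed" >&2; rc=1
  fi

  # Secret shape from the guide: a 40-character string.
  if ! grep -Eq '^AWS_SECRET_ACCESS_KEY=[A-Za-z0-9/+]{40}$' "$f"; then
    echo "$f: AWS_SECRET_ACCESS_KEY missing or not 40 characters" >&2; rc=1
  fi

  # Group and other must have no access (e.g. mode 600 or 400).
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    *00) ;;
    *) echo "$f: mode $mode is too open, run: chmod 600 $f" >&2; rc=1 ;;
  esac
  return $rc
}

# keys_outside_env DIR -> prints the names of files (never the values) that
# contain something shaped like an access key ID anywhere except .env files.
# Exit status follows grep: 0 when at least one such file exists, 1 when clean.
keys_outside_env() {
  grep -rIlE --exclude=.env --exclude-dir=.git --exclude-dir=node_modules \
    '(AKIA|ASIA)[A-Z0-9]{16}' "$1"
}
```

Run `check_env_file packages/agent0/.env` after saving, and `keys_outside_env .` before each commit; any file name it prints needs the key removed and the key rotated in IAM.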







