AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2025-08-13 · Security-related high

File: bedrock/latest/userguide/api-keys-generate.md

Summary

Added security warnings about long-term API keys, introduced documentation for short-term credential generation using client libraries, and added guidance for automatic refresh of short-term credentials. Emphasized IAM principal requirements and security best practices.

Security assessment

The changes explicitly warn against long-term API key usage and promote short-term credentials - a security best practice to reduce credential exposure risks. Added IAM principal references and links to IAM security documentation show concrete security hardening guidance.

Diff

diff --git a/bedrock/latest/userguide/api-keys-generate.md b/bedrock/latest/userguide/api-keys-generate.md
index f7ac8e8fc..39f5dee0c 100644
--- a//bedrock/latest/userguide/api-keys-generate.md
+++ b//bedrock/latest/userguide/api-keys-generate.md
@@ -5 +5 @@
-Generate an API key using the consoleGenerate an API key using the API
+Generate an API key using the consoleGenerate an API keyGenerate a short-term API key using a librarySet up automatic refresh of short-term Amazon Bedrock API keys
@@ -10,0 +11,4 @@ You can generate an Amazon Bedrock API key using either the AWS Management Conso
+###### Warning
+
+We strongly recommend restricting the use of Amazon Bedrock API keys for exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should switch to short-term credentials. For more information, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html#security-creds-alternatives-to-long-term-access-keys) in the IAM User Guide.
+
@@ -15 +19,5 @@ You can generate an Amazon Bedrock API key using either the AWS Management Conso
-  * Generate an Amazon Bedrock API key using the API
+  * Generate a long-term Amazon Bedrock API key using the API
+
+  * Generate a short-term Amazon Bedrock API key using a client library
+
+  * Set up automatic refresh of short-term Amazon Bedrock API keys
@@ -24 +32 @@ To generate an Amazon Bedrock API key using the console, do the following:
-  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
+  1. Sign in to the AWS Management Console with an [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-structure-terms) that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
@@ -42 +50 @@ To generate an Amazon Bedrock API key using the console, do the following:
-We strongly recommend restricting the use of long-term keys for exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should review the following documentation:
+We strongly recommend restricting the use of Amazon Bedrock API keys for exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should switch to short-term credentials. For more information, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html#security-creds-alternatives-to-long-term-access-keys) in the IAM User Guide.
@@ -44 +51,0 @@ We strongly recommend restricting the use of long-term keys for exploration of A
-       * To learn about preferable alternatives to long-term keys, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html#security-creds-alternatives-to-long-term-access-keys) in the IAM User Guide.
@@ -46 +52,0 @@ We strongly recommend restricting the use of long-term keys for exploration of A
-       * To learn how to monitor long-term keys to prevent security breaches, see [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide.
@@ -49,5 +55 @@ We strongly recommend restricting the use of long-term keys for exploration of A
-
-
-## Generate an Amazon Bedrock API key using the API
-
-We recommend that you use the AWS Management Console to generate Amazon Bedrock API keys for an easy experience. However, you can also generate keys through the API. Expand the section that corresponds to your use case.
+## Generate a long-term Amazon Bedrock API key using the API
@@ -148 +150 @@ Run the following script to create an IAM user, attach permissions to perform Am
-You can generate a short-term Amazon Bedrock API key that lasts as long as the session used to generate it (and no longer than 12 hours).
+## Generate a short-term Amazon Bedrock API key using a client library
@@ -150 +152 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-###### Prerequisites
+Short term keys have the following properties:
@@ -152 +154 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-  * Ensure that your setup allows Python to automatically recognize your AWS credentials. To learn more, see [Configuring settings for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).
+  * Valid for the shorter of the following values:
@@ -154 +156 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-  * Open a terminal and download the Amazon Bedrock token generator with the command that corresponds to the SDK that you're using:
+    * 12 hours
@@ -156 +158 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-    * **Python**
+    * The duration of the session generated by the IAM principal used to generate the key.
@@ -158 +160 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-                python3 -m pip install aws-bedrock-token-generator
+  * Inherit the permissions attached to the principal used to generate the key.
@@ -160 +162 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-    * **Javascript**
+  * Can be used only in the AWS Region from which you generated it.
@@ -162 +163,0 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-                npm install @aws/bedrock-token-generator
@@ -164 +164,0 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-  * Ensure that the IAM identity that you're using to make API calls minimally has permissions to assume a role and create a role session:
@@ -166 +165,0 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-    * The IAM identity must have permissions to assume the role. If the identity has restricted permissions, you can attach the following identity-based policy to the identity (replace `${arn:aws:iam::111122223333:role/SessionRole}` with the actual ARN of the role for the session):
@@ -168 +167 @@ You can generate a short-term Amazon Bedrock API key that lasts as long as the s
-JSON
+For long-running applications, the [aws-bedrock-token-generator](https://github.com/aws/aws-bedrock-token-generator-js/blob/main/README.md) client library can create new Amazon Bedrock short-term API keys as needed when credentials are refreshed. For more information, see Set up automatic refresh of short-term Amazon Bedrock API keys.
@@ -169,0 +169 @@ JSON
+###### Prerequisites
@@ -171 +171 @@ JSON
-****
+  * Ensure that the IAM principal that you use to generate the key is set up with the proper permissions to use Amazon Bedrock. For experimentation, you can attach the AWS-managed [AmazonBedrockLimitedAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonBedrockLimitedAccess) policy to the principal. You can refer to the [Security best practices in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) for protecting your credentials.
@@ -172,0 +173 @@ JSON
+  * Ensure that your setup allows Python to automatically recognize your AWS credentials. The default method by which credentials are retrieved follows a defined hierarchy. You can see the hierarchy for a specific SDK or tool at [AWS SDKs and Tools standardized credential providers](https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html).
@@ -174,10 +175 @@ JSON
-                {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Effect": "Allow",
-                    "Action": "sts:AssumeRole",
-                    "Resource": "${arn:aws:iam::111122223333:role/SessionRole}"
-                }
-            ]
-        }
+  * Install the Amazon Bedrock token generator. Choose the tab for your preferred method, and then follow the steps:
@@ -186 +177,0 @@ JSON
-For more information about granting an identity permissions to assume a role, see [Grant a user permissions to switch roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html#roles-usingrole-createpolicy).
@@ -188 +178,0 @@ For more information about granting an identity permissions to assume a role, se
-    * The IAM role must have a trust policy that allows the IAM identity to assume it. You can attach the following trust policy to an IAM role to allow the principal specified in the `Principal` field to assume the role to create the key. This example specifies an IAM user as the principal. Replace it with the actual ARN of the user.
@@ -190 +180 @@ For more information about granting an identity permissions to assume a role, se
-JSON
+Python
@@ -193 +183 @@ JSON
-****
+Open a terminal and run the following command:
@@ -196,12 +186 @@ JSON
-                {
-            "Version": "2012-10-17",
-            "Statement": [
-                {
-                    "Effect": "Allow",
-                    "Principal": {
-                        "AWS": "${arn:aws:iam::111122223333:user/UserId}"
-                    },
-                    "Action": "sts:AssumeRole"
-                }
-            ]
-        }
+    pip install aws-bedrock-token-generator
@@ -208,0 +188 @@ JSON
+Javascript
@@ -210 +189,0 @@ JSON
-For more information about principals, see [AWS JSON policy elements: Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html). To learn how to update a trust policy for a role, see [Update a role trust policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-trust-policy.html).
@@ -211,0 +191 @@ For more information about principals, see [AWS JSON policy elements: Principal]
+Open a terminal and run the following command:
@@ -213,0 +194 @@ For more information about principals, see [AWS JSON policy elements: Principal]
+    npm install @aws/bedrock-token-generator
@@ -215 +196 @@ For more information about principals, see [AWS JSON policy elements: Principal]
-Choose the tab that corresponds to the SDK that you're using and run the script to generate a short-term Amazon Bedrock API key from your session credentials:
+Java
@@ -217 +197,0 @@ Choose the tab that corresponds to the SDK that you're using and run the script
-Python
@@ -218,0 +199 @@ Python
+If you use Maven, add the following dependency to your `pom.xml`:
@@ -221,2 +202,5 @@ Python
-    from aws_bedrock_token_generator import BedrockTokenGenerator
-    import boto3
+    <dependency>
+        <groupId>software.amazon.bedrock</groupId>
+        <artifactId>aws-bedrock-token-generator</artifactId>
+        <version>1.1.0</version>
+    </dependency>
@@ -224,2 +208 @@ Python
-    # Replace with a region of your choice
-    region = "us-east-1"
+If you use Gradle, add the following to your `build.gradle`:
@@ -227,3 +209,0 @@ Python
-    # Fetch credentials
-    session = boto3.Session()
-    credentials = session.get_credentials()
@@ -231,2 +211 @@ Python
-    # Initialize token generator
-    generator = BedrockTokenGenerator()
+    implementation 'software.amazon.bedrock:aws-bedrock-token-generator:1.1.0'
@@ -234,2 +213 @@ Python
-    # Generate one-time token
-    token = generator.get_token(credentials, region)
+###### Examples
@@ -237 +215 @@ Python
-Javascript
+To see examples for using the token generator to generate a short-term Amazon Bedrock API key with your default credentials in different languages, choose the tab for your preferred method, and then follow the steps:
@@ -238,0 +217 @@ Javascript
+Python
@@ -241,2 +219,0 @@ Javascript
-    import { BedrockTokenGenerator } from '@aws/bedrock-token-generator';
-    import { fromNodeProviderChain } from '@aws-sdk/credential-providers';
@@ -244,3 +221,8 @@ Javascript
-    async function example() {
-        // Set region
-        const region = 'us-east-1'
+    from aws_bedrock_token_generator import provide_token
+    
+    token = provide_token()
+    print(f"Token: {token}")
+
+Javascript
+    
+    
@@ -248,2 +230 @@ Javascript
-        // Create token generator
-        const generator = new BedrockTokenGenerator();
+    import { getTokenProvider } from "@aws/bedrock-token-generator";
@@ -251,2 +232,3 @@ Javascript
-        // Get credentials from default provider chain
-        const credentials = fromNodeProviderChain();
+    // Create a token provider that uses default credentials and region providers.
+    // You can configure it to use other credential providers.
+    const provideToken = getTokenProvider();
@@ -254,2 +236,3 @@ Javascript
-        // Generate token
-        const token = await generator.generateToken(credentials, region);
+    async function example() {
+        
+      const token = await provideToken();
@@ -257 +240,5 @@ Javascript
-        // Use the token for API calls (valid for 12 hours)
+      // Use the token for API calls. The token has a default expiration of 12 hour.
+      // If the expiresInSeconds parameter is specified during token creation, the 
+      // expiration can be configured up to a maximum of 12 hours. However, the actual 
+      // token validity period will always be the minimum of the requested expiration 
+      // time and the AWS credentials' expiry time
@@ -264 +250,0 @@ Java
-**Maven import**
@@ -265,0 +252 @@ Java
+    import software.amazon.bedrock.token.BedrockTokenGenerator;
@@ -267,5 +254,3 @@ Java
-    <dependency>
-        <groupId>software.amazon.bedrock</groupId>
-        <artifactId>aws-bedrock-token-generator</artifactId>
-        <version>1.0.0</version>