Skip to main content

AWS Bedrock Setup

LlamaCloud supports AWS Bedrock as part of its multimodal AI capabilities. To enable AWS Bedrock support, update the configuration to turn on the Bedrock integration. This page guides you through the necessary configuration changes and permission settings to integrate AWS Bedrock into your deployment.

  • A valid AWS account
  • Access & Quota to the supported models:
    • For LlamaParse advanced parsing features:
      • Anthropic Claude Sonnet 3.7
      • Anthropic Claude Sonnet 3.5
    • For LlamaCloud Playground:
      • Anthropic Claude Sonnet 3.5 V2
      • Cohere Rerank 3.5

Connecting to Bedrock

Below are two ways to configure a connection to AWS Bedrock:

We recommend creating a new IAM Role and Policy for LlamaCloud. You can then attach the role ARN as a service account annotation.

Below is a loose-goosey example policy to serve as a reference. Please tighten the policy as needed.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream",
        "bedrock:CreateModelInvocationJob"
      ],
      "Resource": [
        "arn:aws:bedrock:*:*:foundation-model/*",
        "arn:aws:bedrock:*:*:inference-profile/*"
      ]
    }
  ]
}

After creating a policy similar to the above, update the LlamaParse service accounts with the EKS annotation:

# Example for the backend service account. Repeat for each of the services listed above.
llamaparse:
  awsBedrock:
    enabled: true
  serviceAccount:
    annotations:
      eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<role-name>

For more information, refer to the official AWS documentation about this topic.

IAM Role w/ Static AWS Credentials

Create a user with a policy attached for Bedrock Model Invocation. Afterwards, configure the platform to use the AWS credentials of that user by setting the following values in your values.yaml file:

llamaparse:
  awsBedrock:
    enabled: true
    region: "<your-aws-region>"
    accessKeyId: "<your-access-key-id>"
    secretAccessKey: "<your-secret-access-key>"