aws-bedrock
aws-bedrock
AWS Bedrock provider for BAML
aws-bedrock
The aws-bedrock provider supports all text-output models available via the Converse API.
AWS Bedrock uses standard AWS authentication methods. We recommend using AWS profiles in development and AWS services’ IAM roles in production, but all of the following are supported:
When developing locally, you can use the AWS CLI in combination with profiles to manage your credentials.
For example, if you run aws sso login with a default profile, BAML will automatically pick up those credentials:
You can also choose a specific profile by setting the AWS_PROFILE environment variable.
In the BAML playground, you can set this by clicking the “API Keys” button in
the top right (you’ll also need to set AWS_REGION to the same region as your
profile).
The BAML-generated clients will also respect AWS_PROFILE if it is set:
Alternatively, you can also explicitly specify the profile directly in the BAML config itself (this will take precedence over the environment variable):
BAML follows a specific order when resolving AWS credentials:
Explicit BAML Configuration
Environment Variables
AWS Configuration Files
Instance Metadata (EC2/ECS only)
All or Nothing
Session Token Requirements
session_token, you must provide all three:
access_key_idsecret_access_keysession_tokenProfile Exclusivity
profile, you cannot specify other credentials:
Environment Variable Override
AWS Lambda/ECS/EC2
You can map your own environment variable names:
To use Bedrock from a different AWS account:
The following IAM permissions are required for basic Bedrock access:
Depending on your setup, you might need additional permissions:
See Cross-Account Access section for the required trust relationships and permissions.
optionsThese unique parameters (aka options) are modify the API request sent to the provider.
You can use this to modify the region, access_key_id, secret_access_key, and session_token sent to the provider.
The AWS region to use. Default: AWS_REGION environment variable
AWS access key ID. Default: AWS_ACCESS_KEY_ID environment variable
AWS secret access key. Default: AWS_SECRET_ACCESS_KEY environment variable
Temporary session token. Required if using temporary credentials. Default: AWS_SESSION_TOKEN environment variable
AWS profile name from credentials file. Default: AWS_PROFILE environment variable
AWS endpoint URL. Useful for using a VPC endpoint.
The role to use if the role is not in the allowed_roles. Default: "user" usually, but some models like OpenAI’s gpt-5 will use "system"
Picked the first role in allowed_roles if not “user”, otherwise “user”.
Which roles should we forward to the API? Default: ["system", "user", "assistant"] usually, but some models like OpenAI’s o1-mini will use ["user", "assistant"]
When building prompts, any role not in this list will be set to the default_role.
A mapping to transform role names before sending to the API. Default: {} (no remapping)
For google-ai provider, the default is: { "assistant": "model" }
This allows you to use standard role names in your prompts (like “user”, “assistant”, “system”) but send different role names to the API. The remapping happens after role validation and default role assignment.
Example:
With this configuration, {{ _.role("user") }} in your prompt will result in a message with role “human” being sent to the API.
Which role metadata should we forward to the API? Default: []
For example you can set this to ["foo", "bar"] to forward the cache policy to the API.
If you do not set allowed_role_metadata, we will not forward any role metadata to the API even if it is set in the prompt.
Then in your prompt you can use something like:
You can use the playground to see the raw curl request to see what is being sent to the API.
Whether the internal LLM client should use the streaming API. Default: true
Then in your prompt you can use something like:
Which finish reasons are allowed? Default: null
Will raise a BamlClientFinishReasonError if the finish reason is not in the allow list. See Exceptions for more details.
Note, only one of finish_reason_allow_list or finish_reason_deny_list can be set.
For example you can set this to ["stop"] to only allow the stop finish reason, all other finish reasons (e.g. length) will treated as failures that PREVENT fallbacks and retries (similar to parsing errors).
Then in your code you can use something like:
Which finish reasons are denied? Default: null
Will raise a BamlClientFinishReasonError if the finish reason is in the deny list. See Exceptions for more details.
Note, only one of finish_reason_allow_list or finish_reason_deny_list can be set.
For example you can set this to ["length"] to stop the function from continuing if the finish reason is length. (e.g. LLM was cut off because it was too long).
Then in your code you can use something like:
b.request returns a fully signed SigV4 HTTPRequest pointing at the
Converse API.Authorization, X-Amz-Date, and (if needed) X-Amz-Security-Token.media_url_handlerControls how media URLs are processed before sending to the provider. This allows you to override the default behavior for handling images, audio, PDFs, and videos.
Each media type can be configured with one of these modes:
send_base64 - Always download URLs and convert to base64 data URIssend_url - Pass URLs through unchanged to the providersend_url_add_mime_type - Ensure MIME type is present (may require downloading to detect)send_base64_unless_google_url - Only process non-gs:// URLs (keep Google Cloud Storage URLs as-is)If not specified, each provider uses these defaults:
send_base64 when your provider doesn’t support external URLs and you need to embed media contentsend_url when your provider handles URL fetching and you want to avoid the overhead of base64 conversionsend_url_add_mime_type when your provider requires MIME type information (e.g., Vertex AI)send_base64_unless_google_url when working with Google Cloud Storage and want to preserve gs:// URLsURL fetching happens at request time and may add latency. Consider caching or pre-converting frequently used media when using send_base64 mode.
AWS Bedrock converts most media to base64 by default (send_base64 for images, audio, and PDFs). Consider using S3 presigned URLs with send_url mode for large files to avoid base64 overhead.
These are other options that are passed through to the provider, without modification by BAML. For example if the request has a temperature field, you can define it in the client here so every call has that set.
Consult the specific provider’s documentation for more information.
The model to use.
anthropic.claude-opus-4-1-20250805-v1:0 - Most powerful codinganthropic.claude-sonnet-4-20250514-v1:0 - Best default, 1M context availableanthropic.claude-3-5-haiku-20241022-v1:0 - Fast and efficientmeta.llama4-maverick-17b-instruct-v1:0 - Latest Llama 4meta.llama3-3-70b-instruct-v1:0 - Enhanced Llama 3.3Run aws bedrock list-foundation-models | jq '.modelSummaries.[].modelId' to see available models.
Note: You must request model access before use.
Model-specific inference parameters. See AWS Bedrock documentation.
Solution:
Solution:
Solution:
Solution:
AWS_PROFILE to manage multiple profilesaws configure list to verify configuration