STATERATECH // ENG

Guide / Bedrock Setup

Setup guide

Integrating AWS Bedrock

Mandatory for any API call at tier 2 or above. Rate limiting is not optional at tier 1 or tier 2. Follow this sequence for a new project.

Request model access in Bedrock

In the AWS console, open Bedrock, go to Model access, and request the models this project needs. Access is granted per AWS account, so confirm this has been done in the correct account before writing any integration code.

Create scoped IAM credentials

Do not use root or broad admin credentials for API calls. Create an IAM role or user scoped to bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream only, limited to the specific model ARNs in use.

Call the Bedrock runtime endpoint

Use the Bedrock Runtime client for your language of choice rather than calling a model provider's API directly. This keeps every model call routed through the same governed path.

// Node.js example const client = new BedrockRuntimeClient({ region: "eu-west-2" }); const command = new InvokeModelCommand({ modelId: "anthropic.claude-sonnet-4-6-v1:0", contentType: "application/json", body: JSON.stringify({ anthropic_version: "bedrock-2023-05-31", max_tokens: 1000, messages: [{ role: "user", content: prompt }] }) }); const response = await client.send(command);

Add rate limiting before the first real call

Mandatory at tier 1 and tier 2. Implement per minute, per hour, and per 24 hour ceilings around every Bedrock call, not just a single global limit. At tier 3, the specific limits and enforcement approach are decided by the devops team as part of production readiness.

WindowApplies atNotes
Per minuteTier 1+2Protects against a runaway loop or retry storm during dev
Per hourTier 1+2Catches sustained overuse across a working session
Per 24 hoursTier 1+2Cost ceiling for a full day, prevents surprise billing
All windowsTier 3Owned by devops as part of production rollout

Log usage from day one

Even a simple counter written to Supabase is enough at tier 1 or 2. This is what lets rate limits actually be enforced rather than assumed, and gives devops real numbers to work from when they take over limits at tier 3.