Guide / Bedrock Setup
Setup guide
Integrating AWS Bedrock
Mandatory for any API call at tier 2 or above. Rate limiting is not optional at tier 1 or tier 2. Follow this sequence for a new project.
Request model access in Bedrock
In the AWS console, open Bedrock, go to Model access, and request the models this project needs. Access is granted per AWS account, so confirm this has been done in the correct account before writing any integration code.
Create scoped IAM credentials
Do not use root or broad admin credentials for API calls. Create an IAM role or user scoped to bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream only, limited to the specific model ARNs in use.
Call the Bedrock runtime endpoint
Use the Bedrock Runtime client for your language of choice rather than calling a model provider's API directly. This keeps every model call routed through the same governed path.
Add rate limiting before the first real call
Mandatory at tier 1 and tier 2. Implement per minute, per hour, and per 24 hour ceilings around every Bedrock call, not just a single global limit. At tier 3, the specific limits and enforcement approach are decided by the devops team as part of production readiness.
| Window | Applies at | Notes |
|---|---|---|
| Per minute | Tier 1+2 | Protects against a runaway loop or retry storm during dev |
| Per hour | Tier 1+2 | Catches sustained overuse across a working session |
| Per 24 hours | Tier 1+2 | Cost ceiling for a full day, prevents surprise billing |
| All windows | Tier 3 | Owned by devops as part of production rollout |
Log usage from day one
Even a simple counter written to Supabase is enough at tier 1 or 2. This is what lets rate limits actually be enforced rather than assumed, and gives devops real numbers to work from when they take over limits at tier 3.