AWS Bedrock
LogicGrid talks to AWS Bedrock through the Converse API, which gives a single, unified message format across model families (Anthropic Claude, Meta Llama, Mistral, Cohere, Amazon Nova, etc.) — so the same client works regardless of the underlying model.
Authentication uses AWS Signature V4 (HMAC-SHA256). The signing is implemented inline; you do not need the AWS SDK.
- Console: console.aws.amazon.com/bedrock
- Models: aws.amazon.com/bedrock
- Pricing: aws.amazon.com/bedrock/pricing
Use it
There are three equivalent ways to instantiate the Bedrock LLM client.
Option 1 — static factory (recommended)
using LogicGrid.Core.Llm;
var llm = LlmClientBase.Bedrock(
accessKeyId: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID")!,
secretAccessKey: Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY")!,
region: "us-east-1",
modelId: "anthropic.claude-3-5-haiku-20241022-v1:0");
With a temporary STS session token:
var llm = LlmClientBase.Bedrock(
accessKeyId: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID")!,
secretAccessKey: Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY")!,
region: "us-east-1",
modelId: "anthropic.claude-3-5-haiku-20241022-v1:0",
sessionToken: Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"));
| Parameter | Type | Default | Notes |
|---|---|---|---|
accessKeyId | string | (required) | AWS access key ID. Used to sign requests with SigV4. |
secretAccessKey | string | (required) | AWS secret access key. |
region | string | (required) | AWS region where the model is enabled, e.g. us-east-1. |
modelId | string | (required) | Bedrock model identifier (e.g. anthropic.claude-3-5-haiku-20241022-v1:0). |
sessionToken | string? | null | Optional STS session token for temporary credentials. |
Option 2 — direct construction
using LogicGrid.Core.Providers;
var llm = new BedrockClient(
accessKeyId: "...",
secretAccessKey: "...",
region: "us-east-1",
modelId: "anthropic.claude-3-5-haiku-20241022-v1:0");
Identical parameters to the factory. Use direct construction when you need an injected HttpClient explained below (for retries, proxies, or testing).
Option 3 — injected HttpClient
using LogicGrid.Core.Providers;
var llm = new BedrockClient(
httpClient: myHttpClient,
accessKeyId: Environment.GetEnvironmentVariable("AWS_ACCESS_KEY_ID")!,
secretAccessKey: Environment.GetEnvironmentVariable("AWS_SECRET_ACCESS_KEY")!,
region: "us-east-1",
modelId: "anthropic.claude-3-5-haiku-20241022-v1:0",
sessionToken: Environment.GetEnvironmentVariable("AWS_SESSION_TOKEN"),
utcNow: () => DateTime.UtcNow);
Unlike the OpenAI / Azure clients, this overload still takes the AWS credentials — Bedrock signs each request with SigV4, so the credentials are used to compute a per-request Authorization header rather than a static one set on the HttpClient. Use this constructor when you need to supply your own HttpClient (for retries, proxies, mocked transports in tests). The optional utcNow parameter lets tests inject a deterministic clock so signature generation is reproducible.
Models currently available
Bedrock exposes models from many providers under their AWS identifiers — for the live list, browse the Bedrock model catalog in the console. A few examples:
| Bedrock model id | Underlying |
|---|---|
anthropic.claude-3-5-sonnet-20241022-v2:0 | Claude 3.5 Sonnet v2 |
anthropic.claude-3-5-haiku-20241022-v1:0 | Claude 3.5 Haiku |
meta.llama3-1-70b-instruct-v1:0 | Llama 3.1 70B Instruct |
mistral.mistral-large-2407-v1:0 | Mistral Large 2407 |
amazon.nova-pro-v1:0 | Amazon Nova Pro |
Models must be enabled for your account in the region you're calling ��— do this once from the Bedrock console under "Model access".
Tool calling
The Converse API supports tools across model families that implement
them (Claude, Llama 3.1+, Mistral, Nova). Enable native via the same
strategy switch as the other providers; the default
PromptSchemaStrategy is the safe fallback. See
Tool calling strategy.
Troubleshooting
AccessDeniedException— the IAM identity you're signing with doesn't havebedrock:InvokeModel(orbedrock:Converse) on the requested model ARN.ValidationException: model … not enabled— open the Bedrock console, go to Model access, and request access for the model in this region.InvalidSignatureException— clock skew or wrong region. Confirm your machine's clock is correct and thatregionmatches the endpoint where the model is enabled.