Skip to main content

Authentication Methods

Onyx supports 3 authentication methods for Amazon Bedrock:
  • Manual credential management using an Access Key ID and Secret Access Key
  • Recommended for accessing Bedrock from non-AWS environments
To connect Onyx to Bedrock using Access Keys, create an IAM User with the AmazonBedrockLimitedAccess policy. Optionally, you can attach the AmazonBedrockFullAccess and AmazonBedrockMarketplaceAccess policies.Once created, go to your IAM User’s Security Credentials tab. Create a new Access Key and copy the Access Key ID and Secret Access Key.Provide these credentials to Onyx using one of the following methods:
  • Add them to your Onyx .env file as AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  • Add them to your AWS CLI config in ~/.aws/credentials
  • Enter them directly in the Onyx Bedrock configuration UI
  • New method to access Bedrock generated from the AWS Bedrock Console
  • Recommended for accessing Bedrock from non-AWS environments
To connect Onyx to Bedrock using an API Key, navigate to the Bedrock console, select API keys and create a Long-term API key. AWS will automatically create a new IAM User with the AmazonBedrockLimitedAccess policy.Submit your API key to Onyx through the Onyx Bedrock configuration UI.
When using an IAM role, the role credentials must be attached to the Onyx environment. When using Access Keys or a Bedrock API Key, you must provide the credentials in the Onyx LLM configuration UI.

Guide

1

Set up your Authentication Method

Determine if IAM, Access Keys, or a Bedrock API Key is the best authentication method for your environment.Click the above accordions to learn more about each method and how to set them up.
2

Enable Desired Models

Navigate to the Model Catalog and decide the models you want to use with Onyx.If you don’t already have access to your desired models, you can request access through the Bedrock Console.
If your models are not enabled, you will not be able to see them in Onyx! Ensure your models are available before continuing.
3

Navigate to AI Model Configuration Page

Access the Admin Panel from your user profile icon → Admin PanelLLM
4

Configure Bedrock Provider

Select AWS Bedrock from the available providers.Give your provider a Display Name.Determine your AWS region and enter it in AWS Region Name.
Certain models are only available in specific regions or through cross-region inference profiles. Onyx will automatically determine what is available in your region.
Depending on your authentication method, fill out AWS Access Key ID and AWS Secret Access Key or AWS Bedrock API Key.Once your region and credentials are set, click the Fetch Available Model for Region button.
If you do not click the Fetch Available Model for Region button, you will see all Bedrock models listed even if you cannot use them.
Bedrock Provider Configuration
5

Configure Default and Fast Models

The Default Model is selected automatically for new custom Agents and Chat sessions.Designating a Fast Model is optional. This Fast Model is used behind the scenes for quick operations such as evaluating the type of message, generating different queries (query expansion), and naming the chat session.
If you select a Fast Model, make sure it is a relatively quick and cost-effective model like GPT-4.1-mini or Claude 3.7 Sonnet.
6

Choose Visible Models

In the Advanced Options, you will see a list of all models available from this provider. You may choose which models are visible to your users in Onyx.Setting visible models is useful when a provider publishes multiple models and versions of the same model.
7

Designate Provider Access

Lastly, you may select whether or not the provider is public to all users in Onyx.If set to private, the provider’s models will be available to Admins and User Groups you explicitly assign the provider to.
I