AI Models
Amazon Bedrock
Configure Amazon Bedrock models for use with Onyx
Authentication Methods
Onyx supports 3 authentication methods for Amazon Bedrock:IAM (Recommended for AWS environments)
IAM (Recommended for AWS environments)
- Automatically authorizes Onyx through an IAM Role attached to the environment
- Use when running on AWS infrastructure (EC2, EKS)
AmazonBedrockLimitedAccess policy. Optionally,
you can attach the AmazonBedrockFullAccess and AmazonBedrockMarketplaceAccess policies.Once created, attach the IAM Role to the environment that Onyx is running in. For example,
attach the IAM Role to your Onyx EC2 instance or EKS service account.Access Key (for non-AWS environments)
Access Key (for non-AWS environments)
- Manual credential management using an Access Key ID and Secret Access Key
- Recommended for accessing Bedrock from non-AWS environments
AmazonBedrockLimitedAccess policy.
Optionally, you can attach the AmazonBedrockFullAccess and AmazonBedrockMarketplaceAccess policies.Once created, go to your IAM User’s Security Credentials tab.
Create a new Access Key and copy the Access Key ID and Secret Access Key.Provide these credentials to Onyx using one of the following methods:- Add them to your Onyx
.envfile asAWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY - Add them to your AWS CLI config in
~/.aws/credentials - Enter them directly in the Onyx Bedrock configuration UI
Bedrock API Key (for non-AWS environments)
Bedrock API Key (for non-AWS environments)
- New method to access Bedrock generated from the AWS Bedrock Console
- Recommended for accessing Bedrock from non-AWS environments
AmazonBedrockLimitedAccess policy.Submit your API key to Onyx through the Onyx Bedrock configuration UI.When using an IAM role, the role credentials must be attached to the Onyx environment.
When using Access Keys or a Bedrock API Key, you must provide the credentials in the Onyx LLM configuration UI.
Guide
1
Set up your Authentication Method
Determine if IAM, Access Keys, or a Bedrock API Key is the best authentication method for your environment.Click the above accordions to learn more about each method and how to set them up.
2
Enable Desired Models
Navigate to the Model Catalog and decide the models you want to use with Onyx.If you don’t already have access to your desired models, you can request access through the Bedrock Console.
If your models are not enabled, you will not be able to see them in Onyx!
Ensure your models are available before continuing.
3
Navigate to AI Model Configuration Page
Access the Admin Panel from your user profile icon → Admin Panel → LLM
4
Configure Bedrock Provider
Select AWS Bedrock from the available providers.Give your provider a Display Name.Determine your AWS region and enter it in AWS Region Name.Depending on your authentication method,
fill out 
Certain models are only available in specific regions or through cross-region inference profiles.
Onyx will automatically determine what is available in your region.
AWS Access Key ID and AWS Secret Access Key or AWS Bedrock API Key.Once your region and credentials are set, click the Fetch Available Model for Region button.If you do not click the Fetch Available Model for Region button,
you will see all Bedrock models listed even if you cannot use them.
5
Configure Default and Fast Models
The Default Model is selected automatically for new custom Agents and Chat sessions.Designating a Fast Model is optional.
This Fast Model is used behind the scenes for quick operations such as evaluating the type of message,
generating different queries (query expansion), and naming the chat session.
If you select a Fast Model,
make sure it is a relatively quick and cost-effective model like GPT-4.1-mini or Claude 3.7 Sonnet.
6
Choose Visible Models
In the Advanced Options, you will see a list of all models available from this provider.
You may choose which models are visible to your users in Onyx.Setting visible models is useful when a provider publishes multiple models and versions of the same model.
7
Designate Provider Access
Lastly, you may select whether or not the provider is public to all users in Onyx.If set to private,
the provider’s models will be available to Admins and User Groups you explicitly assign the provider to.