AWS / Bedrock
On AWS, the Anyray gateway speaks Bedrock natively — it holds the Bedrock credentials and does the SigV4 signing itself. You don't need a separate signing layer.
Endpoint redirect on EKS (config-based)
Workloads set their SDK base-URL environment variable to point at the in-cluster Anyray gateway (:8787), via the pod/Deployment spec or your config management. The gateway routes Bedrock requests (x-anyray-provider: bedrock) to AWS Bedrock. No org CA, no TLS-MITM, no HTTPS_PROXY.
Bedrock signing: handled by the gateway
Bedrock requires SigV4-signed requests. The Anyray gateway, as a multi-provider proxy, signs the upstream Bedrock call itself using the credentials it holds (e.g. an attached IAM role / IRSA):
worker (Bedrock SDK) ──▶ Anyray gateway (:8787, base URL)
                              │  SigV4-sign the upstream call
                              ▼
                         AWS Bedrock
- Workers don't hold Bedrock-signing credentials for the gateway hop.
- The gateway's IAM identity (e.g. its IRSA role) is what's authorized to call Bedrock.
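A check for the redirect and the credential split described above, as an added example that is not part of the Anyray project: it audits a Deployment manifest for a gateway base URL, worker-held AWS credentials, and proxy settings. The env var name `AWS_ENDPOINT_URL_BEDROCK_RUNTIME` and the gateway Service DNS name are assumptions; only port 8787 comes from this page.

```python
from urllib.parse import urlsplit

# Assumptions, not from the page: the env var name (an AWS SDK service-specific
# endpoint variable) and the gateway's Service DNS name. Port 8787 is the page's.
BASE_URL_ENV = "AWS_ENDPOINT_URL_BEDROCK_RUNTIME"
GATEWAY_HOST = "anyray-gateway.anyray.svc.cluster.local"  # hypothetical
GATEWAY_PORT = 8787
CREDENTIAL_ENVS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
PROXY_ENVS = {"HTTPS_PROXY", "https_proxy"}


def audit_deployment(manifest: dict) -> list[str]:
    """Return findings for one Deployment, e.g. from `kubectl get deploy -o json`."""
    findings = []
    for c in manifest["spec"]["template"]["spec"].get("containers", []):
        name = c["name"]
        env = {e["name"]: e for e in c.get("env", [])}
        base = env.get(BASE_URL_ENV)
        if base is None:
            findings.append(f"{name}: {BASE_URL_ENV} is not set")
        elif "value" not in base:
            # valueFrom (ConfigMap/Secret) cannot be checked from the manifest alone
            findings.append(f"{name}: {BASE_URL_ENV} uses valueFrom, resolve and re-check")
        else:
            # Compare host:port only; any userinfo or other host fails the match
            netloc = urlsplit(base["value"]).netloc.lower()
            if netloc != f"{GATEWAY_HOST}:{GATEWAY_PORT}":
                findings.append(f"{name}: base URL {base['value']!r} is not the gateway")
        for var in sorted(CREDENTIAL_ENVS & env.keys()):
            findings.append(f"{name}: {var} present, worker holds AWS credentials")
        for var in sorted(PROXY_ENVS & env.keys()):
            findings.append(f"{name}: {var} set, redirect should be base-URL only")
    return findings


# Constructed sample manifest: one compliant container, one that bypasses the gateway.
SAMPLE = {"spec": {"template": {"spec": {"containers": [
    {"name": "worker-ok", "env": [
        {"name": BASE_URL_ENV, "value": f"http://{GATEWAY_HOST}:{GATEWAY_PORT}"}]},
    {"name": "worker-bad", "env": [
        {"name": BASE_URL_ENV, "value": "https://bedrock-runtime.us-east-1.amazonaws.com"},
        {"name": "AWS_SECRET_ACCESS_KEY",
         "valueFrom": {"secretKeyRef": {"name": "aws", "key": "secret"}}},
        {"name": "HTTPS_PROXY", "value": "http://proxy.example.internal:3128"}]},
]}}}}

if __name__ == "__main__":
    for finding in audit_deployment(SAMPLE):
        print(finding)
```

Credentials injected at admission time or inherited from the node are not visible in the Deployment spec, so this check covers only what the manifest declares.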
:::info Roadmap
Zero-touch admission-webhook auto-injection of the base URL, and an interception design that re-signs Bedrock upstream with the proxy's IRSA role as a transparent layer, are on the roadmap. Today, lead with the explicit, config-based base-URL redirect above; the gateway handles signing as part of its native Bedrock support.
:::
Where signing lives
The Anyray gateway holds AWS credentials and signs Bedrock requests. The optimizer only decides request transforms; it never signs or holds AWS credentials.