> ## Documentation Index
> Fetch the complete documentation index at: https://metoro.io/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Bedrock Access Keys

> Learn how to create and configure AWS Bedrock access keys for AI SRE

<Info>
  Using your own AWS Bedrock access keys is **optional**. If you don't configure your own keys, Metoro will use its default credentials.
</Info>

## Pricing

AI SRE billing works as follows:

* If you provide your own AWS Bedrock credentials, you only pay Metoro's normal ingest price. Your LLM usage is billed by AWS through your own Bedrock account.
* If you do not provide your own credentials, Metoro calculates LLM usage based on the tokens consumed in your account and passes that usage through to you at cost, with no markup added.

## Prerequisites

Before you begin, you'll need:

* An AWS account with access to AWS Bedrock
* Permissions to create IAM users and access keys
* Access to the AWS Management Console

## Step 0: Enable Bedrock and get access to models

1. Navigate to the [AWS Console](https://console.aws.amazon.com)
2. Search for and select **Amazon Bedrock**
3. In the Bedrock console, go to the **Model Catalog** section
4. Ensure that your account has access to the following models:
   * `Claude Opus 4.5 - anthropic.claude-opus-4-5-20251101-v1:0`

<Note>
  Metoro will likely need access to more models in the future. If Metoro does not have access to a required model, we will notify you in the product.
</Note>

## Step 1: Create a Bedrock API Key

1. Navigate to the [AWS Console](https://console.aws.amazon.com)
2. Search for and select **Amazon Bedrock**
3. In the Bedrock console, go to **API Keys** section
4. Click **Long-term API Keys**
5. Click **Generate Long-term API Keys**
6. Set the expiration date for your API key (e.g., 3 months) - you will need to update this in Metoro before it expires
7. Click **Generate**

<Note>
  When you create a Bedrock API Key, AWS automatically creates an associated IAM user. You'll need to find this user in the next step.
</Note>

## Step 2: Find the Associated IAM User

After creating the Bedrock API Key:

1. Navigate to the **IAM Console** in AWS
2. Click on **Users** in the left sidebar
3. Look for the IAM user that was automatically created for your Bedrock API Key
   * The user name typically follows a pattern related to your Bedrock API key name
   * It may have a prefix like `BedrockAPIKey-` or contain the API key name you specified

## Step 3: Create Access Keys for the IAM User

Once you've found the correct IAM user:

1. Click on the IAM user name to open the user details
2. Navigate to the **Security credentials** tab
3. Scroll down to the **Access keys** section
4. Click **Create access key**
5. Select **Third-party service** as the use case
6. Add a description tag (optional but recommended, e.g., "Metoro AI SRE Integration")
7. Click **Create access key**

<Warning>
  **Important:** This is your only opportunity to view and download the access key credentials. Make sure to:

  * Copy the **Access key ID**
  * Copy the **Secret access key**
  * Store them securely

  You won't be able to view the secret access key again after this screen.
</Warning>

## Step 4: Configure Access Keys in Metoro

Now that you have your AWS access credentials, configure them in Metoro:

1. Navigate to **Settings** → **Features** → **AI SRE**
2. In the **AWS Bedrock Access Credentials** section:
   * Enter your **Access Key ID** in the "Access Key" field
   * Enter your **Secret Access Key** in the "Access Secret" field
3. Click **Save** to store your credentials

<Info>
  Your credentials are encrypted and stored securely. They are never exposed in the UI after being saved.
</Info>

## Validating Your Configuration

You can create a dummy alert to test your AWS Bedrock access keys.

1. Create a new alert that will breach immediately in Metoro
2. Enable AI investigation for the alert
3. Specify a dummy runbook that Metoro should execute
4. Create the alert

After the alert has been created, it should immediately fire and execute the dummy runbook.
Now in the AWS Console, navigate to **CloudTrail** and filter for events with the **AWS Access Key** matching your the key you entered in Metoro.

## Managing Your Access Keys

### Viewing Current Configuration

You can see if you have configured access keys by checking:

* **Settings** → **Features** → **AI SRE** → **AWS Bedrock Access Credentials**
* The current access key ID (not the secret) will be displayed if configured

### Updating Access Keys

To update your access keys:

1. Go to **Settings** → **Features** → **AI SRE** → **AWS Bedrock Access Credentials**
2. Delete the existing key by clicking the **Delete** button
3. Enter your new access credentials
4. Click **Save**

### Deleting Access Keys

You can remove your AWS credentials from Metoro at any time:

1. Go to **Settings** → **Features** → **AI SRE** → **AWS Bedrock Access Credentials**
2. Click the **Delete** button next to your current access key
3. Confirm the deletion

After deletion, Metoro will automatically fall back to its default credentials.

### Revoking Access in AWS

To completely revoke access, you should also delete the access key in AWS:

1. Go to the AWS IAM Console
2. Find the IAM user associated with your Bedrock API Key
3. Navigate to **Security credentials**
4. Find the access key and click **Delete**

## Security Best Practices

<Steps>
  <Step title="Use dedicated credentials">
    Create a separate Bedrock API Key specifically for Metoro integration rather than reusing existing credentials.
  </Step>

  <Step title="Rotate keys regularly">
    Periodically rotate your access keys by creating new ones and updating them in Metoro, then deleting the old ones.
  </Step>

  <Step title="Monitor usage">
    Regularly review AWS CloudTrail logs to monitor the usage of your Bedrock API keys.
  </Step>

  <Step title="Delete unused keys">
    If you're no longer using AI SRE or want to switch back to Metoro's default credentials, delete your access keys from both Metoro and AWS.
  </Step>
</Steps>

## Troubleshooting

### Access Key Not Working

If your access keys aren't working:

1. **Verify the credentials**: Make sure you copied the access key and secret correctly
2. **Check IAM permissions**: Ensure the IAM user has the necessary permissions to access Bedrock
3. **Verify Bedrock access**: Confirm your AWS account has access to the Bedrock models you need

### Permission Errors

If you encounter permission errors:

1. Check that the IAM user has the `bedrock:InvokeModel` permission
2. Verify the user has access to the specific models Metoro needs
3. Ensure there are no restrictive policies blocking access

### Need Help?

If you're experiencing issues setting up your AWS Bedrock access keys:

* Contact our support team through your dedicated support channel
* Join our community [Slack workspace](https://join.slack.com/t/metorocommunity/shared_invite/zt-2makpjl5j-F0WcpGnPcdc8anbNGcewqw) and a member of our team will help you.
