Using your own AWS Bedrock access keys is optional. If you don’t configure your own keys, Guardian will use Metoro’s default credentials.

Prerequisites

Before you begin, you’ll need:
  • An AWS account with access to AWS Bedrock
  • Permissions to create IAM users and access keys
  • Access to the AWS Management Console

Step 1: Create a Bedrock API Key

  1. Navigate to the AWS Console
  2. Search for and select Amazon Bedrock
  3. In the Bedrock console, go to API Keys section
  4. Click Create API Key
  5. Give your API key a descriptive name (e.g., “metoro-guardian-key”)
  6. Select the appropriate permissions and models you want to grant access to
  7. Click Create
When you create a Bedrock API Key, AWS automatically creates an associated IAM user. You’ll need to find this user in the next step.

Step 2: Find the Associated IAM User

After creating the Bedrock API Key:
  1. Navigate to the IAM Console in AWS
  2. Click on Users in the left sidebar
  3. Look for the IAM user that was automatically created for your Bedrock API Key
    • The user name typically follows a pattern related to your Bedrock API key name
    • It may have a prefix like Bedrock- or contain the API key name you specified

Step 3: Create Access Keys for the IAM User

Once you’ve found the correct IAM user:
  1. Click on the IAM user name to open the user details
  2. Navigate to the Security credentials tab
  3. Scroll down to the Access keys section
  4. Click Create access key
  5. Select Third-party service as the use case
  6. Add a description tag (optional but recommended, e.g., “Metoro Guardian Integration”)
  7. Click Create access key
Important: This is your only opportunity to view and download the access key credentials. Make sure to:
  • Copy the Access key ID
  • Copy the Secret access key
  • Store them securely
You won’t be able to view the secret access key again after this screen.

Step 4: Configure Access Keys in Metoro

Now that you have your AWS access credentials, configure them in Metoro:

Option A: During Guardian Onboarding

If you’re setting up Guardian for the first time:
  1. During the Guardian onboarding process, you’ll reach the Access Keys step
  2. Enter your Access Key ID in the “Access Key” field
  3. Enter your Secret Access Key in the “Access Secret” field
  4. Click Save to store your credentials

Option B: From Settings

If Guardian is already set up or you want to update your credentials:
  1. Navigate to SettingsAI SettingsAPI Keys
  2. In the AWS Bedrock Access Credentials section:
    • Enter your Access Key ID in the “Access Key” field
    • Enter your Secret Access Key in the “Access Secret” field
  3. Click Save to store your credentials
Your credentials are encrypted and stored securely. They are never exposed in the UI after being saved.

Managing Your Access Keys

Viewing Current Configuration

You can see if you have configured access keys by checking:
  • SettingsAI SettingsAPI Keys
  • The current access key ID (not the secret) will be displayed if configured

Updating Access Keys

To update your access keys:
  1. Go to SettingsAI SettingsAPI Keys
  2. Delete the existing key by clicking the Delete button
  3. Enter your new access credentials
  4. Click Save

Deleting Access Keys

You can remove your AWS credentials from Metoro at any time:
  1. Go to SettingsAI SettingsAPI Keys
  2. Click the Delete button next to your current access key
  3. Confirm the deletion
After deletion, Guardian will automatically fall back to using Metoro’s default credentials.

Revoking Access in AWS

To completely revoke access, you should also delete the access key in AWS:
  1. Go to the AWS IAM Console
  2. Find the IAM user associated with your Bedrock API Key
  3. Navigate to Security credentials
  4. Find the access key and click Delete

Security Best Practices

1

Use dedicated credentials

Create a separate Bedrock API Key specifically for Metoro integration rather than reusing existing credentials.
2

Rotate keys regularly

Periodically rotate your access keys by creating new ones and updating them in Metoro, then deleting the old ones.
3

Monitor usage

Regularly review AWS CloudTrail logs to monitor the usage of your Bedrock API keys.
4

Delete unused keys

If you’re no longer using Guardian or want to switch back to Metoro’s default credentials, delete your access keys from both Metoro and AWS.

Troubleshooting

Access Key Not Working

If your access keys aren’t working:
  1. Verify the credentials: Make sure you copied the access key and secret correctly
  2. Check IAM permissions: Ensure the IAM user has the necessary permissions to access Bedrock
  3. Verify Bedrock access: Confirm your AWS account has access to the Bedrock models you need

Permission Errors

If you encounter permission errors:
  1. Check that the IAM user has the bedrock:InvokeModel permission
  2. Verify the user has access to the specific models Guardian needs
  3. Ensure there are no restrictive policies blocking access

Need Help?

If you’re experiencing issues setting up your AWS Bedrock access keys:
  • Contact our support team through your dedicated support channel
  • Join our community Slack workspace and a member of our team will help you.