Skip to main content
OpenClaw can use Amazon Bedrock models via its Bedrock Converse streaming provider. Bedrock auth uses the AWS SDK default credential chain, not an API key.

Getting started

Choose your preferred auth method and follow the setup steps.
Best for: developer machines, CI, or hosts where you manage AWS credentials directly.
1

Set AWS credentials on the gateway host

2

Add a Bedrock provider and model to your config

No apiKey is required. Configure the provider with auth: "aws-sdk":
3

Verify models are available

With env-marker auth (AWS_ACCESS_KEY_ID, AWS_PROFILE, or AWS_BEARER_TOKEN_BEDROCK), OpenClaw auto-enables the implicit Bedrock provider for model discovery without extra config.

Automatic model discovery

OpenClaw can automatically discover Bedrock models that support streaming and text output. Discovery uses bedrock:ListFoundationModels and bedrock:ListInferenceProfiles, and results are cached (default: 1 hour). How the implicit provider is enabled:
  • If plugins.entries.amazon-bedrock.config.discovery.enabled is true, OpenClaw will try discovery even when no AWS env marker is present.
  • If plugins.entries.amazon-bedrock.config.discovery.enabled is unset, OpenClaw only auto-adds the implicit Bedrock provider when it sees one of these AWS auth markers: AWS_BEARER_TOKEN_BEDROCK, AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY, or AWS_PROFILE.
  • The actual Bedrock runtime auth path still uses the AWS SDK default chain, so shared config, SSO, and IMDS instance-role auth can work even when discovery needed enabled: true to opt in.
For explicit models.providers["amazon-bedrock"] entries, OpenClaw can still resolve Bedrock env-marker auth early from AWS env markers such as AWS_BEARER_TOKEN_BEDROCK without forcing full runtime auth loading. The actual model-call auth path still uses the AWS SDK default chain.
Config options live under plugins.entries.amazon-bedrock.config.discovery:
The Bedrock ListFoundationModels and GetFoundationModel APIs return no token-limit metadata, only model ID, name, modalities, and lifecycle status. OpenClaw ships a lookup table of known context windows and output limits for popular Bedrock models (Claude, Nova, Llama, Mistral, DeepSeek, and others) so session management, compaction thresholds, and context-overflow detection work correctly for those models.Discovered models not in the table fall back to defaultContextWindow and defaultMaxTokens. If a model you use is missing accurate limits, override it with an explicit models.providers["amazon-bedrock"].models entry.

Quick setup (AWS path)

This walkthrough creates an IAM role, attaches Bedrock permissions, associates the instance profile, and enables OpenClaw discovery on the EC2 host.

Advanced configuration

OpenClaw discovers regional and global inference profiles alongside foundation models. When a profile maps to a known foundation model, the profile inherits that model’s capabilities (context window, max tokens, reasoning, vision) and the correct Bedrock request region is injected automatically. This means cross-region Claude profiles work without manual provider overrides. Global cross-region profiles (global.*) are listed first in openclaw models list since they generally offer better capacity and automatic failover.Inference profile IDs look like us.anthropic.claude-opus-4-6-v1:0 (regional) or anthropic.claude-opus-4-6-v1:0 (global). If the backing model is already in the discovery results, the profile inherits its full capability set; otherwise safe defaults apply.No extra configuration is needed. As long as discovery is enabled and the IAM principal has bedrock:ListInferenceProfiles, profiles appear alongside foundation models in openclaw models list.
Some Bedrock models support a service_tier parameter to optimize for cost or latency. The following tiers are available:Set serviceTier (or service_tier) via agents.defaults.params for Bedrock model requests, or per-model in agents.defaults.models["<model-key>"].params:
Valid values are default, flex, priority, and reserved. Claude Fable 5 and Sonnet 5 only support the default tier; OpenClaw warns and ignores flex, priority, or reserved requested for those models. For other models, not every model supports every tier — an unsupported tier returns a Bedrock validation error, and the error message can be misleading (for example “The provided model identifier is invalid” rather than naming the tier as the problem). If you see this error, check whether the model supports the requested tier.
Bedrock rejects the temperature parameter for Claude Opus 4.7 and Opus 4.8. OpenClaw omits temperature automatically for any matching Bedrock ref, including foundation model ids, named inference profiles, application inference profiles whose underlying model resolves to Opus 4.7/4.8 via bedrock:GetInferenceProfile, and dotted opus-4.7/opus-4.8 variants with optional region prefixes (us., eu., ap., apac., au., jp., global.). No config knob is required, and the omission applies to both the request options object and the inferenceConfig payload field.
Use amazon-bedrock/anthropic.claude-fable-5 in us-east-1, or the regional inference ids such as us.anthropic.claude-fable-5. OpenClaw applies Fable’s 1M context window, 128K output limit, always-on adaptive thinking, and supported effort mapping. /think off and /think minimal map to low; temperature and forced tool choice controls are omitted, matching the Opus 4.7/4.8 route. Streaming output is held until Bedrock returns a terminal status so mid-stream refusals do not expose partial text.AWS requires an explicit provider_data_share data-retention opt-in before Fable is available. Prompts and completions are shared with Anthropic and retained for up to 30 days for trust and safety. Review and configure Bedrock data retention before enabling the model.
Claude Mythos 5 is available through Bedrock only for accounts with the required limited-access approval. OpenClaw recognizes the foundation model anthropic.claude-mythos-5 and regional or global inference profiles such as us.anthropic.claude-mythos-5.OpenClaw applies the 1,000,000-token context window, 128,000-token output limit, image input, prompt caching, refusal-safe streaming, and native effort levels. Adaptive thinking is always enabled: /think off and /think minimal map to low, while xhigh and max remain available. Custom sampling and forced tool choice values are omitted.
AWS documents Sonnet 5 for both the bedrock-runtime and bedrock-mantle endpoints. OpenClaw recognizes the Bedrock foundation model anthropic.claude-sonnet-5 and regional or global inference profiles such as us.anthropic.claude-sonnet-5. It applies the 1,000,000-token context window, 128,000-token output limit, image input, native effort levels, prompt caching, and refusal-safe streaming.Bedrock keeps adaptive thinking enabled for Sonnet 5. OpenClaw defaults to high; /think off and /think minimal map to low because this route cannot disable thinking. Custom temperature and forced tool choice values are omitted while adaptive thinking is active.
You can apply Amazon Bedrock Guardrails to all Bedrock model invocations by adding a guardrail object to the amazon-bedrock plugin config. Guardrails let you enforce content filtering, topic denial, word filters, sensitive information filters, and contextual grounding checks.
guardrailIdentifier and guardrailVersion are required.
The IAM principal used by the gateway must have the bedrock:ApplyGuardrail permission in addition to the standard invoke permissions.
Bedrock can also serve as the embedding provider for memory search. This is configured separately from the inference provider — set agents.defaults.memorySearch.provider to "bedrock":
Bedrock embeddings use the same AWS SDK credential chain as inference (instance roles, SSO, access keys, shared config, and web identity). No API key is needed.Supported embedding models include Amazon Titan Embed (v1, v2), Amazon Nova Embed, Cohere Embed (v3, v4), and TwelveLabs Marengo. See Memory configuration reference — Bedrock for the full model list and dimension options.
  • Bedrock requires model access enabled in your AWS account/region.
  • Automatic discovery needs the bedrock:ListFoundationModels and bedrock:ListInferenceProfiles permissions.
  • If you rely on auto mode, set one of the supported AWS auth env markers on the gateway host. If you prefer IMDS/shared-config auth without env markers, set plugins.entries.amazon-bedrock.config.discovery.enabled: true.
  • OpenClaw surfaces the credential source in this order: AWS_BEARER_TOKEN_BEDROCK, then AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY, then AWS_PROFILE, then the default AWS SDK chain.
  • Reasoning support depends on the model; check the Bedrock model card for current capabilities.
  • If you prefer a managed key flow, you can also place an OpenAI-compatible proxy in front of Bedrock and configure it as an OpenAI provider instead.

Model selection

Choosing providers, model refs, and failover behavior.

Memory search

Bedrock embeddings for memory search configuration.

Memory config reference

Full Bedrock embedding model list and dimension options.

Troubleshooting

General troubleshooting and FAQ.