Enterprise Connect is required only when Unstructured needs to access Bedrock resources in a different AWS account. If Unstructured and your Bedrock resources are in the same AWS account, use standard IAM or credentials authentication instead.
Enterprise Connect for Amazon Bedrock requires two configurations:
  1. Create an IAM role and trust policy in AWS.
  2. Configure Amazon Bedrock on the Unstructured AI Providers page by providing the role ARN and External ID from the AWS setup.
The AI Providers configuration applies to every model task in the workspace at once. Each workspace uses one role, not shared with other workspaces. Unlike connectors, Amazon Bedrock cannot be configured through the API. The AI Providers UI is the only configuration path.

Setup requirements

Enterprise Connect requires the following:
  • A dedicated instance provisioned for your Unstructured account, with Enterprise Connect enabled. Contact your Unstructured account team or Unstructured Support to request access and have it enabled.
  • An AWS account where you can create and manage IAM roles.

Set up Enterprise Connect authentication

This procedure covers creating an IAM role and trust policy in AWS and attaching a Bedrock permissions policy to the role. If the IAM role that Unstructured assumes already exists for this workspace, skip to Step 3. For a conceptual overview of the IAM role and trust policy, see Enterprise Connect for AWS.
  1. Choose an External ID: a unique value that prevents unauthorized parties from assuming your IAM role. You will add this value to your AWS trust policy and enter it in the AI Providers UI. The value can contain upper and lower case alphanumeric characters, underscores, or any of +=,.@:\/-, must not contain spaces, and must be 2–1224 characters long.
  2. In your AWS account, create an IAM role that Unstructured will assume to invoke Bedrock models (for example, unstructured-bedrock-role), or use an existing Enterprise Connect role. For more information, see Create a role using custom trust policies in the AWS IAM User Guide. Attach the following trust policy, replacing the placeholder values:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "<unstructured-dedicated-instance-role-arn>"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "<your-external-id>"
            }
          }
        }
      ]
    }
    
    Placeholder | Value
    <unstructured-dedicated-instance-role-arn> | The ARN of the dedicated instance role for your Unstructured account. Get this value from your Unstructured account team.
    <your-external-id> | The unique value you chose as your external ID.
    The sts:ExternalId condition prevents the confused deputy problem. It ensures only your Unstructured workspace can use this role, even if another party knows the dedicated instance role ARN.
  3. Attach the following permissions policy to the role. It grants the Bedrock permissions Unstructured needs to list and invoke models.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "bedrock:ListFoundationModels",
            "bedrock:InvokeModel",
            "bedrock:InvokeModelWithResponseStream"
          ],
          "Resource": "*"
        }
      ]
    }
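
As a check on Steps 1 and 2, the following added example (not Unstructured's or AWS's code) generates an External ID that satisfies the Step 1 rule and lints a trust policy document against the Step 2 shape, flagging a missing or mismatched sts:ExternalId condition or a principal other than the dedicated instance role. The function names and the sample ARN are assumptions made for illustration.

```python
import re
import secrets

# Step 1 rule: alphanumerics, underscore, or + = , . @ : \ / -; no spaces; 2-1224 chars.
EXTERNAL_ID_RE = re.compile(r"[A-Za-z0-9_+=,.@:\\/-]{2,1224}")

def new_external_id(nbytes=32):
    """Unguessable External ID; token_urlsafe emits only A-Z a-z 0-9 _ and -."""
    return secrets.token_urlsafe(nbytes)

def build_trust_policy(principal_arn, external_id):
    """Trust policy in the shape shown in Step 2."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": principal_arn},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}

def as_list(value):
    """IAM accepts one value or a list in most fields; normalize to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def audit_trust_policy(policy, principal_arn, external_id):
    """Return findings; an empty list means the policy matches Step 2."""
    findings = []
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        findings.append("external ID breaks the Step 1 character/length rule")
    allows = [s for s in as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow" and "sts:AssumeRole" in as_list(s.get("Action"))]
    if not allows:
        findings.append("no Allow statement for sts:AssumeRole")
    for s in allows:
        principal = s.get("Principal")
        arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else as_list(principal)
        if arns != [principal_arn]:
            findings.append("principal is not exactly the dedicated instance role")
        cond = s.get("Condition", {}).get("StringEquals", {})
        # Condition key names are case-insensitive in IAM.
        ids = [v for k, vals in cond.items() if k.lower() == "sts:externalid" for v in as_list(vals)]
        if not ids:
            findings.append("missing StringEquals sts:ExternalId condition")
        elif ids != [external_id]:
            findings.append("sts:ExternalId does not match the chosen value")
    return findings

# Constructed sample value: placeholder account ID and role name, not a real ARN.
SAMPLE_ARN = "arn:aws:iam::111122223333:role/example-dedicated-instance-role"
if __name__ == "__main__":
    eid = new_external_id()
    print(audit_trust_policy(build_trust_policy(SAMPLE_ARN, eid), SAMPLE_ARN, eid))
```

To lint a real role, pass the trust policy document retrieved from IAM, parsed from JSON, together with the ARN from your account team and the External ID you chose.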
    

Configure Amazon Bedrock in the Unstructured AI Providers UI

  1. If you are not already signed in, sign in to your Unstructured account.
  2. In the top navigation bar, in the organizational account selector, select the organizational account that the target workspace belongs to.
  3. Next to the organizational account selector, click the workspace selector, and then select the target workspace.
  4. In the workspace navigation bar, click the AI Providers tab.
  5. Next to Amazon Bedrock, click Configure.
  6. For Access Method, select Assume role.
  7. For AWS Region Name, enter the AWS Region where your Bedrock access is enabled, such as us-east-1.
  8. For Role Arn, enter the ARN of the IAM role you created in Step 2 of Set up Enterprise Connect authentication.
  9. For External Id, enter the External ID you chose in Step 1 of Set up Enterprise Connect authentication.
  10. Click Save Configuration.
Amazon Bedrock is now ready for all workflows in this workspace.
Amazon Bedrock Enterprise Connect can only be configured through the AI Providers UI. There is no API equivalent.

Troubleshoot Enterprise Connect for Bedrock

Enterprise Connect failures occur at one of two stages. Match the symptom to identify the cause and apply the fix.