# Enterprise Connect for Amazon Bedrock

> Set up an IAM role and trust policy in AWS, then configure Amazon Bedrock in the Unstructured AI Providers UI to enable Enterprise Connect authentication.

<Note>
  Enterprise Connect is required only when Unstructured needs to access Bedrock resources in a different AWS account. If Unstructured and your Bedrock resources are in the same AWS account, use standard IAM or credentials authentication instead.
</Note>

Enterprise Connect for Amazon Bedrock requires two configurations:

1. Create an IAM role and trust policy in AWS.
2. Configure Amazon Bedrock on the Unstructured [**AI Providers**](/business/ai-providers) page by providing the role ARN and External ID from the AWS setup.

The AI Providers configuration applies to every model task in the workspace at once. Each workspace uses its own role, which is not shared with other workspaces. Unlike connectors, Amazon Bedrock cannot be configured through the API. The AI Providers UI is the only configuration path.

## Setup requirements

Enterprise Connect requires the following:

* A dedicated instance provisioned for your Unstructured account, with Enterprise Connect enabled. Contact your Unstructured account team or [Unstructured Support](https://support.unstructured.io/) to request access and have it enabled.
* An AWS account where you can create and manage IAM roles.

## Set up Enterprise Connect authentication

This procedure covers creating an IAM role and trust policy in AWS and attaching a Bedrock permissions policy to the role. If the IAM role that Unstructured assumes already exists for this workspace, skip to Step 3. For a conceptual overview of the IAM role and trust policy, see [Enterprise Connect for AWS](/business/aws/enterprise-connect#iam-role-and-trust-policy).

1. Choose an **External ID** — a unique value that prevents unauthorized parties from assuming your IAM role. You will add this value to your AWS trust policy and enter it in the AI Providers UI. Use upper and lower case alphanumeric characters, underscores, or any of `+=,.@:\/-`; no spaces; 2–1224 characters.

2. In your AWS account, create an IAM role that Unstructured will assume to invoke Bedrock models (for example, `unstructured-bedrock-role`), or use an existing Enterprise Connect role. For more information, see [Create a role using custom trust policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-custom.html) in the *AWS IAM User Guide*.

   Attach the following trust policy, replacing the placeholder values:

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "AWS": "<unstructured-dedicated-instance-role-arn>"
         },
         "Action": "sts:AssumeRole",
         "Condition": {
           "StringEquals": {
             "sts:ExternalId": "<your-external-id>"
           }
         }
       }
     ]
   }
   ```

   | Placeholder                                  | Value                                                                                                                     |
   | -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------- |
   | `<unstructured-dedicated-instance-role-arn>` | The ARN of the dedicated instance role for your Unstructured account. Get this value from your Unstructured account team. |
   | `<your-external-id>`                         | The unique value you chose as your external ID.                                                                           |

   The `sts:ExternalId` condition prevents the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html). It ensures only your Unstructured workspace can use this role, even if another party knows the dedicated instance role ARN.

3. Attach the following permissions policy to the role. It grants the Bedrock permissions Unstructured needs to list and invoke models.

   ```json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Action": [
           "bedrock:ListFoundationModels",
           "bedrock:InvokeModel",
           "bedrock:InvokeModelWithResponseStream"
         ],
         "Resource": "*"
       }
     ]
   }
   ```

## Configure Amazon Bedrock in the Unstructured AI Providers UI

1. If you are not already signed in, sign in to your Unstructured account.
2. In the top navigation bar, in the organizational account selector, select the organizational account that the target workspace belongs to.
3. Next to the organizational account selector, click the workspace selector, and then select the target workspace.
4. In the workspace navigation bar, click the **AI Providers** tab.
5. Next to **Amazon Bedrock**, click **Configure**.
6. For **Access Method**, select **Assume role**.
7. For **AWS Region Name**, enter the AWS Region where your Bedrock access is enabled, such as `us-east-1`.
8. For **Role Arn**, enter the ARN of the IAM role you created in Step 2 of [Set up Enterprise Connect authentication](#set-up-enterprise-connect-authentication).
9. For **External Id**, enter the External ID you chose in Step 1 of [Set up Enterprise Connect authentication](#set-up-enterprise-connect-authentication).
10. Click **Save Configuration**.

Amazon Bedrock is now ready for all workflows in this workspace.

<Note>
  Amazon Bedrock Enterprise Connect can only be configured through the AI Providers UI. There is no API equivalent.
</Note>

## Troubleshoot Enterprise Connect for Bedrock

Enterprise Connect failures occur at one of two stages. Match the symptom to identify the cause and apply the fix.

* **Role assumption fails (`AssumeRole` access denied).** The AWS trust policy or External ID is misconfigured.
  * Verify that the Principal ARN in the AWS trust policy exactly matches your dedicated instance role ARN provided by your Unstructured account team. See `<unstructured-dedicated-instance-role-arn>` in Step 2 of [Set up Enterprise Connect authentication](#set-up-enterprise-connect-authentication).
  * Verify that the External ID in the Unstructured AI Providers UI exactly matches the value in the AWS trust policy. See Step 9 of [Configure Amazon Bedrock in the Unstructured AI Providers UI](#configure-amazon-bedrock-in-the-unstructured-ai-providers-ui) and `<your-external-id>` in Step 2 of [Set up Enterprise Connect authentication](#set-up-enterprise-connect-authentication).
* **Role assumption succeeds but model calls fail (Bedrock access denied).** The AWS permissions policy does not allow the requested Bedrock action.
  * Verify that the AWS permissions policy includes all three Bedrock actions. See Step 3 of [Set up Enterprise Connect authentication](#set-up-enterprise-connect-authentication).
  * Verify that the model is enabled in the AWS Region. See Step 7 of [Configure Amazon Bedrock in the Unstructured AI Providers UI](#configure-amazon-bedrock-in-the-unstructured-ai-providers-ui).
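
Both failure stages above can be checked offline against the policy JSON from Steps 2 and 3 before anything is saved in the UI. The following linter is an added example, not Unstructured or AWS tooling; the function names, finding strings, sample ARN and sample External ID are constructed for illustration, and the External ID pattern is the character set AWS STS documents for `ExternalId`.

```python
import re
from fnmatch import fnmatchcase

# AWS STS ExternalId character set, with the 2-1224 length limit from Step 1.
EXTERNAL_ID_RE = re.compile(r"[\w+=,.@:\/-]{2,1224}", re.ASCII)
REQUIRED_ACTIONS = ("bedrock:ListFoundationModels", "bedrock:InvokeModel",
                    "bedrock:InvokeModelWithResponseStream")

def _as_list(value):
    # IAM accepts a single string or a list in most policy fields.
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy, instance_role_arn, external_id):
    """Return findings for a Step 2 trust policy; an empty list means it passes."""
    findings = []
    if not EXTERNAL_ID_RE.fullmatch(external_id):
        findings.append("External ID breaks the Step 1 format rules")
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        findings.append("no Allow statement for sts:AssumeRole")
    for stmt in allows:
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if arns != [instance_role_arn]:
            findings.append("Principal is not exactly the dedicated instance role ARN")
        # Condition keys are case-insensitive in IAM.
        equals = {k.lower(): v for k, v in
                  stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if "sts:externalid" not in equals:
            findings.append("no sts:ExternalId condition (confused deputy exposure)")
        elif _as_list(equals["sts:externalid"]) != [external_id]:
            findings.append("sts:ExternalId differs from the value entered in the UI")
    return findings

def missing_bedrock_actions(policy):
    """Return the Step 3 actions that no Allow statement grants (wildcards honoured)."""
    granted = [a.lower() for s in _as_list(policy.get("Statement", []))
               if s.get("Effect") == "Allow" for a in _as_list(s.get("Action", []))]
    return [req for req in REQUIRED_ACTIONS
            if not any(fnmatchcase(req.lower(), pat) for pat in granted)]

if __name__ == "__main__":
    # Constructed sample: placeholder ARN and External ID, condition left out.
    arn = "arn:aws:iam::111122223333:role/example-dedicated-instance-role"
    trust = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": arn}, "Action": "sts:AssumeRole"}]}
    print(lint_trust_policy(trust, arn, "example-External_ID-01"))
```

An empty result from `lint_trust_policy` rules out the first troubleshooting stage, and an empty result from `missing_bedrock_actions` rules out a missing action in the second; whether the model is enabled in the Region still has to be checked in AWS.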
