The AWS Bedrock Token Generator for Java is a lightweight utility library that generates short-term bearer tokens for AWS Bedrock API authentication. This library simplifies the process of creating secure, time-limited tokens that can be used to authenticate with AWS Bedrock services without exposing long-term credentials.
Add the following dependency to your pom.xml:
<dependency>
<groupId>software.amazon.bedrock</groupId>
<artifactId>aws-bedrock-token-generator</artifactId>
<version>1.1.0</version>
</dependency>Add the following to your build.gradle:
implementation 'software.amazon.bedrock:aws-bedrock-token-generator:1.1.0'NOTE - You may specify a custom token duration (e.g., 1 hour, 6 hours), but the actual token lifetime will be: min(specified duration, credentials expiry, 12 hours). Default is set to 12 hours
import software.amazon.bedrock.token.BedrockTokenGenerator;
// Credentials and region will be picked up from the default provider chain
BedrockTokenGenerator tokenGenerator = BedrockTokenGenerator.builder().build();
tokenGenerator.getToken();import software.amazon.bedrock.token.BedrockTokenGenerator;
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
// Example provider STS Assume Role credentials provider
AwsCredentialsProvider assumeRoleProvider = StsAssumeRoleCredentialsProvider.builder()
.refreshRequest(AssumeRoleRequest.builder()
.roleArn("arn:aws:iam::123456789012:role/BedrockRole")
.roleSessionName("bedrock-token-session")
.durationSeconds(3600) // 1 hour
.build())
.build();
// Use provider and region with the token generator
BedrockTokenGenerator tokenGenerator = BedrockTokenGenerator.builder()
.region(Region.US_EAST_1)
.credentialsProvider(assumeRoleProvider)
.build();
tokenGenerator.getToken();import software.amazon.bedrock.token.BedrockTokenGenerator;
import software.amazon.awssdk.auth.credentials.AwsCredentials;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import java.time.Duration;
// Resolve credentials from default provider for example
AwsCredentials credentials = DefaultCredentialsProvider.create().resolveCredentials();
// Generate bearer token using static method
String bearerToken = BedrockTokenGenerator.getToken(
credentials,
Region.US_WEST_2,
Duration.ofHours(12)
);Generates a bearer token for AWS Bedrock API authentication using static method.
Parameters:
credentials(AwsCredentials): AWS credentials to use for signingregion(Region): AWS region object (e.g., Region.US_WEST_2)expiry(Duration): Token expiration duration (e.g., Duration.ofHours(12))
Returns:
String: A bearer token valid for specified duration, prefixed with "bedrock-api-key-"
Example:
String token = BedrockTokenGenerator.getToken(credentials, Region.US_WEST_2, Duration.ofHours(12));Creates a BedrockTokenGenerator instance using the builder pattern.
Builder Methods:
region(Region region): Set the AWS regioncredentialsProvider(AwsCredentialsProvider provider): Set credentials providerexpiry(Duration expiry): Set token expiration durationbuild(): Create the BedrockTokenGenerator instance
Instance Method:
getToken(): Generate token using configured settings
Example:
BedrockTokenGenerator generator = BedrockTokenGenerator.builder()
.region(Region.US_EAST_1)
.credentialsProvider(DefaultCredentialsProvider.create())
.expiry(Duration.ofHours(6))
.build();
String token = generator.getToken();The generated tokens follow this format:
bedrock-api-key-<base64-encoded-presigned-url>&Version=1
- Prefix:
bedrock-api-key-identifies the token type - Payload: Base64-encoded presigned URL with embedded credentials
- Version:
&Version=1for future compatibility - Expiration: The token has a default expiration of 12 hour. If the expiresIn parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time
- Token Expiration: The token has a default expiration of 12 hour. If the expiry parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time. The token must be generated again once it expires, as it cannot be refreshed or extended
- Secure Storage: Store tokens securely and avoid logging them
- Credential Management: Use IAM roles and temporary credentials when possible
- Network Security: Always use HTTPS when transmitting tokens
- Principle of Least Privilege: Ensure underlying credentials have minimal required permissions
- Java: 8 or later
- AWS SDK: 2.25.28 or later
- Dependencies: Minimal - only AWS SDK auth and HTTP components
import software.amazon.bedrock.token.BedrockTokenGenerator;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.core.exception.SdkException;
import java.time.Duration;
public class BedrockTokenExample {
public static void main(String[] args) {
try {
// Using static method
String token = BedrockTokenGenerator.getToken(
DefaultCredentialsProvider.create().resolveCredentials(),
Region.US_WEST_2,
Duration.ofHours(12)
);
System.out.println("Successfully generated token: " +
token.substring(0, 30) + "...");
} catch (SdkException e) {
System.err.println("Failed to generate token: " + e.getMessage());
}
}
}import software.amazon.awssdk.auth.credentials.*;
import software.amazon.awssdk.regions.Region;
import java.time.Duration;
// Default credentials (recommended)
AwsCredentials defaultCreds = DefaultCredentialsProvider.create().resolveCredentials();
// Environment variables
AwsCredentials envCreds = EnvironmentVariableCredentialsProvider.create().resolveCredentials();
// System properties
AwsCredentials sysCreds = SystemPropertyCredentialsProvider.create().resolveCredentials();
// Profile-based credentials
AwsCredentials profileCreds = ProfileCredentialsProvider.create("my-profile").resolveCredentials();
// Generate tokens with any credential provider using static method
String token = BedrockTokenGenerator.getToken(defaultCreds, Region.US_WEST_2, Duration.ofHours(12));import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import java.time.Duration;
// Builder with custom expiry
BedrockTokenGenerator shortLivedGenerator = BedrockTokenGenerator.builder()
.region(Region.US_EAST_1)
.credentialsProvider(DefaultCredentialsProvider.create())
.expiry(Duration.ofHours(1))
.build();
BedrockTokenGenerator defaultGenerator = BedrockTokenGenerator.builder()
.credentialsProvider(DefaultCredentialsProvider.create())
.build();
String shortToken = shortLivedGenerator.getToken();
String defaultToken = defaultGenerator.getToken();# Clone the repository
git clone https://github.com/aws/aws-bedrock-token-generator-java.git
cd aws-bedrock-token-generator-java
# Build with Maven
mvn clean compile
# Run tests
mvn test
# Create JAR
mvn packageThe build will generate:
aws-bedrock-token-generator-1.1.0.jar- Main library with dependenciesaws-bedrock-token-generator-1.1.0-sources.jar- Source codeaws-bedrock-token-generator-1.1.0-javadoc.jar- API documentation
We welcome contributions! Please see CONTRIBUTING.md for details on how to contribute to this project.
- Prerequisites: Java 8+, Maven 3.6+
- Clone:
git clone https://github.com/aws/aws-bedrock-token-generator-java.git - Build:
mvn clean compile - Test:
mvn test5. Package:mvn package
- Documentation: AWS Bedrock Documentation
- Issues: GitHub Issues
- AWS Support: AWS Support Center
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
See CHANGELOG.md for a list of changes and version history.