BYOC: AWS Bedrock
GitGuardian authenticates to your AWS account using OpenID Connect (OIDC) federation — no long-lived AWS credentials are stored. When an LLM call is needed, GitGuardian:
- Signs a short-lived JWT token identifying your GitGuardian workspace
- Calls AWS STS `AssumeRoleWithWebIdentity` to exchange the JWT for temporary AWS credentials
- Uses those credentials to invoke models on your Bedrock endpoint
This mechanism is used for both SaaS and Self-Hosted deployments.
Prerequisites
- Owner or Manager role on your GitGuardian workspace
- AWS IAM permissions to create OIDC providers, roles, and policies in your AWS account
- Amazon Bedrock model access enabled in the target AWS region (see AWS documentation)
Step 1: Add GitGuardian as an OIDC provider in AWS
- Open the IAM Console → Identity providers
- Click Add provider
- Select OpenID Connect
- Configure the provider:
| Field | SaaS | Self-Hosted |
|---|---|---|
| Provider URL | https://api.gitguardian.com | https://<your-gitguardian-url>/exposed |
| Audience | sts.amazonaws.com | sts.amazonaws.com |
- Click Add provider
Step 2: Create an IAM role
- In the IAM Console → Roles, click Create role
- Select Web Identity as the trusted entity type
- Choose the OIDC provider you just created
- Select `sts.amazonaws.com` as the Audience
Trust policy
Add a condition on the sub claim to restrict role assumption to your specific GitGuardian workspace:
- Click Add condition and set:
  - Key: `<oidc-provider>:sub` (e.g. `api.gitguardian.com:sub`)
  - Condition: `StringEquals`
  - Value: `gitguardian-account-id:<your-gitguardian-account-id>`

Your account ID is visible in your GitGuardian dashboard URL: https://dashboard.gitguardian.com/workspace/<your-account-id>/
The resulting trust policy should look like this:
For SaaS users:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {
        "Federated": "arn:aws:iam::<your-aws-account-id>:oidc-provider/api.gitguardian.com"
      },
      "Condition": {
        "StringEquals": {
          "api.gitguardian.com:sub": "gitguardian-account-id:<your-gitguardian-account-id>",
          "api.gitguardian.com:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
For Self-Hosted users:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Principal": {
        "Federated": "arn:aws:iam::<your-aws-account-id>:oidc-provider/<your-gitguardian-url>/exposed"
      },
      "Condition": {
        "StringEquals": {
          "<your-gitguardian-url>/exposed:sub": "gitguardian-account-id:<your-gitguardian-account-id>",
          "<your-gitguardian-url>/exposed:aud": "sts.amazonaws.com"
        }
      }
    }
  ]
}
```
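The two trust policies above differ only in the provider prefix used in the `Federated` ARN and the condition keys. The following Python script is an added example, not GitGuardian's or AWS's code: it builds the trust policy for either deployment type from a provider URL and then lints a trust document for the conditions that actually scope it, the `sub` claim (one GitGuardian workspace) and the `aud` claim (STS). The account ids and the self-hosted hostname `gg.example.com` are constructed placeholders; the host-plus-path derivation of the condition prefix follows the two examples shown on this page.

```python
"""Trust-policy builder and checker for the GitGuardian OIDC role.

Added example, not GitGuardian's or AWS's code. Reproduces the trust
policy shape documented above for both deployment types and checks an
existing trust document for the two conditions that scope it: the ``sub``
claim (pins the role to one GitGuardian workspace) and the ``aud`` claim
(pins it to STS). Account ids and hostnames below are constructed.
"""
from urllib.parse import urlparse

STS_AUDIENCE = "sts.amazonaws.com"
ACTION = "sts:AssumeRoleWithWebIdentity"
SUB_PREFIX = "gitguardian-account-id:"


def condition_prefix(provider_url: str) -> str:
    """IAM names an OIDC provider by host plus path, without the scheme.

    https://api.gitguardian.com      -> api.gitguardian.com
    https://gg.example.com/exposed   -> gg.example.com/exposed
    """
    parsed = urlparse(provider_url)
    return parsed.netloc + parsed.path.rstrip("/")


def build_trust_policy(aws_account_id: str, provider_url: str, gitguardian_account_id: str) -> dict:
    """Return the trust policy from the page, parameterised on provider and ids."""
    prefix = condition_prefix(provider_url)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ACTION,
                "Principal": {
                    "Federated": f"arn:aws:iam::{aws_account_id}:oidc-provider/{prefix}"
                },
                "Condition": {
                    "StringEquals": {
                        f"{prefix}:sub": f"{SUB_PREFIX}{gitguardian_account_id}",
                        f"{prefix}:aud": STS_AUDIENCE,
                    }
                },
            }
        ],
    }


def check_trust_policy(policy: dict, provider_url: str) -> list:
    """Return findings for every Allow statement that grants web-identity assumption.

    An empty list means each such statement names the expected provider,
    pins the sub claim to one GitGuardian account id and the aud claim to STS.
    """
    prefix = condition_prefix(provider_url)
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if not any(a in (ACTION, "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else principal
        if principal == "*" or federated == "*":
            findings.append("Principal is a wildcard; pin it to the OIDC provider ARN")
        elif not (isinstance(federated, str) and federated.endswith(f":oidc-provider/{prefix}")):
            findings.append(f"Federated principal does not name the provider {prefix}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        sub = equals.get(f"{prefix}:sub")
        if sub is None:
            findings.append(f"missing {prefix}:sub condition: role is not restricted to one GitGuardian workspace")
        elif not sub.startswith(SUB_PREFIX):
            findings.append(f"{prefix}:sub has unexpected form {sub!r}")
        if equals.get(f"{prefix}:aud") != STS_AUDIENCE:
            findings.append(f"missing or wrong {prefix}:aud condition, expected {STS_AUDIENCE}")
    return findings


if __name__ == "__main__":
    import json

    # Constructed sample values: a self-hosted GitGuardian at gg.example.com.
    policy = build_trust_policy("123456789012", "https://gg.example.com/exposed", "4242")
    print(json.dumps(policy, indent=2))
    print("findings:", check_trust_policy(policy, "https://gg.example.com/exposed"))
```

Run it against the trust document you actually saved in IAM (for example the output of `aws iam get-role`, which returns it under `AssumeRolePolicyDocument`) with the same provider URL you entered in Step 1: a policy that was pasted without the `sub` condition, or with a prefix from the other deployment type, shows up as a finding rather than as a role that silently trusts more than one workspace.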
Permission policy
- Click Next
- Attach a policy granting Bedrock invoke access. You can use the AWS managed policy `AmazonBedrockFullAccess`, or create a more restrictive custom policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/anthropic.*",
        "arn:aws:bedrock:*:*:inference-profile/us.anthropic.*"
      ]
    }
  ]
}
```
GitGuardian invokes models through cross-region inference profiles, because most current models require them. Include the inference profile ARN that matches the AWS region of your Bedrock deployment, for example `us.anthropic.*` or `eu.anthropic.*`.
- Click Next
- Name the role (e.g. `GitGuardianBedrockAccess`) and click Create Role
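The restrictive custom policy above is only correct for the region you will enter in Step 3: the inference-profile ARN carries a geographic prefix, and a `us.anthropic.*` grant does nothing for a Bedrock deployment in `eu-west-1`. The following Python script is an added example, not GitGuardian's or AWS's code. It derives the prefix from the region, builds the policy for that region, and checks a policy for wildcard grants, missing invoke actions and a profile from the wrong geography. Mapping a region to its prefix by its first label (`us-west-2` to `us`, `eu-west-1` to `eu`) is an assumption that matches the two prefixes the page names.

```python
"""Least-privilege check for the Bedrock permission policy.

Added example, not GitGuardian's or AWS's code. Derives the cross-region
inference-profile prefix from the region entered in Step 3 (assumed: the
region's first label, matching the us.* and eu.* prefixes named on the
page), builds the restrictive policy for it, and lints a policy for
wildcard grants, missing invoke actions and a profile from another region.
"""

INVOKE_ACTIONS = {"bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"}
FOUNDATION_MODELS = "arn:aws:bedrock:*::foundation-model/anthropic.*"
PROFILE_MARKER = ":inference-profile/"


def inference_profile_prefix(region: str) -> str:
    """us-west-2 -> 'us', eu-west-1 -> 'eu' (assumption: first label of the region)."""
    return region.split("-", 1)[0]


def inference_profile_arn(region: str) -> str:
    """Inference-profile ARN pattern for the region's geography, as on the page."""
    return f"arn:aws:bedrock:*:*:inference-profile/{inference_profile_prefix(region)}.anthropic.*"


def build_permission_policy(region: str) -> dict:
    """The restrictive custom policy from the page, with the profile ARN matched to the region."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": sorted(INVOKE_ACTIONS),
                "Resource": [FOUNDATION_MODELS, inference_profile_arn(region)],
            }
        ],
    }


def _as_list(value):
    """IAM allows a string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value or [])


def check_permission_policy(policy: dict, region: str) -> list:
    """Return findings; an empty list means invoke-only access scoped to this region."""
    wanted = inference_profile_arn(region)
    findings = []
    actions, resources = set(), set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts, res = _as_list(stmt.get("Action")), _as_list(stmt.get("Resource"))
        if any(a in ("*", "bedrock:*") for a in acts):
            findings.append("wildcard action: grant only bedrock:InvokeModel and bedrock:InvokeModelWithResponseStream")
        if "*" in res:
            findings.append("Resource '*': list the foundation-model and inference-profile ARNs instead")
        actions.update(acts)
        resources.update(res)
    if not any(a in ("*", "bedrock:*") for a in actions):
        missing = INVOKE_ACTIONS - actions
        if missing:
            findings.append(f"missing invoke actions: {', '.join(sorted(missing))}")
    if "*" not in resources:
        if FOUNDATION_MODELS not in resources:
            findings.append(f"missing foundation-model resource {FOUNDATION_MODELS}")
        if wanted not in resources:
            other = sorted(r for r in resources if PROFILE_MARKER in r)
            hint = f"; found {', '.join(other)}" if other else ""
            findings.append(f"missing inference profile for {region}: expected {wanted}{hint}")
    return findings


if __name__ == "__main__":
    import json

    # Constructed scenario: the policy was written for us-west-2 but Bedrock lives in eu-west-1.
    policy = build_permission_policy("us-west-2")
    print(json.dumps(policy, indent=2))
    print("findings for eu-west-1:", check_permission_policy(policy, "eu-west-1"))
```

Feed it the policy document attached to the role (the output of `aws iam get-policy-version` for a customer-managed policy) together with the region you will configure in Step 3; a region mismatch surfaces here as a finding instead of as a failed connectivity check at the end of Step 3.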
Step 3: Configure the integration in GitGuardian
- In the GitGuardian platform, navigate to Settings → Workspace → AI
- Click the Edit button
- Select Custom AWS Bedrock as the provider
- Enter:
  - AWS Account ID: your AWS account identifier
  - Role ARN: the ARN of the role created in Step 2 (e.g. `arn:aws:iam::123456789012:role/GitGuardianBedrockAccess`)
  - Region: the AWS region where you have Bedrock model access enabled (e.g. `us-west-2`)
- Click Install — GitGuardian will perform a connectivity check to verify the configuration
That's it! GitGuardian will now use your AWS Bedrock account for LLM-powered features.