Provider Deployment — Amazon Bedrock & Mantle - Claude Code Documentation (June 2026)

Key Principle

Bedrock routes Claude Code through your AWS account (IAM, billing, region residency) instead of Anthropic's API. The through-line is provider neutrality with caveats: Bedrock is one of four backends, each with feature gaps and version-availability quirks the operator must work around. Two setup paths — interactive wizard for one machine, manual env vars for CI / enterprise rollout (Section: Claude Code on Amazon Bedrock).

Why This Matters

Claude Code uses the Bedrock Invoke API, not the Converse API, and Mantle has its own model lineup — so first-party inference-profile IDs don't transfer. Knowing which knob to turn (region resolution, refresh, model pinning, guardrails) is what keeps an enterprise rollout from silently failing (p. 9, 10).

Good Examples

Wizard: run claude → login prompt → 3rd-party platform → Amazon Bedrock. It picks up your region, verifies invokable models, lets you pin, and writes to the env block of user settings. Reopen any time with /setup-bedrock (Section: Wizard path).

Manual setup (Section: Manual setup):

export CLAUDE_CODE_USE_BEDROCK=1
export AWS_REGION=us-east-1  # optional if your AWS profile already sets a region

Credentials use the default AWS SDK chain — aws configure, access keys, aws sso login, or simplest: export AWS_BEARER_TOKEN_BEDROCK=your-bedrock-api-key.

Model pinning (Section: Pin model versions). Without pinning, opus on Bedrock resolves to Opus 4.6 — set it for the latest:

export ANTHROPIC_DEFAULT_OPUS_MODEL='us.anthropic.claude-opus-4-8'
export ANTHROPIC_DEFAULT_SONNET_MODEL='us.anthropic.claude-sonnet-4-6'
export ANTHROPIC_DEFAULT_HAIKU_MODEL='us.anthropic.claude-haiku-4-5-20251001-v1:0'

Profile IDs use the cross-region us. prefix (GovCloud us-gov.). Default when nothing is pinned: primary us.anthropic.claude-sonnet-4-5-20250929-v1:0, with small/fast model same as primary (so background tasks never fail on a missing Haiku) (Section: Default models on Bedrock).

modelOverrides — map each version to its own application inference profile ARN, switchable in /model without bypassing org profiles (Section: modelOverrides):

{
  "modelOverrides": {
    "claude-opus-4-7": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-47-prod",
    "claude-opus-4-6": "arn:aws:bedrock:us-east-2:123456789012:application-inference-profile/opus-46-prod"
  }
}

Auto-refresh (Section: Automatic credential refresh):

awsAuthRefresh — runs only when credentials are detected expired, then retries. For commands that modify .aws (SSO cache, config). Output shown; interactive input not supported.
awsCredentialExport — runs at session start and each reload, even when default-chain creds are valid. For cross-account creds when you can't modify .aws. Output captured silently; must emit the Credentials JSON (AccessKeyId/SecretAccessKey/SessionToken/optional Expiration).

{ "awsAuthRefresh": "aws sso login --profile myprofile", "env": { "AWS_PROFILE": "myprofile" } }

Service tiers: ANTHROPIC_BEDROCK_SERVICE_TIER = default | flex | priority (sent as X-Amzn-Bedrock-Service-Tier header). 1M context: supported on Opus 4.6+ and Sonnet 4.6 — append [1m] to the model ID (Sections: Service tiers; 1M token context window).

AWS Guardrails — inject headers via ANTHROPIC_CUSTOM_HEADERS (Section: AWS Guardrails):

{ "env": { "ANTHROPIC_CUSTOM_HEADERS": "X-Amzn-Bedrock-GuardrailIdentifier: your-guardrail-id\nX-Amzn-Bedrock-GuardrailVersion: 1" } }

Mantle endpoint — a Bedrock endpoint serving Claude via the native Anthropic API shape rather than the Invoke API, keeping AWS creds/IAM/awsAuthRefresh (Section: Mantle endpoint):

export CLAUDE_CODE_USE_MANTLE=1
export AWS_REGION=us-east-1
claude --model anthropic.claude-haiku-4-5

Mantle IDs use the anthropic. prefix with no version suffix. Run both (CLAUDE_CODE_USE_BEDROCK=1 + CLAUDE_CODE_USE_MANTLE=1): Mantle-format IDs route to Mantle, all others to Invoke. Add anthropic.-prefixed IDs to availableModels to surface them in /model.

Minimum IAM policy (Section: IAM configuration): actions bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream, bedrock:ListInferenceProfiles, bedrock:GetInferenceProfile over inference-profile/*, application-inference-profile/*, foundation-model/*, plus aws-marketplace:ViewSubscriptions / Subscribe (condition aws:CalledViaLast = bedrock.amazonaws.com).

Counterpoints

Region resolution order (v2.1.172+): AWS_REGION → AWS_DEFAULT_REGION → profile region → us-east-1. On v2.1.171 and earlier, config files aren't read — set AWS_REGION explicitly. Check resolved region with /status (Section: Region resolution).
awsCredentialExport also accepts the flat aws configure export-credentials --format process output as of v2.1.181; Expiration caching behavior changed at v2.1.176 (Section: Automatic credential refresh).
SSO auth loop with corporate proxies: TLS-inspection proxy interrupts the SSO flow, Claude Code re-runs awsAuthRefresh and loops → remove the awsAuthRefresh setting, or run aws sso login manually before launching (Section: Troubleshooting; p. 10).
403 with valid creds (Mantle) → account not granted the model; contact your AWS account team. 400 naming the model ID → that model isn't served on Mantle (separate lineup); standard inference-profile IDs like us.anthropic.claude-sonnet-4-6 won't work — use a Mantle-format ID or enable both endpoints (p. 10).
on-demand throughput isn't supported → specify the model as an inference profile ID (cross-region access) (p. 10).
availableModels also restricts the picker — include every alias you want to keep (Section: Run Mantle + Invoke API together).
/logout is unavailable on Bedrock (auth is via AWS creds); the WebSearch tool is not available on Bedrock (Section: Region resolution & caveats).

Key Commands & Config

/setup-bedrock · /status (region + provider line) · /model · claude --model <id>
Env: CLAUDE_CODE_USE_BEDROCK · CLAUDE_CODE_USE_MANTLE · CLAUDE_CODE_SKIP_MANTLE_AUTH
     AWS_REGION · AWS_BEARER_TOKEN_BEDROCK · AWS_PROFILE
     ANTHROPIC_DEFAULT_OPUS_MODEL / SONNET / HAIKU · ANTHROPIC_MODEL
     ANTHROPIC_BEDROCK_SERVICE_TIER=default|flex|priority · ANTHROPIC_CUSTOM_HEADERS
     ANTHROPIC_BEDROCK_BASE_URL · ANTHROPIC_BEDROCK_MANTLE_BASE_URL
Settings: modelOverrides · availableModels · awsAuthRefresh · awsCredentialExport
1M context: append [1m] to model ID (Opus 4.6+, Sonnet 4.6)

Rules of Thumb

Pin ANTHROPIC_DEFAULT_OPUS_MODEL to the Opus 4.8 ID — the unpinned opus alias is Opus 4.6.
Use awsAuthRefresh for SSO; use awsCredentialExport only for cross-account creds you can't put in .aws.
If SSO loops behind a corporate proxy, delete awsAuthRefresh.
For native Anthropic-API parity on AWS, use Mantle with anthropic.-prefixed IDs.

Related References

Authentication - cloud-provider creds are precedence rule 1
Enterprise & Managed Settings - Bedrock needs file/OS-level managed settings (no server-managed)
Permissions & Layered Safety - AWS Guardrails as a layered-safety control