This guide explains how to use AWS Bedrock instead of the direct Anthropic API for AI code reviews.
- AWS Credits: Use existing AWS credits
- Regional Availability: Deploy in specific AWS regions
- Compliance: Meet specific compliance requirements
- Integration: Easier integration with AWS infrastructure
- IAM Roles: Use IAM roles instead of API keys when running on AWS
- AWS Account with Bedrock access
- Bedrock Model Access - Claude 3.5 Sonnet must be enabled
- IAM Permissions for Bedrock API calls
- Log into AWS Console
- Navigate to Amazon Bedrock
- Go to Model access (left sidebar)
- Click Modify model access
- Find and enable: Anthropic - Claude 3.5 Sonnet v2
- Click Save changes
- Wait for status to show "Access granted" (~2-5 minutes)
- Go to IAM Console
- Click Users → Create user
- Username: github-actions-bedrock
- Click Next
Attach Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel"
],
"Resource": [
"arn:aws:bedrock:*::foundation-model/anthropic.claude-3-5-sonnet-*"
]
}
]
}
- Click Create policy → JSON → Paste above
- Name: BedrockClaudeInvokeOnly
- Attach policy to user
- Click Create user
Create Access Keys:
- Click on the created user
- Go to Security credentials tab
- Click Create access key
- Select: Third-party service
- Click Next → Create access key
- Download or copy:
  - Access key ID (starts with AKIA...)
  - Secret access key (only shown once!)
If running GitHub Actions on AWS (self-hosted runners):
- Create IAM Role with trust policy for your EC2/ECS/EKS
- Attach same BedrockClaudeInvokeOnly policy
- Assign role to your runner infrastructure
- No access keys needed!
- Go to: Settings → Secrets and variables → Actions
- Click New repository secret for each:
Secret 1:
- Name: AWS_ACCESS_KEY_ID
- Value: Your access key ID from Step 2
Secret 2:
- Name: AWS_SECRET_ACCESS_KEY
- Value: Your secret access key from Step 2
Secret 3:
- Name: AWS_REGION
- Value: Your Bedrock region (e.g., us-east-1)
Edit .github/scripts/ai-review/config.json:
{
"provider": "bedrock",
"model": "claude-3-5-sonnet-20241022",
"bedrock_model_id": "us.anthropic.claude-3-5-sonnet-20241022-v2:0",
"bedrock_region": "us-east-1",
...
}
Available Bedrock Model IDs:
- US: us.anthropic.claude-3-5-sonnet-20241022-v2:0
- EU: eu.anthropic.claude-3-5-sonnet-20241022-v2:0
- Asia Pacific: apac.anthropic.claude-3-5-sonnet-20241022-v2:0
Available Regions:
- us-east-1 (US East - N. Virginia)
- us-west-2 (US West - Oregon)
- eu-central-1 (Europe - Frankfurt)
- eu-west-1 (Europe - Ireland)
- eu-west-2 (Europe - London)
- ap-southeast-1 (Asia Pacific - Singapore)
- ap-southeast-2 (Asia Pacific - Sydney)
- ap-northeast-1 (Asia Pacific - Tokyo)
Check current availability: https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html
cd .github/scripts/ai-review
npm install
This will install the AWS SDK for Bedrock.
# Create test PR
git checkout -b test/bedrock-review
echo "// Bedrock test" >> test.c
git add test.c
git commit -m "Test: Bedrock AI review"
git push origin test/bedrock-review
Then create PR via GitHub UI. Check:
- Actions tab - workflow should run
- PR comments - AI review should appear
- Workflow logs - should show "Using AWS Bedrock as provider"
- Input: $0.003 per 1K tokens
- Output: $0.015 per 1K tokens
- Input: $0.003 per 1K tokens
- Output: $0.015 per 1K tokens
Same price! Choose based on infrastructure preference.
Check:
- Model access enabled in Bedrock console?
- IAM policy includes correct model ARN?
- Region matches between config and enabled models?
Fix:
# Verify model access via AWS CLI
aws bedrock list-foundation-models --region us-east-1 --query 'modelSummaries[?contains(modelId, `claude-3-5-sonnet`)]'
Check:
- AWS_ACCESS_KEY_ID correct?
- AWS_SECRET_ACCESS_KEY correct?
- Secrets named exactly as shown?
Fix:
- Re-create access keys
- Update GitHub secrets
- Ensure no extra spaces in secret values
Cause: Bedrock rate limits exceeded
Fix:
- Reduce max_concurrent_requests in config.json
- Add delays between requests
- Request quota increase via AWS Support
Check:
- bedrock_model_id matches your region
- Using cross-region model ID (e.g., us.anthropic... in us-east-1)
Fix:
Update bedrock_model_id in config.json to match your region:
- US regions: us.anthropic.claude-3-5-sonnet-20241022-v2:0
- EU regions: eu.anthropic.claude-3-5-sonnet-20241022-v2:0
Edit .github/scripts/ai-review/config.json:
{
"provider": "bedrock",
...
}
Edit .github/scripts/ai-review/config.json:
{
"provider": "anthropic",
...
}
No other changes needed! The code automatically detects the provider.
Deploy in multiple regions for redundancy:
{
"provider": "bedrock",
"bedrock_regions": ["us-east-1", "us-west-2"],
"bedrock_failover": true
}
Then update review-pr.js to implement failover logic.
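One way the failover logic could look, as an added example rather than the project's own code. It assumes a hypothetical `invokeInRegion(region, modelId, body)` adapter around the Bedrock call and reads the `bedrock_regions`, `bedrock_failover` and `bedrock_model_id` keys from the config above; the function names are illustrative.

```javascript
// Added example, not the project's code. invokeInRegion(region, modelId, body) is a
// hypothetical adapter that would wrap the AWS SDK Bedrock runtime call in review-pr.js.

// Only capacity and availability errors justify trying another region. AccessDenied or
// validation errors fail identically everywhere and should surface at once.
const RETRYABLE = new Set(['ThrottlingException', 'ServiceUnavailableException',
  'InternalServerException', 'ModelTimeoutException']);

// Geography prefixes for the regions listed in this guide (us., eu., apac.).
const GEO_PREFIX = new Map([['us', 'us'], ['eu', 'eu'], ['ap', 'apac']]);

// Swap the prefix of the configured cross-region model ID to match the target region.
function modelIdForRegion(modelId, region) {
  const geo = GEO_PREFIX.get(region.split('-')[0]);
  if (!geo) throw new Error(`No cross-region prefix known for region ${region}`);
  return `${geo}.${modelId.replace(/^(us|eu|apac)\./, '')}`;
}

async function invokeWithFailover(config, body, invokeInRegion) {
  const regions = config.bedrock_regions || [config.bedrock_region];
  const candidates = config.bedrock_failover ? regions : regions.slice(0, 1);
  const attempts = [];
  for (const region of candidates) {
    const modelId = modelIdForRegion(config.bedrock_model_id, region);
    try {
      const result = await invokeInRegion(region, modelId, body);
      return { region, modelId, result, attempts };
    } catch (err) {
      attempts.push({ region, error: err.name });
      if (!RETRYABLE.has(err.name)) throw err; // do not mask auth or request bugs
    }
  }
  throw new Error(`All Bedrock regions failed: ${JSON.stringify(attempts)}`);
}

// Constructed demo: us-east-1 is throttled, us-west-2 answers.
const demoConfig = {
  bedrock_model_id: 'us.anthropic.claude-3-5-sonnet-20241022-v2:0',
  bedrock_regions: ['us-east-1', 'us-west-2'],
  bedrock_failover: true,
};
async function fakeInvoke(region, modelId) {
  if (region === 'us-east-1') {
    throw Object.assign(new Error('rate limited'), { name: 'ThrottlingException' });
  }
  return `review from ${region} via ${modelId}`;
}
invokeWithFailover(demoConfig, {}, fakeInvoke)
  .then((r) => console.log(r.region, r.modelId, r.attempts));
```

Logging the `attempts` array in the workflow output makes it visible when reviews are regularly served from the secondary region.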
- Least Privilege: IAM user can only invoke Claude models
- Rotate Keys: Rotate access keys quarterly
- Audit Logs: Enable CloudTrail for Bedrock API calls
- Cost Alerts: Set up AWS Budgets alerts
- Secrets: Never commit AWS credentials to git
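To keep the least-privilege property from drifting, the policy JSON can be linted before it is applied. This is an added example, not the project's code; `lintPolicy()` and its rules are assumptions modelled on the BedrockClaudeInvokeOnly policy shown earlier, and `driftedPolicy` is constructed.

```javascript
// Added example, not the project's code. lintPolicy() and its rules are assumptions
// modelled on the BedrockClaudeInvokeOnly policy shown in this guide.
const ALLOWED_ACTIONS = new Set(['bedrock:invokemodel']); // IAM action names are case-insensitive

// Claude foundation-model ARNs, plus inference-profile ARNs for cross-region IDs (us./eu./apac.).
const RESOURCE_OK =
  /^arn:aws:bedrock:[^:]*:[^:]*:(foundation-model|inference-profile)\/([a-z]+\.)?anthropic\.claude-/;

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

function lintPolicy(policy) {
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== 'Allow') return; // Deny statements only narrow access
    if (stmt.NotAction || stmt.NotResource) {
      findings.push(`Statement ${i}: NotAction/NotResource allows everything not listed`);
    }
    for (const action of asArray(stmt.Action)) {
      if (action.includes('*')) findings.push(`Statement ${i}: wildcard action ${action}`);
      else if (!ALLOWED_ACTIONS.has(action.toLowerCase())) {
        findings.push(`Statement ${i}: unexpected action ${action}`);
      }
    }
    for (const resource of asArray(stmt.Resource)) {
      if (!RESOURCE_OK.test(resource)) {
        findings.push(`Statement ${i}: resource not limited to Claude models: ${resource}`);
      }
    }
  });
  return findings;
}

// The policy from this guide, and a constructed example of a policy that has drifted.
const guidePolicy = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Action: ['bedrock:InvokeModel'],
  Resource: ['arn:aws:bedrock:*::foundation-model/anthropic.claude-3-5-sonnet-*'] }] };
const driftedPolicy = { Version: '2012-10-17', Statement: [{ Effect: 'Allow',
  Action: 'bedrock:*', Resource: '*' }] };

console.log(lintPolicy(guidePolicy));
console.log(lintPolicy(driftedPolicy));
```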
Bedrock metrics available:
- Invocations - Number of API calls
- InvocationLatency - Response time
- InvocationClientErrors - 4xx errors
- InvocationServerErrors - 5xx errors
# Check Bedrock costs (current month)
aws ce get-cost-and-usage \
--time-period Start=2026-03-01,End=2026-03-31 \
--granularity MONTHLY \
--metrics BlendedCost \
--filter file://filter.json
# filter.json:
{
"Dimensions": {
"Key": "SERVICE",
"Values": ["Amazon Bedrock"]
}
}
- AWS Bedrock Docs: https://docs.aws.amazon.com/bedrock/
- Model Access: https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html
- Bedrock Pricing: https://aws.amazon.com/bedrock/pricing/
- IAM Best Practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Need help? Check workflow logs in Actions tab or create an issue.