AVB/bedrock-access-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: update deployment instructions and enhance ECR push script

Browse Source
This commit is contained in:
Mengxin Zhu
2025-09-30 16:06:21 +08:00
parent bdfa57c277
commit e3ee9a707f
4 changed files with 185 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
README.md
View File

@@ -55,47 +55,75 @@ Alternatively, you can use Lambda Function URL to replace ALB, see [example](htt
### Deployment
Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS account. Only supports regions where Amazon Bedrock is available (such as `us-west-2`). The deployment will take approximately **3-5 minutes** 🕒.
Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS account. Only supports regions where Amazon Bedrock is available (such as `us-west-2`). The deployment will take approximately **10-15 minutes** 🕒.
**Step 1: Create your own API key in Secrets Manager (MUST)**
> **Note:** This step is to use any string (without spaces) you like to create a custom API Key (credential) that will be used to access the proxy API later. This key does not have to match your actual OpenAI key, and you don't need to have an OpenAI API key. please keep the key safe and private.
1. Open the AWS Management Console and navigate to the AWS Secrets Manager service.
2. Click on "Store a new secret" button.
2. Click on "Store a new secret" button.
3. In the "Choose secret type" page, select:
Secret type: Other type of secret
Key/value pairs:
- Key: api_key
- Value: Enter your API key value
Click "Next"
4. In the "Configure secret" page:
Secret name: Enter a name (e.g., "BedrockProxyAPIKey")
Description: (Optional) Add a description of your secret
5. Click "Next" and review all your settings and click "Store"
After creation, you'll see your secret in the Secrets Manager console. Make note of the secret ARN.
After creation, you'll see your secret in the Secrets Manager console. Make note of the secret ARN.
**Step 2: Build and push container images to ECR**
**Step 2: Deploy the CloudFormation stack**
1. Clone this repository:
```bash
git clone https://github.com/aws-samples/bedrock-access-gateway.git
cd bedrock-access-gateway
```
1. Sign in to AWS Management Console, switch to the region to deploy the CloudFormation Stack to.
2. Click the following button to launch the CloudFormation Stack in that region. Choose one of the following:
2. Run the build and push script:
```bash
cd scripts
bash ./push-to-ecr.sh
```
[<kbd><br>ALB + Lambda 1-Click Deploy 🚀 <br></kbd>](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxy.template&stackName=BedrockProxyAPI)
3. Follow the prompts to configure:
- ECR repository names (or use defaults)
- Image tag (or use default: `latest`)
- AWS region (or use default: `us-east-1`)
4. The script will build and push both Lambda and ECS/Fargate images to your ECR repositories.
5. **Important**: Copy the image URIs displayed at the end of the script output. You'll need these in the next step.
**Step 3: Deploy the CloudFormation stack**
1. Download the CloudFormation template you want to use:
- For Lambda: [`deployment/BedrockProxy.template`](deployment/BedrockProxy.template)
- For Fargate: [`deployment/BedrockProxyFargate.template`](deployment/BedrockProxyFargate.template)
2. Sign in to AWS Management Console and navigate to the CloudFormation service in your target region.
3. Click "Create stack" → "With new resources (standard)".
4. Upload the template file you downloaded.
5. On the "Specify stack details" page, provide the following information:
- **Stack name**: Enter a stack name (e.g., "BedrockProxyAPI")
- **ApiKeySecretArn**: Enter the secret ARN from Step 1
- **ContainerImageUri**: Enter the ECR image URI from Step 2 output
- **DefaultModelId**: (Optional) Change the default model if needed
[<kbd><br>ALB + Fargate 1-Click Deploy 🚀 <br></kbd>](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxyFargate.template&stackName=BedrockProxyAPI)
3. Click "Next".
4. On the "Specify stack details" page, provide the following information:
- Stack name: Change the stack name if needed.
- ApiKeySecretArn: Enter the secret ARN you used for storing the API key.
Click "Next".
5. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs. Click "Next".
6. On the "Review" page, review the details of the stack you're about to create. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom. Click "Create stack".
6. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs. Click "Next".
7. On the "Review" page, review all details. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom. Click "Submit".
That is it! 🎉 Once deployed, click the CloudFormation stack and go to **Outputs** tab, you can find the API Base URL from `APIBaseUrl`, the value should look like `http://xxxx.xxx.elb.amazonaws.com/api/v1`.
@@ -247,12 +275,6 @@ Note that not all models are available in those regions.
You can use the [Models API](./docs/Usage.md#models-api) to get/refresh a list of supported models in the current region.
### Can I build and use my own ECR image
Yes, you can clone the repo and build the container image by yourself (`src/Dockerfile`) and then push to your ECR repo. You can use `scripts/push-to-ecr.sh`
Replace the repo url in the CloudFormation template before you deploy.
### Can I run this locally
Yes, you can run this locally, e.g. run below command under `src` folder:
@@ -279,13 +301,7 @@ Fine-tuned models and models with Provisioned Throughput are currently not suppo
### How to upgrade?
To use the latest features, you don't need to redeploy the CloudFormation stack. You simply need to pull the latest image.
To do so, depends on which version you deployed:
- **Lambda version**: Go to AWS Lambda console, find the Lambda function, then find and click the `Deploy new image` button and click save.
- **Fargate version**: Go to ECS console, click the ECS cluster, go the `Tasks` tab, select the only task that is running and simply click `Stop selected` menu. A new task with latest image will start automatically.
To use the latest features, you need follow the deployment guide to redeploy the application. You can upgrade the existing CloudFormation stack to get the latest changes.
## Security

11
deployment/BedrockProxy.template
View File

@@ -4,6 +4,9 @@ Parameters:
Type: String
AllowedPattern: ^arn:aws:secretsmanager:.*$
Description: The secret ARN in Secrets Manager used to store the API Key
ContainerImageUri:
Type: String
Description: The ECR image URI for the Lambda function (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock-proxy-api:latest)
DefaultModelId:
Type: String
Default: anthropic.claude-3-sonnet-20240229-v1:0
@@ -169,13 +172,7 @@ Resources:
- arm64
Code:
ImageUri:
Fn::Join:
- ""
- - 366590864501.dkr.ecr.
- Ref: AWS::Region
- "."
- Ref: AWS::URLSuffix
- /bedrock-proxy-api:latest
Ref: ContainerImageUri
Description: Bedrock Proxy API Handler
Environment:
Variables:

46
deployment/BedrockProxyFargate.template
View File

@@ -4,6 +4,9 @@ Parameters:
Type: String
AllowedPattern: ^arn:aws:secretsmanager:.*$
Description: The secret ARN in Secrets Manager used to store the API Key
ContainerImageUri:
Type: String
Description: The ECR image URI for the ECS/Fargate task (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock-proxy-api-ecs:latest)
DefaultModelId:
Type: String
Default: anthropic.claude-3-sonnet-20240229-v1:0
@@ -134,10 +137,6 @@ Resources:
PolicyDocument:
Statement:
- Action:
- ecr:GetAuthorizationToken
- ecr:BatchCheckLayerAvailability
- ecr:GetDownloadUrlForLayer
- ecr:BatchGetImage
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
@@ -157,8 +156,35 @@ Resources:
Fn::Join:
- ""
- - "arn:aws:ecr:"
- Ref: AWS::Region
- :366590864501:repository/bedrock-proxy-api-ecs
- Fn::Select:
- 3
- Fn::Split:
- "."
- Fn::Select:
- 0
- Fn::Split:
- "/"
- Ref: ContainerImageUri
- ":"
- Fn::Select:
- 0
- Fn::Split:
- "."
- Fn::Select:
- 0
- Fn::Split:
- "/"
- Ref: ContainerImageUri
- ":repository/"
- Fn::Select:
- 0
- Fn::Split:
- ":"
- Fn::Select:
- 1
- Fn::Split:
- "/"
- Ref: ContainerImageUri
- Action: ecr:GetAuthorizationToken
Effect: Allow
Resource: "*"
@@ -227,13 +253,7 @@ Resources:
Value: "true"
Essential: true
Image:
Fn::Join:
- ""
- - 366590864501.dkr.ecr.
- Ref: AWS::Region
- "."
- Ref: AWS::URLSuffix
- /bedrock-proxy-api-ecs:latest
Ref: ContainerImageUri
Name: proxy-api
PortMappings:
- ContainerPort: 80

157
scripts/push-to-ecr.sh
View File

@@ -7,71 +7,118 @@ set -o errexit # exit on first error
set -o nounset # exit on using unset variables
set -o pipefail # exit on any error in a pipeline
# Define variables
TAG="latest"
ARCHS=("arm64" "amd64")
AWS_REGIONS=("us-east-1") # List of AWS region, use below liest if you don't enable ECR repository replication
# AWS_REGIONS=("us-east-1" "us-west-2" "eu-central-1" "ap-southeast-1" "ap-southeast-2" "ap-northeast-1" "eu-central-1" "eu-west-3") # List of supported AWS regions
# Prompt user for inputs
echo "================================================"
echo "Bedrock Access Gateway - Build and Push to ECR"
echo "================================================"
echo ""
build_and_push_images() {
# Get repository name for Lambda version
read -p "Enter ECR repository name for Lambda (default: bedrock-proxy-api): " LAMBDA_REPO
LAMBDA_REPO=${LAMBDA_REPO:-bedrock-proxy-api}
# Get repository name for ECS/Fargate version
read -p "Enter ECR repository name for ECS/Fargate (default: bedrock-proxy-api-ecs): " ECS_REPO
ECS_REPO=${ECS_REPO:-bedrock-proxy-api-ecs}
# Get image tag
read -p "Enter image tag (default: latest): " TAG
TAG=${TAG:-latest}
# Get AWS region
read -p "Enter AWS region (default: us-east-1): " AWS_REGION
AWS_REGION=${AWS_REGION:-us-east-1}
echo ""
echo "Configuration:"
echo " Lambda Repository: $LAMBDA_REPO"
echo " ECS/Fargate Repository: $ECS_REPO"
echo " Image Tag: $TAG"
echo " AWS Region: $AWS_REGION"
echo ""
read -p "Continue with these settings? (y/n): " CONFIRM
if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
echo "Aborted."
exit 1
fi
echo ""
# Acknowledgment about ECR repository creation
echo " NOTICE: This script will automatically create ECR repositories if they don't exist."
echo " The repositories will be created with the following default settings:"
echo " - Image tag mutability: MUTABLE (allows overwriting tags)"
echo " - Image scanning: Disabled"
echo " - Encryption: AES256 (AWS managed encryption)"
echo ""
echo " You can modify these settings later in the AWS ECR Console if needed."
echo " Required IAM permissions: ecr:CreateRepository, ecr:GetAuthorizationToken,"
echo " ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart,"
echo " ecr:CompleteLayerUpload, ecr:PutImage"
echo ""
read -p "Do you acknowledge and want to proceed? (y/n): " ACK_CONFIRM
if [[ ! "$ACK_CONFIRM" =~ ^[Yy]$ ]]; then
echo "Aborted."
exit 1
fi
echo ""
# Define variables
ARCHS=("arm64") # Single architecture for simplicity
build_and_push_image() {
local IMAGE_NAME=$1
local TAG=$2
local ENABLE_MULTI_ARCH=${3:-true} # Parameter for enabling multi-arch build, default is true
local DOCKERFILE_PATH=${4:-"../src/Dockerfile_ecs"} # Parameter for Dockerfile path, default is "../src/Dockerfile_ecs"
local DOCKERFILE_PATH=$3
local REGION=$AWS_REGION
local ARCH=${ARCHS[0]}
# Build Docker image for each architecture
if [ "$ENABLE_MULTI_ARCH" == "true" ]; then
for ARCH in "${ARCHS[@]}"
do
# Build multi-architecture Docker image
docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG-$ARCH -f $DOCKERFILE_PATH --load ../src/
done
else
# Build single architecture Docker image
docker buildx build --platform linux/${ARCHS[0]} -t $IMAGE_NAME:$TAG -f $DOCKERFILE_PATH --load ../src/
fi
echo "Building $IMAGE_NAME:$TAG..."
# Push Docker image to ECR for each architecture in each AWS region
for REGION in "${AWS_REGIONS[@]}"
do
# Get the account ID for the current region
ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
# Build Docker image
docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG -f $DOCKERFILE_PATH --load ../src/
# Create repository URI
REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
# Get the account ID
ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
# Create ECR repository if it doesn't exist
aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
# Create repository URI
REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
# Log in to ECR
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
echo "Creating ECR repository if it doesn't exist..."
# Create ECR repository if it doesn't exist
aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
# Push the image to ECR for each architecture
if [ "$ENABLE_MULTI_ARCH" == "true" ]; then
for ARCH in "${ARCHS[@]}"
do
# Tag the image for the current region
docker tag $IMAGE_NAME:$TAG-$ARCH $REPOSITORY_URI:$TAG-$ARCH
# Push the image to ECR
docker push $REPOSITORY_URI:$TAG-$ARCH
# Create a manifest for the image
docker manifest create $REPOSITORY_URI:$TAG $REPOSITORY_URI:$TAG-$ARCH --amend
# Annotate the manifest with architecture information
docker manifest annotate $REPOSITORY_URI:$TAG "$REPOSITORY_URI:$TAG-$ARCH" --os linux --arch $ARCH
done
echo "Logging in to ECR..."
# Log in to ECR
aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
# Push the manifest to ECR
docker manifest push $REPOSITORY_URI:$TAG
else
# Tag the image for the current region
docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
# Push the image to ECR
docker push $REPOSITORY_URI:$TAG
fi
echo "Pushing image to ECR..."
# Tag the image for ECR
docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
echo "Pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
done
# Push the image to ECR
docker push $REPOSITORY_URI:$TAG
echo "✅ Successfully pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
echo ""
}
build_and_push_images "bedrock-proxy-api" "$TAG" "false" "../src/Dockerfile"
build_and_push_images "bedrock-proxy-api-ecs" "$TAG"
echo "Building and pushing Lambda image..."
build_and_push_image "$LAMBDA_REPO" "$TAG" "../src/Dockerfile"
echo "Building and pushing ECS/Fargate image..."
build_and_push_image "$ECS_REPO" "$TAG" "../src/Dockerfile_ecs"
echo "================================================"
echo "✅ All images successfully pushed!"
echo "================================================"
echo ""
echo "Your container image URIs:"
ACCOUNT_ID=$(aws sts get-caller-identity --region $AWS_REGION --query Account --output text)
echo " Lambda: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${LAMBDA_REPO}:${TAG}"
echo " ECS/Fargate: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECS_REPO}:${TAG}"
echo ""
echo "Next steps:"
echo " 1. Download the CloudFormation templates from deployment/ folder"
echo " 2. Update the ContainerImageUri parameter with your image URI above"
echo " 3. Deploy the stack via AWS CloudFormation Console"
echo ""