From e3ee9a707fe7b9b1ffd46dadfc7ade7ad338c37f Mon Sep 17 00:00:00 2001
From: Mengxin Zhu <843303+zxkane@users.noreply.github.com>
Date: Tue, 30 Sep 2025 16:06:21 +0800
Subject: [PATCH] docs: update deployment instructions and enhance ECR push
script
---
README.md | 76 +++++++-----
deployment/BedrockProxy.template | 11 +-
deployment/BedrockProxyFargate.template | 46 +++++--
scripts/push-to-ecr.sh | 157 +++++++++++++++---------
4 files changed, 185 insertions(+), 105 deletions(-)
diff --git a/README.md b/README.md
index aff19b6..9d1f404 100644
--- a/README.md
+++ b/README.md
@@ -55,47 +55,75 @@ Alternatively, you can use Lambda Function URL to replace ALB, see [example](htt
### Deployment
-Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS account. Only supports regions where Amazon Bedrock is available (such as `us-west-2`). The deployment will take approximately **3-5 minutes** π.
+Please follow the steps below to deploy the Bedrock Proxy APIs into your AWS account. Only supports regions where Amazon Bedrock is available (such as `us-west-2`). The deployment will take approximately **10-15 minutes** π.
**Step 1: Create your own API key in Secrets Manager (MUST)**
-
> **Note:** This step is to use any string (without spaces) you like to create a custom API Key (credential) that will be used to access the proxy API later. This key does not have to match your actual OpenAI key, and you don't need to have an OpenAI API key. please keep the key safe and private.
1. Open the AWS Management Console and navigate to the AWS Secrets Manager service.
-2. Click on "Store a new secret" button.
+2. Click on "Store a new secret" button.
3. In the "Choose secret type" page, select:
Secret type: Other type of secret
Key/value pairs:
- Key: api_key
- Value: Enter your API key value
-
+
Click "Next"
4. In the "Configure secret" page:
Secret name: Enter a name (e.g., "BedrockProxyAPIKey")
Description: (Optional) Add a description of your secret
5. Click "Next" and review all your settings and click "Store"
-After creation, you'll see your secret in the Secrets Manager console. Make note of the secret ARN.
+After creation, you'll see your secret in the Secrets Manager console. Make note of the secret ARN.
+**Step 2: Build and push container images to ECR**
-**Step 2: Deploy the CloudFormation stack**
+1. Clone this repository:
+ ```bash
+ git clone https://github.com/aws-samples/bedrock-access-gateway.git
+ cd bedrock-access-gateway
+ ```
-1. Sign in to AWS Management Console, switch to the region to deploy the CloudFormation Stack to.
-2. Click the following button to launch the CloudFormation Stack in that region. Choose one of the following:
+2. Run the build and push script:
+ ```bash
+ cd scripts
+ bash ./push-to-ecr.sh
+ ```
- [β
βALB + Lambda 1-Click Deploy πβ
β](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxy.template&stackName=BedrockProxyAPI)
+3. Follow the prompts to configure:
+ - ECR repository names (or use defaults)
+ - Image tag (or use default: `latest`)
+ - AWS region (or use default: `us-east-1`)
+
+4. The script will build and push both Lambda and ECS/Fargate images to your ECR repositories.
+
+5. **Important**: Copy the image URIs displayed at the end of the script output. You'll need these in the next step.
+
+**Step 3: Deploy the CloudFormation stack**
+
+1. Download the CloudFormation template you want to use:
+ - For Lambda: [`deployment/BedrockProxy.template`](deployment/BedrockProxy.template)
+ - For Fargate: [`deployment/BedrockProxyFargate.template`](deployment/BedrockProxyFargate.template)
+
+2. Sign in to AWS Management Console and navigate to the CloudFormation service in your target region.
+
+3. Click "Create stack" β "With new resources (standard)".
+
+4. Upload the template file you downloaded.
+
+5. On the "Specify stack details" page, provide the following information:
+ - **Stack name**: Enter a stack name (e.g., "BedrockProxyAPI")
+ - **ApiKeySecretArn**: Enter the secret ARN from Step 1
+ - **ContainerImageUri**: Enter the ECR image URI from Step 2 output
+ - **DefaultModelId**: (Optional) Change the default model if needed
- [β
βALB + Fargate 1-Click Deploy πβ
β](https://console.aws.amazon.com/cloudformation/home?#/stacks/quickcreate?templateURL=https://aws-gcr-solutions.s3.amazonaws.com/bedrock-access-gateway/latest/BedrockProxyFargate.template&stackName=BedrockProxyAPI)
-3. Click "Next".
-4. On the "Specify stack details" page, provide the following information:
- - Stack name: Change the stack name if needed.
- - ApiKeySecretArn: Enter the secret ARN you used for storing the API key.
-
Click "Next".
-5. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs. Click "Next".
-6. On the "Review" page, review the details of the stack you're about to create. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom. Click "Create stack".
+
+6. On the "Configure stack options" page, you can leave the default settings or customize them according to your needs. Click "Next".
+
+7. On the "Review" page, review all details. Check the "I acknowledge that AWS CloudFormation might create IAM resources" checkbox at the bottom. Click "Submit".
That is it! π Once deployed, click the CloudFormation stack and go to **Outputs** tab, you can find the API Base URL from `APIBaseUrl`, the value should look like `http://xxxx.xxx.elb.amazonaws.com/api/v1`.
@@ -247,12 +275,6 @@ Note that not all models are available in those regions.
You can use the [Models API](./docs/Usage.md#models-api) to get/refresh a list of supported models in the current region.
-### Can I build and use my own ECR image
-
-Yes, you can clone the repo and build the container image by yourself (`src/Dockerfile`) and then push to your ECR repo. You can use `scripts/push-to-ecr.sh`
-
-Replace the repo url in the CloudFormation template before you deploy.
-
### Can I run this locally
Yes, you can run this locally, e.g. run below command under `src` folder:
@@ -279,13 +301,7 @@ Fine-tuned models and models with Provisioned Throughput are currently not suppo
### How to upgrade?
-To use the latest features, you don't need to redeploy the CloudFormation stack. You simply need to pull the latest image.
-
-To do so, depends on which version you deployed:
-
-- **Lambda version**: Go to AWS Lambda console, find the Lambda function, then find and click the `Deploy new image` button and click save.
-- **Fargate version**: Go to ECS console, click the ECS cluster, go the `Tasks` tab, select the only task that is running and simply click `Stop selected` menu. A new task with latest image will start automatically.
-
+To use the latest features, you need follow the deployment guide to redeploy the application. You can upgrade the existing CloudFormation stack to get the latest changes.
## Security
diff --git a/deployment/BedrockProxy.template b/deployment/BedrockProxy.template
index 5d43267..ec97dad 100644
--- a/deployment/BedrockProxy.template
+++ b/deployment/BedrockProxy.template
@@ -4,6 +4,9 @@ Parameters:
Type: String
AllowedPattern: ^arn:aws:secretsmanager:.*$
Description: The secret ARN in Secrets Manager used to store the API Key
+ ContainerImageUri:
+ Type: String
+ Description: The ECR image URI for the Lambda function (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock-proxy-api:latest)
DefaultModelId:
Type: String
Default: anthropic.claude-3-sonnet-20240229-v1:0
@@ -169,13 +172,7 @@ Resources:
- arm64
Code:
ImageUri:
- Fn::Join:
- - ""
- - - 366590864501.dkr.ecr.
- - Ref: AWS::Region
- - "."
- - Ref: AWS::URLSuffix
- - /bedrock-proxy-api:latest
+ Ref: ContainerImageUri
Description: Bedrock Proxy API Handler
Environment:
Variables:
diff --git a/deployment/BedrockProxyFargate.template b/deployment/BedrockProxyFargate.template
index 8299a8a..eaf0b91 100644
--- a/deployment/BedrockProxyFargate.template
+++ b/deployment/BedrockProxyFargate.template
@@ -4,6 +4,9 @@ Parameters:
Type: String
AllowedPattern: ^arn:aws:secretsmanager:.*$
Description: The secret ARN in Secrets Manager used to store the API Key
+ ContainerImageUri:
+ Type: String
+ Description: The ECR image URI for the ECS/Fargate task (e.g., 123456789012.dkr.ecr.us-east-1.amazonaws.com/bedrock-proxy-api-ecs:latest)
DefaultModelId:
Type: String
Default: anthropic.claude-3-sonnet-20240229-v1:0
@@ -134,10 +137,6 @@ Resources:
PolicyDocument:
Statement:
- Action:
- - ecr:GetAuthorizationToken
- - ecr:BatchCheckLayerAvailability
- - ecr:GetDownloadUrlForLayer
- - ecr:BatchGetImage
- logs:CreateLogStream
- logs:PutLogEvents
Effect: Allow
@@ -157,8 +156,35 @@ Resources:
Fn::Join:
- ""
- - "arn:aws:ecr:"
- - Ref: AWS::Region
- - :366590864501:repository/bedrock-proxy-api-ecs
+ - Fn::Select:
+ - 3
+ - Fn::Split:
+ - "."
+ - Fn::Select:
+ - 0
+ - Fn::Split:
+ - "/"
+ - Ref: ContainerImageUri
+ - ":"
+ - Fn::Select:
+ - 0
+ - Fn::Split:
+ - "."
+ - Fn::Select:
+ - 0
+ - Fn::Split:
+ - "/"
+ - Ref: ContainerImageUri
+ - ":repository/"
+ - Fn::Select:
+ - 0
+ - Fn::Split:
+ - ":"
+ - Fn::Select:
+ - 1
+ - Fn::Split:
+ - "/"
+ - Ref: ContainerImageUri
- Action: ecr:GetAuthorizationToken
Effect: Allow
Resource: "*"
@@ -227,13 +253,7 @@ Resources:
Value: "true"
Essential: true
Image:
- Fn::Join:
- - ""
- - - 366590864501.dkr.ecr.
- - Ref: AWS::Region
- - "."
- - Ref: AWS::URLSuffix
- - /bedrock-proxy-api-ecs:latest
+ Ref: ContainerImageUri
Name: proxy-api
PortMappings:
- ContainerPort: 80
diff --git a/scripts/push-to-ecr.sh b/scripts/push-to-ecr.sh
index ae51fae..7139750 100755
--- a/scripts/push-to-ecr.sh
+++ b/scripts/push-to-ecr.sh
@@ -7,71 +7,118 @@ set -o errexit # exit on first error
set -o nounset # exit on using unset variables
set -o pipefail # exit on any error in a pipeline
-# Define variables
-TAG="latest"
-ARCHS=("arm64" "amd64")
-AWS_REGIONS=("us-east-1") # List of AWS region, use below liest if you don't enable ECR repository replication
-# AWS_REGIONS=("us-east-1" "us-west-2" "eu-central-1" "ap-southeast-1" "ap-southeast-2" "ap-northeast-1" "eu-central-1" "eu-west-3") # List of supported AWS regions
+# Prompt user for inputs
+echo "================================================"
+echo "Bedrock Access Gateway - Build and Push to ECR"
+echo "================================================"
+echo ""
-build_and_push_images() {
+# Get repository name for Lambda version
+read -p "Enter ECR repository name for Lambda (default: bedrock-proxy-api): " LAMBDA_REPO
+LAMBDA_REPO=${LAMBDA_REPO:-bedrock-proxy-api}
+
+# Get repository name for ECS/Fargate version
+read -p "Enter ECR repository name for ECS/Fargate (default: bedrock-proxy-api-ecs): " ECS_REPO
+ECS_REPO=${ECS_REPO:-bedrock-proxy-api-ecs}
+
+# Get image tag
+read -p "Enter image tag (default: latest): " TAG
+TAG=${TAG:-latest}
+
+# Get AWS region
+read -p "Enter AWS region (default: us-east-1): " AWS_REGION
+AWS_REGION=${AWS_REGION:-us-east-1}
+
+echo ""
+echo "Configuration:"
+echo " Lambda Repository: $LAMBDA_REPO"
+echo " ECS/Fargate Repository: $ECS_REPO"
+echo " Image Tag: $TAG"
+echo " AWS Region: $AWS_REGION"
+echo ""
+read -p "Continue with these settings? (y/n): " CONFIRM
+if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
+ echo "Aborted."
+ exit 1
+fi
+echo ""
+
+# Acknowledgment about ECR repository creation
+echo "βΉοΈ NOTICE: This script will automatically create ECR repositories if they don't exist."
+echo " The repositories will be created with the following default settings:"
+echo " - Image tag mutability: MUTABLE (allows overwriting tags)"
+echo " - Image scanning: Disabled"
+echo " - Encryption: AES256 (AWS managed encryption)"
+echo ""
+echo " You can modify these settings later in the AWS ECR Console if needed."
+echo " Required IAM permissions: ecr:CreateRepository, ecr:GetAuthorizationToken,"
+echo " ecr:BatchCheckLayerAvailability, ecr:InitiateLayerUpload, ecr:UploadLayerPart,"
+echo " ecr:CompleteLayerUpload, ecr:PutImage"
+echo ""
+read -p "Do you acknowledge and want to proceed? (y/n): " ACK_CONFIRM
+if [[ ! "$ACK_CONFIRM" =~ ^[Yy]$ ]]; then
+ echo "Aborted."
+ exit 1
+fi
+echo ""
+
+# Define variables
+ARCHS=("arm64") # Single architecture for simplicity
+
+build_and_push_image() {
local IMAGE_NAME=$1
local TAG=$2
- local ENABLE_MULTI_ARCH=${3:-true} # Parameter for enabling multi-arch build, default is true
- local DOCKERFILE_PATH=${4:-"../src/Dockerfile_ecs"} # Parameter for Dockerfile path, default is "../src/Dockerfile_ecs"
+ local DOCKERFILE_PATH=$3
+ local REGION=$AWS_REGION
+ local ARCH=${ARCHS[0]}
- # Build Docker image for each architecture
- if [ "$ENABLE_MULTI_ARCH" == "true" ]; then
- for ARCH in "${ARCHS[@]}"
- do
- # Build multi-architecture Docker image
- docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG-$ARCH -f $DOCKERFILE_PATH --load ../src/
- done
- else
- # Build single architecture Docker image
- docker buildx build --platform linux/${ARCHS[0]} -t $IMAGE_NAME:$TAG -f $DOCKERFILE_PATH --load ../src/
- fi
+ echo "Building $IMAGE_NAME:$TAG..."
- # Push Docker image to ECR for each architecture in each AWS region
- for REGION in "${AWS_REGIONS[@]}"
- do
- # Get the account ID for the current region
- ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
+ # Build Docker image
+ docker buildx build --platform linux/$ARCH -t $IMAGE_NAME:$TAG -f $DOCKERFILE_PATH --load ../src/
- # Create repository URI
- REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
+ # Get the account ID
+ ACCOUNT_ID=$(aws sts get-caller-identity --region $REGION --query Account --output text)
- # Create ECR repository if it doesn't exist
- aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
+ # Create repository URI
+ REPOSITORY_URI="${ACCOUNT_ID}.dkr.ecr.${REGION}.amazonaws.com/${IMAGE_NAME}"
- # Log in to ECR
- aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
+ echo "Creating ECR repository if it doesn't exist..."
+ # Create ECR repository if it doesn't exist
+ aws ecr create-repository --repository-name "${IMAGE_NAME}" --region $REGION || true
- # Push the image to ECR for each architecture
- if [ "$ENABLE_MULTI_ARCH" == "true" ]; then
- for ARCH in "${ARCHS[@]}"
- do
- # Tag the image for the current region
- docker tag $IMAGE_NAME:$TAG-$ARCH $REPOSITORY_URI:$TAG-$ARCH
- # Push the image to ECR
- docker push $REPOSITORY_URI:$TAG-$ARCH
- # Create a manifest for the image
- docker manifest create $REPOSITORY_URI:$TAG $REPOSITORY_URI:$TAG-$ARCH --amend
- # Annotate the manifest with architecture information
- docker manifest annotate $REPOSITORY_URI:$TAG "$REPOSITORY_URI:$TAG-$ARCH" --os linux --arch $ARCH
- done
+ echo "Logging in to ECR..."
+ # Log in to ECR
+ aws ecr get-login-password --region $REGION | docker login --username AWS --password-stdin $REPOSITORY_URI
- # Push the manifest to ECR
- docker manifest push $REPOSITORY_URI:$TAG
- else
- # Tag the image for the current region
- docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
- # Push the image to ECR
- docker push $REPOSITORY_URI:$TAG
- fi
+ echo "Pushing image to ECR..."
+ # Tag the image for ECR
+ docker tag $IMAGE_NAME:$TAG $REPOSITORY_URI:$TAG
- echo "Pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
- done
+ # Push the image to ECR
+ docker push $REPOSITORY_URI:$TAG
+
+ echo "β
Successfully pushed $IMAGE_NAME:$TAG to $REPOSITORY_URI"
+ echo ""
}
-build_and_push_images "bedrock-proxy-api" "$TAG" "false" "../src/Dockerfile"
-build_and_push_images "bedrock-proxy-api-ecs" "$TAG"
+echo "Building and pushing Lambda image..."
+build_and_push_image "$LAMBDA_REPO" "$TAG" "../src/Dockerfile"
+
+echo "Building and pushing ECS/Fargate image..."
+build_and_push_image "$ECS_REPO" "$TAG" "../src/Dockerfile_ecs"
+
+echo "================================================"
+echo "β
All images successfully pushed!"
+echo "================================================"
+echo ""
+echo "Your container image URIs:"
+ACCOUNT_ID=$(aws sts get-caller-identity --region $AWS_REGION --query Account --output text)
+echo " Lambda: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${LAMBDA_REPO}:${TAG}"
+echo " ECS/Fargate: ${ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/${ECS_REPO}:${TAG}"
+echo ""
+echo "Next steps:"
+echo " 1. Download the CloudFormation templates from deployment/ folder"
+echo " 2. Update the ContainerImageUri parameter with your image URI above"
+echo " 3. Deploy the stack via AWS CloudFormation Console"
+echo ""