AWS IAM access keys (legacy path)
Static IAM access keys still work, but we recommend AWS SSO instead for any team that has Identity Center available. SSO gives you short-lived credentials, central revocation, and audit trails.
If you're stuck on static keys (legacy account, build automation, sandbox), here's the minimum config.
Configuration
~/.insightworker/.env:
LLM_PROVIDER=bedrock
AWS_REGION=us-east-1
BEDROCK_MODEL=us.anthropic.claude-sonnet-4-5-20250929-v1:0
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
That's it. The agent's Bedrock provider passes these to the SDK directly when set.
IAM user policy (minimum)
Same as the SSO role policy — see aws-sso.md → Required IAM permissions for the JSON.
Rotating
When you rotate keys (good hygiene says every 90 days), edit the two values in ~/.insightworker/.env and restart the agent. There's no caching beyond what the AWS SDK does in-process; once the agent reads the new env, the next API call uses the new keys.
Don't put keys in source-controlled files
~/.insightworker/.env is on your machine only — never check it in. The InsightWorker repos in your version control should never see the literal keys. Put them in .env, in your secret manager, or in CI's encrypted variables — never in code.
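A local check for the points above, as an added example that is not part of InsightWorker: it audits a static-key .env file for loose file permissions, for a location inside a git working tree, and for the documentation placeholder key left in place. The function names and finding codes are hypothetical, and the key-ID pattern assumes the common 20-character AKIA form.

```python
import re
import stat
from pathlib import Path

# AWS's published documentation placeholder, as used in the sample config above.
DOC_EXAMPLE_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
# Assumption: long-term IAM user key IDs in their common form, AKIA + 16 characters.
LONG_TERM_KEY_ID = re.compile(r"^AKIA[A-Z0-9]{16}$")


def parse_env(path):
    """Parse simple KEY=VALUE lines, skipping blanks and # comments."""
    values = {}
    for line in Path(path).read_text().splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values


def audit_env_file(path):
    """Return a sorted list of finding codes (hypothetical names) for a .env file."""
    path = Path(path).resolve()
    findings = set()
    # Any group/other permission bit means other local accounts can reach the keys.
    if stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        findings.add("file-readable-by-group-or-other")
    # A .git directory in any parent means the file can be staged by accident.
    if any((parent / ".git").exists() for parent in path.parents):
        findings.add("inside-git-working-tree")
    env = parse_env(path)
    key_id = env.get("AWS_ACCESS_KEY_ID", "")
    if key_id == DOC_EXAMPLE_KEY_ID:
        findings.add("documentation-placeholder-key")
    elif key_id and not LONG_TERM_KEY_ID.match(key_id):
        findings.add("unexpected-key-id-format")
    if key_id and not env.get("AWS_SECRET_ACCESS_KEY"):
        findings.add("secret-key-missing")
    return sorted(findings)


if __name__ == "__main__":
    target = Path.home() / ".insightworker" / ".env"
    if target.exists():
        for finding in audit_env_file(target):
            print(finding)
```

An empty result means none of these checks fired; it says nothing about key age, which only IAM can report.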
See also
- aws-sso.md — the recommended path
- aws-iam-role.md — instance-attached role on EC2 / ECS
Source: docs/authentication/aws-iam-keys.md in the public repo. Open a PR with corrections.
