AWS Bedrock IAM permissions for Braintrust integration

Applies to:

Summary

AWS Bedrock AI secrets in Braintrust can be updated programmatically using the partially update AI secret endpoint. This enables credential rotation for temporary AWS credentials or updating permanent access keys without recreating the entire AI secret configuration.

Resolution Steps

If updating temporary credentials

Step 1: Get the AI secret ID

List your AI secrets to find the Bedrock secret ID you want to update.

import requests

response = requests.get(
  "https://api.braintrust.dev/v1/ai_secret",
  headers={"Authorization": f"Bearer {api_key}"}
)
secrets = response.json()

Step 2: Update with new temporary credentials

Use the partially update endpoint to replace the temporary AWS credentials including the session token.

response = requests.patch(
  f"https://api.braintrust.dev/v1/ai_secret/{secret_id}",
  headers={"Authorization": f"Bearer {api_key}"},
  json={
    "metadata": {
      "aws_access_key_id": "NEW_TEMP_ACCESS_KEY",
      "aws_secret_access_key": "NEW_TEMP_SECRET_KEY",
      "aws_session_token": "NEW_SESSION_TOKEN"
    }
  }
)

If updating permanent credentials

Step 1: Update access keys only

Update permanent credentials by omitting the aws_session_token field.

response = requests.patch(
  f"https://api.braintrust.dev/v1/ai_secret/{secret_id}",
  headers={"Authorization": f"Bearer {api_key}"},
  json={
    "metadata": {
      "aws_access_key_id": "NEW_ACCESS_KEY",
      "aws_secret_access_key": "NEW_SECRET_KEY"
    }
  }
)

​Summary

​Resolution Steps

​If updating temporary credentials

​Step 1: Get the AI secret ID

​Step 2: Update with new temporary credentials

​If updating permanent credentials

​Step 1: Update access keys only