> ## Documentation Index
> Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Update AWS Bedrock credentials using API

export const plans_0 = "Any"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - AWS Bedrock credential rotation and updates"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

AWS Bedrock AI secrets in Braintrust can be updated programmatically using the partially update AI secret endpoint. This enables credential rotation for temporary AWS credentials or updating permanent access keys without recreating the entire AI secret configuration.

## Resolution Steps

### If updating temporary credentials

#### Step 1: Get the AI secret ID

List your AI secrets to find the Bedrock secret ID you want to update.

```python theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
import requests

response = requests.get(
  "https://api.braintrust.dev/v1/ai_secret",
  headers={"Authorization": f"Bearer {api_key}"}
)
secrets = response.json()

```

#### Step 2: Update with new temporary credentials

Use the partially update endpoint to replace the temporary AWS credentials including the session token.

```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
response = requests.patch(
  f"https://api.braintrust.dev/v1/ai_secret/{secret_id}",
  headers={"Authorization": f"Bearer {api_key}"},
  json={
    "metadata": {
      "aws_access_key_id": "NEW_TEMP_ACCESS_KEY",
      "aws_secret_access_key": "NEW_TEMP_SECRET_KEY",
      "aws_session_token": "NEW_SESSION_TOKEN"
    }
  }
)

```

### If updating permanent credentials

#### Step 1: Update access keys only

Update permanent credentials by omitting the `aws_session_token` field.

```text theme={"theme":{"light":"github-light","dark":"github-dark-dimmed"}}
response = requests.patch(
  f"https://api.braintrust.dev/v1/ai_secret/{secret_id}",
  headers={"Authorization": f"Bearer {api_key}"},
  json={
    "metadata": {
      "aws_access_key_id": "NEW_ACCESS_KEY",
      "aws_secret_access_key": "NEW_SECRET_KEY"
    }
  }
)

```