# AWS Bedrock Stack

| Layer | Product | Role |
|-------|---------|------|
| **L4** | Blekline | Mask prompts, govern tool calls, audit |
| **L2** | AWS Bedrock | Model API / routing |

## Wiring

1. Point SDK `base_url` at `https://app.blekline.com/api/ingress/v1`
2. Set server `OPENAI_API_BASE` to: `Bedrock OpenAI-compatible endpoint or sidecar with IAM role`
3. Provide upstream API key or IAM credentials on the sidecar (BYOK)

```bash
export BLEKLINE_WORKSPACE_TOKEN=blw_...
export OPENAI_API_BASE=https://api.example.com/v1
```

**Flow:** Agent/SDK → L4 Blekline ingress → L2 AWS Bedrock → model response.

## Enterprise

- **Auth / BYOK** — You own upstream API keys or IAM roles; Blekline never stores them (sidecar env only).
- **Data residency** — Align Blekline mask region with upstream; see [Multi-region ingress](/docs/enterprise/multi-region).
- **Private deploy** — Run [ingress sidecar](/docs/api/ingress-proxy) in your VPC; see [Deployment](/docs/enterprise/deployment).
- **EU AI Act** — Audit trail + human oversight; see [EU AI Act mapping](/docs/introduction/eu-ai-act).
- **Trust** — Metadata-only audit by default; see [Trust boundaries](/docs/security/trust-boundaries).

See [AWS Bedrock documentation](https://docs.aws.amazon.com/bedrock/).

---

**Next steps:** [Model providers hub](/docs/integrations/model-providers) · [Ingress proxy](/docs/api/ingress-proxy) · [Deployment](/docs/enterprise/deployment) · [Open workspace](https://app.blekline.com)