Bedrock Chat supports multiple authentication methods through Amazon Cognito, including built-in Cognito user pools, Google OAuth, and custom OIDC providers.

Amazon Cognito User Pool

By default, Bedrock Chat uses Amazon Cognito User Pool for authentication. Users can sign up and sign in using email addresses.

Self Sign-Up Configuration

Control whether users can register their own accounts.
selfSignUpEnabled (boolean, default: true)
Enable or disable self-registration for new users. When disabled, administrators must create user accounts manually through the Cognito console.
Configure in cdk.json:
{
  "context": {
    "selfSignUpEnabled": true
  }
}
Configure in parameter.ts:
bedrockChatParams.set("default", {
  selfSignUpEnabled: false,
});

Email Domain Restrictions

Restrict sign-ups to specific email domains.
allowedSignUpEmailDomains (array, default: [])
List of email domains allowed for sign-up. An empty array allows all domains.
Example:
{
  "context": {
    "allowedSignUpEmailDomains": ["example.com", "company.org"]
  }
}
This restricts sign-ups to users with @example.com or @company.org email addresses.
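The check below is an added illustration, not Bedrock Chat's own code: it shows how an allow list such as `["example.com", "company.org"]` would be applied to a sign-up request, the way a Cognito pre-sign-up trigger would evaluate it. It assumes exact matching of the part after the `@` (so `mail.example.com` is not `example.com`), case-insensitive comparison, and that an empty list means no restriction, as the setting's default describes.

```typescript
// Added example, not part of the Bedrock Chat project: evaluate a sign-up
// email against the allowedSignUpEmailDomains allow list.

type DomainPolicy = {
  allowedSignUpEmailDomains: string[]; // [] means every domain is allowed
};

type SignUpDecision = { allowed: boolean; reason: string };

/** Lower-case the domain and drop a trailing dot so "Example.com." matches "example.com". */
function normaliseDomain(domain: string): string {
  return domain.trim().toLowerCase().replace(/\.$/, "");
}

/** Return the normalised domain part of an address, or null if the address is malformed. */
function emailDomain(email: string): string | null {
  const trimmed = email.trim();
  const at = trimmed.lastIndexOf("@");
  // No '@', empty local part, or empty domain part: reject.
  if (at <= 0 || at === trimmed.length - 1) return null;
  // More than one '@' is rejected outright rather than guessing which one is the separator.
  if (trimmed.indexOf("@") !== at) return null;
  return normaliseDomain(trimmed.slice(at + 1));
}

/** Decide whether a sign-up may proceed under the configured domain policy. */
function evaluateSignUp(email: string, policy: DomainPolicy): SignUpDecision {
  const domain = emailDomain(email);
  if (domain === null) {
    return { allowed: false, reason: "malformed email address" };
  }
  const allowed = policy.allowedSignUpEmailDomains.map(normaliseDomain);
  if (allowed.length === 0) {
    return { allowed: true, reason: "no domain restriction configured" };
  }
  // Exact match only (assumption of this example): a sub-domain of an allowed
  // domain is not itself allowed, which keeps the allow list explicit.
  if (allowed.includes(domain)) {
    return { allowed: true, reason: `domain ${domain} is on the allow list` };
  }
  return { allowed: false, reason: `domain ${domain} is not on the allow list` };
}

// Constructed sample input mirroring the cdk.json example above.
const samplePolicy: DomainPolicy = { allowedSignUpEmailDomains: ["example.com", "company.org"] };
for (const addr of ["alice@example.com", "bob@mail.example.com", "Carol@COMPANY.ORG", "no-at-sign"]) {
  const d = evaluateSignUp(addr, samplePolicy);
  console.log(`${addr}: ${d.allowed ? "allow" : "deny"} (${d.reason})`);
}
```

Matching on the full domain rather than with a suffix test matters: a naive `endsWith("example.com")` check would also accept `notexample.com`.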

User Pool Domain Prefix

userPoolDomainPrefix (string, default: "")
Globally unique domain prefix for the Cognito User Pool. Required when using external identity providers.
The prefix must be globally unique across all Amazon Cognito users. Include identifiers, project names, or environment names to ensure uniqueness.

Auto-Join User Groups

autoJoinUserGroups (array, default: ["CreatingBotAllowed"])
List of Cognito user groups that new users automatically join upon registration.
Available groups:
  • CreatingBotAllowed: Grants permission to create custom bots
  • Admin: Provides administrative access
  • PublishAllowed: Enables bot API publishing
Example:
{
  "context": {
    "autoJoinUserGroups": ["CreatingBotAllowed", "PublishAllowed"]
  }
}

Google OAuth Integration

Integrate Google as an external identity provider.

Step 1: Create Google OAuth 2.0 Client

  1. Go to the Google Developer Console
  2. Create a new project or select an existing one
  3. Navigate to Credentials > Create Credentials > OAuth client ID
  4. Configure the consent screen if prompted
  5. Select Web application as the application type
  6. Leave the redirect URI blank initially (will be configured after deployment)
  7. Note the Client ID and Client Secret

Step 2: Store Credentials in AWS Secrets Manager

  1. Open AWS Secrets Manager in the console
  2. Choose Store a new secret
  3. Select Other type of secrets
  4. Add the following key-value pairs:
    • Key: clientId, Value: Your Google Client ID
    • Key: clientSecret, Value: Your Google Client Secret
  5. Name the secret (e.g., googleOAuthCredentials)
  6. Store the secret
The key names must exactly match clientId and clientSecret.

Step 3: Configure Identity Provider

identityProviders (array, default: [])
List of external identity provider configurations.
Configure in cdk.json:
{
  "context": {
    "identityProviders": [
      {
        "service": "google",
        "secretName": "googleOAuthCredentials"
      }
    ],
    "userPoolDomainPrefix": "my-bedrock-chat"
  }
}

Step 4: Deploy and Update Redirect URI

After deploying, retrieve the AuthApprovedRedirectURI from CloudFormation outputs and add it to your Google OAuth client’s authorized redirect URIs.

Custom OIDC Provider

Integrate any OIDC-compliant identity provider.

Step 1: Obtain OIDC Credentials

Follow your OIDC provider’s procedures to obtain:
  • Client ID
  • Client Secret
  • Issuer URL

Step 2: Store Credentials in AWS Secrets Manager

  1. Open AWS Secrets Manager
  2. Choose Store a new secret
  3. Select Other type of secrets
  4. Add the following key-value pairs:
    • Key: clientId, Value: Your OIDC Client ID
    • Key: clientSecret, Value: Your OIDC Client Secret
    • Key: issuerUrl, Value: Your OIDC Issuer URL
  5. Name the secret (e.g., oidcCredentials)
  6. Store the secret
The key names must exactly match clientId, clientSecret, and issuerUrl.

Step 3: Configure Identity Provider

Configure in cdk.json:
{
  "context": {
    "identityProviders": [
      {
        "service": "oidc",
        "serviceName": "MyCompanySSO",
        "secretName": "oidcCredentials"
      }
    ],
    "userPoolDomainPrefix": "my-bedrock-chat"
  }
}
identityProviders[].service (string, required): Identity provider type. Use "google" or "oidc".
identityProviders[].serviceName (string, optional): Display name for a custom OIDC provider. Only used when service is "oidc".
identityProviders[].secretName (string, required): Name of the AWS Secrets Manager secret containing the provider credentials.
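The validator below is an added example and not part of Bedrock Chat or the CDK; it encodes the constraints stated in the Google and OIDC steps above so that a misconfiguration is caught before `cdk deploy`: `service` must be "google" or "oidc", `secretName` is required, `userPoolDomainPrefix` is required once an external provider is configured, and the Secrets Manager value must carry exactly the keys `clientId`, `clientSecret` and, for OIDC, `issuerUrl` (key names are case-sensitive). The domain-prefix character rule and the requirement that `issuerUrl` use https are additional checks assumed here, not settings from the page.

```typescript
// Added example, not the project's own code: sanity-check the identityProviders
// context and the shape of the Secrets Manager payload each provider points at.

type IdentityProvider = { service: string; serviceName?: string; secretName: string };

type AuthContext = {
  identityProviders: IdentityProvider[];
  userPoolDomainPrefix: string;
};

/** Keys each provider type's secret must contain, exactly as documented above. */
const REQUIRED_SECRET_KEYS: Record<string, string[]> = {
  google: ["clientId", "clientSecret"],
  oidc: ["clientId", "clientSecret", "issuerUrl"],
};

function isKnownService(service: string): boolean {
  return Object.prototype.hasOwnProperty.call(REQUIRED_SECRET_KEYS, service);
}

/** Return a list of problems with the cdk.json context; an empty list means it is consistent. */
function validateAuthContext(ctx: AuthContext): string[] {
  const problems: string[] = [];
  const prefix = ctx.userPoolDomainPrefix.trim();

  if (ctx.identityProviders.length > 0 && prefix === "") {
    problems.push("userPoolDomainPrefix is required when external identity providers are configured");
  }
  // Assumed format for a Cognito hosted-UI prefix: lower-case letters, digits and
  // hyphens, not starting or ending with a hyphen.
  if (prefix !== "" && !/^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/.test(prefix)) {
    problems.push(`userPoolDomainPrefix "${prefix}" contains characters Cognito does not accept`);
  }

  ctx.identityProviders.forEach((idp, i) => {
    const where = `identityProviders[${i}]`;
    if (!isKnownService(idp.service)) {
      problems.push(`${where}.service must be "google" or "oidc"`);
    }
    if (!idp.secretName || idp.secretName.trim() === "") {
      problems.push(`${where}.secretName is required`);
    }
    if (idp.service === "google" && idp.serviceName) {
      problems.push(`${where}.serviceName is only used for oidc providers and will be ignored`);
    }
  });
  return problems;
}

/** Check that a SecretString (JSON) carries every key the provider type needs. */
function validateSecretPayload(service: string, secretString: string): string[] {
  if (!isKnownService(service)) return [`unknown service "${service}"`];
  let parsed: unknown;
  try {
    parsed = JSON.parse(secretString);
  } catch {
    return ["secret value is not valid JSON"];
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return ["secret value must be a JSON object of key/value pairs"];
  }
  const obj = parsed as Record<string, unknown>;
  const problems: string[] = [];
  // Key names are compared case-sensitively: "ClientId" does not satisfy "clientId".
  for (const key of REQUIRED_SECRET_KEYS[service]) {
    const value = obj[key];
    if (typeof value !== "string" || value.trim() === "") {
      problems.push(`missing or empty key "${key}"`);
    }
  }
  // Added check: OIDC discovery must run over TLS, or the token endpoint can be tampered with.
  const issuer = obj.issuerUrl;
  if (service === "oidc" && typeof issuer === "string" && !issuer.startsWith("https://")) {
    problems.push("issuerUrl must use https");
  }
  return problems;
}

// Constructed sample matching the cdk.json example above, with placeholder secret values.
const sampleContext: AuthContext = {
  identityProviders: [{ service: "oidc", serviceName: "MyCompanySSO", secretName: "oidcCredentials" }],
  userPoolDomainPrefix: "my-bedrock-chat",
};
const sampleSecret = JSON.stringify({
  clientId: "<PLACEHOLDER_CLIENT_ID>",
  clientSecret: "<PLACEHOLDER_CLIENT_SECRET>",
  issuerUrl: "https://idp.example.invalid",
});
console.log("context problems:", validateAuthContext(sampleContext));
console.log("secret problems:", validateSecretPayload("oidc", sampleSecret));
```

Running the secret check against the value you stored, rather than only the context, is what catches the most common deployment failure on this page: a key typed as `ClientID` or `issuer_url` that the deployment cannot read.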

Step 4: Deploy and Update Redirect URI

After deployment, retrieve the AuthApprovedRedirectURI from CloudFormation outputs and configure it in your OIDC provider.

Token Configuration

tokenValidMinutes (number, default: 30)
ID token validity period in minutes. Determines how often users need to refresh their authentication.
Example:
{
  "context": {
    "tokenValidMinutes": 60
  }
}

Deployment Commands

Deploy with authentication configuration:
cd cdk
npx cdk deploy --require-approval never --all
Or use the deployment script with options:
./bin.sh --disable-self-register --allowed-signup-email-domains "example.com"
