AWS Bedrock
AWS Bedrock is Amazon's hosted-LLM service — the way you call models from Anthropic (Claude), OpenAI (the open-weight GPT-OSS family), Meta, Mistral, and others through an AWS account. The calls run on Amazon's infrastructure, get billed alongside the rest of your AWS spend, and are governed by your existing AWS contract and security controls. If your company has an AWS account that you're allowed to use, Bedrock is usually the path of least resistance for compliance-sensitive work — there's no separate vendor to onboard, no separate procurement cycle, no separate audit. Parleq calls Bedrock for cleanup the same way it would call any other provider; only the auth wiring is AWS-specific.
At a glance
- Auth modes (three): AWS SSO (recommended for corporate accounts), static IAM access keys (personal accounts or service users), or scoped Bedrock API keys (Bearer tokens with no IAM understanding required).
- Default model: openai.gpt-oss-120b-1:0 — fastest in benchmarks. Claude Haiku 4.5 is a balanced alternative.
- Default region: us-east-2. Model availability varies by region — you have to enable each model in the Bedrock console for the region you'll use.
- IAM permission required: bedrock:InvokeModelWithResponseStream (and bedrock:InvokeModel). No other AWS services are touched.
- Compliance: Bedrock-served prompts and completions are not used for training. Traffic stays inside your AWS account boundary; existing CloudTrail / VPC controls apply.
Before you start
1. Enable Bedrock model access in your AWS account.

   In the AWS console, go to Bedrock → Model access, switch to the region you'll use, and request access to the models you want — at minimum, openai.gpt-oss-120b or anthropic.claude-haiku-4.5. Approval is usually instant for these models. If you skip this step, every dictation returns a Bedrock AccessDeniedException.

   Model availability varies by region. us-east-2 (Parleq's default) carries both recommended models. If you switch regions, re-check the model-access page for that region.

2. Pick one of three auth modes.

   All three are functionally equivalent for Parleq once configured. Pick the one that matches how your org gives out AWS access:

   - AWS SSO — your work account is federated through Identity Center / Okta / etc. Recommended.
   - Static IAM access keys — you have a long-lived access-key + secret pair (typically a personal AWS account or a service IAM user).
   - Bedrock API keys — scoped Bearer tokens AWS introduced for Bedrock specifically. No SigV4 ceremony, but doesn't cover other AWS services.
Mode 1: AWS SSO (recommended)
Parleq delegates to your AWS CLI session — once you've signed in via aws sso login, Parleq picks up the credentials automatically and refreshes them on schedule via Soto's SSO provider. No keys to paste, no secrets to rotate.
First-time setup (one-shot):
```bash
aws configure sso
# Walk through the prompts: SSO start URL, region, IAM role, profile name.
# Pick a profile name you'll remember — e.g. "work" or "parleq".
aws sso login --profile work
# Opens a browser, completes the SSO challenge, caches a session
# in ~/.aws/sso/cache.
```
Then in Parleq's Setup Wizard, pick AWS Bedrock, set the Region (defaults to us-east-2), and the Profile name you used above. Click Continue, then Finish & Restart.
When the SSO session expires (typically 8–12 hours), the surfaced error in the overlay tells you exactly which command to re-run — usually aws sso login --profile <name>.
Mode 2: Static IAM access keys
Useful when you don't have SSO — for personal AWS accounts or org accounts that still use IAM users. Keys are stored in the macOS Keychain and never written to ~/.parleq/config.json.
Create an IAM user (or use an existing one) with at minimum the following inline policy. Parleq only ever calls bedrock:InvokeModelWithResponseStream:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}
```

Generate an access key for the user (IAM console → Users → your user → Security credentials → Create access key), then in Parleq open Settings… → Cleanup provider → AWS Bedrock, switch Auth mode to Static credentials, and paste:
- Access key ID (starts with AKIA for IAM users or ASIA for STS sessions)
- Secret access key
- Session token (only if you're using a temporary STS credential — leave blank for a permanent IAM access key)
The wizard hardcodes SSO; the static-credentials path is only available in Settings post-setup. There's no Restart needed when only the credentials change.
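The inline policy above allows the two invoke actions on `"Resource": "*"`, which covers every Bedrock model in every region. As an added example (not Parleq's code), the Python below audits a policy for grants broader than the two actions the page lists and builds a variant scoped to foundation-model ARNs; `audit`, `scoped_policy` and `PAGE_POLICY` are hypothetical names, and inference-profile IDs such as the `us.anthropic.*` one use a different ARN form that is not handled here.

```python
import json

# The two actions the page's policy grants; anything else is excess for Parleq.
NEEDED = {"bedrock:invokemodel", "bedrock:invokemodelwithresponsestream"}

# Constructed copy of the inline policy shown on this page.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": "*",
    }],
}

def _listify(value):
    """IAM accepts a bare string or object wherever a list is allowed."""
    return value if isinstance(value, list) else [value]

def scoped_policy(region, model_ids):
    """Same two actions, with Resource narrowed to foundation-model ARNs."""
    arns = [f"arn:aws:bedrock:{region}::foundation-model/{m}" for m in model_ids]
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["bedrock:InvokeModel", "bedrock:InvokeModelWithResponseStream"],
        "Resource": arns,
    }]}

def audit(policy):
    """Return one finding per Allow grant that is broader than the two
    invoke actions on explicit Bedrock ARNs."""
    findings = []
    for i, stmt in enumerate(_listify(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource grants by exclusion")
        for action in _listify(stmt.get("Action", [])):
            if action.lower() not in NEEDED:  # also catches "*" and "bedrock:*"
                findings.append(f"statement {i}: action {action!r} is not needed")
        for res in _listify(stmt.get("Resource", [])):
            if "*" in res or "?" in res or not res.startswith("arn:aws:bedrock:"):
                findings.append(f"statement {i}: resource {res!r} is not an explicit Bedrock ARN")
    return findings

if __name__ == "__main__":
    print(audit(PAGE_POLICY))
    print(json.dumps(scoped_policy("us-east-2", ["openai.gpt-oss-120b-1:0"]), indent=2))
```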
Mode 3: Bedrock API keys
AWS introduced scoped Bedrock-only API keys in 2024 — a Bearer token that authenticates against Bedrock specifically, with no broader IAM reach. Parleq's BedrockBearerProvider talks to Bedrock over plain HTTPS with Authorization: Bearer <key>, bypassing SigV4 entirely. Useful when you want to give Parleq a credential that only calls Bedrock — no S3, no IAM, no other services.
Generate one in the AWS console under Bedrock → API keys. Pick a sensible expiration (e.g. 30 / 90 days) and scope it to the region(s) you'll use.
In Parleq, open Settings… → Cleanup provider → AWS Bedrock, switch Auth mode to Bedrock API key, and paste the key. Stored in the macOS Keychain.
Bedrock API keys expire on the date you set when creating them — Parleq's error surface includes the auth-mode hint, so an expired key shows up clearly. Generate a new one and replace it in Settings; no restart needed.
Choosing a model
Two recommended options, picked from in-house benchmarks against representative cleanup prompts:
| Model ID | Profile | TTFT p50 |
|---|---|---|
| openai.gpt-oss-120b-1:0 | Fastest (default) | ~400 ms |
| us.anthropic.claude-haiku-4-5-20251001-v1:0 | Balanced | ~880 ms |
Cleanup is a low-stakes editing task; either model handles it well. GPT-OSS is the default because the latency advantage is noticeable in practice. Switch to Claude Haiku if you've already standardized on Anthropic across your tooling and want consistent style.
Custom model IDs work too — Settings has a Model picker with a "Custom…" option that lets you paste any Bedrock model ID or inference-profile ID. Just confirm it's enabled in the region's model-access page first.
Pricing notes
Bedrock charges per token at the model-specific rate — no monthly subscription. Cleanup prompts are short (a few hundred input tokens, a few hundred output tokens), so a typical day of dictation runs to single-digit cents. Parleq's Settings → Usage tab tracks per-call token counts and rolls them into a running cost estimate using AWS's published rates.
See the current rates at aws.amazon.com/bedrock/pricing. There's no charge for unused capacity — Bedrock is fully on-demand.
Compliance notes
Bedrock-served models do not use prompts or completions for training. Traffic stays within your AWS account boundary; the same VPC / IAM / CloudTrail controls you've already configured for AWS apply. If you're already using AWS for other compliance-sensitive workloads, Parleq fits inside that approval — no separate vendor review.
Audio never reaches AWS. Only the text transcript output by Parleq's on-device speech model is sent. Logs include length-only diagnostics; transcript text is never written to ~/.parleq/app.log.
Troubleshooting
AccessDeniedException — model not enabled
You haven't enabled access to the model in this region. Go to Bedrock → Model access, switch to the right region, and request access. Approval is usually immediate.
ValidationException: model not found
The model ID isn't valid for the configured region. Double-check the spelling against AWS's model catalog, and confirm the model is offered in the region you selected (some are us-east-1-only, others have inference profiles like the us.anthropic.* prefix that route across regions).
SSO session expired
The overlay surfaces a clear "AWS SSO session expired" error pointing at aws sso login --profile <name>. Run that, then dictate again — no restart needed.
Tracing credential resolution
For deep debugging, set PARLEQ_BEDROCK_TRACE=1 in the environment before launching Parleq (or via the launch agent plist). Soto will trace each credential provider it tries in order, so you can see exactly which one matched or why each rejected.