AI AWS Guardrails: Use IAM role assumption - Plugin

Use IAM role assumption

Configure the AI AWS Guardrails plugin to use IAM role assumption instead of static credentials.

Note: The IAM role fields can be used with or without static AWS credentials (config.aws_access_key_id and config.aws_secret_access_key).

Prerequisites

You have an AWS Bedrock Guardrails policy and access to AWS Bedrock Guardrails service.
You have enabled an AI Proxy or AI Proxy Advanced plugin.

Environment variables

AWS_GUARDRAILS_ID: The ID of the AWS Guardrails configuration.
AWS_GUARDRAILS_VERSION: The version of the AWS Guardrails configuration (e.g. DRAFT or 1).
AWS_REGION: The AWS region to use.
AWS_ASSUME_ROLE_ARN: The ARN of the IAM role to assume.
AWS_ROLE_SESSION_NAME: A unique identifier for the AWS role session.

Set up the plugin

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    config:
      guardrails_id: ${{ env "DECK_AWS_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_AWS_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_assume_role_arn: ${{ env "DECK_AWS_ASSUME_ROLE_ARN" }}
      aws_role_session_name: ${{ env "DECK_AWS_ROLE_SESSION_NAME" }}

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
  labels:
    global: 'true'
config:
  guardrails_id: '$AWS_GUARDRAILS_ID'
  guardrails_version: '$AWS_GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_assume_role_arn: '$AWS_ASSUME_ROLE_ARN'
  aws_role_session_name: '$AWS_ROLE_SESSION_NAME'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.aws_guardrails_id
    guardrails_version = var.aws_guardrails_version
    aws_region = var.aws_region
    aws_assume_role_arn = var.aws_assume_role_arn
    aws_role_session_name = var.aws_role_session_name
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_role_session_name" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    service: serviceName|Id
    config:
      guardrails_id: ${{ env "DECK_AWS_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_AWS_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_assume_role_arn: ${{ env "DECK_AWS_ASSUME_ROLE_ARN" }}
      aws_role_session_name: ${{ env "DECK_AWS_ROLE_SESSION_NAME" }}

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  guardrails_id: '$AWS_GUARDRAILS_ID'
  guardrails_version: '$AWS_GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_assume_role_arn: '$AWS_ASSUME_ROLE_ARN'
  aws_role_session_name: '$AWS_ROLE_SESSION_NAME'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-aws-guardrails

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.aws_guardrails_id
    guardrails_version = var.aws_guardrails_version
    aws_region = var.aws_region
    aws_assume_role_arn = var.aws_assume_role_arn
    aws_role_session_name = var.aws_role_session_name
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_role_session_name" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    route: routeName|Id
    config:
      guardrails_id: ${{ env "DECK_AWS_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_AWS_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_assume_role_arn: ${{ env "DECK_AWS_ASSUME_ROLE_ARN" }}
      aws_role_session_name: ${{ env "DECK_AWS_ROLE_SESSION_NAME" }}

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  guardrails_id: '$AWS_GUARDRAILS_ID'
  guardrails_version: '$AWS_GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_assume_role_arn: '$AWS_ASSUME_ROLE_ARN'
  aws_role_session_name: '$AWS_ROLE_SESSION_NAME'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=ai-aws-guardrails

Copied!

kubectl annotate -n kong ingress  konghq.com/plugins=ai-aws-guardrails

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.aws_guardrails_id
    guardrails_version = var.aws_guardrails_version
    aws_region = var.aws_region
    aws_assume_role_arn = var.aws_assume_role_arn
    aws_role_session_name = var.aws_role_session_name
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_role_session_name" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    consumer: consumerName|Id
    config:
      guardrails_id: ${{ env "DECK_AWS_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_AWS_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_assume_role_arn: ${{ env "DECK_AWS_ASSUME_ROLE_ARN" }}
      aws_role_session_name: ${{ env "DECK_AWS_ROLE_SESSION_NAME" }}

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
consumerId: The id of the consumer the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  guardrails_id: '$AWS_GUARDRAILS_ID'
  guardrails_version: '$AWS_GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_assume_role_arn: '$AWS_ASSUME_ROLE_ARN'
  aws_role_session_name: '$AWS_ROLE_SESSION_NAME'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the KongConsumer resource:

kubectl annotate -n kong  CONSUMER_NAME konghq.com/plugins=ai-aws-guardrails

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.aws_guardrails_id
    guardrails_version = var.aws_guardrails_version
    aws_region = var.aws_region
    aws_assume_role_arn = var.aws_assume_role_arn
    aws_role_session_name = var.aws_role_session_name
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_role_session_name" {
  type = string
}

Copied!

Add this section to your kong.yaml configuration file:

kong.yaml

Copied!

_format_version: "3.0"
plugins:
  - name: ai-aws-guardrails
    consumer_group: consumerGroupName|Id
    config:
      guardrails_id: ${{ env "DECK_AWS_GUARDRAILS_ID" }}
      guardrails_version: ${{ env "DECK_AWS_GUARDRAILS_VERSION" }}
      aws_region: ${{ env "DECK_AWS_REGION" }}
      aws_assume_role_arn: ${{ env "DECK_AWS_ASSUME_ROLE_ARN" }}
      aws_role_session_name: ${{ env "DECK_AWS_ROLE_SESSION_NAME" }}

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-aws-guardrails",
      "config": {
        "guardrails_id": "'$AWS_GUARDRAILS_ID'",
        "guardrails_version": "'$AWS_GUARDRAILS_VERSION'",
        "aws_region": "'$AWS_REGION'",
        "aws_assume_role_arn": "'$AWS_ASSUME_ROLE_ARN'",
        "aws_role_session_name": "'$AWS_ROLE_SESSION_NAME'"
      },
      "tags": []
    }
    '

Copied!

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
controlPlaneId: The id of the control plane.
consumerGroupId: The id of the consumer group the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-aws-guardrails
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
    konghq.com/tags: ''
config:
  guardrails_id: '$AWS_GUARDRAILS_ID'
  guardrails_version: '$AWS_GUARDRAILS_VERSION'
  aws_region: '$AWS_REGION'
  aws_assume_role_arn: '$AWS_ASSUME_ROLE_ARN'
  aws_role_session_name: '$AWS_ROLE_SESSION_NAME'
plugin: ai-aws-guardrails
" | kubectl apply -f -

Copied!

Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:

kubectl annotate -n kong  CONSUMERGROUP_NAME konghq.com/plugins=ai-aws-guardrails

Copied!

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Copied!

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_aws_guardrails" "my_ai_aws_guardrails" {
  enabled = true

  config = {
    guardrails_id = var.aws_guardrails_id
    guardrails_version = var.aws_guardrails_version
    aws_region = var.aws_region
    aws_assume_role_arn = var.aws_assume_role_arn
    aws_role_session_name = var.aws_role_session_name
  }
  tags = []

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}

Copied!

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_role_session_name" {
  type = string
}

Copied!

AI AWS Guardrails

Use IAM role assumption

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help