AI Proxy: Chat route with Amazon Bedrock - Plugin

Chat route with Amazon Bedrockv3.6+

Configure a chat route using Amazon Bedrock with the Meta Llama 3 70B Instruct model and the US East 1 AWS region.

Prerequisites

AWS account with access to Bedrock

Environment variables

AWS_ACCESS_KEY_ID: The AWS access key ID to use to connect to Bedrock.
AWS_SECRET_ACCESS_KEY: The AWS secret access key to use to connect to Bedrock.

Set up the plugin

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-proxy
    config:
      route_type: llm/v1/chat
      auth:
        allow_override: false
        aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
        aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}
      model:
        provider: bedrock
        name: meta.llama3-70b-instruct-v1:0
        options:
          bedrock:
            aws_region: us-east-1

Make the following request:

curl -i -X POST http://localhost:8001/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongClusterPlugin
metadata:
  name: ai-proxy
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
  labels:
    global: 'true'
config:
  route_type: llm/v1/chat
  auth:
    allow_override: false
    aws_access_key_id: '$AWS_ACCESS_KEY_ID'
    aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
  model:
    provider: bedrock
    name: meta.llama3-70b-instruct-v1:0
    options:
      bedrock:
        aws_region: us-east-1
plugin: ai-proxy
" | kubectl apply -f -

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_proxy" "my_ai_proxy" {
  enabled = true

  config = {
    route_type = "llm/v1/chat"

    auth = {
      allow_override = false
      aws_access_key_id = var.aws_access_key_id
      aws_secret_access_key = var.aws_secret_access_key
    }

    model = {
      provider = "bedrock"
      name = "meta.llama3-70b-instruct-v1:0"

      options = {

        bedrock = {
          aws_region = "us-east-1"
        }
      }
    }
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-proxy
    service: serviceName|Id
    config:
      route_type: llm/v1/chat
      auth:
        allow_override: false
        aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
        aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}
      model:
        provider: bedrock
        name: meta.llama3-70b-instruct-v1:0
        options:
          bedrock:
            aws_region: us-east-1

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/services/{serviceName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

serviceName|Id: The id or name of the service the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/services/{serviceId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
serviceId: The id of the service the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-proxy
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  route_type: llm/v1/chat
  auth:
    allow_override: false
    aws_access_key_id: '$AWS_ACCESS_KEY_ID'
    aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
  model:
    provider: bedrock
    name: meta.llama3-70b-instruct-v1:0
    options:
      bedrock:
        aws_region: us-east-1
plugin: ai-proxy
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the service resource:

kubectl annotate -n kong service SERVICE_NAME konghq.com/plugins=ai-proxy

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_proxy" "my_ai_proxy" {
  enabled = true

  config = {
    route_type = "llm/v1/chat"

    auth = {
      allow_override = false
      aws_access_key_id = var.aws_access_key_id
      aws_secret_access_key = var.aws_secret_access_key
    }

    model = {
      provider = "bedrock"
      name = "meta.llama3-70b-instruct-v1:0"

      options = {

        bedrock = {
          aws_region = "us-east-1"
        }
      }
    }
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  service = {
    id = konnect_gateway_service.my_service.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-proxy
    route: routeName|Id
    config:
      route_type: llm/v1/chat
      auth:
        allow_override: false
        aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
        aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}
      model:
        provider: bedrock
        name: meta.llama3-70b-instruct-v1:0
        options:
          bedrock:
            aws_region: us-east-1

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/routes/{routeName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

routeName|Id: The id or name of the route the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/routes/{routeId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
routeId: The id of the route the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-proxy
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  route_type: llm/v1/chat
  auth:
    allow_override: false
    aws_access_key_id: '$AWS_ACCESS_KEY_ID'
    aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
  model:
    provider: bedrock
    name: meta.llama3-70b-instruct-v1:0
    options:
      bedrock:
        aws_region: us-east-1
plugin: ai-proxy
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the httproute or ingress resource:

kubectl annotate -n kong httproute  konghq.com/plugins=ai-proxy

kubectl annotate -n kong ingress  konghq.com/plugins=ai-proxy

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_proxy" "my_ai_proxy" {
  enabled = true

  config = {
    route_type = "llm/v1/chat"

    auth = {
      allow_override = false
      aws_access_key_id = var.aws_access_key_id
      aws_secret_access_key = var.aws_secret_access_key
    }

    model = {
      provider = "bedrock"
      name = "meta.llama3-70b-instruct-v1:0"

      options = {

        bedrock = {
          aws_region = "us-east-1"
        }
      }
    }
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  route = {
    id = konnect_gateway_route.my_route.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-proxy
    consumer: consumerName|Id
    config:
      route_type: llm/v1/chat
      auth:
        allow_override: false
        aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
        aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}
      model:
        provider: bedrock
        name: meta.llama3-70b-instruct-v1:0
        options:
          bedrock:
            aws_region: us-east-1

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumers/{consumerName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

consumerName|Id: The id or name of the consumer the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumers/{consumerId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
consumerId: The id of the consumer the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-proxy
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  route_type: llm/v1/chat
  auth:
    allow_override: false
    aws_access_key_id: '$AWS_ACCESS_KEY_ID'
    aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
  model:
    provider: bedrock
    name: meta.llama3-70b-instruct-v1:0
    options:
      bedrock:
        aws_region: us-east-1
plugin: ai-proxy
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the KongConsumer resource:

kubectl annotate -n kong  CONSUMER_NAME konghq.com/plugins=ai-proxy

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_proxy" "my_ai_proxy" {
  enabled = true

  config = {
    route_type = "llm/v1/chat"

    auth = {
      allow_override = false
      aws_access_key_id = var.aws_access_key_id
      aws_secret_access_key = var.aws_secret_access_key
    }

    model = {
      provider = "bedrock"
      name = "meta.llama3-70b-instruct-v1:0"

      options = {

        bedrock = {
          aws_region = "us-east-1"
        }
      }
    }
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer = {
    id = konnect_gateway_consumer.my_consumer.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

Add this section to your declarative configuration file:

_format_version: "3.0"
plugins:
  - name: ai-proxy
    consumer_group: consumerGroupName|Id
    config:
      route_type: llm/v1/chat
      auth:
        allow_override: false
        aws_access_key_id: ${{ env "DECK_AWS_ACCESS_KEY_ID" }}
        aws_secret_access_key: ${{ env "DECK_AWS_SECRET_ACCESS_KEY" }}
      model:
        provider: bedrock
        name: meta.llama3-70b-instruct-v1:0
        options:
          bedrock:
            aws_region: us-east-1

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -i -X POST http://localhost:8001/consumer_groups/{consumerGroupName|Id}/plugins/ \
    --header "Accept: application/json" \
    --header "Content-Type: application/json" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

consumerGroupName|Id: The id or name of the consumer group the plugin configuration will target.

Make the following request:

curl -X POST https://{region}.api.konghq.com/v2/control-planes/{controlPlaneId}/core-entities/consumer_groups/{consumerGroupId}/plugins/ \
    --header "accept: application/json" \
    --header "Content-Type: application/json" \
    --header "Authorization: Bearer $KONNECT_TOKEN" \
    --data '
    {
      "name": "ai-proxy",
      "config": {
        "route_type": "llm/v1/chat",
        "auth": {
          "allow_override": false,
          "aws_access_key_id": "'$AWS_ACCESS_KEY_ID'",
          "aws_secret_access_key": "'$AWS_SECRET_ACCESS_KEY'"
        },
        "model": {
          "provider": "bedrock",
          "name": "meta.llama3-70b-instruct-v1:0",
          "options": {
            "bedrock": {
              "aws_region": "us-east-1"
            }
          }
        }
      }
    }
    '

Make sure to replace the following placeholders with your own values:

region: Geographic region where your Kong Konnect is hosted and operates.
controlPlaneId: The id of the control plane.
KONNECT_TOKEN: Your Personal Access Token (PAT) associated with your Konnect account.
consumerGroupId: The id of the consumer group the plugin configuration will target.

See the Konnect API reference to learn about region-specific URLs and personal access tokens.

echo "
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: ai-proxy
  namespace: kong
  annotations:
    kubernetes.io/ingress.class: kong
config:
  route_type: llm/v1/chat
  auth:
    allow_override: false
    aws_access_key_id: '$AWS_ACCESS_KEY_ID'
    aws_secret_access_key: '$AWS_SECRET_ACCESS_KEY'
  model:
    provider: bedrock
    name: meta.llama3-70b-instruct-v1:0
    options:
      bedrock:
        aws_region: us-east-1
plugin: ai-proxy
" | kubectl apply -f -

Next, apply the KongPlugin resource by annotating the KongConsumerGroup resource:

kubectl annotate -n kong  CONSUMERGROUP_NAME konghq.com/plugins=ai-proxy

Prerequisite: Configure your Personal Access Token

terraform {
  required_providers {
    konnect = {
      source  = "kong/konnect"
    }
  }
}

provider "konnect" {
  personal_access_token = "$KONNECT_TOKEN"
  server_url            = "https://us.api.konghq.com/"
}

Add the following to your Terraform configuration to create a Konnect Gateway Plugin:

resource "konnect_gateway_plugin_ai_proxy" "my_ai_proxy" {
  enabled = true

  config = {
    route_type = "llm/v1/chat"

    auth = {
      allow_override = false
      aws_access_key_id = var.aws_access_key_id
      aws_secret_access_key = var.aws_secret_access_key
    }

    model = {
      provider = "bedrock"
      name = "meta.llama3-70b-instruct-v1:0"

      options = {

        bedrock = {
          aws_region = "us-east-1"
        }
      }
    }
  }

  control_plane_id = konnect_gateway_control_plane.my_konnect_cp.id
  consumer_group = {
    id = konnect_gateway_consumer_group.my_consumer_group.id
  }
}

This example requires the following variables to be added to your manifest. You can specify values at runtime by setting TF_VAR_name=value.

variable "aws_secret_access_key" {
  type = string
}

AI Proxy

Chat route with Amazon Bedrockv3.6+

Prerequisites

Environment variables

Set up the plugin

Help us make these docs great!

Still need help