AWS Bedrock setup (Bedrock-Mantle)
The Distillery can sit in front of AWS Bedrock-Mantle, the OpenAI-compatible endpoint Amazon exposes for open-weight models. This guide walks you through pointing your client at the proxy, telling The Distillery to forward requests to the right region, and confirming everything routes correctly. If you have already used the Distillery against another OpenAI-compatible provider this will feel familiar; the only Bedrock-specific bits are the URL prefix, a bearer token, and a two-key entry in .distilleryrc.json.
What it is
Bedrock-Mantle is AWS's OpenAI-compatible front door at bedrock-mantle.{region}.api.aws/v1. It accepts chat-completions-shaped requests and returns chat-completions-shaped responses, which means The Distillery's existing OpenAI passthrough handles it without translation. The proxy targets the open-weight family Bedrock-Mantle serves: Qwen, Mistral, Gemma, DeepSeek, and the AWS first-party Nova models among others.
Claude models on Bedrock are a different surface. They use the native AWS Invoke API, sign every request with SigV4, and do not accept OpenAI-shaped traffic. The route described here will not work for them and there is no Bearer-token alternative — The Distillery's Bedrock support is open-weight-only by design.
Prerequisites
Three things need to be true before you start:
- Your AWS account has Bedrock-Mantle enabled in the target region. Bedrock-Mantle is region-scoped and model availability differs per region. Check the AWS console under Bedrock → Model access before assuming a model is reachable.
- You have an
AWS_BEARER_TOKEN_BEDROCKvalue. The Distillery requires a Bearer token rather than SigV4 access keys; the proxy rewrites request bodies for compression, and any rewrite invalidates a SigV4 signature. Generate a Bearer token in the AWS console under IAM → Bedrock API keys (the same flowaws bedrock create-api-keyexposes from the CLI). .distilleryrc.jsonis editable in the project directory you launch your client from. The proxy walks up from the client's cwd looking for this file, so the file must exist in that directory or an ancestor. If you do not yet have one, create an empty{}and the next step will populate it.
Step-by-step setup
Run these once per shell or per project, depending on whether you want the env var permanent.
Step 1. Point your client at The Distillery's Bedrock prefix:
export OPENAI_BASE_URL=http://127.0.0.1:3080/bedrock
On Windows PowerShell use $env:OPENAI_BASE_URL = "http://127.0.0.1:3080/bedrock". Add it to your shell profile if you want it to survive across sessions.
Step 2. Tell The Distillery this project should use the Bedrock route by adding two keys to .distilleryrc.json in your project root:
{
"bedrockProvider": true,
"bedrockRegion": "us-east-1"
}
bedrockProvider: true is the activation flag — without it the proxy returns a 400 with a setupUrl field pointing back here. bedrockRegion defaults to us-east-1 if you omit it; set it explicitly when your model lives elsewhere.
Step 3. Export your Bearer token (this is the credential the proxy forwards upstream unchanged):
export AWS_BEARER_TOKEN_BEDROCK=...
The Distillery does not store, log, or persist this value. It reads the Authorization header on each request and forwards it directly to bedrock-mantle.{region}.api.aws.
Step 4. Start the proxy:
thedistillery start
You should see Listening on http://127.0.0.1:3080 followed by hook-installation output. Leave that terminal open while you test.
Verify
In a separate terminal, send a small chat-completion through the proxy. Use the shell-variable form below so you do not accidentally paste your real token into a code block:
curl -X POST http://127.0.0.1:3080/bedrock/v1/chat/completions \
-H "Authorization: Bearer $AWS_BEARER_TOKEN_BEDROCK" \
-H "Content-Type: application/json" \
-d '{"model":"us.amazon.nova-lite-v1:0","messages":[{"role":"user","content":"hi"}]}'
A successful response is HTTP 200 with an OpenAI-compat chat completion body: an id, an object: "chat.completion", a choices[] array containing the model's reply, and a usage object with prompt_tokens and completion_tokens. The Distillery dashboard at http://127.0.0.1:3080 shows the request in its live feed within a few seconds, attributed to the bedrock provider.
If you do not see the request in the dashboard but the curl returned 200, you probably hit the proxy directly without the project config — confirm .distilleryrc.json is in the cwd you ran curl from, or pass an explicit cwd header (-H "x-distillery-cwd: /absolute/path").
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
400 sigv4_not_supported | You sent a SigV4-signed request (the Authorization header starts with AWS4-HMAC-SHA256). | Switch your client from SigV4 access keys to a Bearer token via AWS_BEARER_TOKEN_BEDROCK. |
400 configuration_error with setupUrl: https://thedistillery.dev/docs/bedrock-setup in the body | bedrockProvider is not true in .distilleryrc.json, or the file is not in your project cwd. | Add "bedrockProvider": true (and optionally "bedrockRegion") to .distilleryrc.json. Confirm the file lives in the directory you launched the client from or an ancestor. |
404 body from upstream | Region mismatch — Bedrock-Mantle is region-scoped, and the model is not enabled in the configured bedrockRegion. | Either enable the model in your current region, or change bedrockRegion to one where the model is available. |
403 forbidden from the proxy | The request came in on a non-loopback Host header. The Distillery rejects non-localhost hosts as a defense-in-depth measure. | Send the request to 127.0.0.1 or localhost, not to a LAN IP. |
| Request succeeds in curl but never appears in the dashboard | Your project cwd is not where .distilleryrc.json lives, so the proxy did not match the request to a Bedrock-tracked session. | Either run from the project directory, or pass -H "x-distillery-cwd: /absolute/path" so the proxy can locate the config. |
What is not supported
Three Bedrock surfaces are intentionally out of scope for this route:
- Claude models on Bedrock (native Invoke API, SigV4). Use Claude Code's standard Anthropic endpoint via
ANTHROPIC_BASE_URLinstead — that path is auto-configured when you runthedistillery start. - SigV4-signed requests to Bedrock-Mantle. Body mutation breaks the signature, so the proxy rejects them at the door with a
400 sigv4_not_supported. Bearer tokens are the only supported auth. - Per-region URL overrides beyond
bedrockRegion. If you need to hit a private Bedrock endpoint or VPC-only deployment, file an issue — the registry can accept an override but there is no first-class config field for it yet.
Everything else — Qwen, Mistral, Gemma, DeepSeek, Amazon Nova, and any future open-weight model Bedrock-Mantle ships — works through this route with no further configuration.