Authenticate Model connections

Create Model connections using foundational models such as Amazon Bedrock, Google Vertex AI, Azure OpenAI, OpenAI and others. Review the connection authentication methods for each to configure and ensure secure connections.

The authentication method varies based on the chosen model when defining a Model connection. These are authentication details for each foundational model.

Note: While creating and testing a Model connection, for any credential that is fetched via Credential Vault, the attribute name for Username and Password should not have any space. For example: if the attribute name is aws sign access key, it should be entered as aws_sign _access_key.

Amazon Bedrock

Amazon Bedrock authentication details

For Amazon Bedrock, you would define Authentication details for these fields:
  • Region: Select a region from the drop-down list to connect for authenticating the Model connection.

    You can also add a region that is not available in the drop-down list by referring to the list in Amazon Bedrock. Enter in this format to get the region added to the list. For example: us-east-1.

    Note: For a list of supported deployment regions for Amazon Bedrock models, see Supported regions and models for Amazon Bedrock knowledge bases.
  • Access Key: This AWS access key serves as your unique identifier within the AWS ecosystem. It is a fundamental part of the authentication process, allowing AWS services to recognize and validate your access.
  • Secret Access Key: This key is the confidential counterpart to your Access Key ID. This key is used to sign requests made to AWS, enhancing security by ensuring that only authorized individuals or systems can access your AWS resources.
  • Session Token (optional): Additionally, you have the option to include a Session token, which is a temporary, time-bound token used when working with temporary security credentials. It provides an added layer of security, particularly in scenarios where temporary access is required, such as when using temporary security credentials.
Note: For details on setting up Access Key, Secret Access Key, and Session Token for Amazon Bedrock, see Amazon Bedrock: Authenticate action.

Google Vertex AI

Google Vertex AI authentication details

For Google Vertex AI, you would define Authentication details for these fields:
  • Project Name: This is the Google Cloud account project.
  • Region: Select a region from the drop-down list to connect for authenticating the Model connection.

    You can also add a region that is not available in the drop-down list by referring to the list in Google Vertex AI. Enter in this format to get the region added to the list. For example: us-east-1.

  • Control Room OAuth Connection: Create an OAuth 2.0 Client ID. A client ID is used to identify a single application to Google's OAuth Servers.
Note: For details on setting up the Google Cloud Project and OAuth Connection for Google Vertex AI, see Vertex AI: Connect action and Create OAuth connection.

The Google Vertex AI OAuth connection has a short validity period and expires within a few hours of creating it. We recommend removing this limitation by configuring the Reauthentication policy ClientId App exemption settings in the Google Cloud Console. For more information, see Configure Reauthentication policy for Google Vertex AI.

Azure OpenAI

Azure OpenAI authentication details

For Azure OpenAI, you would define Authentication details for these fields:
  • Azure OpenAI Resource Name: You would get this value from the Microsoft Azure Resource page.
  • Deployment ID: You would get this value from the Microsoft Azure Resource page as well.
    The Model connection configuration requires a user to provide a Deployment ID which is the name of the deployment within the Microsoft Azure portal. As this deployment is mapped to a specific foundational model, users should ensure that they select the correct Model connection model that maps to the Microsoft Azure deployment model.
    Note: You would see a warning message if these values do not match.
  • API Key:
    • Insecure String: Selecting this option displays a warning message mentioning that the value provided in this field is not encrypted. We recommend using a credential for data security.
    • Credential: We recommend using this option. Click Pick to select Locker, Credential, and Attribute values available from the drop-down list. This is based on settings maintained in the connected Control Room for the credential manager.
      Note: See Security architecture and Credentials and lockers in the Credential Vault for reference.
Confirm and click Next to proceed to the Test connection section to test the Model connection.
Note: See Configuring Azure OpenAI and Azure OpenAI: Authenticate action for details on configuring the Azure OpenAI Resource Name and Deployment ID parameters.

OpenAI

OpenAI authentication details

For OpenAI, you would define Authentication details for the API Key field:

API Key
  • Insecure String: Selecting this option displays a warning message mentioning that the value provided in this field is not encrypted. We recommend using a credential for data security.
  • Credential: We recommend using this option. Click Pick to select Locker, Credential, and Attribute values available from the drop-down list. This is based on settings maintained in the connected Control Room for the credential manager.
    Note: See Security architecture and Credentials and lockers in the Credential Vault for reference.
Confirm and click Next to proceed to the Test connection section to test the Model connection.
Note: See OpenAI: Authenticate action for details on configuring the API Key for OpenAI.