Amazon Bedrock AI Connector Setup Guide

Create roles and permissions in AWS Bedrock

Tealium requires a connection to Amazon Bedrock in your AWS account to use Bedrock models and resources from your server-side connector. You have two options for authenticating the connection:

Provide an Access Key and Access Secret.
Provide STS credentials.

Access key and secret credentials

To create your AWS access key and secret:

Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
Click Users and then click Add user.
Enter a username. For example, TealiumBedrockUser.
Attach policies to the user. For more information, see Attach policies.
Create the keys.
- Go to the Security credentials tab and click Create Access Key.
- Copy the Access Key ID and Secret Access Key, and save them securely.

STS credentials

To create your STS credentials:

Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
Click Roles, and then click Create role.
Under Trusted entity type, select the AWS account.
Select Another AWS account and enter the Tealium account ID: 757913464184.
(Optional) Select the Require external ID checkbox and specify the external ID that you want to use. External IDs can be up to 256 characters long and can include alphanumeric characters (A-Z, a-z, 0-9) and symbols, such as hyphens (-), underscores (_), and periods (.).
Enter a name for the role. The role name must start with TealiumBedrock. For example: TealiumBedrock-RoleName.
Attach policies to the role. For more information, see Attach policies.
Create a trust policy.
- Go to the Trust relationships tab and click Edit trust relationship.
- Ensure that the trust policy allows the specific external ID to use the role you created and that the Tealium production account ID is 757913464184.
- Set the EXTERNAL_ID value for the connection to Tealium. The ID can be up to 256 characters long and can include alphanumeric characters (A-Z, a-z, 0-9) and symbols, such as hyphens (-), underscores (_), and periods (.).

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::757913464184:root"
          },
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "sts:ExternalId": "EXTERNAL_ID"
            }
          }
        }
      ]
    }

Attach policies

In the AWS Management Console, enter the necessary policies for the connector actions you are using. The following policies are required for each connector action:

Send Data to Bedrock AI Prompt

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListModels",
      "Effect": "Allow",
      "Action": [
        "bedrock:ListFoundationModels"
      ],
      "Resource": "*"
    },
    {
      "Sid": "InvokeModel",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel"
      ],
      "Resource": "*"
    }
  ]
}

Send Data to Bedrock AI Managed Prompt

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "RenderManagedPrompt",
      "Effect": "Allow",
      "Action": [
        "bedrock:RenderPrompt"
      ],
      "Resource": "*"
    }
  ]
}

Send Data to Bedrock AI Flow

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "BedrockFlowInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeFlow"
      ],
      "Resource": "arn:aws:bedrock:<REGION>:<ACCOUNT_ID>:flow/*"
    }
  ]
}

To enter and attach the policies:

In the AWS console, go to IAM > Policies.
Click Create policy.
In the policy editor, select the JSON tab.
Paste the policy for your connector action into the editor.
Resolve any validation warnings, then click Next.
Give it a policy name (for example, TealiumCustomAccessPolicy) and optional description.
Click Create policy.
Go to Roles.
Click the role name you want to modify.
On the Permissions tab, click Add permissions > Attach policies
In the search box, enter the name of your new custom policy.
Select the box next to that policy.
Click Attach policies.

Configuration

Go to the Connector Marketplace and add a new connector. For general instructions on how to add a connector, see About Connectors.

After adding the connector, configure the following settings:

Authentication Type: (Required) The type of authentication to use.
- Access Key
  - Access Key: (Required) Provide your IAM user’s access key. The associated IAM policy (for either IAM user or Assumed Role) must grant bedrock:PutRecord permission along with streams you want to send data to.
  - Secret Key: (Required) Provide your IAM user’s secret key.
- STS
  - STS - Assume Role: ARN: (Required) An Amazon Resource Name assigned to the role to assume. For more information, see: AWS: Switching to an IAM Role.
  - STS - Assume Role: Session Name: (Required) A unique identifier of the assumed role session.
  - STS - Assume Role: External ID: (Optional) A unique identifier used by third parties when assuming roles in their customers’ accounts. For more information, see: AWS: Access to AWS accounts owned by third parties.
Region: (Required) Select a region.

Prompt information

A Bedrock AI prompt, whether sent from Tealium, managed within Amazon Bedrock, or used in a flow, must be authored to return only valid JSON for Tealium to correctly process the response. Use the following guidelines:

Use double curly braces to reference mapped parameters, for example: {{tealium_account}}, {{tealium_profile}}, {{tealium_visitor_id}}, {{visitor_json}}.
Clearly instruct the model to return only valid JSON with no explanations, no markdown, no code fences, and no extra text before or after the JSON.
Define the exact JSON structure you expect (field names, required keys, and value types) so the output can be parsed safely.
Instruct the model to return Tealium fields explicitly (for example, tealium_account, tealium_profile, tealium_visitor_id, tealium_event).
Avoid vague instructions. Write deterministic prompts so that repeated calls produce the same JSON schema.
For best results, include a line such as: “Return a single JSON object only, with no prose, no backticks, and no additional formatting.”

Prompt example

You are an AI assistant that must return only valid JSON.
Do not include explanations, markdown, code fences, or any text outside the JSON object.

Using the visitor data below, calculate a numeric score between 0 and 100 that represents
the visitor's likelihood to convert in this session.

Return a single JSON object only, with this exact structure:

{
  "tealium_account": "{{tealium_account}}",
  "tealium_profile": "{{tealium_profile}}",
  "tealium_visitor_id": "{{tealium_visitor_id}}",
  "tealium_event": "bedrock_ai_insight",
  "visitor_score": <integer between 0 and 100>
}

Visitor data:
{{visitor_json}}

The response will resemble the following:

{
    "metrics": {
        "latencyMs": 1272
    },
    "output": {
        "message": {
            "content": [
                {
                    "text": "{\"tealium_account\":\"your-account\",\"tealium_profile\":\"main\",\"tealium_visitor_id\":\"__your-account_main__5574_438850__\",\"tealium_event\":\"bedrock_ai_insight\",\"visitor_score\":85}"
                }
            ],
            "role": "assistant"
        }
    },
    "stopReason": "end_turn",
    "usage": {
        "inputTokens": 8811,
        "outputTokens": 65,
        "serverToolUsage": {},
        "totalTokens": 8876
    }
}

Amazon Bedrock Flows

Amazon Bedrock Flows are multi-step AI orchestrations that combine prompts, knowledge bases, Lambda functions, conditional logic, and external data into a single reusable workflow. A flow defines how input data moves through prompts, enrichment steps, business logic, and final output to turn complex AI decisioning into a single API endpoint.

To use the Send Data to Bedrock Flow action, create a flow in Amazon Bedrock that accepts input from Tealium, processes it through your AI steps, and sends the results back to Tealium through a Lambda function.

The sections below describe the required and optional components of a flow.

Step 1 - Define the flow input

Every flow begins with an input node. This node represents the JSON document Tealium sends to the flow.

Tealium sends your mapped attributes in the following format similar to the following example:

"document": {
    "tealium_account": "services-example",
    "tealium_profile": "ai",
    "tealium_visitor_id": "1234567890abc",
    "tealium_event": "visitor_ai_score",
    "visitor_profile": {
        "lifetime_value": "1200",
        "total_orders": 5,
        ...
        }
}

Inside your flow, reference fields using $.data.attribute_name. Based on the previous example:

$.data.tealium_account
$.data.tealium_profile
$.data.tealium_visitor_id
$.data.tealium_event
$.data.visitor_profile.lifetime_value
$.data.visitor_profile.total_orders

Step 2 - Map data into a prompt node (Required)

Next, add a prompt node to generate AI output (such as a score, recommendation, or decision).

Inside the prompt node:

Set your prompt text.
Insert variables using the {{fieldname}} format. For example, {{tealium_account}}.
Choose a Bedrock model.
Return valid JSON as the output of the prompt.

For an example, see the Prompt example section above.

Step 3 - (Optional) Add knowledge base retrieval

Amazon Bedrock Knowledge Bases let you connect your AI workflows to external data sources, such as Amazon S3, Amazon Redshift, or Amazon OpenSearch Service. A knowledge base stores and indexes your documents, making them available for retrieval and grounding during prompt execution. When you add a knowledge base node to your flow, the model can use relevant information from your data to generate more accurate and context-aware responses. This step is optional, but it is valuable for personalization, recommendations, or contextual decisioning.

After you connect the knowledgebase, you can pass knowledge base results into your prompt using fields like {{$.kbResults}}.

For more information on knowledge bases, see Amazon Bedrock: Retrieve data and generate AI responses with Amazon Bedrock Knowledge Bases.

For more information on creating a knowledge base, see Amazon Bedrock: Create a knowledge base by connecting to a data source in Amazon Bedrock Knowledge Bases.

Step 4 - Add a Lambda node to send results back to Tealium (Required for Tealium Integration)

After your prompt produces structured JSON, you must send that result back into Tealium for profile enrichment.

Add a Lambda node that:

Receives the prompt output ($.data from your prompt node).
Parses the JSON.
Posts it to Tealium Collect: POST https://collect.tealiumiq.com/event.
Includes the following:
- tealium_account
- tealium_profile
- tealium_visitor_id
- tealium_event (user-defined)
- Your AI output fields (for example, visitor_score)

Use our provided Lambda example or build your own.

Step 5 - Add a flow output node

Although Tealium does not process the flow’s API response, an output node is required to complete the flow.

Connecting your Lambda output to the FlowOutputNode doesn’t affect Tealium processing, but helps you verify the flow works with the following tools:

Debug in the Bedrock console.
View errors from the Lambda function.
Inspect final JSON results for validation.
View output in Tealium using Trace.

Lambda example

The following is a Lambda example for accepting prompt output, parsing the JSON, and sending that data to the Tealium Collect endpoint for enrichment and activation in Tealium.

It includes fallbacks to account for various data structures. Rewrite yours as needed.

const COLLECT_URL = process.env.COLLECT_URL || "https://collect.tealiumiq.com/event";

// ---- Robust extractor for Bedrock Flow Lambda wrapper ----
function extractInputByName(event, name) {
  const arr = event?.node?.inputs;
  if (Array.isArray(arr)) {
    const hit = arr.find(i => i?.name === name);
    if (hit && typeof hit.value === "string") return hit.value;      // expected: codeHookInput (STRING)
    if (hit && typeof hit.value === "object") return JSON.stringify(hit.value); // if wired as Object by mistake
  }
  return undefined;
}

function extractJsonStringFromEvent(event) {
  // Standard pin
  const fromStandardPin = extractInputByName(event, "codeHookInput");
  if (typeof fromStandardPin === "string") return fromStandardPin;

  // First STRING input as fallback
  const anyString = event?.node?.inputs?.find?.(i => typeof i?.value === "string")?.value;
  if (typeof anyString === "string") return anyString;

  // Legacy fallbacks (other shapes)
  if (typeof event?.codeHookInput === "string") return event.codeHookInput;
  if (typeof event?.document === "string") return event.document;
  const doc = event?.fields?.[0]?.content?.document;
  if (typeof doc === "string") return doc;
  if (typeof event === "string") return event;

  throw new Error("Could not find JSON string in event");
}
// ----------------------------------------------------------

export const handler = async (event) => {
  try {
    const jsonStr = extractJsonStringFromEvent(event); // raw JSON string from Prompt
    // Validate syntax (no double-stringify)
    JSON.parse(jsonStr);

    //Validate required fields
    const required = ["tealium_account", "tealium_profile", "tealium_visitor_id"];

    for (const key of required) {
      if (!Object.prototype.hasOwnProperty.call(obj, key)) {
        throw new Error(`Missing required field '${key}' in model output`);
      }
    }

    const r = await fetch(COLLECT_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: jsonStr
    });

    if (!r.ok) {
      const txt = await r.text().catch(() => "");
      throw new Error(`Collect failed ${r.status}: ${txt}`);
    }

    return jsonStr;
  } catch (err) {
    console.error("Shim error:", err);
    return JSON.stringify({ ok: false, error: String(err.message || err) });
  }
};

Actions

Action Name	AudienceStream	EventStream
Send Prompt to Bedrock AI Model	✓	✗
Send Data to Bedrock AI Managed Prompt	✓	✗
Send Data to Bedrock AI Workflow	✓	✗

Enter a name for the action and select the action type.

The following section describes how to set up parameters and options for each action.

Send Prompt to Bedrock AI Model

Parameters

Parameter	Description
Model ID or Inference Profile ARN	Select the Amazon Bedrock model or enter an inference profile ARN to use for generating the AI response.
Prompt Parameters	Map parameters to a placeholder to replace in the prompt. The connector will make available the default variables `{{tealium_account}}`, `{{tealium_profile}}`, and `{{tealium_visitor_id}}`. These can be overwritten with mapping.
Add Visitor Profile	Whether to allow the visitor profile in the prompt template as variable `{{visitor_profile}}`.
Add Current Visit	Whether to allow current visit data in the `{{visitor_profile}}` object.
Prompt	Use double curly braces to reference mapped parameters, for example: `{{tealium_account}}`, `{{visitor_id}}`, `{{event_value}}`. Use `{{visitor_profile}}` to include the visitor profile in the prompt. Clearly instruct the model to return only valid JSON, with no explanations, markdown, code fences, or extra text. Define the exact JSON structure expected (for example, field names, required keys, value formats). If Tealium fields must be included, specify them explicitly in the prompt. Avoid ambiguous phrasing. Write deterministic prompts. Include direct instructions such as: “Return a single JSON object only, with no prose, no backticks, and no extra formatting."
Debug Mode	When debug mode is enabled, the connector accepts the raw Bedrock response without sending it to Tealium Collect. Use Trace to validate the response format before enabling full processing.

Send Data to Bedrock AI Managed Prompt

Parameter	Description
Prompt ARN	(Required) Provide the ARN of a Bedrock Prompt Management template. The prompt ARN can be found in the Overview section of the prompt details in Bedrock.
Prompt Data	Tealium will pass mapped attributes into prompt when invoking it. The connector includes the variables `tealium_account`, `tealium_profile`, and `tealium_visitor_id` in the prompt. These can be overwritten with mapping. Write the prompt to clearly instruct the model to return only valid JSON, with no explanations, no markdown, no code fences, and no additional text before or after the JSON. You must author the prompt to include instructions for the model to return `tealium_account`, `tealium_profile`, and `tealium_visitor_id` in the JSON. Avoid ambiguous phrasing. Write deterministic prompts so the output can be parsed reliably. For best results, include a direct instruction such as: “Return a single JSON object only, with no prose, no backticks, and no extra formatting."
Add Visitor Profile	Whether to allow the visitor profile in the prompt variables as `visitor_profile`.
Add Current Visit	Whether to allow current visit data in the `visitor_profile` object.
Debug Mode	When debug mode is enabled, the connector accepts the raw Bedrock response without sending it to Tealium Collect. Use Trace to validate the response format before enabling full processing.

Send Data to Bedrock AI Workflow

Parameter	Description
Bedrock Flow Alias ARN	(Required) Enter the ARN of the Bedrock Flow Alias you want this action to invoke. We recommend creating an alias such as `live` and using that ARN here.
Flow Data	You can change which Flow Version that alias points to in AWS without updating this connector. The connector sends your mapped fields to the Flow as a JSON object named document. Inside your Flow, you can reference these fields using `$.data.<fieldName>` in Prompt, Lambda, or other nodes. By default, `tealium_account`, `tealium_profile`, and `tealium_visitor_id` are included automatically, and can be overwritten through field mappings if needed. Your flow must include a `FlowOutputNode`, but Tealium does not use its output. Use Lambda to send data back into Tealium through the Collect endpoint. We recommend wiring the Lambda output into the `FlowOutputNode` to see success/error information when testing the flow in the Bedrock console.
Add Visitor Profile	Whether to allow the full visitor profile to be added to the Flow input as a `visitor_profile` JSON object.
Add Current Visit	Whether to allow attributes from the current visit to be merged into the same `visitor_profile` object.