Amazon Bedrock AI Connector Setup Guide
This article describes how to set up the Amazon Bedrock AI connector.
Supported models
The Amazon Bedrock AI connector supports a wide range of foundation models. For the current list of supported models, see Amazon Bedrock: Supported foundation models in Amazon Bedrock.
Some Bedrock models require provisioned throughput and cannot be invoked using on-demand inference. If you encounter an on-demand throughput error, use a model that supports ON_DEMAND inference or provide a provisioned throughput or inference profile ARN in the configuration list.
Create IAM roles and permissions
Tealium requires IAM roles and permissions in your AWS account to connect to Amazon Bedrock from your server-side connector. You have two options for authenticating the connection:
Access key and secret credentials
To create your AWS access key and secret:
- Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
- Click Users and then click Add user.
- Enter a username. For example,
TealiumBedrockUser. - Attach policies to the user. For more information, see Attach policies.
- Create the keys.
- Go to the Security credentials tab and click Create Access Key.
- Copy the Access Key ID and Secret Access Key, and save them securely.
STS credentials
To create your STS credentials:
- Log in to the AWS Management Console and go to the IAM (Identity and Access Management) service.
- Click Roles, and then click Create role.
- Under Trusted entity type, select the AWS account.
- Select Another AWS account and enter the Tealium account ID:
757913464184. - (Optional) Select the Require external ID checkbox and specify the external ID that you want to use. External IDs can be up to 256 characters long and can include alphanumeric characters (
A-Z,a-z,0-9) and symbols, such as hyphens (-), underscores (_), and periods (.). - Enter a name for the role. The role name must start with
TealiumBedrock. For example:TealiumBedrock-RoleName. - Attach policies to the role. For more information, see Attach policies.
- Create a trust policy.
- Go to the Trust relationships tab and click Edit trust relationship.
- Ensure that the trust policy allows the specific external ID to use the role you created and that the Tealium production account ID is
757913464184. - Set the
EXTERNAL_IDvalue for the connection to Tealium. The ID can be up to 256 characters long and can include alphanumeric characters (A-Z,a-z,0-9) and symbols, such as hyphens (-), underscores (_), and periods (.).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::757913464184:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "EXTERNAL_ID"
}
}
}
]
}
Attach policies
In the AWS Management Console, enter the necessary policies for the connector actions you are using. The following policies are required for each connector action:
We recommend that you limit permissions to the specific ARNs of flows and Lambda functions you require.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListModels",
"Effect": "Allow",
"Action": [
"bedrock:ListFoundationModels"
],
"Resource": "*"
},
{
"Sid": "InvokeModel",
"Effect": "Allow",
"Action": [
"bedrock:InvokeModel"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RenderManagedPrompt",
"Effect": "Allow",
"Action": [
"bedrock:RenderPrompt"
],
"Resource": "*"
}
]
}
If you are using Lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BedrockFlowInvoke",
"Effect": "Allow",
"Action": [
"bedrock:InvokeFlow"
],
"Resource": "arn:aws:bedrock:<REGION>:<ACCOUNT_ID>:flow/<flow_id>/alias/<alias_name>"
},
{
"Sid": "LambdaInvokeFunction",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction"
],
"Resource": "arn:aws:lambda:<REGION>:<ACCOUNT_ID>:function:<FUNCTION_NAME>"
}
]
}
If you are not using Lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "BedrockFlowInvoke",
"Effect": "Allow",
"Action": [
"bedrock:InvokeFlow"
],
"Resource": "arn:aws:bedrock:<REGION>:<ACCOUNT_ID>:flow/<flow_id>/alias/<alias_name>"
}
]
}
To enter and attach the policies:
- In the AWS console, go to IAM > Policies.
- Click Create policy.
- In the policy editor, select the JSON tab.
- Paste the policy for your connector action into the editor.
- Resolve any validation warnings, then click Next.
- Give it a policy name (for example,
TealiumCustomAccessPolicy) and optional description. - Click Create policy.
- Go to Roles.
- Click the role name you want to modify.
- On the Permissions tab, click Add permissions > Attach policies
- In the search box, enter the name of your new custom policy.
- Select the box next to that policy.
- Click Attach policies.
Configuration
Go to the Connector Marketplace and add a new connector. For general instructions on how to add a connector, see About Connectors.
After adding the connector, configure the following settings:
- Authentication Type: (Required) The type of authentication to use.
- Access Key
- Access Key: (Required) Provide your IAM user’s access key. The associated IAM policy (for either IAM user or Assumed Role) must grant
bedrock:PutRecordpermission along with streams you want to send data to. - Secret Key: (Required) Provide your IAM user’s secret key.
- Access Key: (Required) Provide your IAM user’s access key. The associated IAM policy (for either IAM user or Assumed Role) must grant
- STS
- STS - Assume Role: ARN: (Required) An Amazon Resource Name assigned to the role to assume. For more information, see: AWS: Switching to an IAM Role.
- STS - Assume Role: Session Name: (Required) A unique identifier of the assumed role session.
- STS - Assume Role: External ID: (Optional) A unique identifier used by third parties when assuming roles in their customers’ accounts. For more information, see: AWS: Access to AWS accounts owned by third parties.
- Access Key
- Region: (Required) Select a region.
Prompt information
A Bedrock AI prompt, whether sent from Tealium, managed within Amazon Bedrock, or used in a flow, must be authored to return only valid JSON for Tealium to correctly process the response. Use the following guidelines:
- Use double curly braces to reference mapped parameters, for example:
{{tealium_account}},{{tealium_profile}},{{tealium_visitor_id}},{{visitor_json}}. - Clearly instruct the model to return only valid JSON with no explanations, no markdown, no code fences, and no extra text before or after the JSON.
- Define the exact JSON structure you expect (field names, required keys, and value types) so the output can be parsed safely.
- Instruct the model to return Tealium fields explicitly (for example,
tealium_account,tealium_profile,tealium_visitor_id,tealium_event). - If you need to reference a specific attribute in the prompt, map that attribute to a vendor parameter. For example, map
Last product viewedtolast_product_viewedand reference it in the prompt as{{last_product_viewed}}. - Avoid vague instructions. Write deterministic prompts so that repeated calls produce the same JSON schema.
- For best results, include a line such as: “Return a single JSON object only, with no prose, no backticks, and no additional formatting.”
Prompt example
You are an AI assistant that must return only valid JSON.
Do not include explanations, markdown, code fences, or any text outside the JSON object.
Using the visitor data below, calculate a numeric score between 0 and 100 that represents
the visitor's likelihood to convert in this session.
Return a single JSON object only, with this exact structure:
{
"tealium_account": "{{tealium_account}}",
"tealium_profile": "{{tealium_profile}}",
"tealium_visitor_id": "{{tealium_visitor_id}}",
"tealium_event": "bedrock_ai_insight",
"visitor_score": <integer between 0 and 100>
}
Visitor data:
{{visitor_json}}
Pay particular attention to the value of {{last_product_viewed}}.
The response will resemble the following:
{
"metrics": {
"latencyMs": 1272
},
"output": {
"message": {
"content": [
{
"text": "{\"tealium_account\":\"your-account\",\"tealium_profile\":\"main\",\"tealium_visitor_id\":\"__your-account_main__5574_438850__\",\"tealium_event\":\"bedrock_ai_insight\",\"visitor_score\":85}"
}
],
"role": "assistant"
}
},
"stopReason": "end_turn",
"usage": {
"inputTokens": 8811,
"outputTokens": 65,
"serverToolUsage": {},
"totalTokens": 8876
}
}
The connector accepts the response and sends the JSON event object to the Tealium Collect API endpoint.
Amazon Bedrock Flows
Amazon Bedrock Flows are multi-step AI orchestrations that combine prompts, knowledge bases, Lambda functions, conditional logic, and external data into a single reusable workflow. A flow defines how input data moves through prompts, enrichment steps, business logic, and final output to turn complex AI decisioning into a single API endpoint.
To use the Send Data to Bedrock Flow action, create a flow in Amazon Bedrock that accepts input from Tealium, processes it through your AI steps, and sends the results back to Tealium through a Lambda function.
The sections below describe the required and optional components of a flow.
Step 1 - Define the flow input
Every flow begins with an input node. This node represents the JSON document Tealium sends to the flow.
Tealium sends your mapped attributes in the following format similar to the following example:
"document": {
"tealium_account": "services-example",
"tealium_profile": "ai",
"tealium_visitor_id": "1234567890abc",
"visitor_profile": {
"lifetime_value": "1200",
"total_orders": 5,
...
}
}
Inside your flow, reference fields using $.data.attribute_name. Based on the previous example:
| Tealium Attribute | Bedrock Reference | Example |
|---|---|---|
tealium_account |
$.data.tealium_account or {{tealium_account}} |
services-example |
tealium_profile |
$.data.tealium_profile or {{tealium_profile}} |
ai |
tealium_visitor_id |
$.data.tealium_visitor_id or {{tealium_visitor_id}} |
1234567890abc |
visitor_profile |
$.data.visitor_profile.lifetime_value |
"visitor_profile": {"lifetime_value": "1200","total_orders": 5,...} |
Step 2 - Map data into a prompt node (Required)
Next, add a prompt node to generate AI output (such as a score, recommendation, or decision).
Inside the prompt node:
- Set your prompt text.
- Insert variables using the
{{fieldname}}format. For example,{{tealium_account}}. - Choose a Bedrock model.
- Return valid JSON as the output of the prompt.
For an example, see the Prompt example section above.
Step 3 - (Optional) Add knowledge base retrieval
Amazon Bedrock Knowledge Bases let you connect your AI workflows to external data sources, such as Amazon S3, Amazon Redshift, or Amazon OpenSearch Service. A knowledge base stores and indexes your documents, making them available for retrieval and grounding during prompt execution. When you add a knowledge base node to your flow, the model can use relevant information from your data to generate more accurate and context-aware responses. This step is optional, but it is valuable for personalization, recommendations, or contextual decisioning.
After you connect the knowledge base, you can pass knowledge base results into your prompt using fields like {{$.kbResults}}.
For more information on knowledge bases, see Amazon Bedrock: Retrieve data and generate AI responses with Amazon Bedrock Knowledge Bases.
For more information on creating a knowledge base, see Amazon Bedrock: Create a knowledge base by connecting to a data source in Amazon Bedrock Knowledge Bases.
Step 4 - Add a Lambda node to send results back to Tealium (Required for Tealium Integration)
After your prompt produces structured JSON, you must send that result back into Tealium for profile enrichment.
Add a Lambda node that:
- Receives the prompt output (
$.datafrom your prompt node). - Parses the JSON.
- Posts it to Tealium Collect:
POST https://collect.tealiumiq.com/event. - Includes the following:
tealium_accounttealium_profiletealium_visitor_idtealium_event(user-defined)- Your AI output fields (for example,
visitor_score)
Use our provided Lambda example or build your own.
Step 5 - Add a flow output node
Although Tealium does not process the flow’s API response, an output node is required to complete the flow.
Connecting your Lambda output to the FlowOutputNode doesn’t affect Tealium processing, but helps you verify that the flow works with the following tools:
- Debug in the Bedrock console.
- View errors from the Lambda function.
- Inspect final JSON results for validation.
- View output in Tealium using Trace.
Lambda example
The following is a Lambda example for accepting prompt output, parsing the JSON, and sending that data to the Tealium Collect endpoint for enrichment and activation in Tealium. It includes fallbacks to account for various data structures. Rewrite yours as needed.
The account and profile must be configured to accept server-side events with the specified data source.
This example requires Node.js version 18.x or later as the runtime environment.
Actions
| Action Name | AudienceStream | EventStream | Response Method | Best For |
|---|---|---|---|---|
| Send Prompt to Bedrock AI Model | ✓ | ✓ | Synchronous through connector | Simple, single-model calls |
| Send Data to Bedrock AI Managed Prompt | ✓ | ✓ | Synchronous through connector | Reusable prompts, versioning |
| Send Data to Bedrock AI Workflow | ✓ | ✓ | Asynchronous through Lambda | Multi-step orchestration, KB retrieval |
The following section describes how to set up parameters and options for each action.
Send Prompt to Bedrock AI Model
Parameters
| Parameter | Description |
|---|---|
| Model ID or Inference Profile ARN | Select the Amazon Bedrock model or enter an inference profile ARN to use for generating the AI response. |
| Prompt Parameters | Map parameters to a placeholder to replace in the prompt. By default, the connector has access to {{tealium_account}}, {{tealium_profile}}, and {{tealium_visitor_id}}. These can be overwritten with mapping. |
| Add Visitor Profile | (Only audience actions) Whether to allow the visitor profile for use in the prompt template as the variable {{visitor_profile}}. |
| Add Current Visit | (Only audience actions) Whether to include current visit data in the {{visitor_profile}} object. |
| Add Event Payload | (Only event actions) Whether to allow the event payload for use in the prompt template as the variable {{event_payload}}. |
| Prompt |
|
| Debug Mode | When debug mode is enabled, the connector accepts the raw Bedrock response without sending it to Tealium Collect. Use Trace to validate the response format before enabling full processing. |
Send Data to Bedrock AI Managed Prompt
| Parameter | Description |
|---|---|
| Prompt ARN | (Required) Provide the ARN of a Bedrock Prompt Management template. The prompt ARN can be found in the Overview section of the prompt details in Bedrock. |
| Prompt Data |
|
| Add Visitor Profile | (Only audience actions) Whether to allow the visitor profile for use in the prompt template as the variable {{visitor_profile}}. |
| Add Current Visit | (Only audience actions) Whether to include current visit data in the {{visitor_profile}} object. |
| Add Event Payload | (Only event actions) Whether to allow the event payload for use in the prompt template as the variable {{event_payload}}. |
| Debug Mode | When debug mode is enabled, the connector accepts the raw Bedrock response without sending it to Tealium Collect. Use Trace to validate the response format before enabling full processing. |
Send Data to Bedrock AI Flow
| Parameter | Description |
|---|---|
| Bedrock Flow Alias ARN | (Required) Enter the ARN of the Bedrock Flow Alias you want this action to invoke. We recommend creating an alias such as live and using that ARN here. |
| Flow Data |
|
| Add Visitor Profile | (Only audience actions) Whether to include the full visitor profile in the Flow input as a visitor_profile JSON object. |
| Add Current Visit | (Only audience actions) Whether to include the current visit data in the visitor_profile JSON object. |
| Add Event Payload | (Only event actions) Whether to include the event payload in the Flow input as the event_payload JSON object. |
Common errors and troubleshooting
The following are common error codes and resolutions:
Common AWS error codes:
-
AccessDeniedExceptionorNotAuthorized
Your IAM user or role doesn’t have the required permissions (for example,bedrock:InvokeModel,bedrock:RenderPrompt,bedrock:InvokeFlow,bedrock:ListFoundationModels).
To solve this, update the IAM policy attached to the role or access keys to include the needed Bedrock actions on the correct resources. -
InvalidClientTokenId,UnrecognizedClientException, orExpiredTokenException
The configured access keys or STS session are invalid or expired.
To solve this, rotate and re‑enter credentials in the connector, or verify the STS role and external ID are correct and not expired. -
OptInRequiredorFTUFormNotFilled
The AWS account is not fully enabled for Bedrock or for a specific model (for example, Anthropic).
To solve this, complete the required Bedrock enablement steps and any model‑specific forms or Marketplace subscriptions in the AWS console.
If you see any of these errors, resolve the IAM or account setup in AWS first. Retrying the connector action alone will not succeed until permissions are corrected.
Common errors from Bedrock API calls
The following errors mean the request reached Bedrock, but the service or model could not complete it successfully.
-
ValidationExceptionorValidationError
The request body or parameters are invalid for the target model or API (for example, wrong model ID, unsupported parameters, input too large).
To solve this, verify the model ID / prompt ARN / flow ARN, ensure the request body matches the model’s expected schema, and reduce prompt size or max tokens if needed. -
ResourceNotFoundorResourceNotFoundException
The specified model, prompt version, or Flow alias ARN does not exist or is not available in that region.
To solve this, double‑check ARNs and region in the connector configuration against the values shown in the Bedrock console. -
ThrottlingExceptionorServiceQuotaExceededException
Your calls exceed Bedrock quotas (for example, TPS or token limits).
To solve this, reduce call frequency or request a quota increase in AWS. -
ServiceUnavailable,InternalFailure, orInternalServerException
Temporary or internal errors within Bedrock.
To solve this, if errors persist, check the AWS Service Health Dashboard or open an AWS Support case. -
ModelErrorException,ModelNotReadyException, orModelTimeoutException(prompt or managed prompt flows)
The model failed, is still warming up, or took too long to respond.
To solve this, wait and retry, simplify the prompt or reduce token usage, and confirm the model or provisioned throughput is fully active.
For all of these errors, Tealium displays the original AWS error message from Bedrock so you can match it against AWS documentation when you are troubleshooting.
This page was last updated: February 24, 2026