No support for Bedrock Inference Profiles

[cabcookie]

Environment information

System:
  OS: macOS 15.6.1
  CPU: (10) arm64 Apple M1 Pro
  Memory: 160.36 MB / 32.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 20.19.2 - ~/.nvm/versions/node/v20.19.2/bin/node
  Yarn: undefined - undefined
  npm: 10.8.2 - ~/.nvm/versions/node/v20.19.2/bin/npm
  pnpm: 10.12.1 - ~/.nvm/versions/node/v20.19.2/bin/pnpm
NPM Packages:
  @aws-amplify/ai-constructs: 1.5.3
  @aws-amplify/auth-construct: 1.8.1
  @aws-amplify/backend: 1.16.1
  @aws-amplify/backend-ai: 1.5.1
  @aws-amplify/backend-auth: 1.7.1
  @aws-amplify/backend-cli: 1.8.0
  @aws-amplify/backend-data: 1.6.1
  @aws-amplify/backend-deployer: 2.1.3
  @aws-amplify/backend-function: 1.14.1
  @aws-amplify/backend-output-schemas: 1.7.0
  @aws-amplify/backend-output-storage: 1.3.1
  @aws-amplify/backend-secret: 1.4.0
  @aws-amplify/backend-storage: 1.4.1
  @aws-amplify/cli-core: 2.2.1
  @aws-amplify/client-config: 1.8.0
  @aws-amplify/data-construct: 1.16.3
  @aws-amplify/data-schema: 1.21.1
  @aws-amplify/deployed-backend-client: 1.8.0
  @aws-amplify/form-generator: 1.2.4
  @aws-amplify/model-generator: 1.2.0
  @aws-amplify/platform-core: 1.10.0
  @aws-amplify/plugin-types: 1.11.0
  @aws-amplify/sandbox: 2.1.2
  @aws-amplify/schema-generator: 1.4.0
  @aws-cdk/toolkit-lib: 1.1.1
  aws-amplify: 6.15.6
  aws-cdk-lib: 2.215.0
  typescript: 5.9.2
No AWS environment variables
No CDK environment variables

Describe the bug

Currently Amplify Gen 2 can't use inference profiles due to a bug in creating IAM Policies.

Reproduction steps

Root Cause Analysis

Primary Issue Location:
File: @aws-amplify/graphql-generation-transformer/lib/grapqhl-generation-transformer.js
Line: 108

resources:
[arn:${cdk.Stack.of(dataSourceScope).partition}:bedrock:${region}::foundation-model/${bedrockModelId}],

Secondary Issue Location:
File: @aws-amplify/ai-constructs/lib/conversation/conversation_handler_construct.js
Line: 115

return arn:aws:bedrock:${(_a = model.region) !== null && _a !== void 0 ? _a : aws_cdk_lib_1.Stack.of(this).region}::foundation-model/${model.modelId};

The Problem

Both the Generation Transformer and AI Constructs are hardcoded to create ARNs with the foundation-model pattern, regardless of whether the model is:

1. A standard foundation model
2. A custom inference profile
3. A cross-region inference profile

Expected vs Actual Behavior

Configuration:

const aiSchema = {
  categorizeProject: a
    .generation({
      aiModel: {
        resourcePath: "us.anthropic.claude-sonnet-4-20250514-v1:0",
      },
      systemPrompt: projectCategorizationPrompt,
    })
    .arguments({
      projectId: a.string(),
      projectName: a.string(),
      notes: a.string(),
    })
    .returns(a.string().array())
    .authorization((allow) => [allow.authenticated()]),
};

Expected ARN:
arn:aws:bedrock:us-east-1::inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0

Actual Generated ARN:
arn:aws:bedrock:us-east-1::foundation-model/us.anthropic.claude-sonnet-4-20250514-v1:0

Code Analysis

The issue is in the createBedrockDataSourceRole method where:

1. The bedrockModelId parameter comes directly from the aiModel.resourcePath
2. It's blindly inserted into a hardcoded foundation-model ARN template
3. There's no logic to detect if the model ID represents an inference profile vs foundation model

Missing Functionality

AWS Amplify Gen2 lacks:

1. ARN type detection - No logic to distinguish between foundation models and inference profiles
2. Flexible ARN construction - Hardcoded ARN patterns instead of dynamic construction

Suggested Fix

The libraries should implement logic like:

function createBedrockModelArn(modelId, region, partition, accountId) {
// Detect if it's an inference profile (contains dots in specific pattern)
if (modelId.match(/^[a-z]+\./)) {
  return `arn:${partition}:bedrock:${region}:${accountId}:inference-profile/${modelId}`;
}
// Default to foundation model
return `arn:${partition}:bedrock:${region}::foundation-model/${modelId}`;
}

Affected Packages

• @aws-amplify/graphql-generation-transformer
• @aws-amplify/ai-constructs
• Potentially other AI-related Amplify packages

This is a systematic issue across multiple Amplify AI packages that prevents proper use of Bedrock inference profiles.

[pahud]

Hi @cabcookie,

Thank you for the report.

I can confirm the root cause you identified in the ConversationHandlerFunction where the code assumes all models are foundation models:

arn:aws:bedrock:${model.region ?? Stack.of(this).region}::foundation-model/${model.modelId}

This prevents proper IAM policy generation for inference profiles which require the inference-profile/ ARN format instead of foundation-model/.

Impact: This blocks customers from using Bedrock inference profiles with Amplify Gen 2, limiting access to cross-region inference capabilities and custom inference configurations.

Workaround: Currently, there's no direct workaround within Amplify Gen 2 for this issue.

Next Steps: This requires implementing dynamic ARN construction logic that can detect model types and generate appropriate ARNs. The fix would need to:

1. Add pattern detection for inference profile model IDs
2. Implement flexible ARN construction
3. Maintain backward compatibility with existing foundation model configurations

Making this a feature request.

[cabcookie]

Actually, there is a workaround. What I do right now is this:

In ./amplify/backend.ts:

import { defineBackend } from "@aws-amplify/backend";
import { InferenceProfileIAM } from "./custom/inference-profile-iam/resource";

const backend = defineBackend({...});
const dataNestedStacks = backend.data.resources.nestedStacks;

// Listing the stacks where I am using Claude Inference Profiles
const stacks = [
  "GenerationBedrockDataSourceCategorizeProjectStack",
  "GenerationBedrockDataSourceGenerateWeeklyNarrativeStack",
  "GenerationBedrockDataSourceUpdateNarrativeStack",
  "GenerationBedrockDataSourceRewriteProjectNotesStack",
];
stacks.forEach((stackName) => {
  try {
    const stack = dataNestedStacks[stackName];
    const resourceId = stackName
      .replace(/Stack$/, "Iam")
      .replace(/GenerationBedrockDataSource/, "");
    new InferenceProfileIAM(stack, resourceId);
  } catch (error) {
    console.error(`Could not find ${stackName} stack`, error);
  }
});

In ./amplify/custom/inference-profile-iam/resource.ts:

import { NestedStack } from "aws-cdk-lib";
import { Role, PolicyStatement } from "aws-cdk-lib/aws-iam";
import { Construct } from "constructs";

export class InferenceProfileIAM extends Construct {
  constructor(scope: NestedStack, id: string) {
    super(scope, id);

    // Find all IAM roles in the scope
    const targetRole = this.getBedrockGenerationIamRole(scope);

    if (targetRole) {
      // Add the inference profile resource to the role's inline policy
      targetRole.addToPolicy(
        new PolicyStatement({
          actions: ["bedrock:InvokeModel"],
          resources: [
            `arn:aws:bedrock:${scope.region}:${scope.account}:inference-profile/us.anthropic.claude-sonnet-4-20250514-v1:0`,
            "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0",
            "arn:aws:bedrock:us-east-2::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0",
            "arn:aws:bedrock:us-west-2::foundation-model/anthropic.claude-sonnet-4-20250514-v1:0",
          ],
        })
      );
    }
  }

  private getBedrockGenerationIamRole(scope: Construct): Role | undefined {
    const traverse = (construct: Construct): Role | undefined => {
      if (construct instanceof Role && construct.node.id !== "ServiceRole") {
        console.log("Found role:", construct.node.id);
        return construct;
      }
      for (const child of construct.node.children) {
        const result = traverse(child);
        if (result) return result;
      }
      return undefined;
    };
    return traverse(scope);
  }
}