More CI/CD pipelines are calling Claude these days: running a prompt-regression suite before deploy, generating release notes, or checking that a new system prompt still passes golden test cases. The tempting shortcut is pasting an API key into pipeline secrets. On Claude Platform on AWS you can do strictly better, because authentication is AWS SigV4 — which means the pipeline can authenticate the same way it already authenticates to S3 or ECR: by assuming an IAM role through OIDC federation, with no stored secret at all.
How the credential flow works
OIDC (OpenID Connect) federation lets an external system prove its identity to AWS with a signed, short-lived token instead of a stored key. In GitHub Actions, the workflow requests an OIDC token from GitHub, exchanges it with AWS STS for temporary credentials tied to a role you define, and those credentials expire when the job ends. AWS CodeBuild is simpler still — the build runs under a service role natively. Either way, the Anthropic SDK needs no special handling: the AnthropicAWS client resolves credentials through the standard AWS provider chain, which explicitly supports web identity federation (the AWS_WEB_IDENTITY_TOKEN_FILE plus AWS_ROLE_ARN pattern used by GitHub Actions and Kubernetes IRSA). Temporary credentials also require the x-amz-security-token header on each request — the SDK adds it automatically.
# In the pipeline step, after the OIDC role assumption action has run:
# env: AWS_REGION=us-west-2, ANTHROPIC_AWS_WORKSPACE_ID=wrkspc_01AbCdEf23GhIj
from anthropic import AnthropicAWS
client = AnthropicAWS() # picks up the job's temporary AWS credentials
resp = client.messages.create(
model="claude-haiku-4-5", max_tokens=512,
messages=[{"role": "user", "content": eval_case_prompt}])
print(resp.usage.input_tokens, resp.usage.output_tokens)
Scope the role like you mean it
The pipeline role should be able to run inference against one workspace and nothing else. Anthropic documents a minimal single-workspace inference policy for exactly this shape: allow CreateInference, CountTokens, GetModel, ListModels, and GetWorkspace on the workspace ARN (arn:aws:aws-external-anthropic:{region}:{account}:workspace/wrkspc_...). Prefer that over the managed AnthropicInferenceAccess policy for CI: the managed policy's Get*/List* wildcards apply to Resource: "*" and grant read access to all workspace content — file bytes, batch results, even session conversation history — far more than a test runner needs. Give CI its own dedicated workspace, too, so evaluation traffic never shares quota, cost reporting, or prompt caches with production.
aws iam enable-outbound-web-identity-federation) before any Claude Platform on AWS request succeeds. If pipeline calls fail with "Outbound web identity federation is disabled for your account," that step was skipped — it is the most common setup error.Auditability per run
Because every pipeline invocation is an assumed-role session, your audit story is per-run, not per-team-shared-key. Role assumptions land in CloudTrail as management events by default. The inference calls themselves are CloudTrail data events — logged only if you explicitly enable (paid) data event logging for the service, which is worth doing for a compliance-sensitive pipeline. Every response also carries two request IDs: x-amzn-requestid (indexed in CloudTrail, quote it to AWS support) and request-id (quote it to Anthropic support). Emit both, plus the token counts from usage, into your job logs so any surprising result or cost spike traces back to a specific commit and run.
When a bearer token is unavoidable
Some pipeline tooling only speaks "API key in a header." Rather than minting a long-lived key in the AWS Console, generate a short-term API key from the job's AWS credentials using Anthropic's token-generator libraries (Python, JavaScript, Java). The token lifetime is capped at the lesser of the requested duration, the underlying credentials' expiry, and 12 hours — a natural fit for a CI job. The token-using principal needs the aws-external-anthropic:CallWithBearerToken IAM action; and if the process can generate the token itself, it already has SigV4 credentials, so plain SigV4 is usually the simpler choice.
Where to go next
See short-term credentials for the token-generator pattern in detail, IAM policy templates for copy-ready policies, and Terraform for Claude Platform on AWS to manage the role itself as code.