SDKs & Developer Experience

SDK Setup for Claude Platform on AWS

Claude Platform on AWS speaks the first-party Claude API surface but authenticates with AWS credentials. The SDK client hides most of that plumbing — if you give it the two values it cannot guess.

Claude 3P 101 · Updated July 2026 · Unofficial guide

Claude Platform on AWS is the Anthropic-operated deployment surface that lives behind an AWS front door: Anthropic runs the models, while AWS provides the authentication layer (SigV4 request signing or API keys), IAM-based access control, and billing through AWS Marketplace. Unlike Amazon Bedrock, it exposes the Claude API endpoints directly (/v1/messages and friends), so application code written against the first-party API mostly carries over. What changes is the client class and the configuration it needs.

Install and construct the client

In Python, install the AWS extra and swap Anthropic() for AnthropicAWS(). The platform-specific SDK clients are currently in beta, but they behave like the standard client once constructed — same client.messages.create(...) calls, same bare model IDs (claude-opus-4-8, not Bedrock-style anthropic.-prefixed IDs).

# pip install -U "anthropic[aws]"
import anthropic

# Reads AWS_REGION and ANTHROPIC_AWS_WORKSPACE_ID from the environment
client = anthropic.AnthropicAWS()

message = client.messages.create(
    model="claude-opus-4-8",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Hello from AWS"}],
)
print(message.content)

Equivalent clients exist in other languages — for example @anthropic-ai/aws-sdk for TypeScript and Anthropic.Aws for C# — each handling SigV4 signing, region-based base URL construction, and the workspace header for you.

The two required values

Two settings are mandatory and have no default fallback:

ValueEnvironment variableConstructor argument
AWS regionAWS_REGION (falls back to AWS_DEFAULT_REGION)aws_region
Workspace IDANTHROPIC_AWS_WORKSPACE_IDworkspace_id

Unlike the Bedrock client, which quietly falls back to us-east-1, AnthropicAWS raises an error at construction time if either value is missing — before any request is sent. That fail-fast behavior is deliberate: workspaces are bound to a single AWS region, so a workspace created in us-west-2 can only be reached through the us-west-2 endpoint. Workspace IDs use the tagged wrkspc_ format (for example wrkspc_01AbCdEf23GhIj) and can be found in the AWS Console under Claude Platform on AWS → Workspaces, or in the Claude Console.

Under the hood, the client builds the regional base URL (the pattern is https://aws-external-anthropic.{region}.api.aws/v1/...), signs each request with SigV4 using service name aws-external-anthropic, and attaches the anthropic-workspace-id header. If you ever hand-roll requests, note that a region mismatch between the signature and the endpoint URL produces a generic signature-rejection error rather than a helpful diagnostic — one more reason to let the SDK do the signing.

Where credentials come from

For SigV4 auth, the client uses the standard AWS default credential provider chain: environment variables (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN), shared credentials and config files including SSO, web identity tokens (for Kubernetes IRSA and GitHub Actions), ECS container credentials, and EC2 instance metadata. Temporary credentials from roles or STS also need the x-amz-security-token header — the SDK handles that automatically too.

Client credential precedence, first match wins: an apiKey constructor argument (sent as an x-api-key header), explicit access-key constructor arguments, an awsProfile constructor argument, the ANTHROPIC_AWS_API_KEY environment variable, and finally the default AWS provider chain. Note that API keys for this platform are generated in the AWS Console, not the Claude Console — first-party sk-ant-api... keys do not work here, and OAuth is not supported on this platform at all.

The most common setup error: every request fails with "Outbound web identity federation is disabled for your account." There is a one-time per-account prerequisite — run aws iam enable-outbound-web-identity-federation — because the gateway mints a JWT server-side to forward to Anthropic. Verify state with aws iam get-outbound-web-identity-federation-info.

Debugging the first call

A construction-time error means region or workspace ID could not be resolved. A 403 means the request actually reached the server: check for a wrong workspace ID, or a missing IAM action on the calling principal — inference needs aws-external-anthropic:CreateInference, and API-key callers additionally need CallWithBearerToken. Every response carries two request IDs: x-amzn-requestid for AWS support and request-id for Anthropic support; keep both when filing tickets.

Where to go next

For the platform itself — billing, feature parity, PrivateLink — see the Claude Platform on AWS deep dive. For the environment variables involved, the full env var list covers precedence, and the quickstart covers the other platforms.

Sources