Using the VSCode Claude Code Extension with Bedrock and Claude Sonnet 4.5

Source: Dev.to

Lots of folks use the Claude IDE, or the Claude Code VSCode extension. Unfortunately, your prompts and completions are used (by default) to train Claude models. [0]

AWS Bedrock, on the other hand, doesn’t use your prompts and completions to train any AWS models or give them to third parties. [1]

For these reasons (privacy, data sovereignty) I’m more inclined to use Bedrock as an LLM in my IDE. Today we’ll go over how to set up the VSCode Claude Code extension with AWS Bedrock and use the Claude Sonnet 4.5 foundation model.

Overview

In order to use the Claude Code VSCode extension with Bedrock and the Claude Sonnet 4.5 model, we need to perform these tasks:

1. Setup AWS IAM permissions to allow Bedrock usage
2. Install and configure the Claude Code VSCode extension
3. Integrate AWS credentials and configure the extension
4. Test that our setup works

We’ll use Terraform to create the AWS IAM user and policies (you could also do this via the AWS console). After that we’ll wire everything together and verify it works as expected.

Unfortunate Missing Features and a Bug/Regression with the Claude Code Extension

AWS Bedrock enables generating short‑lived API tokens via its SDK. [2]

Claude Code supports two methods for automatic AWS credential refresh, but Bedrock API tokens are not one of them.

If it did support this feature it would be the best solution from a security perspective. Tokens would expire after 12 hours and the extension would automatically refresh them when needed.

Instead, Claude Code only supports:

[3]

This omission is a poor decision—or at least an oversight—by the Claude Code development team.

A more egregious issue is that the awsCredentialsExport refresh method is documented as functional but does not work. Whether this is a regression, a bug, or a never‑implemented feature, I couldn’t get it working after a couple of hours of troubleshooting (including attempts to converse with the Claude Code VSCode extension while using a working AWS profile; it couldn’t suggest a workaround).

Additionally, using the Claude Code settings file (~/.claude/settings.json) didn’t work, so I had to configure everything via the VSCode settings UI.

Because:

• Using AWS Identity Center for a personal account feels like overkill
• Refreshing Bedrock API tokens in Claude Code isn’t supported
• The awsCredentialsExport method is broken

I’ll settle for the lowest common denominator: using an AWS profile in the extension. This isn’t ideal because it relies on a long‑lived IAM user credential (access key + secret access key), but it’s the only workable option given the current state of the Claude Code VSCode extension.

Create IAM User and Bedrock Permissions

Create an IAM user and attach a policy that grants the required Bedrock permissions. Below is a Terraform example you can apply (or create the same resources manually in the AWS console).

resource "aws_iam_user" "bedrock_user" {
  name = "bedrock-user"
}

resource "aws_iam_access_key" "bedrock" {
  user = aws_iam_user.bedrock_user.name
}

data "aws_iam_policy_document" "bedrock" {
  statement {
    effect = "Allow"
    actions = [
      "bedrock:InvokeModel",
      "bedrock:ListFoundationModels",
      "bedrock:ListInferenceProfiles",
      "bedrock:InvokeModelWithResponseStream",
      # "bedrock:CallWithBearerToken" # required if using Bedrock API token (not used here)
    ]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    actions = [
      "aws-marketplace:ViewSubscriptions",
      "aws-marketplace:Subscribe"
    ]
    resources = ["*"]
    condition {
      test     = "StringEquals"
      variable = "aws:CalledViaLast"
      values   = ["bedrock.amazonaws.com"]
    }
  }
}

resource "aws_iam_user_policy" "bedrock" {
  name   = "bedrock"
  user   = aws_iam_user.bedrock_user.name
  policy = data.aws_iam_policy_document.bedrock.json
}

Setup AWS Profile

I usually manage credentials with aws-vault for short‑lived tokens, but because Claude Code can’t refresh Bedrock tokens we’ll fall back to the classic ~/.aws/credentials file with a long‑lived IAM user.

1. Create an access key for the IAM user you just made (via the AWS console → Security credentials → Create access key).
   

2. Copy the Access Key ID and Secret Access Key to a safe place (e.g., a password manager).

3. Add a profile to ~/.aws/credentials (or ~/.aws/config if you prefer). Replace the placeholders with your actual keys:

   [bedrock-profile]
   aws_access_key_id     = YOUR_ACCESS_KEY_ID
   aws_secret_access_key = YOUR_SECRET_ACCESS_KEY
   region                = us-east-1   # or the region you plan to use

4. (Optional) Verify the profile works:

   aws sts get-caller-identity --profile bedrock-profile

   You should see an ARN that matches the bedrock-user you created.

Install and Configure the Claude Code VSCode Extension

1. Install the extension

   • Open VSCode → Extensions (Ctrl+Shift+X) → search for Claude Code → click Install.

2. Open the VSCode Settings UI (File → Preferences → Settings or Ctrl+,).

3. Search for “Claude Code” to reveal the extension’s configuration options.

4. Set the required fields (replace values as appropriate):

   Setting	Value
   claude.apiProvider	bedrock
   claude.bedrockModelId	anthropic.claude-3-5-sonnet-20240620-v1:0 (or the exact model ID you want)
   claude.awsProfile	bedrock-profile
   claude.awsRegion	us-east-1 (or your chosen region)
   claude.awsAuthRefresh	(leave blank – we’re not using SSO)
   claude.awsCredentialsExport	(leave blank – not functional)

   Note: The extension also looks for a ~/.claude/settings.json file, but in my experience that file is ignored. All configuration must be done via VSCode’s settings UI or settings.json.

5. Save the settings and reload VSCode (Ctrl+Shift+P → Reload Window).

Test the Setup

Create a new file (e.g., test.py) and open the Claude Code sidebar (usually appears on the right). Try a simple prompt such as:

Write a Python function that returns the factorial of a given integer.

If everything is configured correctly, Claude should respond with the generated code. You can also verify that the request is hitting Bedrock by checking CloudWatch logs for InvokeModel calls (optional).

Recap & Security Considerations

Because Claude Code cannot refresh Bedrock API tokens automatically, you’re forced to rely on long‑lived IAM credentials. If you need tighter security:

• Rotate the access key regularly (e.g., every 30 days).
• Use AWS IAM permissions boundaries or service control policies to further restrict usage.
• Consider creating a dedicated IAM role with a trust relationship to the user and assume that role from the extension (requires custom scripting, not natively supported by Claude Code today).

TL;DR

1. Create an IAM user with Bedrock permissions (Terraform or console).
2. Generate an access key and add it to ~/.aws/credentials under a profile (e.g., bedrock-profile).
3. Install Claude Code in VSCode and configure it to use the bedrock provider, the desired model ID, and the profile you just created.
4. Reload VSCode and test a prompt – you should now be getting responses from Claude Sonnet 4.5 via AWS Bedrock.

Until Claude Code adds proper support for short‑lived Bedrock tokens or fixes the awsCredentialsExport refresh method, using a static AWS profile is the only viable path. Rotate the credentials regularly to mitigate the security trade‑off.

Configure AWS Credentials

Create (or edit) the ~/.aws/credentials file by running:

aws configure --profile YOUR_AWS_PROFILE_NAME

You will be prompted for the AWS Access Key and Secret Access Key. These values will be stored under the profile name you specified (choose wisely!).

Enable Bedrock Claude Sonnet 4.5 and Validate Access

1. After creating the IAM user and policy and setting up the profile, log in to the AWS console.
2. Choose the AWS region you normally use. Note: Bedrock foundation models are not available in every region.
   • Tested regions: us-west-2, us-east-1, us-east-2.
3. Anthropic requires first‑time customers to submit use‑case details before invoking a model (once per account or per organization’s management account). See the AWS Bedrock model‑access documentation.
4. In the AWS console, navigate to Bedrock → Chat/Text Playground, select Anthropic Claude Sonnet 4.5, and fill out the dialog to enable the foundation model.

Install and Configure VS Code

Install the Extension via CLI

code --install-extension anthropic.claude-code

Identify Your Inference Profile ARN

aws bedrock list-inference-profiles \
    --region us-west-2 \
    --profile YOUR_AWS_PROFILE_NAME \
    --no-cli-pager | jq '.inferenceProfileSummaries
        | .[]
        | select(.inferenceProfileId | match("us.anthropic.claude-sonnet-4-5-20250929-v1:0"))
        | .inferenceProfileArn'

NOTE: The command above assumes you are using a US region. Adjust the region/profile as needed.

Add Settings to settings.json

Edit your VS Code user settings file (usually ~/.config/Code/User/settings.json) and add the following configuration:

{
  "claudeCode.selectedModel": "us.anthropic.claude-sonnet-4-5-20250929-v1:0",
  "claudeCode.environmentVariables": [
    {
      "name": "AWS_PROFILE",
      "value": "YOUR_AWS_PROFILE_NAME"
    },
    {
      "name": "AWS_REGION",
      "value": "YOUR_AWS_REGION_FROM_ABOVE"
    },
    {
      "name": "BEDROCK_MODEL_ID",
      "value": "INFERENCE_PROFILE_ARN_FROM_ABOVE"
    },
    {
      "name": "CLAUDE_CODE_USE_BEDROCK",
      "value": "1"
    }
  ],
  "claudeCode.disableLoginPrompt": true
}

Did It Work?

1. Restart VS Code if it was already running.
2. Open the Claude window, type a question or request, and you should see a successful response similar to the screenshot below:

Conclusion

We got it working! The Claude Code VS Code extension still has some rough edges around AWS IAM credential handling, but it functions for now. I’ll revisit the extension when short‑lived credentials are fully supported and report back.

Resources

• Vasko Kelkocev, Configuring Claude Code Extension with AWS Bedrock (and How You Can Avoid My Mistakes) – Link
  Note: The blog (Oct 2025) was already outdated when I used it; I needed to add the bedrock:InvokeModelWithResponseStream permission and tweak a few configuration details. Thanks, Vasko!