Introducing Claude App Gateway for AWS

Machine Learning


Companies deploying Claude Code and Claude Desktop across development teams need central control over access, costs, and policies. At scale, this is difficult to manage. Each developer requires individual credentials, configurations must be distributed manually, and spending is difficult to track and set limits. Without a central point of control, governance is left to tools that each team can implement independently.

Today, we are announcing the Claude App Gateway for AWS. This is a self-hosted control plane that allows you to centrally control access, costs, and policies for Claude Code and Claude Desktop. This eliminates the need to provision separate cloud credentials for each developer, manually push settings to every laptop, or launch separate tools to track spending. You can deploy through Amazon Bedrock to keep your data within the security perimeter of AWS, or you can get the same gateway control with a native Claude platform experience through the Claude Platform on AWS.

Overview of Claude App Gateway for AWS

Overview of Claude App Gateway for AWS

This post shows you how to set up and run Claude App Gateway for AWS using Amazon Bedrock and Claude Platform on AWS.

How Claude app gateway works

The gateway is provided by Anthropic within the same Claude Code CLI binaries that developers are already using. This can be done in a single stateless container on your infrastructure, backed by a PostgreSQL database that stores short-term sign-in states and rate limit counters. Gateway and client are built together, so /login The flow is gateway aware. Clients automatically apply administrative settings when they sign in, and policies are applied consistently across all requests.

Onboarding and offboarding follow existing identity workflows. To grant access, add the developer to your identity provider (IdP). To undo this, delete them. The session will expire within the configured token lifetime (1 hour by default). There are no long-lived secrets on the developer’s machine.

Figure 1: AWS Claude Apps gateway architecture

Figure 1: AWS Claude Apps gateway architecture

The gateway handles five main roles:

  • Identity: The gateway connects to a standards-compliant OpenID Connect (OIDC) identity provider. When a developer signs in via browser single sign-on (SSO), the gateway issues a short-lived token that the CLI uses for all subsequent requests.
  • policy: Administrative settings are defined once on the server. The client receives the policy upon sign-in, and the gateway applies the policy on each request. Centrally adjust allowed models, tool permissions, and default settings for each IdP group.
  • telemetry: The client stamps usage metrics on every request, and the gateway relays them via OpenTelemetry Protocol (OTLP) to a collector you configure (such as Amazon CloudWatch or Amazon CloudWatch in your account or Amazon Managed Service for Prometheus) or a third-party platform. Control where telemetry is sent and how long it is retained.
  • routing: The gateway holds upstream credentials and routes inference requests on behalf of developers to Amazon Bedrock or Claude Platform on AWS. Optionally, failover between AWS Regions or multiple accounts is also possible.
  • Spending limit: Set daily, weekly, and monthly spending limits by organization, group, or user. Once a developer exceeds the limit, the gateway blocks further requests until the period is reset or an administrator increases the limit.

When you use Claude App Gateway with Amazon Bedrock, your inference requests route through Amazon Bedrock in the AWS Region you configure, maintaining the same data processing and privacy controls as other Amazon Bedrock workloads in your account. When Claude App Gateway is used with Claude Platform on AWS, requests are handled by Anthropic.

composition

The gateway reads a single YAML file at startup. A minimal production configuration would look like this:

Minimal gateway.yaml configuration for Amazon Bedrock deployments

Gateway.yaml — Complete configuration for Amazon Bedrock deployment

The file contains six sections and secrets are stored in environment variables. Bedrock upstream uses IAM roles for containers, so there are no static credentials to manage. To route through Claude Platform on AWS instead, replace the upstreams block.

upstreams:
  - provider: anthropicAws
    region: us-east-1
    workspace_id: wrkspc_...
    auth: {} # AWS default credential chain (IAM role)

The model ID is the Anthropic API (claude-sonnet-5, claude-opus-4-8). No Amazon Bedrock ARN or inference profile is required.

The gateway runs as a stateless container in a private network on Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Compute Cloud (Amazon EC2). Place it behind an internal Application Load Balancer using a Transport Layer Security (TLS) certificate from AWS Certificate Manager. Amazon Relational Database Service (Amazon RDS) for PostgreSQL stores short-term sign-in state. Developers access the gateway through a private network, and the gateway uses IAM task roles to call upstream providers on their behalf.

developer sign in

Once the gateway is deployed, the developer runs the following command: claude /login. The administrator pushes the managed configuration file to the developer machine through a device management tool that pre-populates the gateway URL, so the developer can see the gateway screen directly in the cloud app.

Claude Code's Claude Apps Gateway login screen

Claude Code’s Claude App Gateway Login Screen

Press Enter to open your browser using corporate SSO.

Corporate single sign-on authentication screen on browser

Browser SSO authentication with identity provider

You only need to sign in once to be connected. Sessions are refreshed silently in the background using OIDC refresh tokens, allowing developers to remain authenticated across reboots without having to log in to the browser again and again. If a user is removed from the IdP, their session will expire on their next renewal.

Working with Claude Code

After signing in, developers use the Claude code just like any other authentication method. They write code, run commands, and interact with Claude as usual. They won’t know the difference. All requests are authenticated through the gateway, routed through configured upstreams, and managed by centrally configured policies.

Claude code that responds to prompts is routed through Amazon Bedrock through the gateway.

Claude code that responds to prompts is routed through Amazon Bedrock through the gateway.

of /model The picker displays only models that are allowed by your policy. Policies can go beyond model access to control tool permissions, such as restricting file writes and web access. You can also enforce permission rules that developers can’t override locally, and push environment variables and hooks to standardize workflows across your team. Usage is attributed to each developer’s identity, and spending is tracked against that limit. If a user leaves your company, removing them from the IdP will revoke their access within the configured session lifetime.

conclusion

Claude App Gateway for AWS allows you to scale your Claude Code and Claude Desktop deployments across your organization while managing identities, policies, and costs from one place. Identity flows through your existing IdP, policies are enforced centrally, costs are allocated per user, and there are no long-lived secrets on the developer’s machine.

The gateway is self-hosted, so you can deploy it in any AWS Region and route inference to Amazon Bedrock or Claude Platform on AWS, including cross-region and cross-account setups. Choose Amazon Bedrock if you need your data to stay within the security perimeter of AWS, or choose Claude Platform on AWS to access Anthropic’s native platform experience with AWS authentication and billing.

First, download the Claude Code CLI and review the Claude App Gateway documentation. Please send feedback to AWS re:Post on Amazon Bedrock or to your regular AWS Support contact.


About the author

dani mitchell

dani mitchell

Dani is a Senior GenAI Specialist Solutions Architect at AWS and an SA Lead for the Amazon Bedrock Knowledge Bases. He helps companies around the world design and deploy generative AI solutions that use models and capabilities from Amazon Bedrock and Anthropic to build scalable, production-ready applications.

Harsheta Narayan

Harsheta Narayan

Harshetha is a Technical Product Marketing Manager for Amazon Bedrock AgentCore on AWS. She helps companies build, deploy, and manage AI agents at scale. Outside of work, I enjoy hiking and exploring new places.

Sofian Hamity

Sofian Hamity

Sofian is a technology leader with over 12 years of experience building AI solutions and leading high-performance teams to maximize customer outcomes. He is passionate about empowering diverse talent to increase their global impact and achieve their career aspirations.

Ayan Ray

Ayan Ray is a Principal Partner Solutions Architect and AI Tech Lead at AWS and serves as the Worldwide Tech Lead for Anthropic on AWS. He works at the intersection of cloud architecture and artificial intelligence, helping organizations adopt and scale Anthropic’s technology on AWS.



Source link