By default, Freeplay routes requests to LLM providers using API keys or credentials managed by Freeplay. For customers with compliance, security, or access requirements, Freeplay also supports IAM-based authentication flows that let you use your own cloud provider roles and service accounts. This page covers IAM authentication setup for Amazon Bedrock (via AWS assume role) and Google Vertex AI (via GCP service account impersonation). BYOC customers skip to the BYOC section below.

Amazon Bedrock

**Note:** BYOC customers, see next section. When no custom credentials are configured, Freeplay uses its own AWS credentials to call Bedrock models in the Freeplay VPC.

Using your own AWS role

If you need Freeplay to call models in your own AWS account — for compliance reasons, to access private models, or to maintain full control over credentials — you can configure AWS assume role authentication. With assume role auth, Freeplay temporarily assumes an IAM role in your AWS account using a short-lived token. You retain full control and can revoke access at any time.

How it works

  1. Freeplay authenticates with an internal AWS role
  2. That role assumes your AWS role, validated by a shared External ID
  3. Using the resulting short-lived token, Freeplay calls Bedrock models in your account
The External ID is a shared string you configure both in your AWS trust policy and on the Freeplay Settings > Models page. It prevents unauthorized parties from assuming your role.

Customer setup

Freeplay strongly recommends creating a dedicated, isolated IAM role specifically for Freeplay to access Bedrock.
Step 1: Create an IAM role for Freeplay
Create a new IAM role in your AWS account with a trust policy that allows Freeplay’s role to assume your role, validated by an External ID. Contact your Freeplay account team to obtain the Freeplay role ARN to use as the Principal in your trust policy. You will also need to generate a unique External ID string — this same string must be configured both in your trust policy and on the Freeplay Settings > Models page.
Step 2: Attach a permissions policy
Attach the following permissions policy to the role to grant Freeplay access to invoke Bedrock models:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowBedrockInvoke",
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": "*"
    }
  ]
}
You can scope the Resource field to specific model ARNs if you want to restrict which Bedrock models Freeplay can invoke.
Step 3: Configure in Freeplay
  1. Navigate to Settings > Models in Freeplay
  2. Under Amazon Bedrock, enter:
    • Your IAM role ARN (e.g., arn:aws:iam::<your-account-id>:role/<your-role-name>)
    • The External ID you set in the trust policy
  3. Mark this authentication method as default for the provider
  4. Save your configuration
Freeplay will now use assume role authentication for all Bedrock requests.
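
A trust policy of the shape Step 1 describes, with a check that it trusts only the expected principal and enforces the External ID. This is an added example, not Freeplay's own code; the account ID, role name, External ID value and the `check_trust_policy` helper are assumptions, and the real Freeplay role ARN comes from your account team.

```python
import json

# Constructed sample: the account ID, role name and External ID are placeholders.
SAMPLE_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/FREEPLAY-ROLE-PLACEHOLDER"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_principal, expected_external_id):
    """Return findings; an empty list means the policy matches the setup above."""
    allows = [s for s in _as_list(policy.get("Statement"))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action"))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(allows):
        # Only the one expected role may be trusted: no wildcard, no extra principals.
        principal = stmt.get("Principal")
        only_aws = isinstance(principal, dict) and set(principal) == {"AWS"}
        if not only_aws or _as_list(principal["AWS"]) != [expected_principal]:
            findings.append(f"statement {i}: Principal {principal!r} is not exactly {expected_principal}")
        # The External ID must be enforced and equal to the value entered in Freeplay.
        # Simplification: expects the exact key spelling "StringEquals"/"sts:ExternalId".
        ext = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if not ext:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
        elif ext != [expected_external_id]:
            findings.append(f"statement {i}: External ID differs from the one set in Freeplay")
    return findings


if __name__ == "__main__":
    for finding in check_trust_policy(SAMPLE_TRUST_POLICY,
            "arn:aws:iam::111122223333:role/FREEPLAY-ROLE-PLACEHOLDER", "EXAMPLE-EXTERNAL-ID"):
        print(finding)
```

Run it against the policy document exported from your role before entering the role ARN in Freeplay; an empty result means the trust relationship is limited to the one principal and gated on the External ID.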

BYOC (Bring Your Own Cloud) setup

For customers running Freeplay in their own VPC via BYOC deployment, the authentication flow is simplified:
  1. Freeplay uses an implicit role from AWS IRSA (IAM Roles for Service Accounts) attached to the pod — no Freeplay-managed user or role is involved
  2. The IRSA role assumes your configured AWS role to retrieve a short-lived token
Customer setup follows the same steps as above (create a role, attach the permissions policy, configure in Freeplay), with the following differences:
  • The Principal in your trust policy should reference the IRSA role ARN provided during your BYOC onboarding, rather than the standard Freeplay role ARN
  • The External ID condition is optional but recommended for BYOC deployments

Google Vertex AI

Default behavior

When no custom credentials are configured, Freeplay uses its own GCP service account to call Vertex AI models.

Using your own GCP project

To route Vertex AI requests through your own GCP project, you need to grant Freeplay’s service account permission to create access tokens in your project.

Customer setup

Step 1: Grant the Service Account Token Creator role
  1. In the GCP project where your Vertex AI models are hosted, go to IAM & Admin > IAM
  2. Click Grant Access at the top of the page
  3. Set the following:
    • Principal: Contact your Freeplay account team for the service account email to use
    • Role: Service Account Token Creator
  4. Click Save
Role changes can take 30 seconds to 2 minutes to propagate in GCP. If you see permission errors immediately after saving, wait a moment and try again.
Step 2: Configure in Freeplay
  1. Navigate to Settings > Models in Freeplay
  2. Configure your Vertex AI provider settings with your GCP project details
  3. Mark this authentication method as default for the provider
  4. Save your configuration
Freeplay will now use service account impersonation to call Vertex AI models in your project.