Reactive Machines

Introducing the Claude Apps gateway for AWS

Businesses using Claude Code and Claude Desktop across development teams need centralized control over access, costs, and policy. At scale, this is difficult to manage: each developer needs individual information, settings must be deployed manually, and spending is difficult to track or access. Without a central locus of control, governance is left to whatever tool each group can use independently.

Today, we're announcing the Claude applications gateway for AWS, a management plane that gives organizations a single place to control access, cost, and policy for Claude Code and Claude Desktop. It replaces the need to provide separate cloud information for each developer, push settings for every laptop manually, or set up different tools to track usage. You can use it with Amazon Bedrock to store data within the AWS security perimeter, or with the Claude Platform on AWS to get the same gateway controls through the Claude platform experience.

A high-level overview of Claude's applications portal for AWS

In this post, we show how to set up and use the Claude applications gateway for AWS with Amazon Bedrock and the Claude Platform on AWS.

How does the Claude apps portal work

Gateway is delivered by Anthropic within the same Claude Code CLI binary that your developers already use. You can run it in a single container in your infrastructure, backed by a PostgreSQL database that stores temporary login status and rate limit calculations. Because the gateway and the client are built together, the /login the flow is known through the gate. The client uses the managed settings automatically when they sign in, and the policy is applied consistently across the application.

Boarding and skipping follows your existing workflow. To grant access, add a developer to your identity provider (IdP). To revoke them, delete them, and their session expires within the specified token lifetime (one hour by default). There are no long-lasting secrets that reside in developer's devices.

Figure 1: Claude apps gateway architecture for AWS

Figure 1: Claude apps gateway architecture for AWS

The gateway handles five key responsibilities:

  • Ownership: The gateway connects to any OpenID Connect (OIDC) standards-compliant identity provider. After a developer logs in via browser single sign-on (SSO), the gateway issues a temporary token that is used by the CLI on all subsequent requests.
  • Policy: Defines managed settings once on the server. Clients receive the policy at login, and the gateway applies it to every request. You can configure allowed models, device permissions, and default settings centrally, across IdP groups.
  • Telemetry: The client stamps the usage metric for every request, and the gateway transmits it via OpenTelemetry Protocol (OTLP) to the aggregator you configure, such as Amazon CloudWatch or Amazon Managed Service for Prometheus in your account, or a third-party platform. You control where the telemetry goes and how long it is stored.
  • Route: The gateway manages your upstream data and routing requests to Amazon Bedrock or Claude Platform on AWS on behalf of developers, with optional failover between AWS regions or across multiple accounts.
  • Use caps: Set daily, weekly, and monthly cash limits per organization, group, or user. If a developer exceeds their cap, the gateway blocks further requests until the time is reset or the administrator raises the limit.

When Claude's applications gateway is used with Amazon Bedrock, virtual requests go through Amazon Bedrock in the AWS Regions you configure, maintaining the same data management and privacy controls as any other Amazon Bedrock load in your account. When the Claude applications gateway is used with the Claude Platform on AWS, requests are processed by Anthropic.

Configuration

The gateway reads a single YAML file initially. Here's what a minimal production configuration looks like:

Small gateway.yaml configuration for Amazon Bedrock deployment

gateway.yaml — full configuration for Amazon Bedrock deployment

The file contains six sections and the secrets reside in environment variables. Upgrading Bedrock uses the IAM role for the container, so there are no static credentials to manage. To go through the Claude Platform on AWS instead, replace the ascending block:

upstreams:
  - provider: anthropicAws
    region: us-east-1
    workspace_id: wrkspc_...
    auth: {} # AWS default credential chain (IAM role)

Model IDs are the same as the Anthropic API (claude-sonnet-5, claude-opus-4-8). No Amazon Bedrock ARNs or descriptive profiles are required.

The gateway acts as a stateless container on your private network in Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Compute Cloud (Amazon EC2). You place it behind an internal Application Load Balancer with a Transport Layer Security (TLS) certificate from the AWS Certificate Manager. Amazon Relational Database Service (Amazon RDS) for PostgreSQL maintains a temporary login state. Developers access the gateway through your private network, and the gateway uses the IAM role to call the upstream provider on its behalf.

Developer login

Once the gate is deployed, developers are active claude /login. Administrators push a managed settings file to developer devices with their device management tool that pre-populates the gateway URL, so developers can see the gateway screen for Claude applications directly.

The login screen for the Claude Apps portal to Claude Code

The login screen for the Claude Apps portal to Claude Code

They press Enter, and the browser opens with your corporate SSO.

Business login authentication screen in the browser

SSO browser authentication with your identity provider

One login, and they are connected. The session is silently refreshed in the background using OIDC refresh tokens, so developers remain authenticated across restarts without repeated browser logins. If a user is removed from the IdP, their session expires at the next renewal.

Working with Claude Code

After signing in, developers use the Claude Code as they would with any other authentication method. They write code, run commands, and generally interact with Claude. The difference is invisible to them: every request is authenticated through a gateway, routed through your default escalation path, and governed by the policies you set centrally.

Claude's code responds to the prompt, relayed to Amazon Bedrock through the gateway

Claude's code responds to the prompt, relayed to Amazon Bedrock through the gateway

I /model The feature only shows the models allowed by your policy. Beyond model access, policies can control device permissions, such as restricting file writes or web access. They can also implement permission rules that developers can override locally, and push local variables or hooks to standardize workflows across teams. Usage is attributed to each developer's ownership, and revenue is tracked against their cap. If they leave the company, removing them from the IdP revokes access for the entire set lifetime.

The conclusion

With the Claude applications gateway for AWS, you can expand the adoption of Claude Desktop and across your organization while managing identity, policy, and costs in one place. Identity flows through your existing IdP, policy is enforced in one place, and costs are limited per user, with no long-term secrets on developer machines.

Because the gateway is self-contained, you can deploy it in any AWS Region and route it to Amazon Bedrock or Claude Platform on AWS, including cross-Region and cross-account setup. Choose Amazon Bedrock where data must stay within the AWS security perimeter, or Claude Platform on AWS to access the native Anthropic platform experience with AWS authentication and billing.

To get started, download the Claude Code CLI and review the Claude applications gateway documentation. Submit a response to AWS and: Submit to Amazon Bedrock or through the usual AWS support contacts.


About the writers

Dani Mitchell

Dani Mitchell

Dani is a Sr GenAI Specialist Solutions Architect at AWS and SA lead for Amazon Bedrock Knowledge Bases. He helps businesses around the world design and implement productive AI solutions using Amazon Bedrock and Anthropic's models to build scalable, production-ready applications.

Harshetha Narayan

Harshetha Narayan

Harshetha is the Technical Product Marketing Manager for Amazon Bedrock AgentCore at AWS. He helps companies build, deploy, and manage their AI agents at scale. Outside of work, he enjoys hiking and exploring new places.

Sofian Hamiti

Sofian Hamiti

Sofian is a technology leader with more than 12 years of experience building AI solutions, and leads high-performance teams to maximize customer results. He is passionate about empowering diverse talents to drive global impact and realize their career aspirations.

Ayan Ray

Ayan Ray is a Principal Partner Solutions Architect and AI Tech Lead at AWS, serving as the Global Technical Lead for Anthropic at AWS. He works at the intersection of cloud architecture and Artificial Intelligence, helping organizations adopt and scale Anthropic technologies on AWS.

Source link

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button