# Configure third-party speech providers in Amazon Connect
Configure third-party speech providers

You can configure third-party speech-to-text (STT) and text-to-speech (TTS) providers in Amazon Connect to expand language coverage, improve recognition accuracy, and deliver more expressive synthesized speech. This section describes how to configure third-party STT providers for bots and third-party TTS providers for use in contact flows.

**Topics**
+ [

# Configure third-party speech-to-text (STT) providers
](configure-third-party-stt.md)
+ [

# Configure third-party text-to-speech (TTS) providers
](configure-third-party-tts.md)
+ [

# Endpoints and Regions for third-party STT providers
](endpoints-regions-third-party-stt.md)
+ [

# Managing secrets and resource policies
](managing-secrets-resource-policies.md)

# Configure third-party speech-to-text (STT) providers
Configure third-party STT providers

Use the following instructions to configure a third-party speech-to-text (STT) provider.

## Prerequisites

+ A bot with an existing locale.
+ A third-party STT provider API key stored in AWS Secrets Manager. For more information about storing API keys as secrets in Secrets Manager, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html).
+ An Secrets Manager resource policy allowing Amazon Connect to retrieve the secret. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).
+ AWS KMS key permissions allowing decryption. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).
+ A provider model ID and Secrets Manager ARN.

## Step 1: Open the speech model configuration panel


1. Sign in to the Amazon Connect admin website.

1. Choose **Bots**, then choose the bot.

1. Choose the locale.

1. In the **Speech model** section, choose **Edit** to open the configuration modal.  
![\[The configuration page for your conversational AI bot.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/01-airlinesbot.png)

## Step 2: Choose the model type


In the **Model type** dropdown, choose **Speech-to-Text (STT)**. This ensures the locale is configured for transcription rather than speech-to-speech.

![\[The speech model dialog box.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/02-speech-model.png)


## Step 3: Review the default speech model settings


By default, Amazon is selected as the speech-to-text provider. Review the current settings before switching to a third-party provider.

![\[The speech model dialog box with Amazon selected as the voice provider.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/03-speech-model-amazon.png)


## Step 4: Choose a third-party STT provider


Open the **Voice provider** dropdown and choose a supported third-party speech-to-text provider.

![\[The speech model dialog box with Deepgram selected as the voice provider.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/04-speech-model-deepgram.png)


## Step 5: Enter the model ID and Secrets Manager ARN


1. In **Model ID**, enter the provider's model name.
   + Some providers require a minimum or maximum length.
   + Model IDs are case-sensitive and must match provider documentation.

1. In **Secrets Manager ARN**, enter the ARN of the secret that contains the provider API key.
   + The secret must be in the same Region as your Amazon Connect instance.
   + Secrets Manager and KMS key policies must permit Amazon Connect to access and decrypt the key. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).

1. Choose **Continue** to save your changes.

## Build and activate the locale


If the locale shows **Unbuilt changes**, choose **Build language**. The new STT settings become active after a successful build.

## Runtime behavior (STT)

+ Amazon Connect routes audio to the chosen third-party speech-to-text provider.
+ No changes to flows or Lambda functions are required.
+ Errors such as invalid credentials or invalid model IDs appear in logs.
+ Metrics and analytics continue to function normally.

## Troubleshooting (STT)

+ **Invalid model ID**: Confirm the value with provider documentation.
+ **Access denied**: Verify Secrets Manager and KMS permissions.
+ **Locale build fails**: Ensure required fields are valid.
+ **High latency**: Validate the provider region configuration.

# Configure third-party text-to-speech (TTS) providers
Configure third-party TTS providers

Use the following instructions to configure a third-party text-to-speech (TTS) provider.

## Prerequisites

+ A contact flow exists (or you have permission to create one).
+ A third-party TTS provider API key stored in AWS Secrets Manager. For more information about storing API keys as secrets in Secrets Manager, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html).
+ An Secrets Manager resource policy allowing Amazon Connect to retrieve the key. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).
+ AWS KMS key permissions allowing decryption. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).
+ Provider-specific model and voice values.

## Step 1: Open the contact flow


1. Sign in to the Amazon Connect admin website.

1. Choose **Flows**.

1. Choose an existing flow or create a new one.

## Step 2: Add or choose a Set voice block


1. In the Flow designer, search for **Set voice**.

1. Drag the block onto the canvas or choose an existing one.

1. Choose the block to open its configuration panel.

## Step 3: Choose a third-party TTS provider


In the **Voice provider** dropdown, choose the third-party text-to-speech provider you want to use.

![\[The 'Set voice' configuration pane showing a drop-down list of voice providers.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/08-set-voice-amazon.png)


## Step 4: Specify model, voice, Secrets Manager ARN, and language


1. Under **Model**, choose **Set manually** and enter the provider model.

1. Under **Voice**, choose **Set manually** and enter the provider voice.

1. Under **Secrets Manager ARN**, choose **Set manually** and enter the ARN of the provider secret.
   + The secret must be in the same AWS Region.
   + AWS Secrets Manager and KMS policies must permit retrieval and decryption. For more information, see [Managing secrets and resource policies](managing-secrets-resource-policies.md).

1. Under **Language**, choose **Set manually** and choose a language that is supported by the provider voice.  
![\[The 'Voice provider' configuration pane showing the ElevenLabs third-party voice provider.\]](http://docs.aws.amazon.com/connect/latest/adminguide/images/Lex/09-voice-provider-elevenlabs.png)

## Step 5: Save and publish the flow


1. Choose **Save** in the Flow designer.

1. Choose **Publish** to activate the updated flow settings.

## Runtime behavior (TTS)

+ Amazon Connect sends text to the TTS provider for synthesis.
+ Returned audio is played to the customer.
+ Execution logs include provider errors such as invalid credentials or model values.

## Troubleshooting (TTS)

+ **No audio output**: Validate model and voice values.
+ **Authentication errors**: Verify Secrets Manager and KMS permissions.
+ **Dynamic attributes**: Ensure runtime values resolve to valid provider parameters.
+ **High latency**: Validate provider region alignment.

# Endpoints and Regions for third-party STT providers


By default, Amazon Connect communicates with the following endpoints:

**Deepgram**: [https://api.deepgram.com](https://api.deepgram.com)

**ElevenLabs**: [https://api.elevenlabs.io](https://api.elevenlabs.io)

You can specify a different provider Region alongside your API key as part of the JSON object:

```
{
  "apiToken": "XXXXX",
  "apiTokenRegion": "xx"
}
```

The following regions are supported:


| **Provider** | **apiTokenRegion** | **Endpoint** | 
| --- | --- | --- | 
| Deepgram | eu | [https://api.eu.deepgram.com](https://api.eu.deepgram.com) (only supported for speech-to-text) | 
| Deepgram | \$1SHORT\$1UID\$1.\$1REGION\$1SUBDOMAIN\$1 | https://\$1SHORT\$1UID\$1.\$1REGION\$1SUBDOMAIN\$1.api.deepgram.com (Deepgram Dedicated endpoints) | 
| ElevenLabs | us | [https://api.us.elevenlabs.io](https://api.us.elevenlabs.io) | 
| ElevenLabs | eu | [https://api.eu.residency.elevenlabs.io](https://api.eu.residency.elevenlabs.io) | 
| ElevenLabs | in | [https://api.in.residency.elevenlabs.io](https://api.in.residency.elevenlabs.io) | 

# Managing secrets and resource policies


When you [configure a third-party speech provider](configure-third-party-speech-providers.md), you will need to create a secret in Secrets Manager that contains the speech provider's API key. Creating the secret is a two step process:
+ Create the secret containing the API key. For instructions, see [Create an AWS Secrets Manager secret](https://docs.aws.amazon.com/secretsmanager/latest/userguide/create_secret.html).
+ Configure the necessary permissions:
  + Attach a resource-based policy to the secret.
  + Attach a resource-based policy to the KMS key (not the API key) associated with the secret. The KMS key protects the API key in the secret.

  These policies allow Amazon Connect to access to the API key within the secret. Note that you cannot use the default `aws/secretsmanager` KMS key; you will have to create a new key or use an existing customer-managed key. For more information about how KMS keys secure secrets, see [Secret encryption and decryption in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html).

Make sure that the resource-based policy for the secret includes the `aws:SourceAccount` and `aws:SourceArn` confused deputy conditions (see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)) and that the resource-based policy for the KMS key includes the `kms:EncryptionContext:SecretARN` condition. This will ensure that Amazon Connect can only access your API key secret in context of a single specific instance, and can only access your KMS key in context of both that instance and the specific secret.

## Example of a resource-based policy for Secrets Manager secrets


The following is an example of a resource-based policy that you can attach to your secret.

```
{
  "Version":"2012-10-17",		 	 	                    
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "connect.amazonaws.com"
        ]
      },
      "Action": "secretsmanager:GetSecretValue",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:sourceArn": "///the ARN of your Amazon Connect instance///"
        },
        "StringEquals": {
          "aws:sourceAccount": "///Your account ID///"
        }
      }
    }
  ]
}
```

## Example of a resource-based policy for AWS KMS keys


The following is an example of a resource-based policy that you can attach to your KMS key.

```
{
  "Version":"2012-10-17",		 	 	                    
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "connect.amazonaws.com"
        ]
      },
      "Action": "kms:Decrypt",
      "Resource": "*",
      "Condition": {
        "ArnLike": {
          "aws:sourceArn": "///the ARN of your Amazon Connect instance///"
        },
        "StringEquals": {
          "aws:sourceAccount": "///Your account ID///",
          "kms:EncryptionContext:SecretARN": "///the ARN of your secrets manager secret///"
        }
      }
    }
  ]
}
```

## Attaching a resource-based policy to your Secrets Manager secret


To attach a resource-based policy to your secret, go to the Secrets Manager console within the AWS Management Console, navigate to your secret, choose **Edit Permissions** or **Resource Permissions** and then add or modify the resource policy directly on the page so that it looks similar to the [example](#example-resource-policy-secrets-manager). You can also attach the resource policy through the AWS CLI's `put-resource-policy` command, or programmatically using the [PutResourcePolicy](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_PutResourcePolicy.html) API operation.

## Attaching a resource-based policy to your KMS key


To attach a resource-based policy to your KMS key, go to the AWS Key Management Service console within the AWS Management Console, navigate to your KMS key and edit your key policy to look like the [example](#example-resource-policy-kms-keys). You can also update the key through the AWS CLI's `put-key-policy` command, or programmatically using the [PutKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_PutKeyPolicy.html) API operation.

## Rotating API keys


We recommend rotating API keys at least every 90 days to minimize the risk of compromise, and to maintain a well-practiced key rotation process for emergency situations.

To rotate an API key, you must rotate the secret in which it is contained. See [Rotate Secrets Manager secrets](https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html) in the *Secrets Manager User Guide* for more information on how to rotate secrets. When you rotate an API key, it is recommended that you wait for the previous key's usage to drop to zero before revoking the old API key to ensure that ongoing requests are not impacted.