Prerequisites
Before making API calls, ensure you have:
-
An active AWS account with a subscription to Claude Platform on AWS (see Set up your account).
-
The AWS CLI installed and configured.
-
Outbound web identity federation enabled on your AWS account (a one-time setup step; see Enable outbound web identity federation).
-
Your workspace ID (see Obtain your workspace ID).
Enable outbound web identity federation
The Claude Platform on AWS gateway calls sts:GetWebIdentityToken server-side to mint a JWT it forwards to Anthropic. This STS capability is disabled by default on every AWS account. Enable it once per account:
aws iam enable-outbound-web-identity-federation
If the response is [ERROR] (FeatureEnabled) … already enabled, the setting is already on for your account and you can move on. Verify and retrieve your account’s issuer URL:
aws iam get-outbound-web-identity-federation-info
Warning
Without this step, every request returns "Outbound web identity federation is disabled for your account". This is the most common setup error.
Obtain your workspace ID
A default workspace is provisioned automatically in each region when you sign up (see Set up your account). Workspaces are bound to a single AWS region. You can find the workspace ID in the Claude Console under Workspaces, or in the Workspaces section of the AWS Console service page. See Workspaces for region binding and IAM resource scoping.
Set the ANTHROPIC_AWS_WORKSPACE_ID and AWS_REGION environment variables so the SDK clients read them automatically:
export ANTHROPIC_AWS_WORKSPACE_ID='wrkspc_01AbCdEf23GhIj' export AWS_REGION='us-west-2'
The region is required. The SDK client throws if no region is set. Pass aws_region/awsRegion to the constructor, or set AWS_REGION (or AWS_DEFAULT_REGION). All AWS commercial regions are supported; opt-in regions require that you first opt the account in to the region.
