How to Connect Mendix to Amazon Bedrock via REST Activity?

Hello everyone,   I am currently attempting to connect my Mendix application to Amazon's Bedrock service, and I am receiving the following error:   403 Forbidden (InvalidSignatureException): The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.   I have successfully made a connection using Temporary Credentials and the Bedrock Connector module, which includes an activity for the InvokeModel API, however I now need to connect to Bedrock's ConverseStream API, which unfortunately is not currently included in the module. I created a microflow (see below), closely following a Mendix blog post, and it seems like I have configured everything accordingly apart from the SigV4Builder and REST activity. I believe the mismatch in signatures is caused by either of the configurations for these microflow components.   Microflow Overview:   SigV4Builder Details:   REST Activity Details:   Based on the above screenshots, are there any obvious discrepancies in my configurations or additional headers I need to include?   Additional Notes: I do not believe my static credentials are the issue - I have tried two sets of access keys from my IAM user account, as well as an additional set from a newly created IAM user account which still resulted in the same error (i.e., 403 Forbidden: signature mismatch). I noticed when I test the request in Postman, it adds a "Content-Length" header in the request. I tried adding it to the REST service activity, but I received a Java exception stating that this header was already added. I am wondering if this might be why there is a signature mismatch, if in fact, the SigV4Builder/GetSigV4Headers logic is not incorporating this header into the signature. The tutorial I followed included an "x-amz-target" header, but I could not find any documentation on Amazon Bedrock requiring this header, nor a value for the header if it exists for this service. I noticed the logs from the REST service activity added an "HTTP/1.1" string to the end of the URL in the request. Although this is not a request header that one manually adds, when I included it in the "path" member of the SigV4Builder as follows: "...%20HTTP/1.1", I finally received a 200 OK status but an invalid operation error. This led me to believe I may have at least successfully authenticated. Any insight or guidance would be much appreciated!
2 answers

Hi Matt Hargenrader,

For the ConverseStream, the service in the builder should be 'bedrock' (as you have it). This leads to the host being generated as '', however ConverseStream needs to have the host '' So you could overwrite the $SigV4Headers/Host you are using in the REST call with ''.

Please let me know if this solved your problem.

Best regards,



Hi Daan,


Thank you for your response and feedback.


I was in contact with someone from the Mendix team, and they advised the same thing and to set up the SigV4Builder as follows:




When I followed the above implementation, coupled with overwriting the Host header in the REST activity, the 403 Forbidden (i.e., signature mismatch) error was seemingly resolved, but I did receive a 400 Bad Request error instead.


This recommended solution makes sense, but I think something else is causing the signature mismatch error. If you look at the Java source code for the GetSigV4Headers action within the AWS Authentication module, the Host header is calculated as follows:




The getSubDomain method actually defaults to the ServiceName value if the SubDomain member is either null or empty, as seen below:




With this in mind, it seems the proper approach is to add the SubDomain member to the SigV4Builder (i.e., "bedrock-runtime"), which properly calculates the Host header, but as stated previously, this still results in a 403 Forbidden error.


Please let me know if you have any other ideas.


Best regards,