Enterprises deploying Claude Code and Claude Desktop throughout growth groups want centralized management over entry, value, and coverage. At scale, that is arduous to handle: every developer wants a person credential, settings have to be distributed manually, and spend is tough to trace or cap. With out a centralized management level, governance is left to no matter tooling every workforce can implement independently.
At present, we’re saying the Claude apps gateway for AWS, a self-hosted management airplane that offers organizations a single level of management over entry, value, and coverage for Claude Code and Claude Desktop. It replaces the necessity to provision a separate cloud credential per developer, push settings to each laptop computer by hand, or arise separate tooling to trace spend. You may deploy it via Amazon Bedrock to maintain information inside the AWS safety boundary, or via Claude Platform on AWS to get the identical gateway controls with the native Claude platform expertise.
Excessive degree overview of Claude apps gateway for AWS
On this submit, we present tips on how to arrange and run Claude apps gateway for AWS with Amazon Bedrock and Claude Platform on AWS.
How the Claude apps gateway works
The gateway is delivered by Anthropic inside the identical Claude Code CLI binary your builders already use. You may run it in a single stateless container in your infrastructure, backed by a PostgreSQL database that shops short-lived sign-in state and rate-limit counters. As a result of the gateway and the consumer are constructed collectively, the /login move is gateway-aware. The consumer applies managed settings mechanically at sign-in, and coverage is enforced constantly on each request.
Onboarding and offboarding comply with your current id workflows. To grant entry, add a developer to your id supplier (IdP). To revoke it, take away them, and their session expires inside the configured token lifetime (one hour by default). No long-lived secrets and techniques dwell on developer machines.
Determine 1: Claude apps gateway structure for AWS
The gateway handles 5 core obligations:
- Id: The gateway connects to any standards-compliant OpenID Join (OIDC) id supplier. After a developer indicators in via browser single sign-on (SSO), the gateway points a short-lived token that the CLI makes use of for all subsequent requests.
- Coverage: You outline managed settings as soon as on the server. Purchasers obtain coverage at sign-in, and the gateway enforces it on each request. You may alter allowed fashions, software permissions, and default settings centrally, scoped by IdP group.
- Telemetry: The consumer stamps a utilization metric for each request, and the gateway relays it over OpenTelemetry Protocol (OTLP) to a collector you configure, equivalent to Amazon CloudWatch or Amazon Managed Service for Prometheus in your individual account, or a third-party platform. You management the place telemetry goes and the way lengthy it’s retained.
- Routing: The gateway holds your upstream credential and routes inference requests to Amazon Bedrock or Claude Platform on AWS on behalf of builders, with optionally available failover between AWS Areas or throughout a number of accounts.
- Spend caps: Set day by day, weekly, and month-to-month spend limits per group, group, or person. When a developer exceeds their cap, the gateway blocks additional requests till the interval resets or an admin raises the restrict.
When Claude apps gateway is used with Amazon Bedrock, inference requests undergo Amazon Bedrock within the AWS Areas you configure, sustaining the identical information dealing with and privateness controls as another Amazon Bedrock workload in your account. When Claude apps gateway is used with Claude Platform on AWS, requests are processed by Anthropic.
The configuration
The gateway reads a single YAML file at startup. Right here’s what a minimal manufacturing configuration appears like:
gateway.yaml — the total configuration for an Amazon Bedrock deployment
The file accommodates six sections and the secrets and techniques keep in setting variables. The Bedrock upstream makes use of the container’s IAM function, so there are not any static credentials to handle. To route via Claude Platform on AWS as a substitute, substitute the upstreams block:
Mannequin IDs are the identical because the Anthropic API (claude-sonnet-5, claude-opus-4-8). No Amazon Bedrock ARNs or inference profiles wanted.
The gateway runs as a stateless container in your non-public community on Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), or Amazon Elastic Compute Cloud (Amazon EC2). You place it behind an inside Software Load Balancer with a Transport Layer Safety (TLS) certificates from AWS Certificates Supervisor. Amazon Relational Database Service (Amazon RDS) for PostgreSQL shops short-lived sign-in state. Builders attain the gateway via your non-public community, and the gateway makes use of an IAM activity function to name the upstream supplier on their behalf.
Developer sign-in
As soon as the gateway is deployed, builders run claude /login. Directors push a managed settings file to developer machines through their machine administration software that pre-fills the gateway URL, so builders see the Claude apps gateway display screen straight.
The Claude apps gateway login display screen in Claude Code
They press Enter, and a browser opens along with your company SSO.
Browser SSO authentication via your id supplier
One sign-in, and so they’re related. The session refreshes silently within the background utilizing OIDC refresh tokens, so builders keep authenticated throughout restarts with out repeated browser logins. If a person is faraway from the IdP, their session expires on the subsequent refresh.
Working with Claude Code
After sign-in, builders use Claude Code precisely as they’d with another authentication methodology. They write code, run instructions, and work together with Claude usually. The distinction is invisible to them: each request is authenticated via the gateway, routed via your configured upstream, and ruled by the insurance policies you set centrally.
Claude Code responding to a immediate, routed via Amazon Bedrock through the gateway
The /mannequin picker reveals solely the fashions your coverage permits. Past mannequin entry, insurance policies can management software permissions, equivalent to proscribing file writes or internet entry. They’ll additionally implement permission guidelines that builders can’t override regionally, and push setting variables or hooks to standardize workflows throughout groups. Utilization is attributed to every developer’s id, and spend is tracked in opposition to their cap. In the event that they go away the corporate, eradicating them from the IdP revokes entry inside the configured session lifetime.
Conclusion
With the Claude apps gateway for AWS, you may broaden Claude Code and Claude Desktop adoption throughout your group whereas managing id, coverage, and value from one place. Id flows via your current IdP, coverage is enforced centrally, and value is attributed per person, with no long-lived secrets and techniques on developer machines.
As a result of the gateway is self-hosted, you may deploy it in any AWS Area and route inference to Amazon Bedrock or Claude Platform on AWS, together with cross-Area and cross-account setups. Select Amazon Bedrock when information should keep inside the AWS safety boundary, or Claude Platform on AWS for entry to Anthropic’s native platform expertise with AWS authentication and billing.
To get began, obtain the Claude Code CLI and evaluate the Claude apps gateway documentation. Ship suggestions to AWS re:Put up for Amazon Bedrock or via your typical AWS Assist contacts.
Concerning the authors







