v2026.1

AI Provider Configuration

Supported Providers

StackFlow supports multiple AI model providers, allowing organizations to use their preferred models and maintain flexibility as the AI landscape evolves. Amazon Bedrock is the default and recommended provider for AWS-hosted StackFlow deployments due to its VPC endpoint support, CMK encryption, and AWS IAM-based authentication (no API keys to rotate).

⚙️ Minimum Requirements
  • DynamoDB: StackFlow_AIProvider table with at least one record having status: active
  • Secrets Manager: Provider API keys stored as stackflow/ai-provider/{providerId}/api-key encrypted with CMK
  • Bedrock Model Access: Requested models must be approved in Bedrock Model Access console before activation
  • IAM: StackFlowAPIRole with bedrock:InvokeModel on specific model ARNs

| Provider | Auth Method | Models Available | VPC Support |
|---|---|---|---|
| Amazon Bedrock | IAM Role (recommended) | Claude, Titan, Llama | Yes |
| Anthropic Direct | API Key | Claude 3.x, Claude 2.x | No |
| OpenAI | API Key | GPT-4o, GPT-4-turbo | No |
| Azure OpenAI | API Key + Endpoint | GPT-4o, GPT-4 | Via Azure PrivateLink |
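
The IAM requirement in the list above (bedrock:InvokeModel on specific model ARNs) can be checked mechanically before a role is attached. The following is an added example, not StackFlow code: a small policy audit that flags any Allow statement granting InvokeModel on a wildcard or partial resource. The function name, sample policies, region and model IDs are assumptions made for illustration.

```python
import fnmatch
import re

# One concrete foundation-model ARN: fixed region, empty account field, no wildcards.
MODEL_ARN = re.compile(r"arn:aws:bedrock:[a-z0-9-]+::foundation-model/[A-Za-z0-9.:_-]+")

def _as_list(value):
    """IAM accepts a bare string or object where a list is expected."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def audit_invoke_model(policy):
    """Return findings for Allow statements that grant bedrock:InvokeModel too broadly."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: Allow with NotAction/NotResource, review by hand")
            continue
        # IAM action names are case-insensitive and may contain * and ? wildcards.
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("bedrock:invokemodel", a) for a in actions):
            continue
        for res in _as_list(stmt.get("Resource")):
            if not MODEL_ARN.fullmatch(res):
                findings.append(f"{sid}: InvokeModel allowed on {res!r}")
    return findings

# Constructed sample policies; region and model IDs are illustrative assumptions.
ARN = "arn:aws:bedrock:us-east-1::foundation-model/"
SCOPED = {"Version": "2012-10-17", "Statement": {
    "Sid": "InvokePinned", "Effect": "Allow", "Action": "bedrock:InvokeModel",
    "Resource": [ARN + "anthropic.claude-3-sonnet-20240229-v1:0",
                 ARN + "anthropic.claude-3-haiku-20240307-v1:0"]}}
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AnyBedrock", "Effect": "Allow", "Action": "bedrock:*", "Resource": "*"},
    {"Sid": "WholeFamily", "Effect": "Allow", "Action": ["bedrock:InvokeModel"],
     "Resource": ARN + "anthropic.*"},
    {"Sid": "DenyIgnored", "Effect": "Deny", "Action": "bedrock:InvokeModel", "Resource": "*"}]}

if __name__ == "__main__":
    for name, doc in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        print(name, audit_invoke_model(doc) or "ok")
```

An empty result means every InvokeModel grant in the document is pinned to a full model ARN; it does not evaluate Deny statements, conditions or permission boundaries.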

Adding a Provider

Add AI providers in AI → Configuration → Providers → Add Provider. For Bedrock, only the region and model list need to be specified; authentication uses the Lambda execution role. For external providers, credentials are stored in AWS Secrets Manager, and only the secret's ARN is stored in StackFlow configuration (never the plaintext key).

curl -X POST https://your-instance.stackflow-tech.com/prod/api/ai/providers \
  -H "Authorization: Bearer $ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Anthropic Direct",
    "provider_type": "anthropic",
    "enabled": true,
    "credentials_secret_arn": "arn:aws:secretsmanager:us-east-1:373544523367:secret:stackflow/ai/anthropic-api-key",
    "models": ["claude-3-opus-20240229", "claude-3-sonnet-20240229-v1:0"],
    "rate_limit_rpm": 1000
  }'

API Key Management

External AI provider API keys are stored in AWS Secrets Manager, encrypted with the CMK mrk-bd842691514c4d74a02992b8dc11fe16. The StackFlowGenericSecretRotation Lambda can be configured to rotate API keys automatically (for providers that support programmatic key rotation). StackFlow never logs or exposes API key values in any interface.

Key Rotation: Set up automatic secret rotation for all external AI provider API keys. A compromised API key can result in unauthorized model usage and significant cost. The rotation Lambda runs on a 90-day schedule by default.

Provider Health

Provider health is monitored via the AI Observability dashboard. Each provider shows its current status (healthy/degraded/down), P50/P95/P99 latency, error rate, and cost for the current billing period. Automated health checks run every 60 seconds and trigger failover to the backup provider if the error rate exceeds 5% over 5 minutes.

Fallback Configuration

Configure provider fallback chains so that if the primary provider is unavailable, requests automatically route to the fallback. For example: primary = Bedrock Claude 3 Sonnet → fallback = Bedrock Claude 3 Haiku → fallback = Anthropic Direct Claude 3 Haiku. Fallback kicks in after 3 consecutive failures or a 30-second timeout.