Coding Agents5 min read

Claude apps gateway for AWS: self-hosted control plane

A self-hosted gateway centralizes identity, policy, telemetry and daily/weekly/monthly spend caps for Claude Code and Claude Desktop.

The Brieftide

TL;DR

  • 01A self-hosted gateway centralizes identity, policy, telemetry and daily/weekly/monthly spend caps for Claude Code and Claude Desktop.
  • 02AWS is announcing the Claude apps gateway for AWS, a self-hosted control plane that centralizes access, cost, and policy for Claude Code and Claude Desktop.
  • 03The gateway replaces per-developer cloud credentials, manual laptop settings distribution, and separate spend-tracking tooling by giving organizations a single point of control.

AWS is announcing the Claude apps gateway for AWS, a self-hosted control plane that centralizes access, cost, and policy for Claude Code and Claude Desktop. The gateway replaces per-developer cloud credentials, manual laptop settings distribution, and separate spend-tracking tooling by giving organizations a single point of control.

How does the Claude apps gateway work?

The gateway is delivered inside the Claude Code CLI and runs as a single stateless container backed by a PostgreSQL database that stores short-lived sign-in state and rate-limit counters. The client and gateway are built together so the /login flow is gateway-aware: developers sign in via browser SSO, the gateway issues a short-lived token, and the CLI uses that token for subsequent requests.

Because onboarding and offboarding follow existing identity workflows, administrators grant access by adding a developer to the identity provider and revoke it by removing them; sessions expire within the configured token lifetime (one hour by default). The CLI applies managed settings at sign-in and the gateway enforces policy on every request.

What does the gateway control?

The gateway handles five core responsibilities: identity integration, policy distribution and enforcement, telemetry forwarding, routing to upstreams, and spend caps. Identity uses any standards-compliant OpenID Connect identity provider; after SSO the gateway issues short-lived tokens for CLI requests.

Policy is defined once on the server and scoped by IdP group so the client receives managed settings at sign-in and cannot override enforced rules locally. Telemetry is stamped on every client request and relayed over OpenTelemetry Protocol to a collector you configure, such as Amazon CloudWatch or Amazon Managed Service for Prometheus, or a third-party platform. Routing holds your upstream credential and sends inference requests to Amazon Bedrock or Claude Platform on AWS, with optional failover across AWS Regions or accounts. Spend caps can be set daily, weekly, and monthly per organization, group, or user; when a cap is exceeded the gateway blocks further requests until the period resets or an admin raises the limit.

How is it deployed and configured?

The gateway reads a single YAML file at startup, the production configuration contains six sections, and secrets remain in environment variables. The Bedrock upstream uses the container's IAM role, so no static credentials are required; to route through Claude Platform on AWS you replace the upstreams block with an anthropicAws provider and AWS default credential chain.

Operators run the gateway in a private network as a stateless container on Amazon ECS, Amazon EKS, or Amazon EC2, place it behind an internal Application Load Balancer with a TLS certificate from AWS Certificate Manager, and use Amazon RDS for PostgreSQL to store short-lived sign-in state. The gateway uses an IAM task role to call the upstream provider on developers' behalf.

Model IDs match the Anthropic API, for example claude-sonnet-5 and claude-opus-4-8, and no Amazon Bedrock ARNs or inference profiles are needed.

Why it matters

The gateway removes per-developer credential management and eliminates long-lived secrets on developer machines by shifting identity, policy, telemetry and spend control to a single self-hosted plane inside the customer's AWS boundary. Organizations that require data to remain inside AWS can route inference through Amazon Bedrock; teams that want Anthropic's native platform experience can route through Claude Platform on AWS while retaining the same gateway controls and AWS authentication and billing.

This changes how enterprises standardize developer tooling: managed settings are pushed centrally, usage is attributed to each developer identity, and cost controls work at daily, weekly, or monthly cadence rather than relying on ad hoc team tooling.

What to watch

Watch whether organizations choose Amazon Bedrock to keep data within the AWS security boundary or opt for Claude Platform on AWS for Anthropic’s native experience, and whether spend caps and per-group policies become standard controls. To get started, download the Claude Code CLI and review the Claude apps gateway documentation; feedback routes to AWS re:Post for Amazon Bedrock or AWS Support.

Claude apps gateway architecture for AWS
Developer (Claude Code CLI)Internal Application Load BalancerClaude apps gateway (stateless container)PostgreSQL (Amazon RDS) — sign-in state & rate limitsIdentity Provider (OIDC) — SSOAmazon Bedrock (upstream)Claude Platform on AWS (upstream)OTLP collector (CloudWatch / AMS for Prometheus / 3rd party)IAM Task Role (used for upstream calls)
Advertisement

Written by The Brieftide · Source: AWS Machine Learning

The Brieftide Daily · 06:00

Briefs like this one, in your inbox every morning.

 

FreeOne email a dayEvery claim sourcedUnsubscribe in one click
Advertisement