Using Merlin AI Code Review with AWS Bedrock

AWS Bedrock provides managed access to foundation models — including Claude from Anthropic — inside the AWS cloud perimeter. For teams already on AWS with enterprise agreements, data residency requirements, or existing IAM infrastructure, using Merlin AI Code Review with Bedrock keeps AI code review entirely within your AWS environment.

Why AWS Bedrock for AI code review?

Teams choose Bedrock for several reasons:

• Data residency — Bedrock inference stays within your chosen AWS region
• Existing IAM — use existing AWS access control, no new API key management
• Enterprise agreements — AWS enterprise customers often have Bedrock included or at negotiated rates
• Consolidated billing — AI costs appear on the AWS bill alongside other infrastructure
• VPC integration — Bedrock can be accessed via VPC endpoints, keeping traffic off the public internet entirely

Prerequisites

• AWS account with Bedrock enabled in your target region
• Claude model access granted in the Bedrock console (Model access → Request access → Anthropic Claude)
• IAM credentials with bedrock:InvokeModel permission

Configuration

[ai]
provider       = "bedrock"
model          = "anthropic.claude-sonnet-4-6-20241022-v2:0"
bedrock_region = "us-east-1"   # must match where you enabled model access
max_tokens     = 4096
temperature    = 0.2

Setting up credentials in GitHub Actions

The recommended approach is to use OIDC federation — no long-lived AWS credentials in GitHub secrets:

jobs:
  merlin-review:
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # needed for OIDC
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/MerlinReviewRole
          aws-region: us-east-1
      - run: |
          curl -L https://github.com/Arunachalamkalimuthu/merlin-ai-code-review/releases/latest/download/merlin-linux-amd64 -o merlin
          chmod +x merlin && ./merlin review
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # AWS credentials provided automatically by the configure-aws-credentials step

IAM policy for the review role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["bedrock:InvokeModel"],
      "Resource": [
        "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-*"
      ]
    }
  ]
}

Static credentials alternative

If OIDC isn't available, use static credentials stored as GitHub secrets:

        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

Available Claude models on Bedrock