?

Overview

A platform team runs rousseau on shared infrastructure. Each project has its own AWS account for Bedrock (compliance, chargeback, model access). Use one rousseau binary with per-project config files, each pinning a bedrock.profile and its own state.path.

Prerequisites

  • AWS SSO (or IAM Identity Center) with roles pre-configured in ~/.aws/config.
  • Bedrock model access approved in each account for the target model.
  • A directory-per-project layout on the host.

Layout

/etc/rousseau/
├── projects/
│   ├── alpha/
│   │   └── config.yaml
│   ├── bravo/
│   │   └── config.yaml
│   └── charlie/
│       └── config.yaml
└── shared/
    └── skills/

Per-project config

/etc/rousseau/projects/alpha/config.yaml:

provider: bedrock

bedrock:
  region: eu-west-2
  model: anthropic.claude-sonnet-4-6-20250101-v1:0
  profile: alpha-dev

state:
  path: /var/lib/rousseau/alpha/sessions.db

agent:
  skills_dir: /etc/rousseau/shared/skills
  approver:
    mode: pattern
    default: deny
    allow:
      - {tool: read, match: ".*"}
      - {tool: grep, match: ".*"}

~/.aws/config:

[profile alpha-dev]
sso_start_url = https://acme.awsapps.com/start
sso_region    = eu-west-2
sso_account_id = 111111111111
sso_role_name = BedrockOperator
region        = eu-west-2

[profile bravo-dev]
# …

Launch

# Refresh SSO once
aws sso login --profile alpha-dev

# Alpha WhatsApp bridge
rousseau --config /etc/rousseau/projects/alpha/config.yaml whatsapp \
  --allow 447900123456@s.whatsapp.net

# Bravo Slack bridge
rousseau --config /etc/rousseau/projects/bravo/config.yaml slack

Under systemd, one unit per project.

Verification

  • AWS_PROFILE=alpha-dev aws bedrock list-foundation-models returns the approved model.
  • rousseau --config /etc/rousseau/projects/alpha/config.yaml doctor reports the provider as bedrock with the right region.
  • Session-store paths are distinct per project (/var/lib/rousseau/alpha/, /bravo/, …).

Failure modes

  • AccessDeniedException — role lacks bedrock:InvokeModelWithResponseStream. Grant in the SCP or the role's policy.
  • ModelNotReady — model access not approved for this account. Request in the Bedrock console.
  • Cross-account STS refresh loops — SSO session expired. Add a systemd timer that runs aws sso login --profile X weekly.
  • State bleed — two projects share a state.path. Always use distinct paths.

Related pages

Type to search 150+ pages. Ranking: BM25 with title/description boost.