Overview
A platform team runs rousseau on shared infrastructure. Each project has its own AWS account for Bedrock (compliance, chargeback, model access). Use one rousseau binary with per-project config files, each pinning a bedrock.profile and its own state.path.
Prerequisites
- AWS SSO (or IAM Identity Center) with roles pre-configured in
~/.aws/config. - Bedrock model access approved in each account for the target model.
- A directory-per-project layout on the host.
Layout
/etc/rousseau/
├── projects/
│ ├── alpha/
│ │ └── config.yaml
│ ├── bravo/
│ │ └── config.yaml
│ └── charlie/
│ └── config.yaml
└── shared/
└── skills/
Per-project config
/etc/rousseau/projects/alpha/config.yaml:
provider: bedrock
bedrock:
region: eu-west-2
model: anthropic.claude-sonnet-4-6-20250101-v1:0
profile: alpha-dev
state:
path: /var/lib/rousseau/alpha/sessions.db
agent:
skills_dir: /etc/rousseau/shared/skills
approver:
mode: pattern
default: deny
allow:
- {tool: read, match: ".*"}
- {tool: grep, match: ".*"}
~/.aws/config:
[profile alpha-dev]
sso_start_url = https://acme.awsapps.com/start
sso_region = eu-west-2
sso_account_id = 111111111111
sso_role_name = BedrockOperator
region = eu-west-2
[profile bravo-dev]
# …
Launch
# Refresh SSO once
aws sso login --profile alpha-dev
# Alpha WhatsApp bridge
rousseau --config /etc/rousseau/projects/alpha/config.yaml whatsapp \
--allow 447900123456@s.whatsapp.net
# Bravo Slack bridge
rousseau --config /etc/rousseau/projects/bravo/config.yaml slack
Under systemd, one unit per project.
Verification
-
AWS_PROFILE=alpha-dev aws bedrock list-foundation-modelsreturns the approved model. -
rousseau --config /etc/rousseau/projects/alpha/config.yaml doctorreports the provider asbedrockwith the right region. - Session-store paths are distinct per project (
/var/lib/rousseau/alpha/,/bravo/, …).
Failure modes
AccessDeniedException— role lacksbedrock:InvokeModelWithResponseStream. Grant in the SCP or the role's policy.ModelNotReady— model access not approved for this account. Request in the Bedrock console.- Cross-account STS refresh loops — SSO session expired. Add a systemd timer that runs
aws sso login --profile Xweekly. - State bleed — two projects share a state.path. Always use distinct paths.