{"id":47624892,"url":"https://github.com/antkawam/claude-code-aws-gateway","last_synced_at":"2026-04-01T22:42:44.838Z","repository":{"id":346044837,"uuid":"1183678441","full_name":"antkawam/claude-code-aws-gateway","owner":"antkawam","description":"Self-hosted API gateway for Claude Code on Amazon Bedrock. Team management, virtual API keys, per-user budgets, OIDC SSO, web search, and an admin portal.","archived":false,"fork":false,"pushed_at":"2026-03-22T04:32:07.000Z","size":1204,"stargazers_count":2,"open_issues_count":6,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-22T14:32:55.872Z","etag":null,"topics":["amazon-bedrock","anthropic","api-gateway","api-proxy","aws-cdk","bedrock-runtime","budget-management","claude","claude-code","developer-tools","docker","ecs-fargate","graviton","llm-proxy","oidc","rust","self-hosted","sso","team-management","web-search"],"latest_commit_sha":null,"homepage":"https://antkawam.github.io/claude-code-aws-gateway/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/antkawam.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-16T21:08:56.000Z","updated_at":"2026-03-22T04:30:46.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/antkawam/claude-code-aws-gateway","commit_stats":null,"previous_names":["antkawam/claude-code-aws-gateway"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/antkawam/claude-code-aws-gateway","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antkawam%2Fclaude-code-aws-gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antkawam%2Fclaude-code-aws-gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antkawam%2Fclaude-code-aws-gateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antkawam%2Fclaude-code-aws-gateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/antkawam","download_url":"https://codeload.github.com/antkawam/claude-code-aws-gateway/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/antkawam%2Fclaude-code-aws-gateway/sbom","scorecard":{"id":1245127,"data":{"date":"2026-03-22T03:53:05Z","repo":{"name":"github.com/antkawam/claude-code-aws-gateway","commit":"880835cf5c3b3e567c5c63063107e34048802af6"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":3.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":-1,"reason":"no pull request found","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/18 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":0,"reason":"no update tool detected","details":["Warn: no dependency update tool configurations found"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:125"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:34: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:58: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:72: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pages.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/pages.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:93: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:94: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:97: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:130: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:131: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:142: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:143: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:157: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:175: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:181: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:36: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:52: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/antkawam/claude-code-aws-gateway/scorecard.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:3","Warn: containerImage not pinned by hash: Dockerfile:35: pin your Docker image by updating alpine:3.21 to alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709","Warn: containerImage not pinned by hash: Dockerfile.release:3: pin your Docker image by updating alpine:3.21 to alpine:3.21@sha256:c3f8e73fdb79deaebaa2037150150191b9dcbfba68b4a46d70103204c53f4709","Info:   0 out of  18 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  19 third-party GitHubAction dependencies pinned","Info:   0 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":0,"reason":"no SAST tool detected","details":["Warn: no pull requests merged into dev branch"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v1.0.2 not signed: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299839419","Warn: release artifact v1.0.1 not signed: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299836036","Warn: release artifact v1.0.0 not signed: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299830510","Warn: release artifact v1.0.2 does not have provenance: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299839419","Warn: release artifact v1.0.1 does not have provenance: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299836036","Warn: release artifact v1.0.0 does not have provenance: https://api.github.com/repos/antkawam/claude-code-aws-gateway/releases/299830510"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/pages.yml:12","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:8","Warn: topLevel 'packages' permission set to 'write': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:10","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":5,"reason":"5 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-h395-gr6q-cpjc","Warn: Project is vulnerable to: RUSTSEC-2025-0119","Warn: Project is vulnerable to: RUSTSEC-2023-0071","Warn: Project is vulnerable to: RUSTSEC-2025-0134","Warn: Project is vulnerable to: GHSA-pwjx-qhcg-rvj4 / RUSTSEC-2026-0049"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-03-23T03:23:15.666Z","repository_id":346044837,"created_at":"2026-03-23T03:23:15.666Z","updated_at":"2026-03-23T03:23:15.666Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31292686,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-01T21:15:39.731Z","status":"ssl_error","status_checked_at":"2026-04-01T21:15:34.046Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["amazon-bedrock","anthropic","api-gateway","api-proxy","aws-cdk","bedrock-runtime","budget-management","claude","claude-code","developer-tools","docker","ecs-fargate","graviton","llm-proxy","oidc","rust","self-hosted","sso","team-management","web-search"],"created_at":"2026-04-01T22:42:40.314Z","updated_at":"2026-04-01T22:42:44.826Z","avatar_url":"https://github.com/antkawam.png","language":"Rust","readme":"# Claude Code AWS Gateway (CCAG)\n\n[![Build](https://img.shields.io/github/actions/workflow/status/antkawam/claude-code-aws-gateway/ci.yml?branch=main)](https://github.com/antkawam/claude-code-aws-gateway/actions)\n[![Release](https://img.shields.io/github/v/release/antkawam/claude-code-aws-gateway)](https://github.com/antkawam/claude-code-aws-gateway/releases)\n[![crates.io](https://img.shields.io/crates/v/ccag-cli)](https://crates.io/crates/ccag-cli)\n[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/antkawam/claude-code-aws-gateway/badge)](https://scorecard.dev/viewer/?uri=github.com/antkawam/claude-code-aws-gateway)\n[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)\n\nA purpose-built gateway for running [Claude Code](https://docs.anthropic.com/en/docs/claude-code) through Amazon Bedrock. Deploy once, then give every developer on your team a single command to get connected.\n\n**For admins:** Real-time budget controls, multi-account routing for latency optimization and data sovereignty, OIDC SSO, and a full analytics dashboard — all from a built-in portal.\n\n**For developers:** One-command onboarding. No AWS credentials, no config files. A self-service portal shows personal usage metrics, budget consumption, and virtual key management.\n\n**For automation:** A management CLI (`ccag`) for scripting key provisioning, team setup, and budget enforcement. Webhook, SNS, and EventBridge integrations for piping budget alerts and events into your existing tools.\n\n**100% open source, every feature included.** No enterprise tier, no feature gates, no per-seat pricing.\n\n## Why CCAG?\n\nWhen Claude Code connects to Bedrock directly (`CLAUDE_CODE_USE_BEDROCK=1`), it operates in a reduced-capability mode — extended thinking, web search, and some tool use features are disabled on the client side. CCAG presents as the Anthropic Messages API, so Claude Code enables its full feature set while inference still runs through your AWS account.\n\n| | Direct Bedrock | Through CCAG |\n|---|---|---|\n| Extended thinking | No | Yes |\n| Tool use | Partial | Yes |\n| Web search | No | Yes (DuckDuckGo, Tavily, Serper, or custom per user) |\n| Multi-account/region routing | N/A | Pool quota across accounts, regions, and teams |\n| Budget controls | N/A | Per-user and per-team limits (notify, throttle, or block) |\n| Developer onboarding | Manual config | One-command setup via portal Connect page |\n| SSO authentication | N/A | OIDC with any provider (Okta, Azure AD, Google, etc.) |\n| Admin portal | N/A | Built-in SPA with real-time analytics |\n\n## Architecture\n\n```mermaid\ngraph LR\n    CC[Claude Code] --\u003e|Anthropic Messages API| CCAG[CCAG]\n    CCAG --\u003e|Bedrock Runtime API| BR[Amazon Bedrock]\n    CCAG --\u003e|Keys, teams, spend| RDS[(Postgres)]\n    CCAG --\u003e|Web search| DDG[DuckDuckGo]\n\n    style CCAG fill:#f9f,stroke:#333,stroke-width:2px\n```\n\nClaude Code connects to CCAG as it would to the Anthropic API. The gateway translates requests to Bedrock format, handles SSE streaming, and maps model IDs. No client-side changes are needed.\n\n### Portal\n\n![Analytics Dashboard](docs/images/portal-analytics.png)\n\n![Connect Page](docs/images/portal-connect.png)\n\n## Getting Started\n\n### Prerequisites\n\n- AWS account with [Bedrock model access](https://docs.aws.amazon.com/bedrock/latest/userguide/model-access.html) enabled for Claude models\n- AWS CLI configured with credentials\n- Docker\n\n### Option A: Docker Compose\n\nSuitable for solo users, small teams, or evaluation.\n\n```bash\ncd claude-code-aws-gateway\ncp .env.example .env\n# Edit .env: set AWS_REGION and AWS credentials (AWS_PROFILE or access keys)\ndocker compose up -d\n```\n\nThe gateway starts at `http://localhost:8080`. Log in at `http://localhost:8080/portal` with the default admin credentials (`admin`/`admin`) to create API keys and manage users.\n\nIf port 8080 is already in use: `GATEWAY_PORT=9080 docker compose up -d`\nIf port 5432 is already in use: `POSTGRES_PORT=5488 docker compose up -d`\n\n### Option B: AWS CDK (ECS Fargate + RDS)\n\nFor teams that need managed infrastructure with load balancing, autoscaling, custom domains, and RDS Postgres.\n\n```bash\ncd infra \u0026\u0026 npm install\n# See infra/README.md for the deployment guide\n```\n\nThis creates a production stack: VPC, ALB, ECS Fargate (ARM64/Graviton), RDS Postgres, autoscaling, CloudWatch alarms, and optional Route53/TLS. See [`infra/README.md`](infra/README.md) for the deployment guide.\n\n### Connect Claude Code\n\nLog in to the admin portal at `http://localhost:8080/portal` and navigate to the **Connect** page. Developers get a single command that installs Claude Code (if needed), creates an API key, and configures the gateway connection — no manual env vars or config files.\n\n```bash\ncurl -fsSL https://your-gateway/setup | sh   # one command, fully configured\n```\n\n## Features\n\n### API Translation\n\n- `/v1/messages` and `/v1/messages/count_tokens` endpoints\n- SSE event stream translation (Bedrock binary stream to Anthropic SSE format)\n- Automatic model ID mapping between Anthropic and Bedrock identifiers\n- Beta flag allowlisting (filters flags that Bedrock does not accept)\n- `cache_control` field passthrough for Bedrock\n- Web search interception with per-user configurable providers (DuckDuckGo, Tavily, Serper, or custom)\n\n### Multi-Endpoint Routing\n\n- Route requests across multiple AWS accounts, regions, or inference profiles from a single gateway\n- Assign endpoints to teams with per-team routing strategies (sticky user, primary/fallback, round robin)\n- Cross-account access via STS AssumeRole with external ID support\n- Automatic failover on 429/5xx with health tracking per endpoint\n- Sticky user routing preserves prompt cache affinity across conversations\n\n### Multi-User Management\n\n- Virtual API keys: issue and revoke keys per user or team\n- Teams: group users with shared budgets and rate limits\n- Budgets: per-key and per-team spending limits with notification webhooks\n- Rate limiting: per-key sliding window rate limiter\n- Spend tracking: async batch writes to Postgres with per-key analytics\n\n### Authentication\n\nThree-tier authentication for different use cases:\n\n1. Admin credentials: username/password for initial setup (`ADMIN_USERNAME`/`ADMIN_PASSWORD`)\n2. Virtual API keys: database-backed keys for programmatic access\n3. OIDC SSO: JWT validation with any compliant identity provider\n\nSupported OIDC providers include Okta, Azure AD, Google Workspace, Auth0, Keycloak, and any provider with a `.well-known/openid-configuration` endpoint. Multiple providers can be active at the same time.\n\n### Admin Portal\n\nA built-in single-page application at `/portal` for:\n\n- Key creation and management\n- Team administration\n- Identity provider configuration\n- Gateway settings\n- Analytics dashboard with 4 tabs:\n  - Spend: timeseries by team, spend by team/model/user, budget status, OLS cost forecast\n  - Activity: active users over time (new vs returning), hourly request heatmap\n  - Models \u0026 Performance: model mix, latency percentiles (p50/p95/p99), cache hit rate, token breakdown, endpoint utilization\n  - Tools \u0026 MCP: tool call totals, MCP server usage, top tools\n- Multi-select filters (team, user, model, endpoint) with time range and granularity control\n- CSV export of filtered analytics data\n\n### Notifications \u0026 Integrations\n\n- Budget alerts, rate limit events, and system notifications delivered to your tools\n- **Webhook:** POST to any URL (Slack, PagerDuty, custom endpoints)\n- **SNS:** Publish to your own AWS SNS topic for fan-out to email, Lambda, SQS, etc.\n- **EventBridge:** Emit structured events to your own event bus for custom routing rules\n- Configure and test destinations from the admin portal — no config files needed\n\n### Observability\n\n- Prometheus metrics at `/metrics`\n- Optional OTLP export via gRPC\n- Structured logging with configurable log levels\n\n## Configuration\n\nCCAG is configured through environment variables:\n\n| Variable | Default | Description |\n|---|---|---|\n| `PROXY_HOST` | `127.0.0.1` | Listen address |\n| `PROXY_PORT` | `8080` | Listen port |\n| `DATABASE_URL` | | Postgres connection URL (required) |\n| `ADMIN_USERNAME` | `admin` | Bootstrap admin username |\n| `ADMIN_PASSWORD` | `admin` | Bootstrap admin password |\n| `ADMIN_USERS` | | Comma-separated OIDC subjects auto-provisioned as admin |\n| `OIDC_ISSUER` | | OIDC issuer URL for SSO |\n| `OIDC_AUDIENCE` | | Expected JWT audience claim |\n| `OIDC_JWKS_URL` | | Override JWKS endpoint (auto-discovered from issuer by default) |\n| `RUST_LOG` | `info` | Log level (`debug` for request body logging) |\n| `OTEL_EXPORTER_OTLP_ENDPOINT` | | OTLP gRPC endpoint for metrics export |\n| `BUDGET_NOTIFICATION_URL` | | Webhook URL or SNS topic ARN for budget alerts |\n\nSee [docs/configuration.md](docs/configuration.md) for the full reference including TLS, database, and notification settings.\n\n### Model Routing\n\nBedrock model IDs are resolved automatically from the AWS SDK's configured region.\n\n| AWS Region | Inference Profile |\n|---|---|\n| `us-*`, `ca-*` | US cross-region |\n| `eu-*` | EU cross-region |\n| `ap-southeast-2`, `ap-southeast-4` | Australia |\n| `ap-*`, `me-*` | Asia Pacific |\n| `us-gov-*` | GovCloud |\n\nCustom model mappings can also be configured through the admin portal.\n\n## Development\n\n### Build and test\n\n```bash\nmake build               # Build gateway + CLI\nmake test                # Unit tests\nmake lint                # Format check + clippy\nmake check               # All checks (what CI runs)\nmake test-integration    # Integration tests (requires Docker)\n```\n\n### Project structure\n\n```\nsrc/\n  main.rs              Entry point, startup, cache poll loop\n  api/\n    handlers.rs        HTTP handlers (messages, count_tokens, health)\n    admin.rs           Admin API (keys, teams, users, spend, IDPs, settings, analytics)\n  config/mod.rs        GatewayConfig, routing prefix auto-detection\n  proxy/mod.rs         Shared gateway state\n  auth/\n    mod.rs             In-memory key cache, key validation\n    oidc.rs            Multi-IDP OIDC JWT validation, JWKS caching\n  ratelimit/mod.rs     Per-key sliding window rate limiter\n  db/                  Postgres pool, migrations, CRUD operations\n    org_analytics.rs   Cross-org analytics queries (~20 functions)\n  spend/mod.rs         Async spend tracker (buffer + flush loop)\n  telemetry/mod.rs     Prometheus metrics, OTLP export\n  translate/\n    models.rs          Model ID mapping (Anthropic \u003c-\u003e Bedrock)\n    request.rs         Request translation\n    response.rs        Response normalization\n    streaming.rs       SSE event formatting\n  websearch/mod.rs     DuckDuckGo web search interception\nstatic/index.html     Embedded admin portal SPA\ninfra/                 AWS CDK (TypeScript) for ECS Fargate + RDS\nmigrations/            Postgres schema migrations\n```\n\n### Tech stack\n\n- **Language:** Rust (axum + tokio)\n- **AWS SDK:** aws-sdk-bedrockruntime\n- **Database:** PostgreSQL with sqlx\n- **Infrastructure:** AWS CDK (TypeScript), ECS Fargate (ARM64), RDS, ALB\n- **Admin portal:** Vanilla HTML/JS SPA embedded at compile time\n\n## FAQ\n\n### How is this different from using `CLAUDE_CODE_USE_BEDROCK=1`?\n\nSetting `CLAUDE_CODE_USE_BEDROCK=1` connects Claude Code to Bedrock directly, identifying it as a Bedrock client. In this mode, extended thinking and some tool use features are not available. CCAG presents as the Anthropic API (`ANTHROPIC_BASE_URL`), enabling these features while inference runs through Bedrock in your AWS account.\n\n### What features does CCAG provide beyond direct Bedrock?\n\nExtended thinking, web search (with per-user configurable providers: DuckDuckGo, Tavily, Serper, or custom), and complete tool use support. CCAG also adds team management features not available in direct Bedrock mode: virtual API keys, per-user/team budgets, rate limiting, OIDC SSO, and an analytics dashboard.\n\n### What OIDC providers are supported?\n\nAny provider that exposes a `.well-known/openid-configuration` endpoint: Okta, Azure AD (Entra ID), Google Workspace, Auth0, Keycloak, AWS IAM Identity Center, and others. Multiple providers can be active at the same time. Each is configured as a separate identity provider in the admin portal or via the `OIDC_ISSUER` environment variable.\n\n### Can I use multiple AWS accounts or regions?\n\nYes. A single CCAG instance can route to multiple Bedrock endpoints across different AWS accounts and regions. Configure endpoints through the admin portal or API, then assign them to teams with routing strategies (sticky user, primary/fallback, or round robin). Cross-account access is supported via STS AssumeRole. See [docs/endpoints.md](docs/endpoints.md) for details.\n\n### What is the latency overhead?\n\nCCAG adds 1-5ms for request translation and response normalization. When deployed in the same region as Bedrock, network round-trip to Bedrock is under 1ms. Streaming responses are forwarded as they arrive with no buffering.\n\n### How do I upgrade?\n\nPre-built images and binaries are published to [GitHub Releases](https://github.com/antkawam/claude-code-aws-gateway/releases) on every release. No compilation required.\n\n- **Docker Compose:** `docker compose pull \u0026\u0026 docker compose up -d` (or pin with `CCAG_VERSION=1.0.2`)\n- **CDK:** `npx cdk deploy -c environment=prod -c imageTag=1.0.2`\n- **CLI:** `ccag update`\n\nDatabase migrations run automatically on startup. See [docs/upgrading.md](docs/upgrading.md) for details.\n\n### Can I use this with Claude Code in VS Code or JetBrains?\n\nYes. Claude Code extensions for VS Code and JetBrains use the same underlying CLI. Set `ANTHROPIC_BASE_URL` in your Claude Code settings to point to your CCAG instance.\n\n### What models are supported?\n\nClaude 4+ models on Bedrock are supported. Model IDs are translated automatically: use Anthropic-style names (e.g., `claude-sonnet-4-20250514`) and CCAG maps them to the Bedrock inference profile for your region. Custom mappings can be configured through the admin portal.\n\n### How does web search work?\n\nAnthropic's `web_search` tool is a server-side feature that Bedrock does not implement. When Claude Code sends a request containing a `web_search` tool use, CCAG intercepts it, executes the search via DuckDuckGo, and returns the results in Anthropic's `server_tool_use`/`web_search_tool_result` format.\n\n## Roadmap\n\n- **MCP server** — manage CCAG as an MCP server alongside the CLI\n- **Custom guardrails** — configurable input/output validation rules beyond built-in detection\n- **SMTP notifications** — email delivery for budget alerts without requiring SNS\n\nSee [GitHub Discussions](https://github.com/antkawam/claude-code-aws-gateway/discussions) to suggest features or vote on priorities.\n\n## License\n\n[MIT](LICENSE)\n","funding_links":[],"categories":["Ecosystem"],"sub_categories":["GateGuard — Fact-Forcing PreToolUse Gate"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantkawam%2Fclaude-code-aws-gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fantkawam%2Fclaude-code-aws-gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fantkawam%2Fclaude-code-aws-gateway/lists"}