# Stratoclave: a tenant-aware credit gateway for Amazon Bedrock — now with OpenAI codex support > Source: > Published: 2026-06-03 11:21:13+00:00 If you let a team share a single AWS account for Amazon Bedrock, you quickly run into questions Bedrock alone does not answer: who called which model, under whose budget, through which identity. **Stratoclave** is a small OSS gateway that puts those answers in front of Bedrock without dragging in Postgres, Redis, or a SaaS control plane. It was originally written for myself — I just wanted per-user credits in front of Bedrock for personal use of Claude Code. It grew into something that now also covers OpenAI codex / GPT-5.x via Bedrock's `bedrock-mantle` endpoint. Repo:[(Apache 2.0, alpha)]`littlemex/stratoclave` Stratoclave is a single FastAPI service on ECS Fargate that exposes two inference routes: | Route | Wire format | Backend | |---|---|---| `POST /v1/messages` | Anthropic Messages API | `bedrock:Converse` in us-east-1 | `POST /openai/v1/responses` | OpenAI Responses API | `bedrock-mantle` in us-east-2 / us-west-2 | Both routes share the same DynamoDB-backed credit reservation, the same `messages:send` / `responses:send` RBAC scopes, the same audit log, and the same three identity paths (Cognito password, AWS SSO via Vouch-by-STS, long-lived `sk-stratoclave-*` keys). The control plane is one AWS region (us-east-1) and one Fargate task. Bedrock for OpenAI is cross-region, but no second control-plane region is deployed. The web console login screen redirects to the Cognito Hosted UI for password / SSO sign-in; CLI users instead run `stratoclave auth login` and then bring this tab into focus with `stratoclave ui open` . The reason this exists. Every inference call atomically reserves `max_tokens + input_estimate` from the caller's budget with a conditional `UpdateItem` , invokes the upstream, then refunds the diff from the real token counts on return. `UsageLogs` always records the actual spend, not the reservation. Concurrent requests cannot race past the quota — the conditional write either commits or fails. The pipeline lives in one file (`backend/mvp/_pipeline.py` ) and is shared between both routes — the OpenAI Responses route applies an extra reasoning-effort multiplier (1× / 2× / 4× / 8× for `low` / `medium` / `high` / `xhigh` ) on the upfront reservation because reasoning traces can blow output by an order of magnitude. The minimum reservation is 8 192 tokens regardless of multiplier. Personal usage history shows per-call token counts, model names, and credit spend drawn from the same `UsageLogs` table. The single behaviour I am proudest of. The CLI signs an `sts:GetCallerIdentity` request locally with SigV4, the backend forwards the signed payload to STS verbatim, and the backend trusts only the `Arn` / `UserId` / `Account` STS returns. No IdP refresh token ever touches the backend. The pattern is the same one [HashiCorp Vault has used for a decade](https://developer.hashicorp.com/vault/docs/auth/aws) in its AWS `iam` auth method. Anything that populates `~/.aws/credentials` works the same way: `aws sso login` , `saml2aws` , Entra ID / Okta / ADFS SAML federation, even a regular IAM user with long-lived keys (default DENY unless explicitly allowed per trusted account). EC2 instance profiles are rejected by default because they cannot be attributed to a single human. A full backend compromise cannot pivot into the customer's IAM Identity Center or SAML IdP. The worst-case blast radius is bounded to Stratoclave's own resources — Bedrock overspend, DynamoDB tampering, impersonation within this deployment. The trusted-accounts admin page is where AWS account IDs and `allowed_role_patterns` (fnmatch) are managed — this is the allowlist that gates SSO logins from outside accounts. `stratoclave codex -- "..."` (and `stratoclave claude -- "..."` ) A wrapper subcommand that mints a 30-minute ephemeral `responses:send` (or `messages:send` ) key, hands it to the child process via env, and revokes the key on exit: ``` bash $ stratoclave codex -- "Write a hello-world Python function" [INFO] Launching codex via Stratoclave proxy (model=openai.gpt-5.4, key=sk-stratoclave-...) [INFO] Child process uses an ephemeral responses-only API key; the Cognito bearer is not exported and the user's ~/.codex/config.toml is untouched. ``` The child gets a key scoped to exactly one route; the user's Cognito bearer never leaves the parent process. MCP servers and tool subprocesses started by codex cannot pivot back into the user's stratoclave admin endpoints because the env they inherit doesn't carry the right credentials. The same wrapper exists for Claude Code (`stratoclave claude` ). They share the env-scrub list and the revoke-on-exit lifecycle through one Rust struct (`ChildLauncher` ) so a fix to one applies to both. `/.well-known/stratoclave-config` One unauthenticated discovery endpoint that drives the entire CLI bootstrap: ``` bash $ stratoclave setup https://.cloudfront.net $ stratoclave auth sso --profile your-aws-sso-profile # or `auth login --email` $ stratoclave codex -- "..." ``` The endpoint returns Cognito IDs, default model names, and OpenAI base path / supported regions when `CODEX_ENABLED=true` . Old CLI binaries hitting a new backend deserialize cleanly because every new field is `Optional` . Anything that speaks Anthropic Messages or OpenAI Responses with a custom `base_url` works. The CLI is just a quality-of-life wrapper. If you prefer using the OpenAI SDK directly: ``` python import openai client = openai.OpenAI( base_url="https://.cloudfront.net/openai/v1", api_key="sk-stratoclave-xxxxxxxx...", # mint via web console or CLI ) resp = client.responses.create( model="openai.gpt-5.4", input="Hello", ) print(resp.output_text) ``` Same for Anthropic: ``` python from anthropic import Anthropic client = Anthropic( base_url="https://.cloudfront.net", api_key="sk-stratoclave-xxxxxxxx...", ) print(client.messages.create( model="claude-opus-4-7", max_tokens=1024, messages=[{"role": "user", "content": "Hello"}], ).content[0].text) ``` Claude Desktop's Cowork (Gateway mode) and Cline / Continue / Aider with `ANTHROPIC_BASE_URL` work the same way. The personal API-keys page is where you manage long-lived `sk-stratoclave-*` keys yourself — the same key-shape the wrapper subcommands mint ephemerally and revoke on exit. The admin flow from dashboard to a provisioned tenant member, top to bottom. The dashboard summarises tenants, users, recent activity, and credit consumption. The new-user form collects email, role (`admin` / `team_lead` / `user` ), tenant assignment, and an initial credit budget. The user detail view shows assigned role, tenant, remaining vs total credit, and the user's own API keys. The tenant detail view lists members, their credit balances, and the tenant-wide monthly cap. The admin usage-logs page is the audit trail. Filter by `tenant_id` , `user_id` , and ISO-8601 `since` / `until` — backed by a PK Query when `tenant_id` is set, a GSI Query when `user_id` is set, and a Scan otherwise (truncated at 100 rows). `bedrock-mantle` calls for OpenAI are cross-region (us-east-2 / us-west-2).| Dimension | Stratoclave | LiteLLM Proxy | |---|---|---| | Providers | Amazon Bedrock (Claude family + OpenAI GPT-5.x) | 100+ (OpenAI, Anthropic, Bedrock, Vertex, Azure, Gemini, Ollama, …) | | State | DynamoDB only (serverless) | Postgres required, Redis recommended | | RBAC | admin / team_lead / user, tenant-scoped | Proxy / Internal User / Team, global / team / user / key / model budgets | | API keys | `sk-stratoclave-*` , scope narrowing, cap of 5 active, immediate revoke | Virtual keys with `expires / max_budget / rpm_limit / tpm_limit / models` | | SSO / STS | Built-in (Vouch by STS, covers `aws sso` , `saml2aws` , IAM users) | Enterprise tier (Okta / Entra ID / OIDC / SAML) | | Deploy | AWS CDK v2, Fargate from 256 CPU / 512 MiB | Docker / Helm / ECS / EKS / Cloud Run | | License | Apache 2.0 (everything OSS) | Dual license (MIT + Commercial); SSO / audit are commercial | | CLI integration | `stratoclave claude --` / `stratoclave codex --` ephemeral wrappers | `ANTHROPIC_BASE_URL` / `OPENAI_BASE_URL` env override | You're an AWS-native team that already has IAM Identity Center / `saml2aws` , you only call Bedrock, and you do not want to run an RDBMS for a proxy. You want per-tenant credit, per-user override, an audit trail, and the option to mint short-lived keys for CI without touching Postgres. You're not? Pick LiteLLM. Stratoclave is opinionated and small on purpose. ``` # Deploy to your AWS account git clone https://github.com/littlemex/stratoclave.git cd stratoclave export AWS_PROFILE=your-admin-profile export AWS_REGION=us-east-1 CDK_DEFAULT_REGION=us-east-1 export CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text) cd iac && npm install && ./scripts/deploy-all.sh # Build the CLI (pre-built binaries TBD) cd ../cli && cargo build --release export PATH="$PWD/target/release:$PATH" # Bootstrap and use stratoclave setup https://.cloudfront.net stratoclave auth sso --profile stratoclave codex -- "Hello, who are you?" stratoclave claude -- "Summarise this repository" ``` Alpha. Public HTTP surfaces, DynamoDB schemas, and CDK construct props may change without notice until `v0.1.0` is cut. Issues and pull requests welcome. If you read this far and the tradeoffs match your situation, I would be very glad to hear how the deploy goes.