How to Run OpenAI Codex on AWS: A 2026 Setup Guide

On June 1, 2026, OpenAI announced that its frontier models and Codex are now available on AWS. For teams already standardized on Amazon's cloud, that removes a real adoption barrier: you can now run OpenAI Codex on AWS inside the same account, billing, and IAM boundary you already use for everything else. This guide walks through how to set it up cleanly, what to get right on permissions, and how to wire Codex into an agentic coding workflow — while being explicit about which details you should confirm in the official console rather than copy from a blog.

A note on accuracy: this guide is grounded in OpenAI's June 1 announcement plus standard AWS setup practice. Where an exact model identifier, region, or price is required, we tell you to pull it from the live AWS/OpenAI console rather than hardcoding a value, because those specifics change and should come from the source of truth.

Why run OpenAI Codex on AWS?

If your stack already lives in AWS, hosting your coding agent's model there has concrete benefits:

One security boundary. Calls stay inside your AWS account, governed by IAM, with logging through your existing CloudTrail/observability setup.
Unified billing and quotas. Model usage shows up on the same AWS bill, simplifying cost tracking and budget controls.
Lower data-movement friction. Source code and prompts don't have to traverse a separate third-party boundary, which matters for compliance reviews.
Closer to your data and tools. Your repos, CI, and internal services are already in-region.

If you're weighing models for an agentic coding workflow before you commit, our Claude vs GPT comparison and the 2026 AI agent leaderboard are useful starting points.

Prerequisites

Before you begin, make sure you have:

An AWS account with permission to enable new foundation-model providers and create IAM roles/policies.
The AWS CLI v2 installed and configured (aws configure) with credentials for that account.
A recent runtime for whichever client you'll use — typically Node.js (for the Codex CLI) and/or Python (for SDK calls).
Admin or a delegated role that can grant model access, since first-time provider enablement is usually an account-admin action.

Step 1 — Enable the OpenAI models in your AWS account

OpenAI models reach AWS through Amazon's managed foundation-model surface. In the AWS console:

Open the foundation-model / model-access area of the console for your chosen Region.
Locate the OpenAI provider and request access to the model(s) you need, including Codex for agentic coding.
Approve any terms and wait for access to move to "granted."

Confirm in the console: the exact provider/service name, the Regions where OpenAI models are offered, and the precise model IDs. Use whatever the console shows — do not assume a model ID or Region; offerings roll out region-by-region.

Step 2 — Create least-privilege IAM permissions

Don't run this with admin keys. Create a dedicated IAM role or user scoped to only invoking the models you enabled:

Grant only the model-invocation actions your client needs (read the policy hints the console surfaces when you enable access).
Restrict to the specific model resource ARNs/Regions you're using rather than a wildcard.
Prefer short-lived credentials (an assumed role) over long-lived access keys, especially for CI.

This matters double for coding agents, which can take real actions — keep the model-invocation credential separate from any credential that can push code or touch production.

Step 3 — Configure credentials locally

Point your environment at the right account and Region:

# Verify your identity and Region
aws sts get-caller-identity
aws configure get region

# Or set an explicit profile/region for this work
export AWS_PROFILE=codex-on-aws
export AWS_REGION=<the-region-shown-in-console>

Use a named profile dedicated to this workflow so model calls are easy to audit and rotate.

Step 4 — Make your first call

Validate access with a minimal request before wiring anything complex. The exact invocation depends on the client and the model ID from Step 1; the pattern is: authenticate via your AWS credentials, target the OpenAI model on AWS, send a small prompt, and confirm you get a completion back.

# Illustrative shape only — replace the service command, --model-id,
# and request body with the exact values from the AWS console docs.
aws <bedrock-runtime-or-the-service-named-in-console> invoke-model \
  --model-id "<openai-codex-model-id-from-console>" \
  --body '{ "input": "Write a Python function that reverses a string." }' \
  --region "$AWS_REGION" \
  out.json

If that returns a completion, your account, Region, model access, and IAM scope are all correct. If it fails, the error almost always points to one of those four: wrong Region, model not yet granted, missing IAM action, or a malformed request body.

Step 5 — Wire Codex into your coding workflow

With access confirmed, connect Codex to your agentic coding setup:

Codex CLI / SDK: Install the official client and point it at your AWS-hosted endpoint and credentials per OpenAI's announcement docs. Configure it to authenticate through your AWS profile rather than a separate API key where the integration supports it.
Scope its actions. Treat the coding agent like any other agent: least-privilege tools, no ambient production credentials, and a review/approval gate before it commits or deploys.
Add observability. Route requests through CloudTrail/your logging so you can track usage, cost, and behavior.

For a deeper look at why disciplined scaffolding — not just a strong model — determines whether a coding agent is actually useful, see our research on the agent execution bottleneck.

FAQ

Is OpenAI Codex on AWS the same as the standalone OpenAI API?

The model capability is OpenAI's, but on AWS it runs inside your AWS account's security, billing, and IAM context instead of OpenAI's direct API surface. That's the main operational difference: governance and data flow, not a different model family. Confirm feature parity details against the official announcement.

Which AWS Regions support OpenAI Codex?

Region availability is set by AWS and rolls out over time. Check the model-access page in the console for the current list rather than assuming a Region — pick one where the specific OpenAI models you need show as available.

How much does it cost to run Codex on AWS?

Pricing appears on your AWS bill, but the exact per-token or per-request rates should be read from the official AWS/OpenAI pricing pages for your Region. We don't quote numbers here because model pricing changes and is Region-dependent.

Do I still need an OpenAI API key?

That depends on how the AWS integration handles auth. Where the integration authenticates through AWS IAM, you manage access with AWS credentials; some tooling may still expect an OpenAI-style key. Follow the official setup docs for your chosen client — and never commit any key or long-lived credential to source control.

Can I use Codex on AWS for autonomous agents?

Yes, and you should apply the same containment discipline as any agent deployment: scoped tools, sandboxed execution, gated irreversible actions, and full logging. A model on your own cloud doesn't reduce the need for safe agent design.

Key takeaways

OpenAI Codex on AWS lets you run OpenAI's coding model inside your existing AWS account, IAM, and billing as of June 1, 2026.
The setup path is: enable model access → scope IAM tightly → configure credentials → test with one call → wire Codex into your workflow.
Pull exact model IDs, Regions, and pricing from the live console — don't hardcode them from a guide.
Treat the coding agent with least privilege and a review gate, just like any other agent.

Ready to choose the right model for your agent stack? Compare options in our Claude vs GPT deep comparison, and explore how Clawvard evaluates agentic coding performance across models.