What do you want to change?
Let the bedrock-converse-stream provider use a resolved apiKey as a bearer token when no other Bedrock credential is present. Precedence: explicit bearerToken option > AWS_BEARER_TOKEN_BEDROCK env var > apiKey.
Why?
When pointing a custom provider (api: "bedrock-converse-stream") at an AI gateway that fronts Bedrock with a bearer token, the natural config is apiKey: "$GATEWAY_TOKEN". But the provider only reads options.bearerToken / AWS_BEARER_TOKEN_BEDROCK, so apiKey is silently ignored. The config looks complete yet fails to authenticate, and the only workaround is to also export AWS_BEARER_TOKEN_BEDROCK before launch — duplicating the same token. Every other provider authenticates from apiKey; Bedrock is the surprising exception.
How? (optional)
One guarded line in packages/ai/src/providers/amazon-bedrock.ts:
const apiKeyBearer = options.apiKey && options.apiKey !== AUTHENTICATED_SENTINEL ? options.apiKey : undefined;
const bearerToken = options.bearerToken || process.env.AWS_BEARER_TOKEN_BEDROCK || apiKeyBearer || undefined;
apiKey already reaches the provider via StreamOptions. The "<authenticated>" sentinel that getEnvApiKey() returns for SigV4/profile/role credentials is excluded, so existing SigV4 setups are unaffected. AWS_BEDROCK_SKIP_AUTH=1 still disables bearer auth.
I have the change implemented with regression tests (precedence, sentinel guard, SKIP_AUTH, streamSimple entrypoint) and would like to submit the PR if approved.
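The precedence and sentinel guard described above, as an added example that is not the project's code. `resolveBedrockBearer`, `BearerSource`, the `env` parameter and the placement of the `AWS_BEDROCK_SKIP_AUTH` check are assumptions; the function also reports which source was chosen, so the decision can be logged without exposing the token.

```typescript
// Added example, not the project's code. Option and env names come from the
// issue text; resolveBedrockBearer and BearerSource are hypothetical names.
const AUTHENTICATED_SENTINEL = "<authenticated>"; // value quoted in the issue

type BearerSource = "option" | "env" | "apiKey" | "none";
type Env = Record<string, string | undefined>;

interface BearerOptions {
  bearerToken?: string;
  apiKey?: string;
}

interface ResolvedBearer {
  token: string | undefined;
  source: BearerSource; // safe to log; the token itself is not
}

function resolveBedrockBearer(options: BearerOptions, env: Env): ResolvedBearer {
  // Assumption: the skip flag is checked before any token is considered.
  if (env["AWS_BEDROCK_SKIP_AUTH"] === "1") return { token: undefined, source: "none" };

  // Explicit option wins, then the dedicated env var.
  if (options.bearerToken) return { token: options.bearerToken, source: "option" };
  const fromEnv = env["AWS_BEARER_TOKEN_BEDROCK"];
  if (fromEnv) return { token: fromEnv, source: "env" };

  // The sentinel marks SigV4/profile/role credentials and is not a secret, so
  // it must never be sent as "Authorization: Bearer <authenticated>".
  if (options.apiKey && options.apiKey !== AUTHENTICATED_SENTINEL) {
    return { token: options.apiKey, source: "apiKey" };
  }
  return { token: undefined, source: "none" };
}

// Constructed sample inputs, one per branch of the precedence chain.
function sampleSources(): BearerSource[] {
  const gateway = "constructed-gateway-token";
  const envToken = { AWS_BEARER_TOKEN_BEDROCK: "constructed-env-token" };
  return [
    resolveBedrockBearer({ apiKey: gateway }, {}),
    resolveBedrockBearer({ apiKey: gateway }, envToken),
    resolveBedrockBearer({ apiKey: gateway, bearerToken: "constructed-option-token" }, envToken),
    resolveBedrockBearer({ apiKey: AUTHENTICATED_SENTINEL }, {}),
    resolveBedrockBearer({ apiKey: gateway }, { AWS_BEDROCK_SKIP_AUTH: "1" }),
  ].map((r) => r.source);
}
```
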