fix(ai/bedrock): use resolved apiKey as a bearer-token fallback #5586
Closed
Roman-Galeev wants to merge 1 commit into
The Bedrock provider only authenticated via `options.bearerToken` or the AWS_BEARER_TOKEN_BEDROCK env var. A gateway token configured through models.json `apiKey` (e.g. an AI gateway fronting Bedrock) was silently ignored, so a config that looked complete failed to authenticate unless the env var was also exported. Add `options.apiKey` as the lowest-precedence bearer-token source: `bearerToken` option > AWS_BEARER_TOKEN_BEDROCK > apiKey. The "<authenticated>" sentinel that getEnvApiKey() returns for SigV4 / profile / role credentials is explicitly excluded so existing SigV4 setups are unaffected. Extract the sentinel into a shared AUTHENTICATED_SENTINEL constant and add regression tests covering precedence, the sentinel guard, the SKIP_AUTH escape hatch, and the streamSimple entrypoint.
Contributor
This PR was auto-closed. Only contributors approved with Maintainers review auto-closed issues daily. Issues that do not meet the quality bar in CONTRIBUTING.md will not be reopened or receive a reply. If a maintainer replies See CONTRIBUTING.md.
This was the fix I needed :')
Fixes #5584.
Problem
The `bedrock-converse-stream` provider authenticates only via `options.bearerToken` or `AWS_BEARER_TOKEN_BEDROCK`. A gateway token configured through `models.json` `apiKey` (e.g. an AI gateway fronting Bedrock with a bearer token) is silently ignored, so a config that looks complete fails to authenticate unless the same token is also exported as `AWS_BEARER_TOKEN_BEDROCK`. Every other provider authenticates from `apiKey`; Bedrock was the surprising exception.
Change
`packages/ai/src/providers/amazon-bedrock.ts` now uses the resolved `apiKey` as the lowest-precedence bearer-token source:
`apiKey` already reaches the provider via `StreamOptions`, so no signature changes were needed. The `"<authenticated>"` sentinel that `getEnvApiKey()` returns for SigV4 / profile / role credentials is explicitly excluded, so existing SigV4 setups are unaffected, and `AWS_BEDROCK_SKIP_AUTH=1` still disables bearer auth.
The sentinel was a string literal duplicated in two places in `env-api-keys.ts`; it is now an exported `AUTHENTICATED_SENTINEL` constant so the provider guard and the producer cannot drift.
Tests
New `packages/ai/test/bedrock-bearer-token.test.ts` (7 cases) covers: apiKey → bearer, precedence of `bearerToken` and the env var over apiKey, the sentinel guard, the SigV4 (no-token) path, the `AWS_BEDROCK_SKIP_AUTH` escape hatch, and the `streamSimple` entrypoint.
Verification
`npm run check` — passes.
`packages/ai` test suite — 339 passed / 0 failed (the package I changed).
`./test.sh` surfaces 3 failures in `packages/coding-agent` (`package-command-paths`, `trust-manager`, `3302-find-path-glob`). These are unrelated to this change — none import the modified modules — and reproduce independently of it; they appear to be environment-sensitive on my machine.
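The precedence and sentinel guard this PR describes, as an added TypeScript sketch that is not the project's code: `resolveBearerToken`, `BedrockAuthOptions`, `ResolvedBearer` and `BearerSource` are hypothetical names, and the environment is passed in as a plain object so the logic can be checked without touching `process.env`. It assumes `AWS_BEDROCK_SKIP_AUTH=1` overrides every token source and that empty strings count as unset.

```typescript
// Added example, not the project's code. Option, env var and sentinel names come
// from the PR text; every other identifier here is hypothetical.
const AUTHENTICATED_SENTINEL = "<authenticated>";

type BearerSource = "option" | "env" | "apiKey";

interface BedrockAuthOptions {
  bearerToken?: string;
  apiKey?: string;
}

interface ResolvedBearer {
  token: string;
  source: BearerSource; // safe to log for auditing; the token itself is not
}

type Env = Record<string, string | undefined>;

function resolveBearerToken(
  options: BedrockAuthOptions,
  env: Env,
): ResolvedBearer | undefined {
  // Assumption: the escape hatch disables bearer auth regardless of source.
  if (env["AWS_BEDROCK_SKIP_AUTH"] === "1") return undefined;

  // Highest precedence first: bearerToken option > env var > apiKey.
  const candidates: Array<[BearerSource, string | undefined]> = [
    ["option", options.bearerToken],
    ["env", env["AWS_BEARER_TOKEN_BEDROCK"]],
    ["apiKey", options.apiKey],
  ];

  for (const [source, value] of candidates) {
    // Assumption: empty or whitespace-only values are treated as unset.
    if (!value || value.trim() === "") continue;
    // The sentinel only signals that SigV4 / profile / role credentials exist.
    // It must never be sent as a bearer value, so the apiKey slot skips it.
    if (source === "apiKey" && value === AUTHENTICATED_SENTINEL) continue;
    return { token: value, source };
  }
  return undefined; // no bearer token: the caller falls through to SigV4
}
```

Returning the winning source alongside the token lets an operator confirm from logs which credential a request actually used without ever writing the secret itself.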