18 changes: 16 additions & 2 deletions api/v1alpha1/agentgateway/agentgateway_policy_types.go
@@ -707,7 +707,7 @@ const (
HostnameRewriteModeNone HostnameRewriteMode = "None"
)

// +kubebuilder:validation:ExactlyOneOf=key;secretRef;passthrough
// +kubebuilder:validation:ExactlyOneOf=key;secretRef;passthrough;aws
type BackendAuth struct {
// key provides an inline key to use as the value of the Authorization header.
// This option is the least secure; usage of a Secret is preferred.
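Review bot: the new `aws` entry in the `ExactlyOneOf` marker must spell the JSON name rather than the Go field name, because kubebuilder turns this list directly into the CEL rule `has(self.aws)` seen in the regenerated CRD hunks below; the field added in the next hunk carries `json:"aws,omitempty"`, so the names line up, but a typo here would silently reject every object that sets the field, so a test that exercises the `aws` branch of the rule is worth adding alongside this change.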
@@ -726,7 +726,21 @@ type BackendAuth struct {
// request, the original token would be unchanged, so this would have no effect.
// +optional
Passthrough *BackendAuthPassthrough `json:"passthrough,omitempty"`
// TODO: aws, azure, gcp
// TODO: azure, gcp

// Auth specifies an explicit AWS authentication method for the backend.
// When omitted, we will try to use the default AWS SDK authentication methods.
//
// +optional
AWS *AwsAuth `json:"aws,omitempty"`
}

// AwsAuth specifies the authentication method to use for the backend.
type AwsAuth struct {
// SecretRef references a Kubernetes Secret containing the AWS credentials.
// The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
// +required
Contributor

Are we going to add workload credentials in the future?

Contributor Author

You mean from the env of the pod? I think that is already supported; it's the default if you don't specify auth. cc @howardjohn

SecretRef corev1.LocalObjectReference `json:"secretRef"`
}

type BackendAuthPassthrough struct {
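Review bot: the doc comment on the new `AWS` field, "When omitted, we will try to use the default AWS SDK authentication methods", is ambiguous now that `aws` sits in the `ExactlyOneOf` marker: leaving `aws` unset while `key`, `secretRef` or `passthrough` is set selects that other method, and an `auth` block with none of the four set is rejected by the generated CEL rule, so the SDK default can only apply when the whole `auth` block is omitted. Suggest rewording to say exactly that, and starting the comment with the field name (`aws specifies ...`) as the sibling fields do (`key provides an inline key ...`), since the CRD descriptions in the later hunks are generated verbatim from this text. Two smaller points: `AwsAuth` currently has a single `+required` field, so if the workload-credential option raised in the thread above is added later, `secretRef` will have to become `+optional` behind its own `ExactlyOneOf`, which is worth anticipating in the type's comment; and the "accessKey", "secretKey" and "sessionToken" key names exist only in a comment, so a named constant or a test that pins them would keep the controller and the documentation from drifting apart.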
21 changes: 21 additions & 0 deletions api/v1alpha1/agentgateway/zz_generated.deepcopy.go

Some generated files are not rendered by default.

@@ -477,6 +477,30 @@ spec:
authentication to the
backend
properties:
aws:
description: |-
Auth specifies an explicit AWS authentication method for the backend.
When omitted, we will try to use the default AWS SDK authentication methods.
properties:
secretRef:
description: |-
SecretRef references a Kubernetes Secret containing the AWS credentials.
The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
key:
description: |-
key provides an inline key to use as the value of the Authorization header.
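Review bot: `secretRef.name` in this generated schema defaults to `""` and carries no `minLength`, so `aws: {secretRef: {}}` satisfies both `required: [secretRef]` and the `has(self.aws)` CEL rule while referencing no Secret at all; the schema's own description already admits such objects are "almost certainly wrong". Consider a field-level `+kubebuilder:validation:XValidation` marker on `AwsAuth.SecretRef` (for example `rule: self.name != ''`) so the object is rejected at admission instead of failing later in the controller. The description text here is copied verbatim from the Go comment, so the "Auth specifies ... When omitted" wording should be corrected at its source rather than in this file.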
@@ -510,9 +534,9 @@ spec:
x-kubernetes-validations:
- message: exactly one of
the fields in [key secretRef
passthrough] must be
set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size()
passthrough aws] must
be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size()
== 1'
http:
description: http defines
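Review bot: the regenerated rule and message match the marker, but note that they reject an empty `auth: {}` as well as any two-field combination, which is the behaviour the Go comment on the `aws` field should describe. The same rule recurs at four more places in this CRD in the hunks that follow, identical apart from line wrapping, which is consistent with controller-gen output; keep the file generated rather than hand-edited so all copies stay in step.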
@@ -1213,6 +1237,30 @@ spec:
description: auth defines settings for managing
authentication to the backend
properties:
aws:
description: |-
Auth specifies an explicit AWS authentication method for the backend.
When omitted, we will try to use the default AWS SDK authentication methods.
properties:
secretRef:
description: |-
SecretRef references a Kubernetes Secret containing the AWS credentials.
The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
key:
description: |-
key provides an inline key to use as the value of the Authorization header.
@@ -1245,8 +1293,8 @@ spec:
type: object
x-kubernetes-validations:
- message: exactly one of the fields in [key secretRef
passthrough] must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size()
passthrough aws] must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size()
== 1'
http:
description: http defines settings for managing
@@ -1829,6 +1877,30 @@ spec:
description: auth defines settings for managing
authentication to the backend
properties:
aws:
description: |-
Auth specifies an explicit AWS authentication method for the backend.
When omitted, we will try to use the default AWS SDK authentication methods.
properties:
secretRef:
description: |-
SecretRef references a Kubernetes Secret containing the AWS credentials.
The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
key:
description: |-
key provides an inline key to use as the value of the Authorization header.
@@ -1861,8 +1933,8 @@ spec:
type: object
x-kubernetes-validations:
- message: exactly one of the fields in [key secretRef
passthrough] must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size()
passthrough aws] must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size()
== 1'
http:
description: http defines settings for managing
@@ -2528,6 +2600,30 @@ spec:
description: auth defines settings for managing
authentication to the backend
properties:
aws:
description: |-
Auth specifies an explicit AWS authentication method for the backend.
When omitted, we will try to use the default AWS SDK authentication methods.
properties:
secretRef:
description: |-
SecretRef references a Kubernetes Secret containing the AWS credentials.
The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
key:
description: |-
key provides an inline key to use as the value of the Authorization header.
@@ -2560,9 +2656,9 @@ spec:
type: object
x-kubernetes-validations:
- message: exactly one of the fields in
[key secretRef passthrough] must be
set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size()
[key secretRef passthrough aws] must
be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size()
== 1'
http:
description: http defines settings for managing
@@ -3221,6 +3317,30 @@ spec:
description: auth defines settings for managing authentication
to the backend
properties:
aws:
description: |-
Auth specifies an explicit AWS authentication method for the backend.
When omitted, we will try to use the default AWS SDK authentication methods.
properties:
secretRef:
description: |-
SecretRef references a Kubernetes Secret containing the AWS credentials.
The Secret must have keys "accessKey", "secretKey", and optionally "sessionToken".
properties:
name:
default: ""
description: |-
Name of the referent.
This field is effectively required, but due to backwards compatibility is
allowed to be empty. Instances of this type with an empty value here are
almost certainly wrong.
More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
type: string
type: object
x-kubernetes-map-type: atomic
required:
- secretRef
type: object
key:
description: |-
key provides an inline key to use as the value of the Authorization header.
@@ -3252,9 +3372,9 @@ spec:
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: exactly one of the fields in [key secretRef passthrough]
must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough)].filter(x,x==true).size()
- message: exactly one of the fields in [key secretRef passthrough
aws] must be set
rule: '[has(self.key),has(self.secretRef),has(self.passthrough),has(self.aws)].filter(x,x==true).size()
== 1'
http:
description: http defines settings for managing HTTP requests