feat: Add Bedrock provider support to inference configuration

[skamenan7]

What does this PR do?

Adds AWS Bedrock provider support to the llama-stack distribution by configuring the remote::bedrock provider in both build.yaml and run.yaml files. This enables users to leverage AWS Bedrock models for inference through the llama-stack framework.

The changes include:

• Added remote::bedrock provider type to build.yaml inference providers
• Added complete bedrock-inference provider configuration in run.yaml with AWS credentials and connection settings

Summary by CodeRabbit

• New Features

  • Added support for Amazon Bedrock as a remote inference provider; selectable alongside existing providers and configurable with AWS credentials, region, and reliability/performance settings (retry mode, max attempts, connection/read timeouts, session TTL).

• Chores

  • Added the AWS SDK dependency required to enable Bedrock integration.

[coderabbitai]

Walkthrough

Added a new inference provider type remote::bedrock to the build spec, declared a bedrock-inference provider with AWS credential, retry and timeout settings in the runtime config, and included boto3 in the container image dependencies.

Changes

Cohort / File(s)	Summary
Build spec distribution/build.yaml	Inserted remote::bedrock under distribution_spec.providers.inference. No other modifications.
Runtime provider config distribution/run.yaml	Added bedrock-inference ( provider_type: remote::bedrock ) with AWS config keys: aws_access_key_id, aws_secret_access_key, aws_session_token, region_name, profile_name, total_max_attempts, retry_mode, connect_timeout, read_timeout, session_ttl. Existing providers unchanged.
Container dependencies distribution/Containerfile	Added boto3 to the Python pip install list.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant App as Application
  participant Cfg as Config Loader
  participant Prov as Provider Registry
  participant BR as Bedrock Provider (remote::bedrock)
  participant AWS as AWS Bedrock

  App->>Cfg: Load providers.inference
  Cfg-->>Prov: Register providers (including bedrock-inference)
  App->>Prov: getProvider("bedrock-inference")
  Prov-->>App: Bedrock Provider instance

  App->>BR: infer(request)
  BR->>BR: Resolve AWS creds, region, timeouts, retries
  BR->>AWS: Invoke model inference (via boto3)
  AWS-->>BR: Response / error
  BR-->>App: Inference result
  note over BR,AWS: Retries governed by retry_mode / total_max_attempts

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks (3 passed)

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "feat: Add Bedrock provider support to inference configuration" is concise and directly describes the primary change in the PR — adding AWS Bedrock as an inference provider in the build/run configuration — so it accurately summarizes the main change for reviewers.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

Poem

A nibble of config, a hop through the cloud,
Bedrock now beckons—our carrots are proud!
With regions and retries neatly in line,
I thump out requests; the results come fine.
Ears up, paws ready—new paths we tread. 🥕✨

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5c0df6b and d47ab5f.

📒 Files selected for processing (3)

• distribution/Containerfile (1 hunks)
• distribution/build.yaml (1 hunks)
• distribution/run.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• distribution/Containerfile
• distribution/run.yaml
• distribution/build.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-test-push (linux/amd64)

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/Bedrock-midstream-772

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[skamenan7]

cc: @leseb , @nathan-weinberg

Here is the PR for midstream. Please review. Thanks!

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

distribution/Containerfile (1)

46-49: Do not bake AWS credentials into the image; avoid copying run.yaml with secrets.

PR summary indicates run.yaml contains AWS keys. Copying it into the image embeds secrets irreversibly in image layers and caches.

Recommended:

• Remove the COPY of run.yaml and mount it at runtime (Kubernetes Secret/ConfigMap) at /opt/app-root/run.yaml, or
• Keep run.yaml in the image but rely on the AWS default credential chain (IRSA/STS/IMDS/profile) and remove static keys from the file.

Suggested change in this file:

- COPY distribution/run.yaml ${APP_ROOT}/run.yaml

Notes:

• Keep the ENTRYPOINT unchanged and mount the config to that exact path in your deployment.
• Also review distribution/providers.d/ contents for secrets; mount those as Secrets if they contain credentials.

🧹 Nitpick comments (1)

distribution/Containerfile (1)

11-11: Pin boto3 and botocore to Bedrock-compatible versions

In distribution/Containerfile, update the install hunk:

-    boto3 \
+    boto3==${BOTO3_VERSION} \
+    botocore==${BOTOCORE_VERSION} \

Add at the top:

ARG BOTO3_VERSION=1.37.0
ARG BOTOCORE_VERSION=1.40.25

Ensures support for BedrockRuntime.invoke_model (boto3 v1.37.0) and bedrock-runtime Converse (botocore v1.40.25).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 03d0712 and 5c0df6b.

📒 Files selected for processing (3)

• distribution/Containerfile (1 hunks)
• distribution/build.yaml (1 hunks)
• distribution/run.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• distribution/build.yaml
• distribution/run.yaml

[nathan-weinberg]

What is the difference between this and #15?

Also, can you please use a fork instead of creating branches directly in the repo?

[skamenan7]

Sure I will.

[nathan-weinberg]

Sure I will.

I still don't know what the difference is between this and the other PR?

[skamenan7]

yes, Nathan. This was one the PR where I used a branch instead of fork.