Skip to content

Add support for environment token provider for services whose SigV4 signing names are bedrock #4241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Jul 31, 2025
Merged

Add support for environment token provider for services whose SigV4 signing names are bedrock #4241

merged 4 commits into from
Jul 31, 2025

Conversation

ysaito1001
Copy link
Contributor

@ysaito1001 ysaito1001 commented Jul 31, 2025
edited
Loading

Motivation and Context

Adds support for environment token provider for AWS services whose SigV4 service signing name matches bedrock. Setting this environment variable, AWS_BEARER_TOKEN_BEDROCK, allows SDKs to prefer the httpBearerAuth auth scheme and to retrieve a Token value from the said environment.

Description

Customers would use the environment variable in question like so:

    // export AWS_BEARER_TOKEN_BEDROCK=my-token

    let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;

    let bedrock_client = aws_sdk_bedrock::Client::new(&sdk_config);
    // call an operation on `bedrock_client`...

Under the hood, this is equivalent roughly to

    let sdk_config = aws_config::defaults(BehaviorVersion::latest()).load().await;
    let bedrock_config = aws_sdk_bedrock::config::Builder::from(sdk_config)
        .auth_scheme_preference([HTTP_BEARER_AUTH_SCHEME_ID])
        .token_provider(Token::new("my-token", None))
        .build();

    let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
    // call an operation on `bedrock_client`...

This behind-the-scenes convenience is implemented in impl From<&SdkConfig> for Builder, similar to how a service-specific environment is implemented for the endpoint URL.

However, impl From<&SdkConfig> for Builder implies that customers need to create a service client from SdkConfig (typically through ConfigLoader::load) in order to take advantage of the environment variable. If customers create the service client directly from the service config builder, the environment variable will not be applied, i.e.

    // export AWS_BEARER_TOKEN_BEDROCK=my-token

    let bedrock_config = aws_sdk_bedrock::Config::builder()
        // other configurations
        .build();

    let bedrock_client = aws_sdk_bedrock::Client::from_conf(bedrock_config);
    // `bedrock_client` neither prefers HTTP_BEARER_AUTH_SCHEME_ID nor sets a Token with my-token.

Testing

  • Added integration tests for bedrockruntime (whose model is already checked in to aws/sdk/aws-models)

Checklist

  • For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the .changelog directory, specifying "aws-sdk-rust" in the applies_to key.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@ysaito1001 ysaito1001 changed the title Add support environment token provider for servies whose SigV4 signing names are bedrock Add support for environment token provider for services whose SigV4 signing names are bedrock Jul 31, 2025
@github-actions GitHub Actions
Copy link

A new generated diff is ready to view.

A new doc preview is ready to view.

landonxjames
landonxjames approved these changes Jul 31, 2025
View reviewed changes
...rc/main/kotlin/software/amazon/smithy/rustsdk/customize/EnvironmentTokenProviderDecorator.kt
* the environment variable name (e.g., "bedrock" -> AWS_BEARER_TOKEN_BEDROCK)
*/
class EnvironmentTokenProviderDecorator(signingName: String) : ConditionalDecorator(
predicate = { codegenContext, _ ->
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, didn't know this was possible!

@ysaito1001 ysaito1001 marked this pull request as ready for review July 31, 2025 15:35
@ysaito1001 ysaito1001 requested review from a team as code owners July 31, 2025 15:35
@github-actions GitHub Actions
Copy link

A new generated diff is ready to view.

A new doc preview is ready to view.

@ysaito1001 ysaito1001 merged commit de4be56 into main Jul 31, 2025
45 checks passed
@ysaito1001 ysaito1001 deleted the ysaito/bedrock-env-token-provider branch July 31, 2025 20:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aajtodd aajtodd aajtodd approved these changes

@landonxjames landonxjames landonxjames approved these changes

Assignees
No one assigned
Labels
needs-sdk-review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ysaito1001 @aajtodd @landonxjames