Skip to content

[Feat]: add AWS STS assume-role and SigV4 signing for Bedrock #747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
samadpls wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

[Feat]: add AWS STS assume-role and SigV4 signing for Bedrock #747

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
23d388b
Implement AWS credentials management and SigV4 signing for Bedrock in…
samadpls Feb 7, 2026
a66e93b
fixes
samadpls Feb 12, 2026
9664ecd
Merge branch 'main' into aws/iam-auth
samadpls Feb 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 17 additions & 0 deletions cli/planoai/config_generator.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,7 @@ def validate_and_render_schema():
llms_with_usage = []
model_name_keys = set()
model_usage_name_keys = set()
bedrock_providers_present = False

print("listeners: ", listeners)

Expand Down Expand Up @@ -240,6 +241,8 @@ def validate_and_render_schema():
f"Invalid model name {model_name}. Please provide model name in the format <provider>/<model_id> or <provider>/* for wildcards."
)
provider = model_name_tokens[0].strip()
if provider == "amazon_bedrock":
bedrock_providers_present = True

# Check if this is a wildcard (provider/*)
is_wildcard = model_name_tokens[-1].strip() == "*"
Expand Down Expand Up @@ -436,6 +439,20 @@ def validate_and_render_schema():
f"Model alias 2 - '{alias_name}' targets '{target}' which is not defined as a model. Available models: {', '.join(sorted(model_name_keys))}"
)

aws_credentials_config = {}
for key in ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]:
value = os.getenv(key)
if value:
aws_credentials_config[key] = value

if aws_credentials_config:
config_yaml["aws_credentials"] = aws_credentials_config
if not bedrock_providers_present:
print(
"WARNING: AWS credentials were detected but no amazon_bedrock model_providers were found. "
"These credentials will be unused unless Bedrock providers are configured."
)

arch_config_string = yaml.dump(config_yaml)
arch_llm_config_string = yaml.dump(config_yaml)

Expand Down
10 changes: 10 additions & 0 deletions config/arch_config_schema.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -128,6 +128,16 @@ properties:
timeout:
type: string
additionalProperties: false
aws_credentials:
type: object
properties:
AWS_ACCESS_KEY_ID:
type: string
AWS_SECRET_ACCESS_KEY:
type: string
AWS_SESSION_TOKEN:
type: string
additionalProperties: false
endpoints:
type: object
patternProperties:
Expand Down
119 changes: 119 additions & 0 deletions crates/Cargo.lock
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

15 changes: 15 additions & 0 deletions crates/common/Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,24 @@ urlencoding = "2.1.3"
url = "2.5.4"
hermesllm = { version = "0.1.0", path = "../hermesllm" }
serde_with = "3.13.0"
aws-sigv4 = { version = "1", optional = true }
aws-credential-types = { version = "1", optional = true }
aws-types = { version = "1", optional = true }
http = { version = "1", optional = true }
bytes = { version = "1", optional = true }
aws-smithy-runtime-api = { version = "1.9", optional = true }

[features]
default = []
trace-collection = ["tokio", "reqwest", "tracing"]
aws-sigv4 = [
"dep:aws-sigv4",
"dep:aws-credential-types",
"dep:aws-types",
"dep:http",
"dep:bytes",
"dep:aws-smithy-runtime-api",
]

[dev-dependencies]
pretty_assertions = "1.4.1"
Expand Down
24 changes: 24 additions & 0 deletions crates/common/src/aws_credentials.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
use crate::configuration::AwsCredentialsConfig;
use crate::errors::AwsError;

pub fn get_credentials_from_config(
config: &AwsCredentialsConfig,
) -> Result<(String, String, Option<String>), AwsError> {
let access_key_id = config
.access_key_id
.as_ref()
.ok_or_else(|| AwsError::CredentialError("AWS_ACCESS_KEY_ID not found".to_string()))?
.clone();

let secret_access_key = config
.secret_access_key
.as_ref()
.ok_or_else(|| AwsError::CredentialError("AWS_SECRET_ACCESS_KEY not found".to_string()))?
.clone();

Ok((
access_key_id,
secret_access_key,
config.session_token.clone(),
))
}
Loading