Files
sproutclaw/packages
wirjo 22085a9a17 feat(bedrock): support Bearer token auth for Converse API (#3125)
Adds bearer token authentication for the Bedrock Converse API, enabling
users to authenticate with an API key instead of SigV4/IAM credentials.

When a bearer token is available (via `options.bearerToken` or the
`AWS_BEARER_TOKEN_BEDROCK` env var), the provider:
1. Sets dummy credentials to prevent SDK credential resolution errors
2. Injects middleware after SigV4 signing that replaces the Authorization
   header with `Bearer <token>` and removes SigV4-specific headers

This uses the official `bedrock:CallWithBearerToken` IAM action, which
is a documented AWS feature for API key auth on Bedrock endpoints.

Use case: users who receive a Bedrock API key (bearer token) from the
AWS console or their admin, without having IAM access keys or instance
roles. Similar to how ANTHROPIC_API_KEY works for direct Anthropic API.

Required IAM permission on the token's identity:
  bedrock:CallWithBearerToken

Tested: Bearer token successfully authenticates against Bedrock Converse
API (returns correct 403 for missing IAM permission, not auth format error).
SigV4 path is unchanged when no bearer token is set.
2026-04-16 23:34:18 +02:00
..
2026-04-16 23:25:54 +02:00