fix(app): add bearer token authentication support for Bedrock#1789
kkkksu wants to merge 1 commit into kagent-dev:main from
Conversation
3e2e2ba to d90ce36
Pull request overview
Adds support in the Python Bedrock runtime for authenticating with an injected bearer token (AWS_BEARER_TOKEN_BEDROCK), aligning runtime behavior with the Go controller’s env var injection so Bedrock API-key auth works correctly.
Changes:
- Added a `before-sign` event handler to inject `Authorization: Bearer …` and configured the Bedrock client to use `UNSIGNED` when the bearer token env var is present.
- Added unit tests covering bearer-token behavior (UNSIGNED config, event registration, header injection) and IAM fallback behavior.
- Updated Bedrock module documentation to describe bearer token vs IAM auth.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| python/packages/kagent-adk/src/kagent/adk/models/_bedrock.py | Add bearer-token-based auth path for Bedrock client creation using UNSIGNED + event hook. |
| python/packages/kagent-adk/tests/unittests/models/test_bedrock.py | Add unit tests for bearer-token auth path and header injection behavior. |
| Makefile | Changes default app image name used by build tooling. |
| - **Bearer token**: Set ``AWS_BEARER_TOKEN_BEDROCK`` env var (API key auth). | ||
| - **IAM credentials**: Standard AWS credential chain (env vars, IAM role, etc.). |
The file-level docstring now documents bearer token auth, but the KAgentBedrockLlm class docstring later in this file still states it "Authenticates using the standard AWS credential chain." This is now inaccurate and may mislead readers; please update the class docstring to reflect both supported auth methods (IAM + AWS_BEARER_TOKEN_BEDROCK).
| - **Bearer token**: Set ``AWS_BEARER_TOKEN_BEDROCK`` env var (API key auth). | |
| - **IAM credentials**: Standard AWS credential chain (env vars, IAM role, etc.). | |
| - **Bearer token**: Set ``AWS_BEARER_TOKEN_BEDROCK`` to send a Bearer token in | |
| the ``Authorization`` header. | |
| - **IAM credentials**: Use the standard AWS credential chain (environment | |
| variables, shared config, IAM role, etc.). |
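Review bot: the reworded docstring (the four lines ending `IAM role, etc.).`) says a Bearer token is sent in the `Authorization` header but does not say that SigV4 signing is switched off (`UNSIGNED`) on that path, nor that the token takes precedence over IAM credentials that may also be present in the pod; the commit message states both. Suggest adding one line after the bearer-token bullet, e.g. `Takes precedence over IAM credentials; requests are sent UNSIGNED.`, so an operator reading the module knows which identity a pod will actually use when both are configured.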
d90ce36 to bc9fb45
When AWS_BEARER_TOKEN_BEDROCK env var is set, the Bedrock client now uses UNSIGNED signature with a before-sign event handler to inject the Bearer token, instead of relying on IAM credential chain.
Signed-off-by: Kexin Su <kexin.su823@gmail.com>
bc9fb45 to e0a85db
No, I might be wrong about this. It turns out I did not set the secret correctly the first time.
summary
The Go controller already injects `AWS_BEARER_TOKEN_BEDROCK` as an env var into agent pods when the secret contains that key. However, the Python Bedrock runtime (`_bedrock.py`) only used boto3's standard IAM credential chain, ignoring the bearer token entirely — causing "Invalid API Key format" errors.
The AWS docs imply that boto3 should auto-detect `AWS_BEARER_TOKEN_BEDROCK`, but in practice it doesn't. I got
"Invalid API Key format: Must start with pre-defined prefix"
That error happened because boto3 ignored the env var and tried its standard SigV4 credential chain (which failed since no IAM credentials were present).
This PR adds bearer token support to `_get_bedrock_client()`: when `AWS_BEARER_TOKEN_BEDROCK` is set, the client uses `UNSIGNED` signature and a `before-sign` event handler to inject the `Authorization: Bearer <token>` header. When the env var is not set, the existing IAM credential chain behavior is unchanged.
changes
- `_inject_bearer_token()` event handler function
- `_get_bedrock_client()` to detect bearer token and use UNSIGNED + event handler
ai model disclosure
Used Claude (via Copilot CLI) to assist with implementation and test writing. Self-reviewed the approach against boto3/botocore docs and verified end-to-end on a GKE cluster with a real Bedrock bearer token. Tests verified via:
uv run pytest packages/kagent-adk/tests/unittests/models/test_bedrock.py -v # 12 passed
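The mechanism the PR description explains (UNSIGNED signing plus a `before-sign` hook that writes the `Authorization` header), shown as an added example that is not the PR's or kagent's own code. The names `auth_mode`, `make_bearer_hook`, `make_bedrock_client`, `FakeRequest` and `demo_header_injection` are assumptions made for this illustration; the event name pattern `before-sign.<service-id>.<operation>` and the keyword arguments botocore passes to the handler are botocore's documented behaviour, and the `before-sign` event still fires when the client is configured with `UNSIGNED`, which is what makes the technique work. The hook is kept separate from the boto3 client factory so the header-injection logic can be exercised offline against a constructed request double, with no credentials or network. Whitespace-only token values are treated as unset so a mis-rendered secret falls back to the IAM chain rather than sending `Bearer ` with an empty token.

```python
"""Bearer-token vs IAM selection for a boto3 bedrock-runtime client.

Added example, not kagent's code. auth_mode, make_bearer_hook,
make_bedrock_client, FakeRequest and demo_header_injection are names
assumed for this illustration.
"""
import os
from typing import Callable, Mapping

BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK"


def auth_mode(env: Mapping[str, str] = os.environ) -> str:
    """Return "bearer" when a non-empty token is present, otherwise "iam".

    Whitespace-only values count as unset, so a badly rendered secret falls
    back to the IAM credential chain instead of sending an empty Bearer.
    """
    return "bearer" if env.get(BEARER_ENV, "").strip() else "iam"


def make_bearer_hook(token: str) -> Callable[..., None]:
    """Build a botocore ``before-sign`` handler that sets the Bearer header.

    botocore invokes the handler as handler(request=..., signing_name=...,
    region_name=..., signature_version=..., request_signer=...,
    operation_name=...). Only ``request`` (an AWSRequest whose ``.headers``
    is dict-like) is used. The token lives only in this closure; it is never
    logged or stored on the client object.
    """
    def inject_bearer_token(request, **kwargs) -> None:
        request.headers["Authorization"] = f"Bearer {token}"
    return inject_bearer_token


def make_bedrock_client(region_name: str, env: Mapping[str, str] = os.environ):
    """Create a bedrock-runtime client; a set bearer token wins over IAM.

    Bearer path: SigV4 is disabled with UNSIGNED, so no IAM credentials are
    looked up and the hook writes Authorization on every request.
    IAM path: the standard credential chain, unchanged.
    """
    import boto3                      # imported here so the pure logic above
    from botocore import UNSIGNED     # is testable without boto3 installed
    from botocore.config import Config

    if auth_mode(env) == "iam":
        return boto3.client("bedrock-runtime", region_name=region_name)

    client = boto3.client(
        "bedrock-runtime",
        region_name=region_name,
        config=Config(signature_version=UNSIGNED),
    )
    # "before-sign.<service-id>.<operation>"; "*" covers InvokeModel,
    # Converse, ConverseStream, ... and registers on this client only.
    client.meta.events.register(
        "before-sign.bedrock-runtime.*",
        make_bearer_hook(env[BEARER_ENV].strip()),
    )
    return client


class FakeRequest:
    """Constructed stand-in for botocore's AWSRequest (test double only)."""

    def __init__(self) -> None:
        self.headers: dict[str, str] = {}


def demo_header_injection(token: str = "example-token") -> dict[str, str]:
    """Run the hook against the constructed request and return its headers."""
    req = FakeRequest()
    make_bearer_hook(token)(
        request=req, signing_name="bedrock", region_name="us-east-1",
        operation_name="Converse",
    )
    return req.headers


if __name__ == "__main__":
    print(auth_mode({}), auth_mode({BEARER_ENV: "abc"}))  # iam bearer
    print(demo_header_injection("abc"))  # {'Authorization': 'Bearer abc'}
```

Under SigV4 the signer writes its own `Authorization` header after `before-sign`, so a Bearer header injected there would be silently overwritten; that is why the bearer path must pair the hook with `UNSIGNED`, and why the factory never registers the hook on the IAM client.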