Support bearer tokens through environment for Bedrock (#3266)

Author: mullermp

build_tools/services.rb

@@ -9,10 +9,10 @@ class ServiceEnumerator
     MANIFEST_PATH = File.expand_path('../../services.json', __FILE__)
 
     # Minimum `aws-sdk-core` version for new gem builds
-    MINIMUM_CORE_VERSION = "3.225.0"
+    MINIMUM_CORE_VERSION = "3.227.0"
 
     # Minimum `aws-sdk-core` version for new S3 gem builds
-    MINIMUM_CORE_VERSION_S3 = "3.225.0"
+    MINIMUM_CORE_VERSION_S3 = "3.227.0"
 
     EVENTSTREAM_PLUGIN = "Aws::Plugins::EventStreamConfiguration"
 

gems/aws-sdk-bedrock/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Support `ENV['AWS_BEARER_TOKEN_BEDROCK']` for authentication with Amazon Bedrock APIs.
+
 1.54.0 (2025-07-16)
 ------------------
 

gems/aws-sdk-bedrock/lib/aws-sdk-bedrock/plugins/bearer_authorization.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Aws::Bedrock
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+      def after_initialize(client)
+        return unless (token = ENV['AWS_BEARER_TOKEN_BEDROCK'])
+
+        token_provider = Aws::StaticTokenProvider.new(token)
+        token_provider.metrics = ['BEARER_SERVICE_ENV_VARS']
+        client.config.token_provider ||= token_provider
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          # This also sets the preferred auth scheme even if the code token has precedence.
+          context[:auth_scheme] = { 'name' => 'bearer' } if ENV['AWS_BEARER_TOKEN_BEDROCK']
+          @handler.call(context)
+        end
+      end
+
+      # After endpoint/auth but before builders.
+      handle(Handler, priority: 60)
+    end
+  end
+end

gems/aws-sdk-bedrock/spec/client_spec.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+
+module Aws
+  module Bedrock
+    describe Client do
+      def metrics_from_user_agent_header(resp)
+        header = resp.context.http_request.headers['User-Agent']
+        header.match(%r{ m/([A-Za-z0-9+-,]+)})[1].split(',')
+      end
+
+      it 'uses a bearer token from the environment' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        expect(client.config.token_provider.token.token).to eq('bedrock-token')
+        resp = client.list_imported_models
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token')
+      end
+
+      it 'does not use a token for a different service' do
+        ENV['AWS_BEARER_TOKEN_FOO'] = 'foo-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        expect(client.config.token_provider).to be_nil
+        resp = client.list_imported_models
+        expect(resp.context.http_request.headers['Authorization']).to_not eq('Bearer foo-token')
+      end
+
+      it 'still prefers bearer token when given an auth scheme preference' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        ENV['AWS_AUTH_SCHEME_PREFERENCE'] = 'sigv4,httpBearerAuth'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        resp = client.list_imported_models
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token')
+      end
+
+      it 'uses the token value from code over the environment token' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(
+          stub_responses: true,
+          token_provider: Aws::StaticTokenProvider.new('explicit-code-token')
+        )
+        resp = client.list_imported_models
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer explicit-code-token')
+      end
+
+      it 'sets a user agent metric' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        resp = client.list_imported_models
+        metrics = metrics_from_user_agent_header(resp)
+        expect(metrics).to include('3')
+      end
+
+      it 'does not set a user agent metric when using a token from code' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(
+          stub_responses: true,
+          token_provider: Aws::StaticTokenProvider.new('explicit-code-token')
+        )
+        resp = client.list_imported_models
+        metrics = metrics_from_user_agent_header(resp)
+        expect(metrics).to_not include('3')
+      end
+    end
+  end
+end

gems/aws-sdk-bedrockruntime/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Support `ENV['AWS_BEARER_TOKEN_BEDROCK']` for authentication with Amazon Bedrock APIs.
+
 1.51.0 (2025-07-16)
 ------------------
 

gems/aws-sdk-bedrockruntime/lib/aws-sdk-bedrockruntime/plugins/bearer_authorization.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Aws::BedrockRuntime
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+      def after_initialize(client)
+        return unless (token = ENV['AWS_BEARER_TOKEN_BEDROCK'])
+
+        token_provider = Aws::StaticTokenProvider.new(token)
+        token_provider.metrics = ['BEARER_SERVICE_ENV_VARS']
+        client.config.token_provider ||= token_provider
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          # This also sets the preferred auth scheme even if the code token has precedence.
+          context[:auth_scheme] = { 'name' => 'bearer' } if ENV['AWS_BEARER_TOKEN_BEDROCK']
+          @handler.call(context)
+        end
+      end
+
+      # After endpoint/auth but before builders.
+      handle(Handler, priority: 60)
+    end
+  end
+end

gems/aws-sdk-bedrockruntime/spec/client_spec.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+require_relative 'spec_helper'
+
+module Aws
+  module BedrockRuntime
+    describe Client do
+      def metrics_from_user_agent_header(resp)
+        header = resp.context.http_request.headers['User-Agent']
+        header.match(%r{ m/([A-Za-z0-9+-,]+)})[1].split(',')
+      end
+
+      def invoke_model(client)
+        stub = client.stub_data(:invoke_model, body: 'test')
+        client.stub_responses(:invoke_model, stub)
+        client.invoke_model(model_id: 'test')
+      end
+
+      it 'uses a bearer token from the environment' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        expect(client.config.token_provider.token.token).to eq('bedrock-token')
+        resp = invoke_model(client)
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token')
+      end
+
+      it 'does not use a token for a different service' do
+        ENV['AWS_BEARER_TOKEN_FOO'] = 'foo-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        expect(client.config.token_provider).to be_nil
+        resp = invoke_model(client)
+        expect(resp.context.http_request.headers['Authorization']).to_not eq('Bearer foo-token')
+      end
+
+      it 'still prefers bearer token when given an auth scheme preference' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        ENV['AWS_AUTH_SCHEME_PREFERENCE'] = 'sigv4,httpBearerAuth'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        resp = invoke_model(client)
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer bedrock-token')
+      end
+
+      it 'uses explicit config over the environment token' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(
+          stub_responses: true,
+          token_provider: Aws::StaticTokenProvider.new('explicit-code-token')
+        )
+        resp = invoke_model(client)
+        expect(resp.context.http_request.headers['Authorization']).to eq('Bearer explicit-code-token')
+      end
+
+      it 'sets a user agent metric' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(stub_responses: true, token_provider: nil)
+        resp = invoke_model(client)
+        metrics = metrics_from_user_agent_header(resp)
+        expect(metrics).to include('3')
+      end
+
+      it 'does not set a user agent metric when using a token from code' do
+        ENV['AWS_BEARER_TOKEN_BEDROCK'] = 'bedrock-token'
+        client = Client.new(
+          stub_responses: true,
+          token_provider: Aws::StaticTokenProvider.new('explicit-code-token')
+        )
+        resp = invoke_model(client)
+        metrics = metrics_from_user_agent_header(resp)
+        expect(metrics).to_not include('3')
+      end
+    end
+  end
+end

gems/aws-sdk-core/CHANGELOG.md

@@ -1,6 +1,8 @@
 Unreleased Changes
 ------------------
 
+* Feature - Support metric tracking for Bedrock Bearer tokens.
+
 3.226.3 (2025-07-17)
 ------------------
 

gems/aws-sdk-core/lib/aws-sdk-core/plugins/credentials_configuration.rb

@@ -99,13 +99,8 @@ class CredentialsConfiguration < Seahorse::Client::Plugin
 will be used to search for tokens configured for your profile in shared configuration files.
       DOCS
       ) do |config|
-        if config.stub_responses
-          StaticTokenProvider.new('token')
-        else
-          TokenProviderChain.new(config).resolve
-        end
+        TokenProviderChain.new(config).resolve
       end
-
     end
   end
 end

gems/aws-sdk-core/lib/aws-sdk-core/plugins/sign.rb

@@ -13,8 +13,7 @@ class Sign < Seahorse::Client::Plugin
       option(:sigv4_region)
       option(:unsigned_operations, default: [])
 
-      supported_auth_types = %w[sigv4 bearer sigv4-s3express sigv4a none]
-      SUPPORTED_AUTH_TYPES = supported_auth_types.freeze
+      SUPPORTED_AUTH_TYPES = %w[sigv4 bearer sigv4-s3express sigv4a none].freeze
 
       def add_handlers(handlers, cfg)
         operations = cfg.api.operation_names - cfg.unsigned_operations
@@ -32,7 +31,7 @@ def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_cred
           }
           SignatureV4.new(auth_scheme, config, sigv4_overrides)
         when 'bearer'
-          Bearer.new
+          Bearer.new(config)
         else
           NullSigner.new
         end
@@ -41,26 +40,29 @@ def self.signer_for(auth_scheme, config, sigv4_region_override = nil, sigv4_cred
       class Handler < Seahorse::Client::Handler
         def call(context)
           # Skip signing if using sigv2 signing from s3_signer in S3
-          credentials = nil
           unless v2_signing?(context.config)
             signer = Sign.signer_for(
               context[:auth_scheme],
               context.config,
               context[:sigv4_region],
               context[:sigv4_credentials]
             )
-            credentials = signer.credentials if signer.is_a?(SignatureV4)
             signer.sign(context)
           end
-          with_metrics(credentials) { @handler.call(context) }
+          with_metrics(signer) { @handler.call(context) }
         end
 
         private
 
-        def with_metrics(credentials, &block)
-          return block.call unless credentials&.respond_to?(:metrics)
-
-          Aws::Plugins::UserAgent.metric(*credentials.metrics, &block)
+        def with_metrics(signer, &block)
+          case signer
+          when SignatureV4
+            Aws::Plugins::UserAgent.metric(*signer.credentials.metrics, &block)
+          when Bearer
+            Aws::Plugins::UserAgent.metric(*signer.token_provider.metrics, &block)
+          else
+            block.call
+          end
         end
 
         def v2_signing?(config)
@@ -72,21 +74,19 @@ def v2_signing?(config)
 
       # @api private
       class Bearer
-        def initialize
+        def initialize(config)
+          @token_provider = config.token_provider
         end
 
+        attr_reader :token_provider
+
         def sign(context)
           if context.http_request.endpoint.scheme != 'https'
-            raise ArgumentError,
-                  'Unable to use bearer authorization on non https endpoint.'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
           end
+          raise Errors::MissingBearerTokenError unless @token_provider && @token_provider.set?
 
-          token_provider = context.config.token_provider
-
-          raise Errors::MissingBearerTokenError unless token_provider&.set?
-
-          context.http_request.headers['Authorization'] =
-            "Bearer #{token_provider.token.token}"
+          context.http_request.headers['Authorization'] = "Bearer #{@token_provider.token.token}"
         end
 
         def presign_url(*args)
@@ -100,16 +100,11 @@ def sign_event(*args)
 
       # @api private
       class SignatureV4
-        attr_reader :signer
-
         def initialize(auth_scheme, config, sigv4_overrides = {})
           scheme_name = auth_scheme['name']
-
           unless %w[sigv4 sigv4a sigv4-s3express].include?(scheme_name)
-            raise ArgumentError,
-                  "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
+            raise ArgumentError, "Expected sigv4, sigv4a, or sigv4-s3express auth scheme, got #{scheme_name}"
           end
-
           region = if scheme_name == 'sigv4a'
                      auth_scheme['signingRegionSet'].join(',')
                    else
@@ -121,15 +116,17 @@ def initialize(auth_scheme, config, sigv4_overrides = {})
               region: sigv4_overrides[:region] || config.sigv4_region || region,
               credentials_provider: sigv4_overrides[:credentials] || config.credentials,
               signing_algorithm: scheme_name.to_sym,
-              uri_escape_path: !!!auth_scheme['disableDoubleEncoding'],
-              normalize_path: !!!auth_scheme['disableNormalizePath'],
+              uri_escape_path: !auth_scheme['disableDoubleEncoding'],
+              normalize_path: !auth_scheme['disableNormalizePath'],
               unsigned_headers: %w[content-length user-agent x-amzn-trace-id expect transfer-encoding connection]
             )
           rescue Aws::Sigv4::Errors::MissingCredentialsError
             raise Aws::Errors::MissingCredentialsError
           end
         end
 
+        attr_reader :signer
+
         def sign(context)
           req = context.http_request