Skip to content

bedrock: Add Bedrock API key authentication support #41393

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

bedrock: Add Bedrock API key authentication support #41393

wants to merge 6 commits into from
+141 −35

Conversation

@5herlocked
Copy link
Contributor

@5herlocked 5herlocked commented Oct 28, 2025
edited
Loading

Closes #41312

Release Notes:

  • Added support for Bedrock API Keys

Also includes fix for duplicate Region field (#41341).

References:

@cla-bot cla-bot bot added the cla-signed The user has signed the Contributor License Agreement label Oct 28, 2025
@5herlocked 5herlocked changed the title Add Bedrock API key authentication support bedrock: Add Bedrock API key authentication support Oct 28, 2025
@5herlocked 5herlocked marked this pull request as draft October 28, 2025 18:00
@SomeoneToIgnore SomeoneToIgnore added the ai Improvement related to Agent Panel, Edit Prediction, Copilot, or other AI features label Oct 28, 2025
@5herlocked @ona-agent
Add AWS Bedrock API key (bearer token) authentication support
c715051 
Fixes zed-industries#41312

This adds support for AWS Bedrock API keys (bearer tokens) as an
authentication method. Users can now authenticate using:

- Traditional access keys (existing)
- Bearer tokens via ZED_AWS_BEARER_TOKEN_BEDROCK environment variable (new)
- Bearer tokens via UI input field (new)

Changes:
- Added bearer_token field to BedrockCredentials struct
- Added ZED_AWS_BEARER_TOKEN_BEDROCK environment variable constant
- Updated authentication logic to check for bearer tokens (read-only from ENV)
- Implemented BearerTokenProvider using AWS SDK's ResolveIdentity trait
- Modified client initialization to use token_provider when bearer token is present
- Enhanced UI with bearer token input field and updated instructions
- Updated all help text and tooltips to mention bearer token option

Bearer tokens are:
- Read from environment variables (never written)
- Stored in Zed's credential store when provided via UI
- Passed to AWS SDK using the proper token_provider configuration

Also includes fix for duplicate Region field (issue zed-industries#41313).

References:
- AWS Bedrock API Key Documentation: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html

Co-authored-by: Ona <[email protected]>
@5herlocked 5herlocked force-pushed the feature/bedrock-bearer-token-auth branch from 5f4a482 to c715051 Compare October 31, 2025 16:05
5herlocked and others added 5 commits October 31, 2025 16:07
@5herlocked @ona-agent
Remove unwrap() to prevent potential panic
7edbb53 
Replace unwrap() with proper error handling using context() to
propagate errors instead of panicking when serializing credentials.

Co-authored-by: Ona <[email protected]>
@5herlocked @ona-agent
Add support for individual AWS credential environment variables
1c769da 
Support reading credentials from individual environment variables:
- ZED_ACCESS_KEY_ID (required)
- ZED_SECRET_ACCESS_KEY (required)
- ZED_SESSION_TOKEN (optional)
- ZED_AWS_REGION (defaults to us-east-1)

This provides a more intuitive way to set credentials via environment
variables, in addition to the existing ZED_AWS_CREDENTIALS JSON format
and ZED_AWS_BEARER_TOKEN_BEDROCK for bearer tokens.

Co-authored-by: Ona <[email protected]>
@5herlocked @ona-agent
Remove legacy ZED_AWS_CREDENTIALS_VAR environment variable check
119418c 
ZED_AWS_CREDENTIALS_VAR was never meant to be read from environment
variables - it was a legacy constant for the credential store key.
Credentials are now stored under AMAZON_AWS_URL in the credential store.

Environment variables are now properly limited to:
- ZED_ACCESS_KEY_ID + ZED_SECRET_ACCESS_KEY + ZED_SESSION_TOKEN (optional)
- ZED_AWS_BEARER_TOKEN_BEDROCK
- ZED_AWS_REGION

Co-authored-by: Ona <[email protected]>
@5herlocked @ona-agent
Use zed_env_vars::EnvVar for environment variable handling
b3380ac 
Improves environment variable handling to match the pattern used by
Anthropic provider:

- Use LazyLock<EnvVar> for all environment variables
- Environment variables are cached and lazy-loaded
- Cleaner code with .value and .name accessors
- More consistent with other providers in the codebase

This provides better performance (cached reads) and cleaner code
structure while maintaining the same functionality.

Co-authored-by: Ona <[email protected]>
@5herlocked @ona-agent
Use proper auth_scheme_preference for bearer token authentication
a141bbe 
Follow the AWS SDK Rust pattern for bearer token authentication as
documented in release-2025-08-05:

- Add HTTP_BEARER_AUTH_SCHEME_ID constant
- Use auth_scheme_preference([HTTP_BEARER_AUTH_SCHEME_ID]) when bearer token is present
- Create BedrockClient using from_conf() with service-specific config

This ensures the SDK properly prefers httpBearerAuth scheme when
using bearer tokens, matching the official AWS SDK pattern.

Reference: https://github.com/awslabs/aws-sdk-rust/releases/tag/release-2025-08-05

Co-authored-by: Ona <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

ai Improvement related to Agent Panel, Edit Prediction, Copilot, or other AI features cla-signed The user has signed the Contributor License Agreement community champion

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

AI: Amazon Bedrock API keys cannot be used to authenticate

2 participants

@5herlocked @SomeoneToIgnore