Skip to content

fix: allow Bedrock provider to use AWS SDK default credential chain#3708

Open
majiayu000 wants to merge 4 commits intosimstudioai:mainfrom
majiayu000:fix/issue-3694-bedrock-default-credential-chain
Open

fix: allow Bedrock provider to use AWS SDK default credential chain#3708
majiayu000 wants to merge 4 commits intosimstudioai:mainfrom
majiayu000:fix/issue-3694-bedrock-default-credential-chain

Conversation

@majiayu000
Copy link
Contributor

@majiayu000 majiayu000 commented Mar 22, 2026

Summary

Make Bedrock credentials optional so the provider falls back to AWS SDK's default credential chain (env vars, IAM role, ~/.aws/credentials, etc.) when explicit keys are not provided.

Fixes #3694

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation
  • Other: ___________

Testing

  • Unit tests added in apps/sim/providers/bedrock/index.test.ts covering:
    • Explicit credentials passed through correctly
    • No credentials → SDK default chain (no credentials in client config)
    • Partial credentials (key only / secret only) → throws clear error
    • Custom region forwarded correctly
  • All existing tests continue to pass

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

N/A — backend-only change, no UI impact.

@majiayu000
fix: allow Bedrock provider to use AWS SDK default credential chain
845a19a 
Remove hard requirement for explicit AWS credentials in Bedrock provider.
When access key and secret key are not provided, the AWS SDK automatically
falls back to its default credential chain (env vars, instance profile,
ECS task role, EKS IRSA, SSO).

Closes simstudioai#3694

Signed-off-by: majiayu000 <[email protected]>
@majiayu000
fix: add partial credential guard for Bedrock provider
bd1aab6 
Reject configurations where only one of bedrockAccessKeyId or
bedrockSecretKey is provided, preventing silent fallback to the
default credential chain with a potentially different identity.

Add tests covering all credential configuration scenarios.

Signed-off-by: majiayu000 <[email protected]>
@majiayu000
fix: clean up bedrock test lint and dead code
0418a45 
Remove unused config parameter and dead _lastConfig assignment
from mock factory. Break long mockReturnValue chain to satisfy
biome line-length rule.

Signed-off-by: majiayu000 <[email protected]>
@vercel
Copy link

vercel bot commented Mar 22, 2026

@majiayu000 is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.

@majiayu000 majiayu000 marked this pull request as ready for review March 22, 2026 04:18
@cursor
Copy link

cursor bot commented Mar 22, 2026
edited
Loading

PR Summary

Medium Risk
Changes how Bedrock credentials are validated and passed to the AWS SDK, which could affect authentication behavior in production if misconfigured. Scope is limited and covered by new unit tests for explicit/implicit/partial credential cases.

Overview
Allows the Bedrock provider to run without explicit access keys, relying on the AWS SDK default credential chain when bedrockAccessKeyId/bedrockSecretKey are omitted.

Updates request validation to reject partial credentials (only one of the two keys) and only includes credentials in BedrockRuntimeClient config when both are present; the Agent block UI now marks these fields as optional with updated placeholders. Adds apps/sim/providers/bedrock/index.test.ts to cover explicit credentials, default-chain usage, partial-credential errors, and custom region forwarding.

Written by Cursor Bugbot for commit e67b9df. This will update automatically on new commits. Configure here.

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Mar 22, 2026

Greptile Summary

This PR makes AWS Bedrock credentials optional in the provider, allowing the AWS SDK's default credential chain (environment variables, IAM roles, ~/.aws/credentials, etc.) to be used when explicit keys are not supplied.

Key changes:

  • providers/bedrock/index.ts: Removes the hard mandatory-credential guards and replaces them with a partial-credential XOR check — if only one of bedrockAccessKeyId / bedrockSecretKey is provided the call throws a clear error; if neither is provided, BedrockRuntimeClient is instantiated without a credentials field, which lets the SDK resolve credentials through its default chain.
  • blocks/blocks/agent.ts: Marks both AWS credential fields required: false and updates their placeholder text to communicate the optional / fallback behavior to the user.
  • providers/bedrock/index.test.ts: New test suite covering all four credential scenarios (both, neither, key-only, secret-only) and a custom region case.

Confidence Score: 5/5

  • Safe to merge — the logic is correct, the guard against partial credentials is sound, and UI fields are kept consistent with the backend change.
  • The change is small, focused, and well-tested. The XOR guard prevents silent misconfigurations (only one key supplied). Omitting credentials from the SDK client config is the standard pattern for delegating to the default credential chain. All existing tests still pass and new tests cover the four credential scenarios. The only notes are minor style suggestions (using the SDK's own config type, hardening a mock return value) that don't affect correctness.
  • No files require special attention.

Important Files Changed

Filename Overview
apps/sim/providers/bedrock/index.ts Core logic change: removes mandatory credential checks and adds conditional credential config — only passes explicit credentials to BedrockRuntimeClient when both keys are present, otherwise omits credentials so the AWS SDK default chain is used. The partial-credential XOR guard is correct and is placed before the try block (consistent with the original pattern). Minor: the inline clientConfig type could reference the SDK's own type.
apps/sim/blocks/blocks/agent.ts UI field changes: bedrockAccessKeyId and bedrockSecretKey are now required: false with updated placeholder text, consistent with the backend change making credentials optional.
apps/sim/providers/bedrock/index.test.ts New test file covering credential handling: explicit creds, no creds, partial creds (both XOR cases), and custom region. The prepareToolsWithUsageControl mock returns undefined by default which would cause a TypeError if any future test exercises the tools path — minor gap but doesn't affect the current test suite.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[executeRequest called] --> B{bedrockAccessKeyId\nprovided?}
    B -- Yes --> C{bedrockSecretKey\nprovided?}
    B -- No --> D{bedrockSecretKey\nprovided?}
    C -- Yes --> E[Build clientConfig\nwith explicit credentials]
    C -- No --> F[Throw Error:\nboth keys must be\nprovided together]
    D -- Yes --> F
    D -- No --> G[Build clientConfig\nwithout credentials]
    E --> H[new BedrockRuntimeClient\nwith credentials]
    G --> I[new BedrockRuntimeClient\nno credentials → AWS SDK\ndefault credential chain]
    H --> J[Send request to Bedrock]
    I --> J
Loading

Last reviewed commit: "fix: clean up bedroc..."

greptile-apps[bot]
greptile-apps bot reviewed Mar 22, 2026
View reviewed changes
@majiayu000
fix: address greptile review feedback on PR simstudioai#3708
e67b9df 
Use BedrockRuntimeClientConfig from SDK instead of inline type.
Add default return value for prepareToolsWithUsageControl mock.

Signed-off-by: majiayu000 <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG] AWS Bedrock provider requires explicit access key/secret and does not support AWS SDK default credential chain

1 participant

@majiayu000