The AWS Bedrock Token Generator for Python is a lightweight utility library that generates short-term bearer tokens for AWS Bedrock API authentication. This library simplifies the process of creating secure, time-limited tokens that can be used to authenticate with AWS Bedrock services without exposing long-term credentials.
pip install aws-bedrock-token-generatorgit clone https://github.com/aws/aws-bedrock-token-generator-python.git
cd aws-bedrock-token-generator-python
pip install -e .from aws_bedrock_token_generator import provide_token
token = provide_token() # uses AWS_REGION env var and default credential chain
print(f"Token: {token}")from aws_bedrock_token_generator import provide_token
from botocore.credentials import EnvProvider
token = provide_token(region="us-east-1", aws_credentials_provider=EnvProvider())
print(f"Token: {token}")from aws_bedrock_token_generator import provide_token
from botocore.credentials import AssumeRoleProvider, CanonicalNameCredentialSourcer, EnvProvider
from botocore.session import Session
from datetime import timedelta
session = Session()
assume_role_provider = AssumeRoleProvider(
profile_name="bearertoken",
load_config=lambda: session.full_config,
client_creator=session.create_client,
credential_sourcer=CanonicalNameCredentialSourcer([EnvProvider()]),
cache={}
)
bearer_token = provide_token(
region="us-east-1",
aws_credentials_provider=assume_role_provider,
expiry=timedelta(seconds=900)
)
print(f"Bearer Token: {bearer_token}")The generated tokens follow this format:
bedrock-api-key-<base64-encoded-presigned-url>&Version=1
- Prefix:
bedrock-api-key-identifies the token type - Payload: Base64-encoded presigned URL with embedded credentials
- Version:
&Version=1for future compatibility - Expiration: The token has a default expiration of 12 hours. If the expires parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time
- Token Expiration: The token has a default expiration of 12 hours. If the expiry parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time. The token must be generated again once it expires, as it cannot be refreshed or extended
- Secure Storage: Store tokens securely and avoid logging them
- Credential Management: Use IAM roles and temporary credentials when possible
- Network Security: Always use HTTPS when transmitting tokens
- Principle of Least Privilege: Ensure underlying credentials have minimal required permissions
- Python: 3.7 or later
- boto3: 1.26.0 or later
- botocore: 1.29.0 or later
# Clone the repository
git clone https://github.com/aws/aws-bedrock-token-generator-python.git
cd aws-bedrock-token-generator-python
# Install in development mode with dev dependencies
pip install -e .[dev]# Run all tests
pytest
# Run tests with coverage
pytest --cov=aws_bedrock_token_generator
# Run tests with verbose output
pytest -v# Format code with black
black aws_bedrock_token_generator tests
# Check code style with flake8
flake8 aws_bedrock_token_generator tests
# Type checking with mypy
mypy aws_bedrock_token_generator# Build wheel and source distribution
python -m build
# Install from local build
pip install dist/aws_bedrock_token_generator-*.whlWe welcome contributions! Please see CONTRIBUTING.md for details on how to contribute to this project.
- Fork the repository
- Create a feature branch:
git checkout -b feature-name - Make changes and add tests
- Run tests:
pytest - Format code:
black . - Submit a pull request
- Documentation: AWS Bedrock Documentation
- Issues: GitHub Issues
- AWS Support: AWS Support Center
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
See CHANGELOG.md for a list of changes and version history.