feat(bedrock): support Bearer token auth for Converse API #3125
Merged
badlogic merged 1 commit intoApr 16, 2026
Adds bearer token authentication for the Bedrock Converse API, enabling users to authenticate with an API key instead of SigV4/IAM credentials.

When a bearer token is available (via `options.bearerToken` or the `AWS_BEARER_TOKEN_BEDROCK` env var), the provider:

1. Sets dummy credentials to prevent SDK credential resolution errors
2. Injects middleware after SigV4 signing that replaces the Authorization header with `Bearer <token>` and removes SigV4-specific headers

This uses the official `bedrock:CallWithBearerToken` IAM action, which is a documented AWS feature for API key auth on Bedrock endpoints.

Use case: users who receive a Bedrock API key (bearer token) from the AWS console or their admin, without having IAM access keys or instance roles. Similar to how ANTHROPIC_API_KEY works for direct Anthropic API.

Required IAM permission on the token's identity: bedrock:CallWithBearerToken

Tested: Bearer token successfully authenticates against Bedrock Converse API (returns correct 403 for missing IAM permission, not auth format error). SigV4 path is unchanged when no bearer token is set.
Hi @wirjo, thanks for your interest in contributing! We ask new contributors to open an issue first before submitting a PR. This helps us discuss the approach and avoid wasted effort. Next steps:
This PR will be closed automatically. See https://github.com/badlogic/pi-mono/blob/main/CONTRIBUTING.md for more details.
Created issue #3127 for this. Thanks for the pointer!
durdn pushed a commit to durdn/pi-mono that referenced this pull request Apr 21, 2026
byte-rose pushed a commit to byte-rose/pi-mono that referenced this pull request Apr 28, 2026
larsboes pushed a commit to larsboes/pi-mono that referenced this pull request Apr 30, 2026
PSU3D0 added a commit to PSU3D0/pi-mono that referenced this pull request May 13, 2026
Consolidates 62 upstream commits (v0.67.4 -> v0.67.68) into the fork. Preserves all fork-local work (OAuth cloak, antigravity pool, context tiers, OSC 8 file hyperlinks, gemini3 sig skip, codex_cli_rs headers, compaction context hooks, gpt-5.4 models).

Conflict resolutions (4 files):
- packages/ai/src/providers/google-gemini-cli.ts: layered upstream's onResponse hook call into our pool-aware retry loop; kept our finally-block pool.saveNow() path.
- packages/tui/src/utils.ts: adopted upstream's AnsiCodeTracker OSC 8 impl wholesale. It's cleaner than our f16dfd5 version (preserves hyperlink across SGR reset via separate clear(), emits ST-terminated sequences). Dropped our 7d75fee SEGMENT_RESET fix since upstream's design never introduced the bug.
- packages/tui/src/components/markdown.ts: kept our resolveHref hook and wrapHyperlink helper but gated OSC 8 emission on getCapabilities().hyperlinks; switched to upstream's hyperlink() helper for consistency. Merges file path linking (ours) with terminal capability detection (upstream earendil-works#3248, #30a8a41f).
- packages/tui/test/{markdown,wrap-ansi}.test.ts: updated our OSC 8 assertions to ST-terminated sequences (\x1b\\) to match new emitter; added setCapabilities({hyperlinks:true}) gating where needed; afterEach resetCapabilitiesCache to isolate test state.

Dependency upgrades from upstream:
- @anthropic-ai/sdk 0.73.0 -> 0.90.0
- @aws-sdk/client-bedrock-runtime 3.983.0 -> 3.1030.0
- @mistralai/mistralai 1.14.1 -> 2.2.0

Upstream features folded in:
- fix(ai): Opus 4.7 adaptive thinking + xhigh effort (earendil-works#3286)
- feat(ai): thinkingDisplay option (summarized/omitted/raw)
- feat(coding-agent): after_provider_response hook (earendil-works#3128)
- fix(ai): trust requested Codex service tier (earendil-works#3307)
- feat(bedrock): Bearer token auth for Converse API (earendil-works#3125)
- feat(agent,coding-agent): per-tool executionMode override (earendil-works#3345)
- feat(tui): OSC 8 hyperlinks with terminal capability detection (earendil-works#3248, #30a8a41f)
- feat(coding-agent,tui): argument-hint frontmatter in prompts (earendil-works#2780)
- Plus ~40 smaller fixes across ai/coding-agent/tui/agent.

Verification:
- packages/tui: 559/559 tests pass
- packages/ai: 144/144 OAuth cloak tests pass; all fork-local suites pass (antigravity-pool, context-tiers, gemini3-unsigned-tool-call, codex-stream, supports-xhigh, etc.). Remaining test failures (13) are pre-existing live-API E2E tests (no credentials in this env).
- packages/agent: 39/39 tests pass.
- packages/coding-agent: 1020/1021 tests pass; 1 flaky bash timeout test (passes in isolation), unrelated to merge.
- All four packages build cleanly.
This was referenced May 28, 2026
This was referenced Jun 10, 2026
Summary
Adds Bearer token authentication for the Bedrock Converse API, so users can authenticate with a Bedrock API key instead of IAM credentials (SigV4).
Use case
Users who have a Bedrock API key (bearer token) from the AWS console but do not have IAM access keys or instance roles. Same experience as setting `ANTHROPIC_API_KEY` for direct Anthropic API — just paste a token and go.
How it works
When `options.bearerToken` or `AWS_BEARER_TOKEN_BEDROCK` env var is set:
`Authorization` with `Bearer <token>` and removes SigV4 headers
This uses the official `bedrock:CallWithBearerToken` IAM action — a documented AWS feature.
Changes
Single file: `packages/ai/src/providers/amazon-bedrock.ts` (+34 lines)
`bearerToken?: string` to `BedrockOptions`
`awsAuthMiddleware` to replace Authorization header
Testing
Verified that:
`bedrock:CallWithBearerToken` permission — not an auth format error)
`AWS_BEDROCK_SKIP_AUTH=1` takes precedence (no double-patching)
Required IAM permission
Users need this in their IAM policy:
```json
{ "Effect": "Allow", "Action": "bedrock:CallWithBearerToken", "Resource": "*" }
```
Context
This addresses a gap where Bedrock Mantle (OpenAI-compatible) supports Bearer auth but only for third-party models (DeepSeek, Mistral, etc.) — not Claude. This PR enables Bearer auth on the native Converse API, covering all Bedrock models including Claude.
Related OpenClaw issue: openclaw/openclaw#30215
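
The header swap and precedence rules described in this PR, written out as an added example that is not the PR's own code. The function names, the option-before-environment ordering, and the list of SigV4 headers are assumptions; the sample headers are constructed.

```typescript
// Added example, not the PR's code. Function names and the header list are assumptions.
type HeaderMap = Record<string, string>;
type Env = Record<string, string | undefined>;
type AuthMode = { mode: "skip" | "sigv4" | "bearer"; token?: string };

// Headers written by SigV4 signing (assumed set; the PR does not enumerate them).
const SIGV4_HEADERS = ["authorization", "x-amz-date", "x-amz-security-token", "x-amz-content-sha256"];

// AWS_BEDROCK_SKIP_AUTH=1 wins, then options.bearerToken, then the env var.
// With no token the request keeps its SigV4 signature untouched.
function resolveAuthMode(options: { bearerToken?: string }, env: Env): AuthMode {
  if (env.AWS_BEDROCK_SKIP_AUTH === "1") return { mode: "skip" };
  const token = (options.bearerToken || env.AWS_BEARER_TOKEN_BEDROCK || "").trim();
  return token === "" ? { mode: "sigv4" } : { mode: "bearer", token };
}

// Returns a copy of the signed headers with SigV4 material removed and the
// bearer token installed. Header names are compared case-insensitively.
function applyBearerAuth(signed: HeaderMap, token: string): HeaderMap {
  // Printable ASCII without spaces only: CR/LF in a token could split the header.
  if (!/^[\x21-\x7e]+$/.test(token)) throw new Error("invalid bearer token");
  const out: HeaderMap = {};
  for (const name of Object.keys(signed)) {
    if (SIGV4_HEADERS.indexOf(name.toLowerCase()) === -1) out[name] = signed[name];
  }
  out["authorization"] = "Bearer " + token;
  return out;
}

// Copy of the headers that is safe to log: only the auth scheme survives.
function redactForLog(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) {
    const v = headers[name];
    const sp = v.indexOf(" ");
    const masked = sp > 0 ? v.slice(0, sp) + " [REDACTED]" : "[REDACTED]";
    out[name] = name.toLowerCase() === "authorization" ? masked : v;
  }
  return out;
}

// Constructed sample of a signed request's headers (all values are placeholders).
const SAMPLE_SIGNED: HeaderMap = {
  "Content-Type": "application/json",
  "Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLE/20260101/us-east-1/bedrock/aws4_request, Signature=0000",
  "X-Amz-Date": "20260101T000000Z",
  "X-Amz-Content-Sha256": "0000",
};
```

In a real client these functions would be called from a middleware step that runs after signing; any request logging should go through `redactForLog` so the token never reaches log storage.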