withAWSBedrockOptions returns request options for authenticating with AWS Bedrock. When both AccessKey and AccessKeySecret are set in the aibridge config, they are used directly as static credentials. Otherwise, the AWS SDK default credential chain resolves credentials (environment variables, share
(ctx context.Context, cfg *aibconfig.AWSBedrock)
| 281 | // resolves credentials (environment variables, shared config/credentials files, IAM |
| 282 | // roles, IRSA, SSO, IMDS, etc.). |
| 283 | func (*interceptionBase) withAWSBedrockOptions(ctx context.Context, cfg *aibconfig.AWSBedrock) ([]option.RequestOption, error) { |
| 284 | if cfg == nil { |
| 285 | return nil, xerrors.New("nil config given") |
| 286 | } |
| 287 | if cfg.Region == "" && cfg.BaseURL == "" { |
| 288 | return nil, xerrors.New("region or base url required") |
| 289 | } |
| 290 | if cfg.Model == "" { |
| 291 | return nil, xerrors.New("model required") |
| 292 | } |
| 293 | if cfg.SmallFastModel == "" { |
| 294 | return nil, xerrors.New("small fast model required") |
| 295 | } |
| 296 | |
| 297 | loadOpts := []func(*config.LoadOptions) error{ |
| 298 | config.WithRegion(cfg.Region), |
| 299 | } |
| 300 | |
| 301 | // Use static credentials when explicitly provided, otherwise fall back to the SDK default credential chain. |
| 302 | switch { |
| 303 | // Both set: use static credentials directly. |
| 304 | case cfg.AccessKey != "" && cfg.AccessKeySecret != "": |
| 305 | loadOpts = append(loadOpts, config.WithCredentialsProvider( |
| 306 | credentials.NewStaticCredentialsProvider( |
| 307 | cfg.AccessKey, |
| 308 | cfg.AccessKeySecret, |
| 309 | "", |
| 310 | ), |
| 311 | )) |
| 312 | // Only one set: misconfiguration. |
| 313 | case cfg.AccessKey != "" || cfg.AccessKeySecret != "": |
| 314 | return nil, xerrors.New("both access key and access key secret must be provided together") |
| 315 | // Neither set: SDK default credential chain resolves credentials. |
| 316 | default: |
| 317 | } |
| 318 | |
| 319 | awsCfg, err := config.LoadDefaultConfig(ctx, loadOpts...) |
| 320 | if err != nil { |
| 321 | return nil, xerrors.Errorf("failed to load AWS Bedrock config: %w", err) |
| 322 | } |
| 323 | |
| 324 | // Fail fast: ensure credentials can be resolved before making any requests. |
| 325 | // awsCfg already carries the credentials provider, and the Bedrock middleware |
| 326 | // will call Retrieve on it when signing each request. |
| 327 | if _, err := awsCfg.Credentials.Retrieve(ctx); err != nil { |
| 328 | return nil, xerrors.Errorf("no AWS credentials found: %w", err) |
| 329 | } |
| 330 | |
| 331 | var out []option.RequestOption |
| 332 | out = append(out, option.WithMiddleware(func(req *http.Request, next option.MiddlewareNext) (*http.Response, error) { |
| 333 | if ua := req.Header.Get("User-Agent"); ua != "" { |
| 334 | req.Header.Set("User-Agent", ua+" sdk-ua-app-id/APN_1.1%2Fpc_cdfmjwn8i6u8l9fwz8h82e4w3%24") |
| 335 | } |
| 336 | return next(req) |
| 337 | })) |
| 338 | out = append(out, bedrock.WithConfig(awsCfg)) |
| 339 | |
| 340 | // If a custom base URL is set, override the default endpoint constructed by the bedrock middleware. |