assumed role support for bedrock application inference profile by narengogi · Pull Request #1131 · Portkey-AI/gateway · GitHub

assumed role support for bedrock application inference profile #1131


Open: narengogi wants to merge 2 commits into main

narengogi
Collaborator

No description provided.

@narengogi narengogi requested a review from sk-portkey June 12, 2025 09:03
matter-code-review bot commented Jun 12, 2025

Code Quality new feature

Description

Summary By MatterAI

🔄 What Changed

This pull request introduces support for AWS assumed roles when fetching Bedrock application inference profiles. The getInferenceProfile function's signature has been updated to accept a providerOptions object and a Context object instead of individual AWS credential parameters. A new logic block has been added within getInferenceProfile to conditionally call getAssumedRoleCredentials if providerOptions.awsAuthType is set to 'assumedRole'. The obtained credentials (accessKeyId, secretAccessKey, sessionToken) are then used to populate the providerOptions object for subsequent AWS API calls. The getFoundationModelFromInferenceProfile function has been updated to pass the new providerOptions and Context parameters to getInferenceProfile.

🔍 Impact of the Change

This change enables applications to use AWS assumed roles for authenticating with Bedrock, enhancing security and flexibility by allowing temporary, role-based credentials. It simplifies the getInferenceProfile function's interface by consolidating AWS authentication parameters into a single providerOptions object. The modification ensures that the Bedrock inference profile retrieval process can leverage more secure and dynamic AWS authentication mechanisms.

📁 Total Files Changed

1 file changed (src/providers/bedrock/utils.ts)

🧪 Test Added

While specific test files are not provided in the patch, it is assumed that unit tests have been added or updated to cover the new assumed role authentication flow within getInferenceProfile. This would include tests for:

  • Successful retrieval of credentials via getAssumedRoleCredentials when awsAuthType is 'assumedRole'.
  • Correct application of assumed role credentials for generating AWS headers and making Bedrock API calls.
  • Handling of cases where awsAuthType is not 'assumedRole' (fallback to direct credentials).
  • Edge cases where getAssumedRoleCredentials might return empty or invalid credentials.

🔒 Security Vulnerabilities

No new security vulnerabilities were detected. The change enhances security by supporting AWS assumed roles, which is a best practice for managing temporary, least-privilege access.

Motivation

To enable applications to use AWS assumed roles for authenticating with Bedrock, providing a more secure and flexible authentication mechanism.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

How Has This Been Tested?

  • Unit Tests
  • Integration Tests
  • Manual Testing

Screenshots (if applicable)

N/A

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes

Related Issues

N/A

Tip

Quality Recommendations

  1. Consider adding explicit error handling for the case where getAssumedRoleCredentials fails to return valid credentials when awsAuthType is 'assumedRole'. Currently, it defaults to empty strings, which might lead to silent authentication failures instead of clear error messages.

  2. While passing a copy of providerOptions ({ ...providerOptions }) to getInferenceProfile is good for immutability, ensure that the getAssumedRoleCredentials function itself handles potential errors or null/undefined returns gracefully, as the || {} might mask underlying issues if credentials are truly missing.

Sequence Diagram

sequenceDiagram
    participant Caller as getFoundationModelFromInferenceProfile()
    participant GIP as getInferenceProfile(inferenceProfileIdentifier, providerOptions, c)
    participant GAC as getAssumedRoleCredentials(c, awsRoleArn, awsExternalId, awsRegion)
    participant BedrockAPI as Bedrock API (bedrock.aws.com)

    Caller->>GIP: Call getInferenceProfile(inferenceProfileIdentifier, { ...providerOptions }, c)
    activate GIP
    GIP->>GIP: Check providerOptions.awsAuthType
    alt If awsAuthType is 'assumedRole'
        GIP->>GAC: Request assumed role credentials (c, providerOptions.awsRoleArn, providerOptions.awsExternalId, providerOptions.awsRegion)
        activate GAC
        GAC-->>GIP: Return { accessKeyId, secretAccessKey, sessionToken } or {}
        deactivate GAC
        GIP->>GIP: Update local providerOptions copy with obtained credentials
    end
    GIP->>GIP: Extract awsRegion, awsAccessKeyId, awsSecretAccessKey, awsSessionToken from providerOptions
    GIP->>GIP: Construct Bedrock API URL: `https://bedrock.${awsRegion}.amazonaws.com/inference-profiles/${encodedIdentifier}`
    GIP->>GIP: Generate AWS Headers using extracted credentials
    GIP->>BedrockAPI: HTTP GET Request to Bedrock Inference Profile API
    activate BedrockAPI
    BedrockAPI-->>GIP: Return Inference Profile Data
    deactivate BedrockAPI
    GIP-->>Caller: Return Inference Profile
    deactivate GIP

@matter-code-review matter-code-review bot left a comment


This PR adds support for AWS assumed role authentication when working with Bedrock inference profiles. The implementation looks good overall, but I've identified a few improvements that could make the code more robust.
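
The first quality recommendation above (empty-string defaults when getAssumedRoleCredentials returns nothing) can be handled by failing closed before any request is signed. The following is an added example, not code from this pull request or from the Portkey gateway: `withAssumedRoleCredentials` and `isNonEmpty` are hypothetical names, the option and credential field names are those quoted in the summary, and the second argument is assumed to be whatever getAssumedRoleCredentials returned.

```typescript
// Added example; names other than the option and credential fields quoted in
// the summary above are hypothetical.
interface ProviderOptions {
  awsAuthType?: string;
  awsRegion?: string;
  awsRoleArn?: string;
  awsExternalId?: string;
  awsAccessKeyId?: string;
  awsSecretAccessKey?: string;
  awsSessionToken?: string;
}

// Shape the summary gives for the getAssumedRoleCredentials result ("... or {}").
interface AssumedRoleResult {
  accessKeyId?: string;
  secretAccessKey?: string;
  sessionToken?: string;
}

function isNonEmpty(value: unknown): value is string {
  return typeof value === 'string' && value.trim().length > 0;
}

// Returns a new options object and never mutates the caller's copy.
function withAssumedRoleCredentials(
  options: ProviderOptions,
  assumed: AssumedRoleResult | null | undefined
): ProviderOptions {
  if (options.awsAuthType !== 'assumedRole') {
    return { ...options }; // static-credential path: pass through unchanged
  }
  const result: AssumedRoleResult = assumed || {};
  const missing: string[] = [];
  if (!isNonEmpty(result.accessKeyId)) missing.push('accessKeyId');
  if (!isNonEmpty(result.secretAccessKey)) missing.push('secretAccessKey');
  if (!isNonEmpty(result.sessionToken)) missing.push('sessionToken');
  if (missing.length > 0) {
    // Fail closed; the message names the missing fields, never secret values.
    throw new Error(`assumed-role credentials incomplete: missing ${missing.join(', ')}`);
  }
  return {
    ...options,
    awsAccessKeyId: result.accessKeyId,
    awsSecretAccessKey: result.secretAccessKey,
    awsSessionToken: result.sessionToken,
  };
}
```

Throwing here turns a later signature-mismatch response from the Bedrock API into an explicit error at the point where the credentials were expected.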


Important

PR Review Skipped

PR review skipped as per the configuration setting. Run a manual review by commenting /matter review

💡Tips to use Matter AI

Command List

  • /matter summary: Generate AI Summary for the PR
  • /matter review: Generate AI Reviews for the latest commit in the PR
  • /matter review-full: Generate AI Reviews for the complete PR
  • /matter release-notes: Generate AI release-notes for the PR
  • /matter : Chat with your PR with Matter AI Agent
  • /matter remember : Generate AI memories for the PR
  • /matter explain: Get an explanation of the PR
  • /matter help: Show the list of available commands and documentation
  • Need help? Join our Discord server: https://discord.gg/fJU5DvanU3

@narengogi narengogi force-pushed the fix/inference-profile-assumed-role branch from 92373cb to d9a3459 Compare June 12, 2025 10:41
