🪨 feat: AWS Bedrock Default Credentials Chain (#4038)

* feat: use AWS cascading default providers if credentials are omitted Environment variables exposed via process.env SSO credentials from token cache Web identity token credentials Shared credentials and config ini files The EC2/ECS Instance Metadata Service The default credential provider will invoke one provider at a time and only continue to the next if no credentials have been located. For example, if the process finds values defined via the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables, the files at ~/.aws/credentials and ~/.aws/config will not be read, nor will any messages be sent to the Instance Metadata Service. * fix: usage check in OpenAIClient * refactor: Improve usage check in OpenAIClient
2025-12-16 16:30:15 +01:00 · 2024-09-13 08:53:50 -04:00 · 2024-09-13 08:53:50 -04:00 · e293ff63f9
commit e293ff63f9
parent 45b42830a5
3 changed files with 14 additions and 2 deletions
--- a/api/app/clients/OpenAIClient.js
+++ b/api/app/clients/OpenAIClient.js
@ -914,7 +914,9 @@ ${convo}
   */
  getStreamUsage() {
    if (
+      this.usage &&
      typeof this.usage === 'object' &&
+      'completion_tokens_details' in this.usage &&
      typeof this.usage.completion_tokens_details === 'object'
    ) {
      const outputTokens = Math.abs(
--- a/api/server/services/Config/EndpointService.js
+++ b/api/server/services/Config/EndpointService.js
@ -45,7 +45,9 @@ module.exports = {
      AZURE_ASSISTANTS_BASE_URL,
      EModelEndpoint.azureAssistants,
    ),
-    [EModelEndpoint.bedrock]: generateConfig(process.env.BEDROCK_AWS_SECRET_ACCESS_KEY),
+    [EModelEndpoint.bedrock]: generateConfig(
+      process.env.BEDROCK_AWS_SECRET_ACCESS_KEY ?? process.env.BEDROCK_AWS_DEFAULT_REGION,
+    ),
    /* key will be part of separate config */
    [EModelEndpoint.agents]: generateConfig(process.env.I_AM_A_TEAPOT),
  },
--- a/api/server/services/Endpoints/bedrock/options.js
+++ b/api/server/services/Endpoints/bedrock/options.js
@ -19,7 +19,7 @@ const getOptions = async ({ req, endpointOption }) => {
  const expiresAt = req.body.key;
  const isUserProvided = BEDROCK_AWS_SECRET_ACCESS_KEY === AuthType.USER_PROVIDED;

-  const credentials = isUserProvided
+  let credentials = isUserProvided
    ? await getUserKey({ userId: req.user.id, name: EModelEndpoint.bedrock })
    : {
      accessKeyId: BEDROCK_AWS_ACCESS_KEY_ID,
@ -30,6 +30,14 @@ const getOptions = async ({ req, endpointOption }) => {
    throw new Error('Bedrock credentials not provided. Please provide them again.');
  }

+  if (
+    !isUserProvided &&
+    (credentials.accessKeyId === undefined || credentials.accessKeyId === '') &&
+    (credentials.secretAccessKey === undefined || credentials.secretAccessKey === '')
+  ) {
+    credentials = undefined;
+  }
+
  if (expiresAt && isUserProvided) {
    checkUserKeyExpiry(expiresAt, EModelEndpoint.bedrock);
  }