feat(auth): add AWS Bedrock token provider

[tbuatois]

• I understand that this repository is auto-generated and my pull request may not be merged

Changes being requested

Add AWS Bedrock support via awsBedrockTokenProvider in the existing openai/auth module.

What

• src/auth/subject-token-providers.ts — New awsBedrockTokenProvider() that generates SigV4 presigned URL bearer tokens using the standard AWS credential chain
• src/auth/index.ts — Re-export the new provider
• tests/auth/subject-token-providers.test.ts — Unit tests for token generation, no-region error, missing SDK error
• package.json — Added @aws-sdk/credential-providers, @smithy/signature-v4, and @aws-crypto/sha256-js as optional peer dependencies (following the existing ws/zod pattern)
• README.md — Added Bedrock section with usage example

Usage

import OpenAI from 'openai';
import { awsBedrockTokenProvider } from 'openai/auth';

const client = new OpenAI({
  baseURL: 'https://bedrock-mantle.us-east-1.api.aws/v1', // region must match the token provider
  apiKey: awsBedrockTokenProvider({
    region: 'us-east-1',
    profile: 'my-profile', // optional
  }),
});

Design decisions

• Token is regenerated on each call to ensure it always reflects the latest valid credentials (important for short-lived STS/assumed-role sessions)
• AWS SDK modules are cached after first import so resolution is efficient
• AWS packages are optional peer dependencies — not auto-installed, but discoverable and warns if version mismatches

Additional context & links

• Companion PRs: openai-python
• AWS credential chain docs: https://docs.aws.amazon.com/sdkref/latest/guide/standardized-credentials.html

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4a682ec2f5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Validate Bedrock token TTL against service limits

tokenDuration is passed directly to signer.presign without bounds checking, so callers can request values above Bedrock’s short-term bearer-token limit (12 hours) and receive tokens that are later rejected at request time. This creates a runtime auth failure path that is avoidable and hard to diagnose from the caller side; validating/clamping to the accepted range before signing would fail fast with a clear provider error.

Useful? React with 👍 / 👎.