feat(auth): add AWS Bedrock token provider #3135
tbuatois wants to merge 6 commits into openai:main from
Conversation
Add aws_bedrock_token_provider() to generate bearer tokens for AWS Bedrock OpenAI-compatible endpoints using SigV4 presigned URLs.
- Credentials resolved from standard AWS chain (env, profiles, IMDS)
- Tokens cached and auto-refreshed before expiry
- botocore available via openai[bedrock] optional dependency
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a9f9f2cce1
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
…edential lifetime
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: cc64a8b16b
| now = time.monotonic() | ||
| if _cached_token[0] is None or now >= _refresh_at[0]: | ||
| _cached_token[0] = _generate_token() | ||
| _refresh_at[0] = now + max(token_duration - 60, token_duration * 0.9) |
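Review bot: the check on the `if _cached_token[0] is None or now >= _refresh_at[0]:` line and the two assignments beneath it are not protected by a lock in the lines shown, so two threads arriving at a cold or stale cache can both call `_generate_token()` and the later writer overwrites the earlier one's `_refresh_at`; wrap the check and both assignments in a `threading.Lock` so each refresh signs exactly once.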
Account for AWS credential expiry in token cache
The refresh schedule is based only on token_duration, but Bedrock bearer tokens signed with temporary AWS credentials stop working when those credentials expire, which can be much earlier than the requested token duration (for example, 15-minute STS credentials). With the current logic, a token can be reused for nearly an hour after its signing credentials have expired, causing intermittent 401s until _refresh_at is reached. The cache policy should incorporate credential expiration (or avoid caching) so expired signed tokens are not returned.
| import botocore.auth | ||
| import botocore.awsrequest |
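Review bot: these module-level imports of `botocore.auth` and `botocore.awsrequest` make the whole test module error out with ModuleNotFoundError when the `bedrock` extra is not installed; replace them with `pytest.importorskip("botocore.auth")` / `pytest.importorskip("botocore.awsrequest")` (or a skip marker on the Bedrock tests) so the default session skips these tests instead of failing collection.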
Guard botocore imports in Bedrock auth tests
These tests import real botocore modules unconditionally, but botocore is only declared as an optional extra and is not part of the default dev lockfile used by the standard nox test session. In a normal test environment without openai[bedrock], this helper raises ModuleNotFoundError before the new tests run, which can fail CI/test runs unrelated to Bedrock support. The tests should skip when botocore is unavailable or fully mock these modules.
@codex review
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71df8f4131
| region: str | None = None, | ||
| profile: str | None = None, | ||
| token_duration: int = 3600, | ||
| ) -> Callable[[], str]: |
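Review bot: `token_duration: int = 3600` is accepted without validation, and a zero or negative value turns the refresh arithmetic into a refresh on every call; raise ValueError for non-positive durations at construction time. The signature also leaves `region: str | None = None` undocumented as to which resolution is used when it is None (profile/config versus environment), so state that order in the docstring.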
Add async-compatible Bedrock token provider
aws_bedrock_token_provider() currently returns a synchronous Callable[[], str], but AsyncOpenAI unconditionally awaits api_key providers in AsyncOpenAI._refresh_api_key. If an async user passes this new helper (the same way as the sync example), requests fail at runtime with a TypeError because str is not awaitable. This makes the new Bedrock auth path unusable for async clients unless users write their own wrapper.
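The credential-expiry problem raised in the earlier Codex comment and the async-provider problem raised in this one both come down to how the cached token is scheduled and exposed. The following is an added example, not code from the openai SDK or this PR, of a cache that bounds the token lifetime by the signing credentials' expiry, serialises refreshes with a lock, and offers an awaitable form for an async client. The signer is a constructed stand-in (an HMAC over the presign inputs, with an assumed host name), not real SigV4; the `Credentials` record, `BedrockTokenCache`, `stand_in_presign`, `decode_token` and `fetch_async` names are assumptions, and the PR's botocore-backed signing would take the place of `stand_in_presign`.

```python
import asyncio
import base64
import hashlib
import hmac
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional

TOKEN_PREFIX = "bedrock-api-key-"  # token prefix named in the PR description


@dataclass(frozen=True)
class Credentials:
    """Constructed credential record (assumption); real code would use botocore's credentials."""
    access_key: str
    secret_key: str
    expires_at: Optional[float]  # epoch seconds, or None for long-lived keys


def stand_in_presign(creds: Credentials, region: str, expires_in: int, now: float) -> str:
    """Constructed stand-in for a SigV4 presigned URL; NOT real SigV4, host name assumed."""
    canonical = (
        f"bedrock-runtime.{region}.amazonaws.com/?X-Amz-Credential={creds.access_key}"
        f"&X-Amz-Date={int(now)}&X-Amz-Expires={expires_in}"
    )
    sig = hmac.new(creds.secret_key.encode(), canonical.encode(), hashlib.sha256).hexdigest()
    return f"https://{canonical}&X-Amz-Signature={sig}"


class BedrockTokenCache:
    """Caches a signed token until the earlier of token_duration and credential expiry."""

    def __init__(
        self,
        get_credentials: Callable[[], Credentials],
        region: str,
        token_duration: int = 3600,
        safety_margin: int = 60,
        clock: Callable[[], float] = time.time,
        presign: Callable[[Credentials, str, int, float], str] = stand_in_presign,
    ) -> None:
        if token_duration <= 0:
            raise ValueError("token_duration must be positive")
        self._get_credentials = get_credentials
        self._region = region
        self._token_duration = token_duration
        self._margin = safety_margin
        self._clock = clock
        self._presign = presign
        self._lock = threading.Lock()  # one signing call per refresh, even under concurrent use
        self._token: Optional[str] = None
        self._refresh_at = 0.0
        self.sign_calls = 0  # exposed so tests can count signing operations

    @property
    def refresh_at(self) -> float:
        return self._refresh_at

    def _generate(self, now: float) -> None:
        creds = self._get_credentials()
        # A token signed with temporary credentials stops working when they expire,
        # so the usable lifetime is the smaller of the requested duration and that expiry.
        lifetime = float(self._token_duration)
        if creds.expires_at is not None:
            lifetime = min(lifetime, creds.expires_at - now)
        if lifetime <= 0:
            raise RuntimeError("AWS credentials are already expired; refresh them first")
        url = self._presign(creds, self._region, self._token_duration, now)
        self._token = TOKEN_PREFIX + base64.b64encode(url.encode()).decode()
        self.sign_calls += 1
        # Same refresh-ahead schedule as the PR, applied to the bounded lifetime.
        self._refresh_at = now + max(lifetime - self._margin, lifetime * 0.9)

    def __call__(self) -> str:
        now = self._clock()
        with self._lock:
            if self._token is None or now >= self._refresh_at:
                self._generate(now)
            return self._token

    async def async_provider(self) -> str:
        """Awaitable form for an async client that awaits its api_key provider."""
        return await asyncio.to_thread(self.__call__)


def decode_token(token: str) -> str:
    """Recover the presigned URL from a bedrock-api-key-<base64> token (for inspection)."""
    if not token.startswith(TOKEN_PREFIX):
        raise ValueError("not a bedrock-api-key token")
    return base64.b64decode(token[len(TOKEN_PREFIX):]).decode()


def fetch_async(cache: BedrockTokenCache) -> str:
    """Drive the awaitable provider from synchronous code (used by the checks below)."""
    return asyncio.run(cache.async_provider())
```

With 15-minute STS credentials and the default one-hour `token_duration`, the cache above re-signs after 840 seconds rather than 3540, which is the gap the first comment describes; `cache.async_provider` is what you would hand to the async client in place of the synchronous callable, and the synchronous `cache()` keeps working for the sync client.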
…y mock tests for CI
@codex review
Codex Review: Didn't find any major issues. Already looking forward to the next diff.
feat(auth): add built-in AWS Bedrock token provider
Add aws_bedrock_token_provider() to generate bearer tokens for AWS Bedrock OpenAI-compatible endpoints using SigV4 presigned URLs.
Changes being requested
Amazon Bedrock provides OpenAI-compatible API endpoints, but today users must install and configure a separate library (aws-bedrock-token-generator-python) to generate the required bearer tokens. This PR builds that token generation directly into the SDK.
What it does:
- aws_bedrock_token_provider() function in openai.auth
- bedrock-api-key-<base64-encoded-presigned-url> tokens via SigV4 signing
- botocore is an optional dependency via pip install 'openai[bedrock]'
Usage:
Files changed (5):
- src/openai/auth/_workload.py: aws_bedrock_token_provider() function
- src/openai/auth/__init__.py
- pyproject.toml: openai[bedrock] optional dependency for botocore
- README.md
- tests/test_auth.py
Additional context & links