vercel / ai

Build AI-powered applications with React, Svelte, Vue, and Solid
https://sdk.vercel.ai/docs

Bedrock: can't use AWS metadata service for authentication #2216

Closed brianprost closed 5 days ago

brianprost commented 2 weeks ago

Description

It seems like the only way that Bedrock can be used now is by generating access credentials, which is not the most secure nor standard way to handle permissions for workloads running on AWS.

In the legacy Bedrock provider, a deployed compute instance could still authenticate with the Bedrock API using the metadata service, but when transitioning to AI SDK 3.x / @ai-sdk/amazon-bedrock, deployed environments can no longer authenticate.

Code example

Things work fine locally, where I'm authenticated with AWS SSO CLI. All of these work fine locally, but not when deployed.

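import { createAmazonBedrock } from '@ai-sdk/amazon-bedrock';

// Static credentials read from environment variables.
const bedrock = createAmazonBedrock({
  bedrockOptions: {
    credentials: {
      accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
      secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
      sessionToken: process.env.AWS_SESSION_TOKEN!
    }
  }
});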

Additional context

My deployed environment is a NextJS 14.2.4 app in a Docker container (derived from the official example) on an ECS service in us-east-1.

lgrammel commented 2 weeks ago

@brianprost the authentication information is used as configuration options for creating a BedrockRuntimeClient (https://github.com/vercel/ai/blob/main/packages/amazon-bedrock/src/bedrock-provider.ts#L47). You can use any authentication mechanism that works with the Bedrock SDK.
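
Added example, not part of the issue thread or the AI SDK code base: one way to build `bedrockOptions` so that static keys are passed only when they are actually set, and the `credentials` field is otherwise left out. It assumes the options reach the AWS SDK client unchanged, as the reply above describes, and that the client falls back to its default credential provider chain (which covers ECS task roles and instance profiles) when no `credentials` are given. The helper names `describeCredentialSource` and `buildBedrockOptions` are hypothetical.

```typescript
// Added example. Helper names are hypothetical; env samples are constructed.
type Env = Record<string, string | undefined>;

interface StaticCredentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;
}

interface BedrockOptions {
  region: string;
  credentials?: StaticCredentials;
}

type CredentialSource = "static-env-keys" | "ecs-task-role" | "sdk-default-chain";

// Report which source the workload is expected to authenticate with.
function describeCredentialSource(env: Env): CredentialSource {
  if (env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY) return "static-env-keys";
  // The ECS agent sets one of these variables for tasks that have a task role.
  if (env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI || env.AWS_CONTAINER_CREDENTIALS_FULL_URI) {
    return "ecs-task-role";
  }
  return "sdk-default-chain"; // e.g. an SSO profile locally, an instance profile on EC2
}

// Build the options object handed to the AWS SDK client. `credentials` is set
// only when both static keys exist. A `!` assertion on an unset variable would
// instead yield an object full of undefined values at runtime.
function buildBedrockOptions(env: Env, fallbackRegion = "us-east-1"): BedrockOptions {
  const region = env.AWS_REGION ?? env.AWS_DEFAULT_REGION ?? fallbackRegion;
  if (describeCredentialSource(env) !== "static-env-keys") return { region };
  const credentials: StaticCredentials = {
    accessKeyId: env.AWS_ACCESS_KEY_ID as string,
    secretAccessKey: env.AWS_SECRET_ACCESS_KEY as string,
  };
  if (env.AWS_SESSION_TOKEN) credentials.sessionToken = env.AWS_SESSION_TOKEN;
  return { region, credentials };
}

// Constructed sample environments (not real values).
const ecsTaskEnv: Env = { AWS_REGION: "us-east-1", AWS_CONTAINER_CREDENTIALS_RELATIVE_URI: "/v2/credentials/EXAMPLE" };
const localKeyEnv: Env = { AWS_ACCESS_KEY_ID: "AKIAEXAMPLE", AWS_SECRET_ACCESS_KEY: "example-secret" };

// Usage with the provider from the issue:
//   createAmazonBedrock({ bedrockOptions: buildBedrockOptions(process.env) })
```

Logging the value of `describeCredentialSource(process.env)` at startup shows whether a deployed task is running on its task role or on long-lived keys.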