openclaw/extensions/amazon-bedrock-mantle/bedrock-token-generator.d.ts at 4329d94de3a71803db177ee50af68eb75d7ea06b - openclaw - Gitea: Git with a cup of tea

vultr/openclaw

mirror of https://github.com/openclaw/openclaw.git synced 2026-04-17 20:21:13 +00:00

Files

wirjo 0793136c63 feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-… (#61563 )

* feat(bedrock-mantle): add IAM credential auth via @aws/bedrock-token-generator

Mantle previously required a manually-created API key (AWS_BEARER_TOKEN_BEDROCK).
This adds automatic bearer token generation from IAM credentials using the
official @aws/bedrock-token-generator package.

Auth priority:
1. Explicit AWS_BEARER_TOKEN_BEDROCK env var (manual API key from Console)
2. IAM credentials via getTokenProvider() → Bearer token (instance roles,
   SSO profiles, access keys, EKS IRSA, ECS task roles)

Token is cached in memory (1hr TTL, generated with 2hr validity) and in
process.env.AWS_BEARER_TOKEN_BEDROCK for downstream sync reads.

Falls back gracefully when package is not installed or credentials are
unavailable — Mantle provider simply not registered.

Closes #45152

* fix(bedrock-mantle): harden IAM auth

---------

Co-authored-by: Vincent Koc <vincentkoc@ieee.org>

2026-04-06 01:41:24 +01:00

7 lines

175 B

TypeScript

Raw Blame History

 declare module "@aws/bedrock-token-generator" {
   export function getTokenProvider(opts?: {
     region?: string;
     expiresInSeconds?: number;
   }): () => Promise<string>;
 }