[Enhancement]: Add AWS Profile Support with Auto-Refresh for Bedrock Credentials #10506

@iElsha

What features would you like to see added?

Add support for AWS profiles (BEDROCK_AWS_PROFILE) for Bedrock endpoint authentication, enabling automatic credential refresh for temporary
credentials.

Currently, LibreChat only supports static environment variables for Bedrock credentials (BEDROCK_AWS_ACCESS_KEY_ID, BEDROCK_AWS_SECRET_ACCESS_KEY,
BEDROCK_AWS_SESSION_TOKEN). This requires manual updates whenever temporary credentials expire, which is inconvenient for users working with:

  • Corporate AWS accounts that issue temporary credentials
  • AWS SSO authentication
  • Credentials that rotate frequently (hourly, daily)
  • Multi-account AWS setups

Proposed Solution:

Add BEDROCK_AWS_PROFILE environment variable support that leverages the AWS SDK's credential provider chain, similar to how the S3 integration
already works.

Example configuration:

.env file

BEDROCK_AWS_DEFAULT_REGION=us-west-2
BEDROCK_AWS_PROFILE=my-bedrock-profile

~/.aws/config

[profile my-bedrock-profile]
region = us-west-2
credential_process = my-credential-tool --format json

This would enable:

  • ✅ Automatic credential refresh when tokens expire
  • ✅ Support for AWS SSO, IAM roles, and EC2/ECS metadata
  • ✅ No manual credential updates required
  • ✅ Consistent authentication pattern across LibreChat (matches existing S3 implementation)

More details

Benefits:

  1. User Experience: Users won't need to restart LibreChat or manually update environment variables when credentials expire
  2. Security: Reduces the risk of hardcoded credentials in .env files
  3. Enterprise-friendly: Aligns with corporate AWS credential management practices
  4. Flexibility: Supports multiple authentication methods through AWS SDK's credential provider chain
  5. Consistency: Follows the same pattern already implemented for S3 storage

Implementation approach:

Follow the existing S3 implementation pattern in packages/api/src/cdn/s3.ts:

  • If explicit credentials are provided → use them (backward compatible)
  • If profile is specified → pass to AWS SDK with credential provider chain
  • If neither → fall back to default credential provider chain

Technical details:

The AWS SDK already supports this via DefaultProviderInit which includes profile support. The @langchain/aws package's ChatBedrockConverseInput
extends this interface, so the underlying infrastructure already supports profiles.

Use cases:

  1. Corporate environments with temporary credential tools (e.g., ada, aws-vault, saml2aws)
  2. AWS SSO users who authenticate through Identity Center
  3. Multi-account setups where different profiles access different AWS accounts
  4. CI/CD pipelines using IAM roles with automatic credential rotation
  5. Development teams sharing credential configuration without exposing secrets

Backward compatibility:

This change would be fully backward compatible:

  • Existing static environment variable configurations continue to work
  • User-provided credentials (via user_provided) remain unchanged
  • Only adds new optional functionality

PR: #10504

Which components are impacted by your request?

Endpoints
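
The three-step precedence listed under "Implementation approach", as an added example that is not LibreChat's code and not part of the original issue. The names `resolveBedrockAuth` and `BedrockAuth`, and the choice to reject a half-configured key pair instead of falling through to the profile, are assumptions; only the environment variable names come from the issue.

```typescript
// Added example: hypothetical helper, not LibreChat's own code.
type Env = Record<string, string | undefined>;

interface BedrockAuth {
  source: 'static' | 'profile' | 'default-chain';
  region?: string;
  profile?: string;
  credentials?: { accessKeyId: string; secretAccessKey: string; sessionToken?: string };
}

// Treat empty or whitespace-only values as unset.
const read = (env: Env, key: string): string | undefined => env[key]?.trim() || undefined;

function resolveBedrockAuth(env: Env): BedrockAuth {
  const region = read(env, 'BEDROCK_AWS_DEFAULT_REGION');
  const accessKeyId = read(env, 'BEDROCK_AWS_ACCESS_KEY_ID');
  const secretAccessKey = read(env, 'BEDROCK_AWS_SECRET_ACCESS_KEY');
  const sessionToken = read(env, 'BEDROCK_AWS_SESSION_TOKEN');
  const profile = read(env, 'BEDROCK_AWS_PROFILE');

  // 1. Explicit static credentials win (backward compatible).
  if (accessKeyId && secretAccessKey) {
    return { source: 'static', region, credentials: { accessKeyId, secretAccessKey, sessionToken } };
  }
  // Assumption: a half-set key pair or an orphaned session token is an error,
  // so a typo cannot silently switch the process to a different identity.
  if (accessKeyId || secretAccessKey || sessionToken) {
    throw new Error('Incomplete static Bedrock credentials: set both key variables or neither');
  }
  // 2. Named profile: hand the name to the SDK provider chain, which
  //    resolves it (credential_process, SSO, ...) and refreshes on expiry.
  if (profile) {
    return { source: 'profile', region, profile };
  }
  // 3. Nothing set: leave resolution to the SDK default provider chain.
  return { source: 'default-chain', region };
}
```

The returned `source` is safe to log at startup, which makes it visible which identity path the process is on without printing any secret.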
