Skip to content

feat: add AWS profile support for Bedrock credentials #10504

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: add AWS profile support for Bedrock credentials #10504

wants to merge 1 commit into from
+61 −21

Conversation

@iElsha
Copy link

@iElsha iElsha commented Nov 14, 2025
edited
Loading

Pull Request Template

⚠️ Before Submitting a PR, Please Review:

  • Please ensure that you have thoroughly read and understood the Contributing Docs before submitting your Pull Request.
  • Done

⚠️ Documentation Updates Notice:

  • Kindly note that documentation updates are managed in this repository: librechat.ai
  • Done

Summary

This PR adds AWS profile support for Bedrock credentials, enabling automatic credential refresh using the AWS SDK's credential provider chain. This
improvement allows users to configure AWS profiles with optional credential_process for seamless token rotation, eliminating the need to manually
update static environment variables when credentials expire.

Key Changes:

  • Added BEDROCK_AWS_PROFILE environment variable support
  • Implemented AWS SDK credential provider chain following the existing S3 implementation pattern
  • Updated credential loading logic to support three methods: user-provided credentials, static environment variables, and AWS profiles
  • Added logging for credential source transparency
  • Updated .env.example with comprehensive documentation on profile configuration and optional auto-refresh setup

Benefits:

  • Automatic credential refresh for temporary credentials (no manual intervention needed)
  • Follows AWS best practices for credential management
  • Maintains backward compatibility with existing credential methods
  • Supports IAM roles, EC2/ECS metadata, SSO, and AWS profiles

Change Type

Please delete any irrelevant options.

  • New feature (non-breaking change which adds functionality)
  • This change requires a documentation update

Testing

Please describe your test process and include instructions so that we can reproduce your test. If there are any important variables for your testing configuration, list them here.

Test Configuration:

Environment Variables:

BEDROCK_AWS_DEFAULT_REGION=us-west-2
BEDROCK_AWS_PROFILE=my-bedrock-profile

AWS Config (~/.aws/config):
[profile my-bedrock-profile]
region = us-west-2
credential_process = my-custom-refresh-command --format json

# This can also be   credential_process = node /path/to/LibreChat/config/get-aws-credentials.js or anything else...

Test Steps:

  1. Set up AWS profile with credential_process in ~/.aws/config
  2. Configure BEDROCK_AWS_PROFILE in .env file
  3. Start LibreChat
  4. Verify Bedrock endpoint connects successfully using profile credentials
  5. Check logs confirm credential source: [Bedrock] Using AWS credential provider chain with profile: my-bedrock-profile
  6. Test that credentials automatically refresh when expired

Backward Compatibility Testing:

  • Verified existing static environment variable configuration still works
  • Verified user-provided credentials flow unchanged
  • Tested fallback to default credential provider chain when no profile specified

Checklist

Please delete any irrelevant options.

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • I have made pertinent documentation changes
  • My changes do not introduce new warnings
  • Local unit tests pass with my changes Test Suites: 1 skipped, 80 passed, 80 of 81 total
  • A pull request for updating the documentation has been submitted.

feat: add AWS profile support for Bedrock credentials
ec31e78 
  - Add BEDROCK_AWS_PROFILE environment variable support
  - Implement AWS SDK credential provider chain for automatic refresh
  - Update credential loading logic to support profiles, static env vars, and user-provided credentials
  - Add logging for credential source transparency
  - Update .env.example with profile configuration documentation

  Follows S3 implementation pattern for credential handling.
  Enables users to configure AWS profiles with optional credential_process for automatic token refresh.
iElsha pushed a commit to iElsha/librechat.ai that referenced this pull request Nov 14, 2025
docs: update Bedrock authentication with AWS profile support
272166b 
  - Add AWS profile configuration as Option 1 (recommended for temporary credentials)
  - Document credential_process for automatic credential refresh
  - Reorganize authentication methods into three clear options with recommendations
  - Add examples for ~/.aws/config and ~/.aws/credentials setup
  - Include JSON format specification for credential_process output
  - Add links to AWS CLI configuration and external process documentation
  - Clarify when to use each authentication method (profiles vs provider chain vs static)
  - Add warnings about static credentials with temporary tokens

  Aligns documentation with new BEDROCK_AWS_PROFILE feature in LibreChat - PR: danny-avila/LibreChat#10504.
This was referenced Nov 14, 2025
Open
Open
@iElsha
Copy link
Author

iElsha commented Nov 14, 2025

Issue: #10506

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@iElsha