feat: add AWS Bedrock as a platform AI provider #12712

Merged
Louai-Zokerburg merged 10 commits into main from feat/add-bedrock-ai-provider
Apr 21, 2026
@Louai-Zokerburg
Collaborator

Wires Bedrock into the Universal AI provider system so platform admins can expose Bedrock-hosted models (Claude, Llama, Titan, Mistral, etc.) through the AI piece and agent model picker. Credentials are stored as an access key / secret pair in auth with the AWS region in config (mirroring the Azure apiKey+resourceName split). Models are listed dynamically via ListFoundationModelsCommand; the existing standalone amazon-bedrock piece is unchanged.

Auth narrowing in ai-sdk.ts is updated to destructure apiKey via a BaseAIProviderAuthConfig cast per case, since the widened union now includes Bedrock's non-apiKey shape. The update-mutation auth check in the upsert dialog and ai-provider-hooks is generalized from apiKey?.length > 0 to a provider-agnostic 'any string field filled' helper so editing Bedrock without re-entering secrets works.

What does this PR do?

Explain How the Feature Works

Relevant User Scenarios

Fixes # (issue)

@Louai-Zokerburg Louai-Zokerburg added the preview spin up preview environment label Apr 20, 2026
@greptile-apps
Contributor

greptile-apps Bot commented Apr 20, 2026

Confidence Score: 5/5

Safe to merge; all prior P0/P1 concerns are resolved and the one remaining finding is a minor UX improvement.

All previously flagged issues have been fixed: the Bedrock cache key now includes the region, both credential fields are hidden behind the same edit toggle, hasAnyAuthFieldFilled is no longer duplicated, and the IAM guidance recommends least-privilege. The single new finding is a P2 UX issue that does not corrupt data or break the primary path.

upsert-provider-dialog.tsx — OptionalAuthSchema lacks paired-field validation for Bedrock credentials in edit mode.

Important Files Changed

| Filename | Overview |
|---|---|
| packages/server/api/src/app/ai/providers/bedrock-provider.ts | New Bedrock provider strategy: lists models via ListFoundationModelsCommand (ON_DEMAND inference), maps output modalities to model types. Implementation is clean and correct. |
| packages/server/api/src/app/ai/ai-provider-service.ts | getAuthCacheFingerprint now correctly includes both accessKeyId and region for Bedrock, fixing the previously flagged stale-cache bug. Logic is otherwise sound. |
| packages/shared/src/lib/management/ai-providers/index.ts | Adds BedrockProviderAuthConfig (accessKeyId + secretAccessKey) and BedrockProviderConfig (region) with correct Zod schemas; union ordering is safe. |
| packages/pieces/community/ai/src/lib/common/ai-sdk.ts | Adds Bedrock case using @ai-sdk/amazon-bedrock; per-case auth cast is the correct fix for the widened union. Image and text model routing is consistent with other providers. |
| packages/web/src/app/routes/platform/setup/ai/universal-pieces/upsert-provider-config-form.tsx | Both credential fields are now correctly gated behind the showBedrockAuthInputs toggle, fixing the prior edit-mode empty-key overwrite issue. |
| packages/web/src/app/routes/platform/setup/ai/universal-pieces/upsert-provider-dialog.tsx | hasAnyAuthFieldFilled duplication fixed. OptionalAuthSchema lacks a refinement to require both Bedrock fields together when one is filled, so partial edits reach the server with a validation error. |
| packages/web/src/features/platform-admin/hooks/ai-provider-hooks.ts | hasAnyAuthFieldFilled defined here and re-exported from the platform-admin index, resolving the prior duplication. |
| packages/web/src/features/agents/ai-providers.ts | Bedrock provider definition added with setup markdown recommending least-privilege IAM policy, addressing the prior broad-policy comment. |

Reviews (8): Last reviewed commit: "fix: use enum instead of string in moda..."

Comment thread packages/web/src/features/agents/ai-providers.ts
The widened AIProviderAuthConfig union (Bedrock has no apiKey) broke
two auth.apiKey accesses in ai-provider-service.ts. The models cache
key is now computed from all auth values so it stays provider-agnostic
and still invalidates when credentials change. The ACTIVEPIECES branch
narrows with an 'apiKey' in auth type guard before reading the field.
@github-actions

🚀 Preview environment has been set up!

Environment URL: https://feat-add-bedrock-ai-provider.preview.activepieces.dev

The preview environment for branch feat/add-bedrock-ai-provider is now ready for testing.

Comment thread packages/pieces/community/ai/package.json Outdated
Comment thread packages/server/api/src/app/ai/ai-provider-service.ts Outdated
Comment thread packages/server/api/package.json Outdated
- Pin @ai-sdk/amazon-bedrock (3.0.97) and @aws-sdk/client-bedrock
  (3.1017.0) to the versions resolved in bun.lock across root,
  server/api, and the AI piece — no caret ranges.
- Replace the models-cache key concatenation with a per-provider
  getAuthCacheFingerprint helper: Bedrock joins accessKeyId and
  secretAccessKey with '-', other providers use apiKey. Keeps the
  key short and future auth shapes explicit.
- Fix a bug where editing a Bedrock provider could silently wipe
  the stored Access Key ID: both accessKeyId and secretAccessKey
  are now hidden behind a single 'AWS Credentials · Edit' toggle
  so neither field is submitted empty when the user only intended
  to rotate the secret.
- Extract hasAnyAuthFieldFilled to ai-provider-hooks.ts (exported
  via the platform-admin barrel) and drop the duplicate copy in
  the upsert dialog.
- Narrow IAM policy guidance in the provider instructions to the
  three actions actually used (bedrock:ListFoundationModels,
  bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream)
  instead of recommending AmazonBedrockFullAccess.
Comment thread packages/server/api/src/app/ai/ai-provider-service.ts Outdated

…th schema

ListFoundationModels returns different model sets per AWS region.
Without region in the fingerprint, switching regions on an existing
Bedrock provider served stale models until the midnight cache cron
ran. The Bedrock branch now joins accessKeyId, secretAccessKey, and
region so any change invalidates the cache immediately.

Also tightens BedrockProviderAuthConfig with .min(1) on accessKeyId
and secretAccessKey so empty strings are rejected at the schema
boundary rather than surfacing as opaque AWS auth failures later.
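
An added example, not code from this PR: one way to derive a models-cache fingerprint of the kind the commit messages above describe, hashing length-prefixed fields so the secret access key never appears in the cache key and any change to key, secret, or region produces a new key. The names `encodeFields`, `fingerprint` and `bedrockCacheFingerprint`, the types, and the sample values are hypothetical.

```typescript
import { createHash } from "node:crypto";

// Hypothetical shapes modelled on the fields named in the commit messages.
type BedrockAuth = { accessKeyId: string; secretAccessKey: string };
type BedrockConfig = { region: string };

// Length-prefix every field so ("a-b", "c") and ("a", "b-c") encode differently;
// a plain join with "-" maps both to "a-b-c".
function encodeFields(fields: string[]): string {
  return fields.map((f) => `${f.length}:${f}`).join("|");
}

// SHA-256 over the encoded fields: the raw secret never appears in the cache key.
function fingerprint(provider: string, fields: string[]): string {
  return createHash("sha256")
    .update(encodeFields([provider, ...fields]), "utf8")
    .digest("hex");
}

function bedrockCacheFingerprint(auth: BedrockAuth, config: BedrockConfig): string {
  // Empty credentials are rejected here, as the .min(1) schema rule does upstream.
  if (auth.accessKeyId.length === 0 || auth.secretAccessKey.length === 0) {
    throw new Error("Bedrock credentials must be non-empty");
  }
  return fingerprint("bedrock", [auth.accessKeyId, auth.secretAccessKey, config.region]);
}

// Constructed sample values, not real credentials.
const sampleAuth: BedrockAuth = {
  accessKeyId: "AKIAEXAMPLEEXAMPLE00",
  secretAccessKey: "constructed-secret-value",
};
const keyUsEast = bedrockCacheFingerprint(sampleAuth, { region: "us-east-1" });
const keyEuWest = bedrockCacheFingerprint(sampleAuth, { region: "eu-west-1" });

// Switching region on the same credentials yields a different cache key.
console.log(keyUsEast !== keyEuWest);
```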

@Louai-Zokerburg Louai-Zokerburg merged commit 0c68586 into main Apr 21, 2026
15 checks passed