feat: add AWS Bedrock as a platform AI provider #12712
Wires Bedrock into the Universal AI provider system so platform admins can expose Bedrock-hosted models (Claude, Llama, Titan, Mistral, etc.) through the AI piece and agent model picker. Credentials are stored as an access key / secret pair in auth with the AWS region in config (mirroring the Azure apiKey+resourceName split). Models are listed dynamically via ListFoundationModelsCommand; the existing standalone amazon-bedrock piece is unchanged.

Auth narrowing in ai-sdk.ts is updated to destructure apiKey via a BaseAIProviderAuthConfig cast per case, since the widened union now includes Bedrock's non-apiKey shape. The update-mutation auth check in the upsert dialog and ai-provider-hooks is generalized from apiKey?.length > 0 to a provider-agnostic 'any string field filled' helper so editing Bedrock without re-entering secrets works.
Confidence Score: 5/5

Safe to merge; all prior P0/P1 concerns are resolved and the one remaining finding is a minor UX improvement.

All previously flagged issues have been fixed: the Bedrock cache key now includes the region, both credential fields are hidden behind the same edit toggle, hasAnyAuthFieldFilled is no longer duplicated, and the IAM guidance recommends least-privilege. The single new finding is a P2 UX issue that does not corrupt data or break the primary path.

upsert-provider-dialog.tsx — OptionalAuthSchema lacks paired-field validation for Bedrock credentials in edit mode.
Reviews (8): Last reviewed commit: "fix: use enum instead of string in moda..."
The widened AIProviderAuthConfig union (Bedrock has no apiKey) broke two auth.apiKey accesses in ai-provider-service.ts. The models cache key is now computed from all auth values so it stays provider-agnostic and still invalidates when credentials change. The ACTIVEPIECES branch narrows with an 'apiKey' in auth type guard before reading the field.
🚀 Preview environment has been set up!
Environment URL: https://feat-add-bedrock-ai-provider.preview.activepieces.dev
The preview environment for branch
- Pin @ai-sdk/amazon-bedrock (3.0.97) and @aws-sdk/client-bedrock (3.1017.0) to the versions resolved in bun.lock across root, server/api, and the AI piece — no caret ranges.
- Replace the models-cache key concatenation with a per-provider getAuthCacheFingerprint helper: Bedrock joins accessKeyId and secretAccessKey with '-', other providers use apiKey. Keeps the key short and future auth shapes explicit.
- Fix a bug where editing a Bedrock provider could silently wipe the stored Access Key ID: both accessKeyId and secretAccessKey are now hidden behind a single 'AWS Credentials · Edit' toggle so neither field is submitted empty when the user only intended to rotate the secret.
- Extract hasAnyAuthFieldFilled to ai-provider-hooks.ts (exported via the platform-admin barrel) and drop the duplicate copy in the upsert dialog.
- Narrow IAM policy guidance in the provider instructions to the three actions actually used (bedrock:ListFoundationModels, bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream) instead of recommending AmazonBedrockFullAccess.
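The edit-mode rule that the review summary and this commit circle around (an "any field filled" check alone lets a half-filled Bedrock credential through) can be written as a both-or-neither check. This is an added example, not code from the PR: only the names hasAnyAuthFieldFilled, accessKeyId and secretAccessKey come from the page, and every other name, the function bodies and the sample values are assumptions.

```typescript
// Added example; not the activepieces implementation. Types and helper names
// other than hasAnyAuthFieldFilled are hypothetical.
type BedrockAuthInput = { accessKeyId?: string; secretAccessKey?: string };

type AuthUpdate =
  | { kind: "keep-stored" }
  | { kind: "replace"; auth: { accessKeyId: string; secretAccessKey: string } }
  | { kind: "reject"; reason: string };

const filled = (v: unknown): v is string =>
  typeof v === "string" && v.trim().length > 0;

// Assumed shape of the provider-agnostic check: true if any string field has content.
function hasAnyAuthFieldFilled(auth: Record<string, unknown> | undefined): boolean {
  return auth !== undefined && Object.values(auth).some(filled);
}

// Edit-mode rule for Bedrock: submit both fields or neither, never one alone.
function resolveBedrockAuthUpdate(input: BedrockAuthInput | undefined): AuthUpdate {
  // Nothing typed into the form: leave the stored credential pair untouched.
  if (!hasAnyAuthFieldFilled(input)) return { kind: "keep-stored" };
  const { accessKeyId, secretAccessKey } = input as BedrockAuthInput;
  if (filled(accessKeyId) && filled(secretAccessKey)) {
    return { kind: "replace", auth: { accessKeyId, secretAccessKey } };
  }
  // Exactly one field filled: saving it would overwrite the other with an empty value.
  const missing = filled(accessKeyId) ? "secretAccessKey" : "accessKeyId";
  return { kind: "reject", reason: `${missing} is required when rotating AWS credentials` };
}

// Constructed edit-form submissions (placeholder values, not real credentials).
const sampleEdits: Array<BedrockAuthInput | undefined> = [
  undefined,
  { accessKeyId: "", secretAccessKey: "" },
  { secretAccessKey: "constructed-secret" },
  { accessKeyId: "AKIA-CONSTRUCTED", secretAccessKey: "constructed-secret" },
];

const sampleKinds = (): string[] =>
  sampleEdits.map((edit) => resolveBedrockAuthUpdate(edit).kind);
```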
…th schema

ListFoundationModels returns different model sets per AWS region. Without region in the fingerprint, switching regions on an existing Bedrock provider served stale models until the midnight cache cron ran. The Bedrock branch now joins accessKeyId, secretAccessKey, and region so any change invalidates the cache immediately.

Also tightens BedrockProviderAuthConfig with .min(1) on accessKeyId and secretAccessKey so empty strings are rejected at the schema boundary rather than surfacing as opaque AWS auth failures later.
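A cache key built from access key, secret and region, shown invalidating on a region change. This is an added example, not the PR's code: getAuthCacheFingerprint is named on the page, but this body is an assumption, and it goes one step beyond the '-' join described above by length-prefixing and hashing the parts so the raw secret is not carried in the cache key. The cache, the catalogue and the credentials are constructed.

```typescript
import { createHash } from "node:crypto";

// Added example; the provider shape, cache and sample data are hypothetical.
type BedrockProvider = {
  auth: { accessKeyId: string; secretAccessKey: string };
  config: { region: string };
};

// Length-prefix each part so adjacent fields cannot run together, then hash so
// the raw secret never appears in a cache key, log line or cache dump.
function getAuthCacheFingerprint(p: BedrockProvider): string {
  const parts = [p.auth.accessKeyId, p.auth.secretAccessKey, p.config.region];
  const h = createHash("sha256");
  for (const part of parts) h.update(`${part.length}:${part}`);
  return h.digest("hex");
}

const modelsCache = new Map<string, string[]>();

// listModels stands in for the ListFoundationModels call; it runs only on a cache miss.
function cachedModels(
  p: BedrockProvider,
  listModels: (region: string) => string[],
): string[] {
  const key = `bedrock:${getAuthCacheFingerprint(p)}`;
  let models = modelsCache.get(key);
  if (models === undefined) {
    models = listModels(p.config.region);
    modelsCache.set(key, models);
  }
  return models;
}

// Constructed per-region catalogue and constructed (non-working) credentials.
const catalogue: Record<string, string[]> = {
  "us-east-1": ["model-a", "model-b"],
  "eu-west-1": ["model-a"],
};
const provider: BedrockProvider = {
  auth: { accessKeyId: "AKIA-CONSTRUCTED", secretAccessKey: "constructed-secret" },
  config: { region: "us-east-1" },
};
```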