
feat: add bedrock credential type for AWS Bedrock authentication #784

Open
knechtionscoding wants to merge 1 commit into kelos-dev:main from knechtionscoding:feat/bedrock-auth

knechtionscoding commented Mar 24, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:

Add a new `bedrock` credential type that injects AWS environment variables (`CLAUDE_CODE_USE_BEDROCK`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`) from a referenced Secret, with optional support for `AWS_SESSION_TOKEN` and `ANTHROPIC_BEDROCK_BASE_URL`.

Refactor credential injection into a centralized `credentialEnvVars()` function so that adding future providers (e.g. Vertex) requires only a new case block.

Changes:

  • Add `CredentialTypeBedrock` constant and update CRD enum validation
  • Add `credentialEnvVars()` to centralize credential env var injection for all types
  • Support `bedrock` config block in CLI for auto-creating AWS credential secrets
  • Add unit tests for bedrock credential injection
  • Add example manifests in `examples/09-bedrock-credentials/`

Which issue(s) this PR is related to:

Fixes #780

Special notes for your reviewer:

  • `AWS_SESSION_TOKEN` and `ANTHROPIC_BEDROCK_BASE_URL` are injected with `Optional: true` on the `SecretKeySelector`, so pods won't fail if those keys are absent from the Secret.
  • The `credentialEnvVars()` refactor is a no-op for existing `api-key` and `oauth` types — it just moves the same logic into a single function.
  • IRSA (IAM Roles for Service Accounts) is not yet supported as a first-class feature — it requires making `secretRef` optional, which is a separate API change. The IRSA workaround via `podOverrides.env` is documented in the example README.

Does this PR introduce a user-facing change?

Add `bedrock` credential type for running Claude Code tasks via AWS Bedrock. Create a Secret with `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_REGION` keys, then set `credentials.type: bedrock` on your Task.

Summary by cubic

Add a new `bedrock` credential type to run Claude Code via AWS Bedrock. Injects AWS env vars from a Secret, adds CLI/config to create/update it, and centralizes credential env var injection.

  • New Features

    • CRD supports `bedrock`; injects `CLAUDE_CODE_USE_BEDROCK=1`, `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION`, plus optional `AWS_SESSION_TOKEN` and `ANTHROPIC_BEDROCK_BASE_URL`.
    • CLI/config: new `bedrock` block; `kelos run` can create/update `kelos-credentials`; completion includes `bedrock`; examples in `examples/09-bedrock-credentials/`.
    • IRSA is not first-class yet; `secretRef` remains required (workaround documented in the example).
  • Refactors

    • Introduce `credentialEnvVars()` and use it for `api-key`, `oauth`, and `bedrock`; add unit test for Bedrock injection.

Written for commit d0a18b6. Summary will update on new commits.
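
An added example, not code from this PR or from kelos: a pre-flight check of the Secret data that the `bedrock` type reads, covering the case in the reviewer notes where `AWS_SESSION_TOKEN` and `ANTHROPIC_BEDROCK_BASE_URL` may be absent without the pod failing to start. The function name `CheckBedrockSecret` and the sample values are assumptions; the token check relies on AWS issuing temporary (STS) access key IDs with the `ASIA` prefix.

```go
package main

import (
	"fmt"
	"strings"
)

// Key names are the ones listed in the PR description.
var required = []string{"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_REGION"}
var optional = []string{"AWS_SESSION_TOKEN", "ANTHROPIC_BEDROCK_BASE_URL"}

// CheckBedrockSecret is a hypothetical pre-flight check, not a kelos function.
// data holds the decoded Secret values; each returned string is one finding.
func CheckBedrockSecret(data map[string]string) []string {
	var out []string
	for _, k := range required {
		if data[k] == "" {
			out = append(out, "missing required key "+k)
		}
	}
	// Values created from files often carry a trailing newline that breaks signing.
	for _, k := range append(append([]string{}, required...), optional...) {
		if v := data[k]; v != strings.TrimSpace(v) {
			out = append(out, k+" has leading or trailing whitespace")
		}
	}
	id, token := data["AWS_ACCESS_KEY_ID"], data["AWS_SESSION_TOKEN"]
	if strings.HasPrefix(id, "ASIA") && token == "" {
		// STS keys need their token, but an optional selector lets the pod
		// start without it, so the error only shows on the first AWS call.
		out = append(out, "temporary key (ASIA prefix) without AWS_SESSION_TOKEN")
	}
	if u := data["ANTHROPIC_BEDROCK_BASE_URL"]; u != "" && !strings.HasPrefix(u, "https://") {
		out = append(out, "ANTHROPIC_BEDROCK_BASE_URL is not an https URL")
	}
	return out
}

func main() {
	// Constructed sample: a temporary key stored without its session token.
	sample := map[string]string{
		"AWS_ACCESS_KEY_ID":     "ASIAEXAMPLEEXAMPLE00",
		"AWS_SECRET_ACCESS_KEY": "constructed-secret-value\n",
		"AWS_REGION":            "us-east-1",
	}
	for _, f := range CheckBedrockSecret(sample) {
		fmt.Println(f)
	}
}
```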

Successfully merging this pull request may close these issues.

Allow for authentication via bedrock instead of Anthropic directly
