feat: enable AWS login credentials for Bedrock auth #21623
Merged
pakrym-oai
reviewed
May 8, 2026
| // richer Codex agent requests fail even though raw Responses requests work. | ||
| let headers_to_remove = headers | ||
| .keys() | ||
| .filter(|name| name.as_str().contains('_')) |
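Review bot: the predicate on the `.filter(...)` line matches any header whose name contains `_`, which is a deny rule by name shape rather than a list of known headers, so a header added later with an underscore in its name will be removed without any signal. Suggest logging the names collected in `headers_to_remove` at debug level and adding a unit test that pins which header names are removed and which are kept.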
Collaborator
is this the right filter? should we have an allowlist instead?
Collaborator
Author
unfortunately non-standard headers just won't be accepted by aws anyways. I think it's a fine tradeoff for now, we can revisit it if we need to achieve header parity with our responses api down the road
pakrym-oai
reviewed
May 8, 2026
pakrym-oai
approved these changes
May 8, 2026
Summary

Codex's Amazon Bedrock provider signs Mantle requests with SigV4 using credentials resolved by the AWS SDK. That worked for standard AWS profiles and environment credentials, but AWS CLI console-login profiles created by aws login require the SDK's credentials-login feature to resolve login_session credentials.

This change enables that credential provider so Bedrock can use AWS console-login credentials through the existing provider-owned AWS auth path.

While testing the console-login path, we also hit a Mantle-specific SigV4 regression from the new split between session_id and thread_id. Mantle does not preserve legacy OpenAI compatibility headers that use snake_case before SigV4 verification, so signing those headers can make the server reconstruct a different canonical request. The Bedrock auth path now removes that header class before signing, keeping preserved hyphenated Codex/AWS headers such as x-codex-turn-metadata signed normally.

Changes

aws-config's credentials-login feature in codex-rs/aws-auth.
aws_config::login::LoginCredentialsProvider.
snake_case compatibility headers from Bedrock Mantle SigV4 requests before signing.
session_id, thread_id, and future headers of the same shape.
aws-sdk-signin dependency.

Tests

aws login locally and verified that it works as intended.
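
The canonical-request mismatch described in the Summary, as an added example that is not code from this pull request: it models only the SigV4 canonical headers block and SignedHeaders list (no hashing) and shows why signing headers that never reach the verifier breaks verification, while stripping them first does not. The function names, the host and all header values are constructed, and dropping underscore-named headers before verification is the behaviour the Summary attributes to Mantle, taken here as an assumption.

```rust
use std::collections::BTreeMap;

type Headers = BTreeMap<String, String>; // sorted by name, as SigV4 canonical form requires

/// Constructed sample request headers; the host and all values are placeholders.
fn sample() -> Headers {
    [("host", "mantle.example.invalid"), ("x-amz-date", "20260508T000000Z"),
     ("x-codex-turn-metadata", "{}"), ("session_id", "s-1"), ("thread_id", "t-1")]
        .iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

/// Canonical headers block and SignedHeaders list for the headers the client signs.
fn canonical(h: &Headers) -> (String, String) {
    let block = h.iter().map(|(k, v)| format!("{}:{}\n", k, v)).collect::<String>();
    (block, h.keys().cloned().collect::<Vec<_>>().join(";"))
}

/// Drops every header whose name contains `_` (same predicate as the filter under review).
fn without_underscore_names(h: &Headers) -> Headers {
    h.iter().filter(|(k, _)| !k.contains('_')).map(|(k, v)| (k.clone(), v.clone())).collect()
}

/// Verifier side: rebuild the block from SignedHeaders and the headers that arrived.
fn rebuild(signed: &str, received: &Headers) -> String {
    signed.split(';')
        .map(|n| format!("{}:{}\n", n, received.get(n).map(String::as_str).unwrap_or("")))
        .collect()
}

/// True when the verifier reconstructs the same block the client signed.
/// Assumption: the service drops underscore-named headers before verification.
fn verifies(signed_headers: &Headers) -> bool {
    let (block, signed) = canonical(signed_headers);
    rebuild(&signed, &without_underscore_names(signed_headers)) == block
}

fn main() {
    let all = sample();
    println!("sign everything  -> verifies: {}", verifies(&all));
    let stripped = without_underscore_names(&all);
    println!("strip, then sign -> verifies: {}", verifies(&stripped));
    println!("SignedHeaders: {}", canonical(&stripped).1);
}
```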