Right now we look up AWS credentials only once, in `chat_bedrock()`:

```r
# ellmer/R/provider-bedrock.R, line 36 in bf973c9
credentials <- paws_credentials(profile)
```

and then use these static credentials to sign requests:

```r
# ellmer/R/provider-bedrock.R, lines 78 to 83 in bf973c9
req <- req_auth_aws_v4(
  req,
  aws_access_key_id = provider@credentials$access_key_id,
  aws_secret_access_key = provider@credentials$secret_access_key,
  aws_session_token = provider@credentials$session_token
)
```

This causes problems when using temporary IAM credentials, as is commonly the case when using IAM on Kubernetes or with Workbench-managed credentials (both of which use AssumeRoleWithWebIdentity under the hood).
With the default settings these credentials will expire after an hour, at which point all future requests will fail. You can sidestep this by recreating the chat and passing in the existing Turns, but it seems like we should be handling credential expiry here directly instead.
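
One way to handle the expiry described above, as an added example that is not ellmer's code: keep the credentials behind an accessor that re-runs the lookup shortly before they expire. `credential_cache()`, `fetch`, `skew` and the `expiration` field are assumptions made for illustration, and the fake lookup with its keys is constructed.

```r
# Added example: refresh-on-expiry accessor (hypothetical helper).
# `fetch` is any zero-argument function returning a list with
# access_key_id, secret_access_key, session_token and expiration
# (POSIXct; NULL or NA is treated as "static keys, never refresh").
credential_cache <- function(fetch, skew = 300, now = Sys.time) {
  stopifnot(is.function(fetch), is.numeric(skew), skew >= 0)
  cached <- NULL
  function() {
    exp <- cached$expiration
    # Refresh `skew` seconds early so a request is never signed with
    # credentials that expire while it is in flight.
    stale <- is.null(cached) ||
      (!is.null(exp) && !is.na(exp) && exp - skew <= now())
    if (stale) {
      fresh <- fetch()
      if (is.null(fresh$access_key_id) || is.null(fresh$secret_access_key)) {
        stop("credential lookup returned no keys")
      }
      # Only replace the cache after a successful lookup; a failed
      # lookup raises an error instead of reusing expired keys.
      cached <<- fresh
    }
    cached
  }
}

# Constructed stand-in for an AssumeRoleWithWebIdentity lookup: every call
# issues new dummy keys valid for one hour on a simulated clock.
clock <- as.POSIXct("2025-01-01 00:00:00", tz = "UTC")
issued <- 0
fake_fetch <- function() {
  issued <<- issued + 1
  list(
    access_key_id = sprintf("EXAMPLEKEY%02d", issued),
    secret_access_key = "constructed-secret",
    session_token = "constructed-token",
    expiration = clock + 3600
  )
}
get_creds <- credential_cache(fake_fetch, now = function() clock)

stopifnot(get_creds()$access_key_id == "EXAMPLEKEY01")
clock <- clock + 1800  # 30 minutes in: still valid, served from cache
stopifnot(get_creds()$access_key_id == "EXAMPLEKEY01", issued == 1)
clock <- clock + 1500  # 55 minutes in: inside the skew window, refetched
stopifnot(get_creds()$access_key_id == "EXAMPLEKEY02", issued == 2)
```

Calling such an accessor immediately before each `req_auth_aws_v4()` call, instead of reading a value stored once on the provider, means a long-lived chat signs every request with current keys.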