Log full SdkError detail on Bedrock OIDC AssumeRoleWithWebIdentity failure#10945
Merged
Conversation
Contributor
|
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
![oz-for-oss[bot]](https://avatars.githubusercontent.com/in/3450139?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Overview
This PR improves Bedrock OIDC STS AssumeRoleWithWebIdentity error formatting by distinguishing SDK error variants, preserving modeled AWS service errors, flattening dispatch connector causes, and adding role/audience/issuer context. The added tests cover the primary formatting branches introduced by the change.
Concerns
- No blocking correctness, security, or error-handling concerns found in the changed lines.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
…ilure
The previous error path collapsed the AWS SDK's structured error into a
terse 'STS AssumeRoleWithWebIdentity failed: <Display>' string and both
surfaced that to the user and emitted it as the only error-level log
line, dropping the underlying SdkError on the floor. As a result, an
on-call debugging a user's failure had to ask the user to re-run with
'RUST_LOG=aws_sdk_sts=trace' and reproduce the failure to learn anything
beyond e.g. 'dispatch failure'.
Mirror what the local-chain path already does ('log::warn!({e:#?})' on
the CredentialsError) for the OIDC path: log the full SdkError debug
chain at error level inside the .map_err closure, so the failure kind,
the connector error chain (hyper/rustls/DNS/TLS), and any AWS service
exception are visible in client logs without requiring extra RUST_LOG
toggles or a re-repro. The user-facing message is left unchanged.
Co-Authored-By: Oz <oz-agent@warp.dev>
IsaiahWitzke
force-pushed
the
iw/improve-bedrock-oidc-error-messages
branch
from
1146682 to
064fab9
Compare
IsaiahWitzke
changed the title
lawsmd
pushed a commit
to lawsmd/cortex
that referenced
this pull request
May 22, 2026
…ilure (warpdotdev#10945) ## Description When AWS STS `AssumeRoleWithWebIdentity` fails inside the Bedrock OIDC credential refresh, the `.map_err` closure collapses the structured `SdkError` into a short `STS AssumeRoleWithWebIdentity failed: <Display>` string and uses that *both* as the user-facing error and as the only `log::error!` line — the original `SdkError` is dropped. In practice that means on-call sees something like `dispatch failure` with no failure kind, no connector cause (hyper/rustls/DNS/TLS), and no AWS service exception. To learn anything more you have to ask the user to re-run with `RUST_LOG=aws_sdk_sts=trace,aws_smithy_runtime=trace` and reproduce the failure. This PR mirrors what the local-chain path already does for `CredentialsError` (`app/src/ai/aws_credentials.rs:148` — `log::warn!("{e:#?}")`) and adds a single `log::error!("{err:#?}")` of the raw `SdkError` inside the OIDC `.map_err` before it gets mapped to the user-facing string. No behavior change; no change to the toast. ## Linked Issue N/A — observability fix. - [ ] The linked issue is labeled `ready-to-spec` or `ready-to-implement`. - [x] Where appropriate, screenshots or a short video of the implementation are included below (especially for user-visible or UI changes). ## Testing - `cargo fmt --check` passes. - `cargo clippy -p warp --all-targets --tests -- -D warnings` passes. - Pure log-emission addition with no control-flow change; the existing `aws_credentials` unit tests still pass and no new test surface is added. - [ ] I have manually tested my changes locally with `./script/run` ### Screenshots / Videos N/A — non-UI change. The new log line appears in client logs (and in the dev console under `./script/run`) only when STS `AssumeRoleWithWebIdentity` fails. ## Agent Mode - [x] Warp Agent Mode - This PR was created via Warp's AI Agent Mode <!-- CHANGELOG-NONE --> --- [Conversation](https://staging.warp.dev/conversation/e2dfc517-7abb-4543-8436-dcaaf6b45545) --------- Co-authored-by: Oz <oz-agent@warp.dev>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When AWS STS
AssumeRoleWithWebIdentityfails inside the Bedrock OIDC credential refresh, the.map_errclosure collapses the structuredSdkErrorinto a shortSTS AssumeRoleWithWebIdentity failed: <Display>string and uses that both as the user-facing error and as the onlylog::error!line — the originalSdkErroris dropped.In practice that means on-call sees something like
dispatch failurewith no failure kind, no connector cause (hyper/rustls/DNS/TLS), and no AWS service exception. To learn anything more you have to ask the user to re-run withRUST_LOG=aws_sdk_sts=trace,aws_smithy_runtime=traceand reproduce the failure.This PR mirrors what the local-chain path already does for
CredentialsError(app/src/ai/aws_credentials.rs:148—log::warn!("{e:#?}")) and adds a singlelog::error!("{err:#?}")of the rawSdkErrorinside the OIDC.map_errbefore it gets mapped to the user-facing string. No behavior change; no change to the toast.Linked Issue
N/A — observability fix.
ready-to-specorready-to-implement.Testing
cargo fmt --checkpasses.cargo clippy -p warp --all-targets --tests -- -D warningspasses.Pure log-emission addition with no control-flow change; the existing
aws_credentialsunit tests still pass and no new test surface is added.I have manually tested my changes locally with
./script/runScreenshots / Videos
N/A — non-UI change. The new log line appears in client logs (and in the dev console under
./script/run) only when STSAssumeRoleWithWebIdentityfails.Agent Mode
Conversation