
feat(coderd_ai_provider): add Bedrock role_arn for STS assume-role #372

Merged
ethanndickson merged 2 commits into main from ethan/bedrock-role-arn on Jul 1, 2026

Conversation

ethanndickson (Member) commented Jun 26, 2026

Background

A customer running AWS Bedrock needs runtime IAM role assumption across multiple AWS accounts so usage bills to the correct account: a pod starts with its ambient AWS identity (IRSA / EKS Pod Identity / instance profile), then assumes a downstream role in another account via STS before calling Bedrock, with temp credentials cached and rotated by the AWS SDK. Static keys are not acceptable, and the base identity alone is insufficient since it's shared across providers.

This gap (AIGOV-371) was fixed server-side in coder/coder#26527 (backend: assume a configured role ARN via STS before calling Bedrock; whether the role is same- or cross-account is purely a matter of its trust policy) and coder/coder#26578 (web UI follow-up). The only piece reaching this provider is one new role_arn field on codersdk.AIProviderBedrockSettings, plus server-side ARN validation. Everything else lives in aibridge / coderd / cli / UI, which this provider doesn't import.

What this PR does

Adds an optional role_arn to coderd_ai_provider's settings.bedrock block so the assume-role workflow is configurable via Terraform, not only the UI. When set, the gateway uses its base identity to assume that IAM role via STS and signs Bedrock requests with the resulting temporary credentials; the role can live in the same account or a different one, depending entirely on its trust policy. A deployment that needs several roles configures several providers. Omitting it preserves today's behavior. Also updates the example and regenerates docs/.

SDK bump

role_arn isn't in any tagged codersdk release yet (latest v2.34.3 predates it), so go.mod is pinned to a pseudo-version of the coder/coder#26527 merge commit; re-pin to a real tag once one ships.

Closes CODAGT-607. Refs AIGOV-371. Refs coder/coder#26527, coder/coder#26578.
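The description mentions server-side ARN validation for the new field without showing what that check looks like. The following Go program is an added example, not code from coder/coder or from this provider: it parses a role_arn value into its parts, rejects anything that is not an IAM role ARN (STS assumed-role session ARNs, IAM user ARNs, ARNs with a region, short account IDs), and reports whether the role is in a different account than the gateway's base identity. The names ParseRoleARN, RoleARN and CrossAccount, and all account IDs and role names, are assumptions made up for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// RoleARN is the decomposed form of a validated IAM role ARN.
type RoleARN struct {
	Partition string // "aws", "aws-cn" or "aws-us-gov"
	AccountID string // 12-digit account that owns the role
	Path      string // "/" when the role has no path, otherwise "/segment/.../"
	RoleName  string // 1-64 chars from the IAM role-name alphabet
}

// roleARNRe accepts only arn:<partition>:iam::<account>:role/<path><name>.
// IAM ARNs carry no region, so the region field must be empty. Requiring the
// iam service and the role/ resource type also keeps sts:assumed-role session
// ARNs and iam:user ARNs out: role_arn must name a role to assume, not a
// session or a principal.
var roleARNRe = regexp.MustCompile(
	`^arn:(aws|aws-cn|aws-us-gov):iam::(\d{12}):role(/(?:[\w+=,.@-]+/)*)([\w+=,.@-]{1,64})$`)

// ParseRoleARN validates a role_arn value and returns its parts.
// Hypothetical name; this is an added example, not the coder/coder check.
func ParseRoleARN(s string) (RoleARN, error) {
	if s == "" {
		return RoleARN{}, errors.New("role_arn is empty")
	}
	m := roleARNRe.FindStringSubmatch(s)
	if m == nil {
		return RoleARN{}, fmt.Errorf(
			"role_arn %q is not an IAM role ARN (want arn:<partition>:iam::<12-digit account>:role/<name>)", s)
	}
	return RoleARN{Partition: m[1], AccountID: m[2], Path: m[3], RoleName: m[4]}, nil
}

// String re-serialises the ARN so that ParseRoleARN(r.String()) == r.
func (r RoleARN) String() string {
	return fmt.Sprintf("arn:%s:iam::%s:role%s%s", r.Partition, r.AccountID, r.Path, r.RoleName)
}

// CrossAccount reports whether the role lives in a different account than the
// gateway's base identity. The assume-role flow itself does not depend on
// this (only the role's trust policy does); it is useful for logging and for
// telling an operator which trust policy to inspect when sts:AssumeRole is
// denied.
func CrossAccount(r RoleARN, baseAccountID string) bool {
	return r.AccountID != baseAccountID
}

func main() {
	// Constructed inputs: none of these is a real account or role.
	base := "210987654321"
	for _, in := range []string{
		"arn:aws:iam::123456789012:role/BedrockInvoker",
		"arn:aws:iam::210987654321:role/ai/BedrockInvoker",
		"arn:aws:sts::123456789012:assumed-role/BedrockInvoker/session",
		"arn:aws:iam::123456789012:user/alice",
		"arn:aws:iam:us-east-1:123456789012:role/BedrockInvoker",
	} {
		r, err := ParseRoleARN(in)
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("accept: %s (cross-account=%v)\n", r, CrossAccount(r, base))
	}
}
```

Validating the value at plan or apply time rather than at first Bedrock call is the practical point: a malformed or wrong-type ARN otherwise surfaces only as an sts:AssumeRole failure in the gateway, after the provider has already reported success.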

linear-code (Bot) commented Jun 26, 2026

AIGOV-371

CODAGT-607

Two review comment threads on docs/resources/ai_provider.md (outdated)
ethanndickson force-pushed the ethan/bedrock-role-arn branch from f39b9dd to 6e87fa3 on June 27, 2026 03:50
ethanndickson changed the title from "feat(coderd_ai_provider): add Bedrock role_arn for cross-account assume-role" to "feat(coderd_ai_provider): add Bedrock role_arn for STS assume-role" on Jun 27, 2026
ethanndickson force-pushed the ethan/bedrock-role-arn branch from 6e87fa3 to 6d0f35e on June 27, 2026 07:03
ethanndickson force-pushed the ethan/agents-model-resource branch from 86ac6f2 to 877f8dc on June 27, 2026 07:03
ethanndickson force-pushed the ethan/bedrock-role-arn branch from 6d0f35e to 10d7ae1 on June 29, 2026 02:34
ethanndickson requested a review from matifali on June 30, 2026 01:55
ethanndickson force-pushed the ethan/agents-model-resource branch from f04afaa to be8cc11 on June 30, 2026 02:13
ethanndickson force-pushed the ethan/bedrock-role-arn branch 3 times, most recently from ee92aa7 to f01d658 on June 30, 2026 05:44
ethanndickson force-pushed the ethan/agents-model-resource branch from 2fc431f to 85ed7f9 on June 30, 2026 05:44
ethanndickson force-pushed the ethan/bedrock-role-arn branch from f01d658 to 3ed74ae on June 30, 2026 06:29
ethanndickson force-pushed the ethan/agents-model-resource branch from 85ed7f9 to 3681e2e on June 30, 2026 06:29
ethanndickson force-pushed the ethan/bedrock-role-arn branch from 3ed74ae to 382af33 on June 30, 2026 13:03

ethanndickson (Member, Author) commented Jul 1, 2026

Merge activity

  • Jul 1, 5:55 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Jul 1, 6:01 AM UTC: Graphite couldn't merge this PR because it had merge conflicts.
  • Jul 1, 6:17 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Jul 1, 6:17 AM UTC: @ethanndickson merged this pull request with Graphite.

ethanndickson changed the base branch from ethan/agents-model-resource to graphite-base/372 on July 1, 2026 05:59
ethanndickson changed the base branch from graphite-base/372 to main on July 1, 2026 06:00
ethanndickson force-pushed the ethan/bedrock-role-arn branch from 382af33 to 837564e on July 1, 2026 06:14
ethanndickson merged commit 65aaf9b into main on Jul 1, 2026
14 checks passed
ethanndickson deleted the ethan/bedrock-role-arn branch on July 1, 2026 06:17