-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEAT]: AWS SDK Credential Provider Chain Not Following Standard Order in Bedrock Integration #2588
Comments
Excerpt from /**
* AWS Credentials. If no credentials are provided, the default credentials from
* `@aws-sdk/credential-provider-node` will be used.
*/
credentials?: CredentialType; Fallback to this is dependency behavior leads to
However, our implementation of anything-llm/server/utils/AiProviders/bedrock/index.js Lines 73 to 79 in a2eced0
And since the only way to invoke that client loader function is preceded by these statements anything-llm/server/utils/AiProviders/bedrock/index.js Lines 25 to 41 in a2eced0
This would enable the client on the invocation to always be passed credentials explicitly and the langchain dependency fallback behavior would not be invoked. This same principle/guard is implemented in That being said, I do think it is worth addressing more explicitly in the code, but accidental credential loading should be mitigated. If this however is not the case in reality then it requires addressing as a bug |
I agree with @dannysteenman, when the app is running on ECS I would expect the implementation to use the container task role instead of having to pass credentials to AnythingLLM explicitly somehow. |
Thanks for the detailed response @timothycarambat. I understand the current implementation always provides explicit credentials, which prevents the default AWS SDK credential provider chain from working as intended. Let me clarify my proposal:
This approach would:
Would you be open to this approach? I'm happy to submit a PR implementing these changes if you agree. Edit: I did a small change yesterday on our fork to test this and it worked on our own aws environment. |
Im not opposed to that at all if the behavior is known to work. Since the provider is loaded as needed simply creating a new env like AwsBedrockLLMAuthMethod: {
envKey: "AWS_BEDROCK_LLM_AUTH_METHOD",
checks: [(input) => ['iam_role','iam_user'].includes(input) ? null : "invalid Value"]]
}
// rest of checks The only thing I would elect we change from the proposed above is that we should always assume the default is So the provider can look like // ...
verifyAuth() {
if(process.env.AWS_BEDROCK_LLM_AUTH_METHOD === "iam_role") { // return or check default creds? }
// do regular checks
}
constructor(embedder = null, modelPreference = null) {
this.verifyAuth();
.....
} |
Thanks for the feedback, I have implemented your suggestion and kept credentials as the default if they are supplied by the user as an env var. Now I've updated the slider to include the iam role in favor of the session token since that essentially replaces that session token feature. The PR can be found over here: #2632 including screenshots of the UI change. I've tested it on aws ecs fargate with the following policy enabled on the task role ( I think its the same policy that was mentioned in the docs):
|
What would you like to see?
The recent implementation of temporary credentials support in PR #2554 (fixing #2299) doesn't fully align with AWS SDK's standard credential provider chain behavior.
Current Behavior
The implementation appears to prioritize explicit credentials (access key, secret key, session token) over the standard AWS credential provider chain.
Expected Behavior
The AWS SDK should follow the standard credential provider chain where:
This is particularly important for containerized environments (like ECS) where best practice is to use task role credentials rather than long-term or even temporary explicit credentials.
Benefits of Following Standard Chain
Proposed Solution
Update the Bedrock client initialization to:
The text was updated successfully, but these errors were encountered: