feat(amazon-bedrock): add support for default credentials provider and profile configuration

Closes #368

Author: Blarc

CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## [Unreleased]
 
+### Added
+
+- Support AWS SDK default credential locations for Bedrock Integration (#368).
+
 ## [2.15.0] - 2025-08-30
 
 ### Changed

src/main/kotlin/com/github/blarc/ai/commits/intellij/plugin/settings/AppSettings2.kt

@@ -93,6 +93,7 @@ class AppSettings2 : PersistentStateComponent<AppSettings2> {
 
     override fun loadState(state: AppSettings2) {
         XmlSerializerUtil.copyBean(state, this)
+        llmClientConfigurations.forEach { it.afterSerialization() }
     }
 
     override fun noStateLoaded() {

src/main/kotlin/com/github/blarc/ai/commits/intellij/plugin/settings/clients/LLMClientConfiguration.kt

@@ -100,6 +100,10 @@ abstract class LLMClientConfiguration(
         return ActionUpdateThread.EDT
     }
 
+    open fun afterSerialization() {
+        // Allow overriding
+    }
+
 //    override fun equals(other: Any?): Boolean {
 //        return other is LLMClientConfiguration && other.id == id
 //    }

src/main/kotlin/com/github/blarc/ai/commits/intellij/plugin/settings/clients/amazonBedrock/AmazonBedrockClientConfiguration.kt

@@ -19,13 +19,17 @@ class AmazonBedrockClientConfiguration : LLMClientConfiguration(
     "0.7"
 ) {
 
+    @Attribute
+    var useStaticCredentialsProvider: Boolean? = null
     @Attribute
     var accessKeyId: String? = null
     @Attribute
     var accessKeyIsStored: Boolean = false
     @Transient
     var accessKey: String? = null
     @Attribute
+    var profileName: String? = null
+    @Attribute
     var timeout: Int = 30
     @Attribute
     var topP: Double? = null
@@ -66,9 +70,11 @@ class AmazonBedrockClientConfiguration : LLMClientConfiguration(
         copy.name = name
         copy.modelId = modelId
         copy.temperature = temperature
+        copy.useStaticCredentialsProvider = useStaticCredentialsProvider
         copy.accessKeyId = accessKeyId
         copy.accessKeyIsStored = accessKeyIsStored
         copy.accessKey = accessKey
+        copy.profileName = profileName
         copy.timeout = timeout
         copy.topP = topP
         copy.topK = topK
@@ -80,6 +86,14 @@ class AmazonBedrockClientConfiguration : LLMClientConfiguration(
 
     override fun panel() = AmazonBedrockClientPanel(this)
 
+    override fun afterSerialization() {
+        // All new configurations should have this property set upon creation
+        if (useStaticCredentialsProvider == null) {
+            // Old version supported only static provider
+            useStaticCredentialsProvider = true
+        }
+    }
+
     class RegionConverter : Converter<Region>() {
         override fun toString(value: Region): String? {
             return value.toString()

src/main/kotlin/com/github/blarc/ai/commits/intellij/plugin/settings/clients/amazonBedrock/AmazonBedrockClientPanel.kt

@@ -1,11 +1,12 @@
-package com.github.blarc.ai.commits.intellij.plugin.settings.clients.amazonBedrock;
+package com.github.blarc.ai.commits.intellij.plugin.settings.clients.amazonBedrock
 
 import com.github.blarc.ai.commits.intellij.plugin.AICommitsBundle.message
 import com.github.blarc.ai.commits.intellij.plugin.emptyText
 import com.github.blarc.ai.commits.intellij.plugin.isInt
 import com.github.blarc.ai.commits.intellij.plugin.settings.clients.LLMClientPanel
 import com.intellij.openapi.ui.ComboBox
 import com.intellij.ui.components.JBPasswordField
+import com.intellij.ui.components.JBRadioButton
 import com.intellij.ui.components.JBTextField
 import com.intellij.ui.dsl.builder.*
 import software.amazon.awssdk.regions.Region
@@ -17,6 +18,9 @@ class AmazonBedrockClientPanel private constructor(
 
     private val accessKeyIdField = JBTextField()
     private val accessKeyPasswordField = JBPasswordField()
+    private val profileNameField = JBTextField()
+    private lateinit var useDefaultCredentialsProviderRadioButton: Cell<JBRadioButton>
+    private lateinit var useStaticCredentialsProviderRadioButton: Cell<JBRadioButton>
     private val regionComboBox = ComboBox(Region.regions().toTypedArray())
     private val maxOutputTokensTextField = JBTextField()
     private val topPTextField = JBTextField()
@@ -29,6 +33,8 @@ class AmazonBedrockClientPanel private constructor(
         modelIdRow(commentKey = "settings.amazonBedrock.modelId.comment")
         temperatureRow()
         timeoutRow(clientConfiguration::timeout)
+        credentialsProviderRow()
+        profileNameRow()
         accessKeyIdRow()
         accessKeyRow()
         regionRow()
@@ -38,6 +44,34 @@ class AmazonBedrockClientPanel private constructor(
         verifyRow()
     }
 
+    private fun Panel.credentialsProviderRow() {
+        buttonsGroup {
+            row {
+                label(message("settings.amazonBedrock.credentialsProvider"))
+                    .widthGroup("label")
+                useDefaultCredentialsProviderRadioButton = radioButton(message("settings.amazonBedrock.defaultCredentialsProvider"))
+                    .bindSelected({ !(clientConfiguration.useStaticCredentialsProvider ?: false) }, { clientConfiguration.useStaticCredentialsProvider = !it })
+                    .align(Align.FILL)
+                useStaticCredentialsProviderRadioButton = radioButton(message("settings.amazonBedrock.staticCredentialsProvider"))
+                    .bindSelected(clientConfiguration::useStaticCredentialsProvider.toNonNullableProperty(true))
+                    .align(Align.FILL)
+                contextHelp(message("settings.amazonBedrock.defaultCredentialsProvider.comment"))
+                    .align(AlignX.RIGHT)
+            }
+        }
+    }
+
+    private fun Panel.profileNameRow() {
+        row {
+            label(message("settings.amazonBedrock.profileName"))
+                .widthGroup("label")
+            cell(profileNameField)
+                .bindText(clientConfiguration::profileName.toNonNullableProperty(""))
+                .resizableColumn()
+                .align(Align.FILL)
+        }.visibleIf(useDefaultCredentialsProviderRadioButton.selected)
+    }
+
     private fun Panel.accessKeyIdRow() {
         row {
             label(message("settings.amazonBedrock.accessKeyId"))
@@ -47,7 +81,7 @@ class AmazonBedrockClientPanel private constructor(
                 .emptyText(message("settings.amazonBedrock.accessKeyId.example"))
                 .resizableColumn()
                 .align(Align.FILL)
-        }
+        }.visibleIf(useStaticCredentialsProviderRadioButton.selected)
     }
 
     private fun Panel.accessKeyRow() {
@@ -63,7 +97,7 @@ class AmazonBedrockClientPanel private constructor(
                 .align(Align.FILL)
                 // maxLineLength was eye-balled, but prevents the dialog getting wider
                 .comment(message("settings.amazonBedrock.accessKey.comment"), 50)
-        }
+        }.visibleIf(useStaticCredentialsProviderRadioButton.selected)
     }
 
     private fun Panel.regionRow() {
@@ -96,6 +130,8 @@ class AmazonBedrockClientPanel private constructor(
         // Configuration passed to panel is already a copy of the original or a new configuration
         clientConfiguration.modelId = modelComboBox.item
         clientConfiguration.temperature = temperatureTextField.text
+        clientConfiguration.useStaticCredentialsProvider = useStaticCredentialsProviderRadioButton.component.isSelected
+        clientConfiguration.profileName = profileNameField.text
         clientConfiguration.accessKeyId = accessKeyIdField.text
         clientConfiguration.accessKey = String(accessKeyPasswordField.password)
         clientConfiguration.timeout = socketTimeoutTextField.text.toInt()

src/main/kotlin/com/github/blarc/ai/commits/intellij/plugin/settings/clients/amazonBedrock/AmazonBedrockClientService.kt

@@ -18,6 +18,8 @@ import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.launch
 import software.amazon.awssdk.auth.credentials.AwsBasicCredentials
+import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider
+import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider
 import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider
 import software.amazon.awssdk.services.bedrockruntime.BedrockRuntimeAsyncClient
 import software.amazon.awssdk.services.bedrockruntime.BedrockRuntimeClient
@@ -32,19 +34,16 @@ class AmazonBedrockClientService(private val cs: CoroutineScope) : LLMClientServ
     }
 
     override suspend fun buildChatModel(client: AmazonBedrockClientConfiguration): ChatModel {
-        val accessKey = client.accessKeyId.nullize(true) ?: retrieveToken(client.id)?.toString(true)
-        val credentials = AwsBasicCredentials.builder()
-            .accessKeyId(client.accessKeyId)
-            .secretAccessKey(accessKey)
-            .build()
-
         return BedrockChatModel.builder()
             .modelId(client.modelId)
             .region(client.region)
             .timeout(Duration.ofSeconds(client.timeout.toLong()))
-            .client(BedrockRuntimeClient.builder()
-                .region(client.region)
-                .credentialsProvider(StaticCredentialsProvider.create(credentials)).build())
+            .client(
+                BedrockRuntimeClient.builder()
+                    .region(client.region)
+                    .credentialsProvider(getCredentialProvider(client))
+                    .build()
+            )
             .defaultRequestParameters(
                 BedrockChatRequestParameters.builder()
                     .topP(client.topP)
@@ -57,20 +56,16 @@ class AmazonBedrockClientService(private val cs: CoroutineScope) : LLMClientServ
     }
 
     override suspend fun buildStreamingChatModel(client: AmazonBedrockClientConfiguration): StreamingChatModel? {
-        val accessKey = client.accessKeyId.nullize(true) ?: retrieveToken(client.id)?.toString(true)
-        val credentials = AwsBasicCredentials.builder()
-            .accessKeyId(client.accessKeyId)
-            .secretAccessKey(accessKey)
-            .build()
-
         return BedrockStreamingChatModel.builder()
             .modelId(client.modelId)
             .region(client.region)
             .timeout(Duration.ofSeconds(client.timeout.toLong()))
             .client(
                 BedrockRuntimeAsyncClient.builder()
-                .region(client.region)
-                .credentialsProvider(StaticCredentialsProvider.create(credentials)).build())
+                    .region(client.region)
+                    .credentialsProvider(getCredentialProvider(client))
+                    .build()
+            )
             .defaultRequestParameters(
                 BedrockChatRequestParameters.builder()
                     .topP(client.topP)
@@ -82,6 +77,21 @@ class AmazonBedrockClientService(private val cs: CoroutineScope) : LLMClientServ
             .build()
     }
 
+    suspend fun getCredentialProvider(client: AmazonBedrockClientConfiguration): AwsCredentialsProvider {
+        if (client.useStaticCredentialsProvider == true) {
+            val accessKey = client.accessKeyId.nullize(true) ?: retrieveToken(client.id)?.toString(true)
+            return StaticCredentialsProvider.create(
+                AwsBasicCredentials.builder()
+                    .accessKeyId(client.accessKeyId)
+                    .secretAccessKey(accessKey)
+                    .build()
+            )
+        }
+        return DefaultCredentialsProvider.builder()
+            .profileName(client.profileName)
+            .build()
+    }
+
     fun saveToken(client: AmazonBedrockClientConfiguration, token: String) {
         cs.launch(Dispatchers.Default) {
             try {

src/main/resources/messages/AiCommitsBundle.properties

@@ -156,3 +156,8 @@ settings.amazonBedrock.accessKeyId=Access key ID
 settings.amazonBedrock.maxOutputTokens=Max output tokens
 settings.amazonBedrock.region=Region
 settings.amazonBedrock.modelId.comment=Models IDs can be found <a href="https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html">here</a>.
+settings.amazonBedrock.credentialsProvider=Credentials provider:
+settings.amazonBedrock.defaultCredentialsProvider=Default
+settings.amazonBedrock.staticCredentialsProvider=Static
+settings.amazonBedrock.profileName=Profile name
+settings.amazonBedrock.defaultCredentialsProvider.comment=Use Default for discovering credentials from the host's environment and Static for a fixed set of credentials.