
Feature Request: AWS Web Identity Token / IRSA support for aws-bedrock #2849

@poiley

Summary

Add support for AWS Web Identity Token authentication (IRSA - IAM Roles for Service Accounts) to the aws-bedrock provider.

Related Issue

This is the AWS equivalent of #2560 (Workload Identity Federation for Vertex AI).

Problem

When running BAML in Amazon EKS with IAM Roles for Service Accounts (IRSA), the aws-bedrock provider cannot authenticate automatically.

IRSA provides credentials via:

  • AWS_WEB_IDENTITY_TOKEN_FILE - path to the projected service account token
  • AWS_ROLE_ARN - the IAM role to assume

But the aws-bedrock provider only reads:

  • AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY / AWS_SESSION_TOKEN
  • AWS_PROFILE

IRSA is the standard authentication method for production EKS workloads calling AWS services. Without native support, users must implement manual credential exchange.

Current Workaround

We use the fromTokenFile() helper from @aws-sdk/credential-providers to manually exchange the web identity token for temporary credentials, then pass them explicitly to BAML's ClientRegistry:

import { fromTokenFile } from '@aws-sdk/credential-providers';
import { ClientRegistry } from '@boundaryml/baml';

async function getIRSACredentials() {
  // fromTokenFile() reads AWS_WEB_IDENTITY_TOKEN_FILE + AWS_ROLE_ARN and calls
  // STS AssumeRoleWithWebIdentity. The returned credentials are temporary, so
  // the caller has to re-run this before they expire.
  const credentialsProvider = fromTokenFile();
  const credentials = await credentialsProvider();
  return {
    accessKeyId: credentials.accessKeyId,
    secretAccessKey: credentials.secretAccessKey,
    sessionToken: credentials.sessionToken,
  };
}

// Then pass the temporary credentials to ClientRegistry (top-level await needs an ESM module)
const cr = new ClientRegistry();
const creds = await getIRSACredentials();
cr.addLlmClient('bedrock', 'aws-bedrock', {
  model: 'us.meta.llama3-3-70b-instruct-v1:0',
  region: 'us-west-2',
  access_key_id: creds.accessKeyId,
  secret_access_key: creds.secretAccessKey,
  session_token: creds.sessionToken,
});

This works but adds complexity and requires caching/refreshing credentials manually.

Suggested Implementation

The Rust aws-config crate's DefaultCredentialsChain already includes WebIdentityTokenCredentialsProvider. Using this for credential resolution (instead of only checking explicit env vars) would enable IRSA automatically.

Alternatively, a minimal implementation could:

  1. Check for AWS_WEB_IDENTITY_TOKEN_FILE + AWS_ROLE_ARN env vars
  2. Call STS AssumeRoleWithWebIdentity to exchange the token
  3. Use the returned temporary credentials

Use Case

Production Kubernetes (EKS) deployment using BAML to call Amazon Bedrock for LLM inference. IRSA is the AWS-recommended way to grant pods access to AWS services without managing static credentials.

Environment

  • BAML version: 0.214.0
  • Runtime: Node.js (TypeScript)
  • Deployment: Amazon EKS with IRSA
