Merge pull request #68 from Contrast-Security-OSS/AIML-195

AIML-195: Add support for AWS_BEARER_TOKEN_BEDROCK authentication

Author: ChrisEdwards

action.yml

@@ -53,6 +53,12 @@ inputs:
   anthropic_api_key:
     description: 'Anthropic API key'
     required: false
+  aws_bearer_token_bedrock:
+    description: 'AWS Bedrock API Bearer Token (alternative to AWS IAM credentials)'
+    required: false
+  aws_region:
+    description: 'AWS Region for Bedrock (required when using aws_bearer_token_bedrock)'
+    required: false
   azure_api_key:
     description: 'Azure API Key for Azure OpenAI'
     required: false
@@ -364,6 +370,9 @@ runs:
         GEMINI_API_KEY: ${{ inputs.gemini_api_key }}
         # --- Anthropic Credentials (LiteLLM) ---
         ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+        # --- AWS Bedrock API Bearer Token (LiteLLM) ---
+        AWS_BEARER_TOKEN_BEDROCK: ${{ inputs.aws_bearer_token_bedrock }}
+        AWS_REGION_NAME: ${{ inputs.aws_region }}
         # --- Azure Credentials for Azure OpenAI (LiteLLM) ---
         AZURE_API_KEY: ${{ inputs.azure_api_key }}
         AZURE_API_BASE: ${{ inputs.azure_api_base }}

docs/contrast-ai-smartfix.yml.template

@@ -37,6 +37,7 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     steps:
+      # Option A: Configure AWS Credentials using IAM (Recommended for production)
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
         with:
@@ -45,6 +46,10 @@ jobs:
           aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
           aws-region: ${{ vars.AWS_REGION }}
 
+      # Option B: Use Bedrock API Keys (Simpler but less secure)
+      # If using API keys, omit the "Configure AWS Credentials" step above
+      # and uncomment the aws_bearer_token_bedrock and aws_region lines below in the action inputs
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
@@ -75,6 +80,9 @@ jobs:
           gemini_api_key: ${{ secrets.GEMINI_API_KEY }}
           # --- Anthropic API Credentials ---
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+          # --- AWS Bedrock API Key (Alternative to IAM credentials, less secure) ---
+          # aws_bearer_token_bedrock: ${{ secrets.AWS_BEARER_TOKEN_BEDROCK }}
+          # aws_region: ${{ vars.AWS_REGION }}
           # --- Azure Open API Credentials ---
           # azure_api_key: ${{ secrets.AZURE_API_KEY }}
           # azure_api_base: ${{ secrets.AZURE_API_BASE }}

docs/smartfix_coding_agent.md

@@ -60,8 +60,8 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event_name == 'workflow_dispatch' || github.event_name == 'schedule'
     steps:
-      # For Claude via AWS Bedrock, please include an additional setup step for configuring AWS credentials
-      # This step can be omitted if using another LLM provider.
+      # For Claude via AWS Bedrock with IAM credentials (Option A - Recommended)
+      # This step can be omitted if using another LLM provider or using Bedrock API keys (Option B).
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
@@ -70,6 +70,12 @@ jobs:
           aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }}
           aws-region: ${{ vars.AWS_REGION }}
 
+      # Alternative: For Claude via AWS Bedrock with API keys (Option B - Simpler but less secure)
+      # If using this method, omit the "Configure AWS Credentials" step above and uncomment the lines below
+      # in the "Run Contrast AI SmartFix - Generate Fixes Action" step:
+      # aws_bearer_token_bedrock: ${{ secrets.AWS_BEARER_TOKEN_BEDROCK }}
+      # aws_region: ${{ vars.AWS_REGION }}
+
       - name: Checkout repository
         uses: actions/checkout@v4
         with:
@@ -180,7 +186,9 @@ The SmartFix Coding Agent uses a "Bring Your Own LLM" (BYOLLM) model. You provid
     * Provide your `anthropic_api_key`.
   * Option 2 - AWS Bedrock:
     * Set `agent_model` to the appropriate model string (e.g., `bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0`).
-    * In order for the action to an AWS Bedrock LLM, you need to provide AWS credentials. We recommend using [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) to configure your credentials for a job.
+    * In order for the action to use an AWS Bedrock LLM, you need to provide AWS credentials using one of two methods:
+      * **Option A - IAM Credentials (Recommended):** Use [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) to configure your credentials with AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN, and AWS_REGION. This is the recommended approach for production use.
+      * **Option B - Bedrock API Keys:** Provide your `aws_bearer_token_bedrock` and `aws_region` directly to the action. This is a simpler setup but is less secure than IAM credentials. Use with caution and review AWS security best practices. See [AWS Bedrock API Keys](https://aws.amazon.com/blogs/machine-learning/accelerate-ai-development-with-amazon-bedrock-api-keys/) for more information.
 
 * **Experimental:** **Google Gemini Pro (e.g., Gemini 2.5 Pro)**. Preliminary testing shows good results.
   * Set `agent_model` to the appropriate model string (e.g., `gemini/gemini-2.5-pro-preview-05-06`).
@@ -262,6 +270,8 @@ The following are key inputs for the SmartFix GitHub Action using SmartFix Codin
 | `contrast_api_key` | Contrast API Key. | Yes |  |
 | `agent_model` | LLM model to use (e.g., `bedrock/anthropic.claude-3-sonnet-20240229-v1:0`). | No | `bedrock/us.anthropic.claude-3-7-sonnet-20250219-v1:0` |
 | `anthropic_api_key` | Anthropic API key (if using direct Anthropic API). | No |  |
+| `aws_bearer_token_bedrock` | AWS Bedrock API Bearer Token (alternative to IAM credentials). Use with caution - less secure than IAM. | No |  |
+| `aws_region` | AWS Region for Bedrock (required when using `aws_bearer_token_bedrock`). | No |  |
 | `gemini_api_key` | Gemini API key (if using Gemini). | No |  |
 | `build_command` | Command to build the application (for QA). | Yes, for generating fixes |  |
 | `formatting_command` | Command to format code. | No |  |

test/test_aws_bearer_token_bedrock.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python
+# -
+# #%L
+# Contrast AI SmartFix
+# %%
+# Copyright (C) 2025 Contrast Security, Inc.
+# %%
+# Contact: [email protected]
+# License: Commercial
+# NOTICE: This Software and the patented inventions embodied within may only be
+# used as part of Contrast Security's commercial offerings. Even though it is
+# made available through public repositories, use of this Software is subject to
+# the applicable End User Licensing Agreement found at
+# https://www.contrastsecurity.com/enduser-terms-0317a or as otherwise agreed
+# between Contrast Security and the End User. The Software may not be reverse
+# engineered, modified, repackaged, sold, redistributed or otherwise used in a
+# way not consistent with the End User License Agreement.
+# #L%
+#
+
+"""
+Unit tests for AWS_BEARER_TOKEN_BEDROCK environment variable support.
+
+This module tests that the AWS_BEARER_TOKEN_BEDROCK environment variable
+is properly handled and available for LiteLLM to use for Bedrock authentication.
+"""
+
+import sys
+import unittest
+import os
+
+# Add project root to path for imports
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), '..')))
+
+# Import config module (need to initialize before other imports)
+from src.config import get_config  # noqa: E402
+
+# Initialize config with testing flag
+_ = get_config(testing=True)
+
+
+class TestAwsBearerTokenBedrock(unittest.TestCase):
+    """Test cases for AWS_BEARER_TOKEN_BEDROCK environment variable support."""
+
+    def test_environment_variable_can_be_set(self):
+        """Test that AWS_BEARER_TOKEN_BEDROCK environment variable can be set and retrieved."""
+        test_token = "test-bearer-token-12345"
+
+        # Set the environment variable
+        os.environ['AWS_BEARER_TOKEN_BEDROCK'] = test_token
+
+        # Verify it can be retrieved
+        self.assertEqual(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'), test_token)
+
+        # Clean up
+        del os.environ['AWS_BEARER_TOKEN_BEDROCK']
+
+    def test_environment_variable_not_set_returns_none(self):
+        """Test that missing AWS_BEARER_TOKEN_BEDROCK returns None."""
+        # Ensure the variable is not set
+        if 'AWS_BEARER_TOKEN_BEDROCK' in os.environ:
+            del os.environ['AWS_BEARER_TOKEN_BEDROCK']
+
+        # Verify it returns None when not set
+        self.assertIsNone(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'))
+
+    def test_bearer_token_precedence_over_iam(self):
+        """Test that AWS_BEARER_TOKEN_BEDROCK can coexist with IAM credentials."""
+        # Set both bearer token and IAM credentials
+        os.environ['AWS_BEARER_TOKEN_BEDROCK'] = "test-bearer-token"
+        os.environ['AWS_ACCESS_KEY_ID'] = "test-access-key"
+        os.environ['AWS_SECRET_ACCESS_KEY'] = "test-secret-key"
+
+        try:
+            # Verify both are set (LiteLLM will determine which to use based on its own logic)
+            self.assertIsNotNone(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'))
+            self.assertIsNotNone(os.environ.get('AWS_ACCESS_KEY_ID'))
+            self.assertIsNotNone(os.environ.get('AWS_SECRET_ACCESS_KEY'))
+
+        finally:
+            # Clean up
+            for key in ['AWS_BEARER_TOKEN_BEDROCK', 'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY']:
+                if key in os.environ:
+                    del os.environ[key]
+
+    def test_empty_bearer_token_is_ignored(self):
+        """Test that an empty AWS_BEARER_TOKEN_BEDROCK value is handled gracefully."""
+        # Set an empty bearer token
+        os.environ['AWS_BEARER_TOKEN_BEDROCK'] = ""
+
+        try:
+            # Verify it's set but empty
+            self.assertEqual(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'), "")
+
+            # An empty token should be falsy
+            self.assertFalse(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'))
+
+        finally:
+            # Clean up
+            if 'AWS_BEARER_TOKEN_BEDROCK' in os.environ:
+                del os.environ['AWS_BEARER_TOKEN_BEDROCK']
+
+    def test_aws_region_name_can_be_set(self):
+        """Test that AWS_REGION_NAME environment variable can be set and retrieved."""
+        test_region = "us-east-1"
+
+        # Set the environment variable
+        os.environ['AWS_REGION_NAME'] = test_region
+
+        try:
+            # Verify it can be retrieved
+            self.assertEqual(os.environ.get('AWS_REGION_NAME'), test_region)
+
+        finally:
+            # Clean up
+            if 'AWS_REGION_NAME' in os.environ:
+                del os.environ['AWS_REGION_NAME']
+
+    def test_bearer_token_and_region_together(self):
+        """Test that AWS_BEARER_TOKEN_BEDROCK and AWS_REGION_NAME can be used together."""
+        test_token = "test-bearer-token-abc123"
+        test_region = "us-west-2"
+
+        # Set both environment variables
+        os.environ['AWS_BEARER_TOKEN_BEDROCK'] = test_token
+        os.environ['AWS_REGION_NAME'] = test_region
+
+        try:
+            # Verify both are set correctly
+            self.assertEqual(os.environ.get('AWS_BEARER_TOKEN_BEDROCK'), test_token)
+            self.assertEqual(os.environ.get('AWS_REGION_NAME'), test_region)
+
+        finally:
+            # Clean up
+            for key in ['AWS_BEARER_TOKEN_BEDROCK', 'AWS_REGION_NAME']:
+                if key in os.environ:
+                    del os.environ[key]
+
+
+if __name__ == '__main__':
+    unittest.main()