Skip to content

feat: cleanup plugin & support different auth modes for plugin based … #1392

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 10 commits into
base: main
Choose a base branch
from
Draft

feat: cleanup plugin & support different auth modes for plugin based … #1392

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
10 commits
Select commit Hold shift + click to select a range
fe35e93
feat: cleanup plugin & support different auth modes for plugin based …
b4s36t4 Oct 24, 2025
831e581
chore: allow assumed role for both runtimes
b4s36t4 Oct 29, 2025
9820478
fix: wrap getcontext in function and handle defined sessionToken
b4s36t4 Oct 31, 2025
d8a6b43
Merge branch 'main' of github.com:Portkey-AI/gateway into feat/bedroc…
b4s36t4 Nov 3, 2025
fec136e
Merge branch 'main' of github.com:Portkey-AI/gateway into feat/bedroc…
b4s36t4 Nov 4, 2025
2e9cd4a
Merge branch 'main' into feat/bedrock-plugin-cleanup
b4s36t4 Nov 6, 2025
3fef789
chore: add pod-identity auth for bedrock
b4s36t4 Nov 6, 2025
3fe43a3
Merge branch 'feat/bedrock-plugin-cleanup' of github.com:b4s36t4/rube…
b4s36t4 Nov 6, 2025
f8e6ba5
Merge branch 'main' of github.com:Portkey-AI/gateway into feat/bedroc…
b4s36t4 Nov 6, 2025
d95dc41
chore: update console with logger
b4s36t4 Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 63 additions & 44 deletions plugins/bedrock/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
import { PluginHandler } from '../types';
import { getRuntimeKey } from 'hono/adapter';
import { PluginHandler, PluginOptions } from '../types';
import {
getCurrentContentPart,
HttpError,
Expand All @@ -13,6 +14,8 @@ const REQUIRED_CREDENTIAL_KEYS = [
'awsRegion',
];

const runtime = getRuntimeKey();

export const validateCreds = (
credentials?: BedrockParameters['credentials']
) => {
Expand All @@ -22,52 +25,72 @@ export const validateCreds = (
};

export const handleCredentials = async (
options: Record<string, any>,
credentials: BedrockParameters['credentials'] | null
credentials: BedrockParameters['credentials'] | null,
options?: PluginOptions
) => {
const finalCredentials = {} as BedrockAccessKeyCreds;
if (credentials?.awsAuthType === 'assumedRole') {
try {
// Assume the role in the source account
const sourceRoleCredentials = await getAssumedRoleCredentials(
options.getFromCacheByKey,
options.putInCacheWithValue,
options.env,
options.env.AWS_ASSUME_ROLE_SOURCE_ARN, // Role ARN in the source account
options.env.AWS_ASSUME_ROLE_SOURCE_EXTERNAL_ID || '', // External ID for source role (if needed)
credentials.awsRegion || ''
);
if (runtime === 'workerd') {
try {
// Assume the role in the source account
const sourceRoleCredentials = await getAssumedRoleCredentials(
options?.env.AWS_ASSUME_ROLE_SOURCE_ARN, // Role ARN in the source account
options?.env.AWS_ASSUME_ROLE_SOURCE_EXTERNAL_ID || '', // External ID for source role (if needed)
credentials.awsRegion || '',
undefined,
options
);

if (!sourceRoleCredentials) {
throw new Error('Failed to assume internal role');
}
if (!sourceRoleCredentials) {
throw new Error('Failed to assume internal role');
}

// Assume role in destination account using temporary creds obtained in first step
const destinationCredentials =
// Assume role in destination account using temporary creds obtained in first step
const destinationCredentials =
(await getAssumedRoleCredentials(
credentials.awsRoleArn || '',
credentials.awsExternalId || '',
credentials.awsRegion || '',
{
accessKeyId: sourceRoleCredentials.accessKeyId,
secretAccessKey: sourceRoleCredentials.secretAccessKey,
sessionToken: sourceRoleCredentials.sessionToken,
},
options
)) || {};
if (!destinationCredentials) {
throw new Error('Failed to assume destination role');
}
finalCredentials.awsAccessKeyId = destinationCredentials.accessKeyId;
finalCredentials.awsSecretAccessKey =
destinationCredentials.secretAccessKey;
finalCredentials.awsSessionToken = destinationCredentials.sessionToken;
finalCredentials.awsRegion = credentials.awsRegion || '';
} catch {
throw new Error('Error while assuming role');
}
}
if (runtime === 'node') {
const { accessKeyId, secretAccessKey, sessionToken } =
(await getAssumedRoleCredentials(
options.getFromCacheByKey,
options.putInCacheWithValue,
options.env,
credentials.awsRoleArn || '',
credentials.awsExternalId || '',
credentials.awsRegion || '',
{
accessKeyId: sourceRoleCredentials.accessKeyId,
secretAccessKey: sourceRoleCredentials.secretAccessKey,
sessionToken: sourceRoleCredentials.sessionToken,
}
credentials.awsRegion || ''
)) || {};
if (!destinationCredentials) {
throw new Error('Failed to assume destination role');
}
finalCredentials.awsAccessKeyId = destinationCredentials.accessKeyId;
finalCredentials.awsSecretAccessKey =
destinationCredentials.secretAccessKey;
finalCredentials.awsSessionToken = destinationCredentials.sessionToken;
finalCredentials.awsRegion = credentials.awsRegion || '';
} catch {
throw new Error('Error while assuming role');

finalCredentials.awsAccessKeyId = accessKeyId;
finalCredentials.awsSecretAccessKey = secretAccessKey;
finalCredentials.awsSessionToken = sessionToken;
finalCredentials.awsRegion = credentials?.awsRegion;
}
} else if (credentials?.awsAuthType === 'serviceRole' && runtime === 'node') {
const { accessKeyId, secretAccessKey, sessionToken, awsRegion } =
await getAssumedRoleCredentials();

finalCredentials.awsAccessKeyId = accessKeyId;
finalCredentials.awsSecretAccessKey = secretAccessKey;
finalCredentials.awsSessionToken = sessionToken;
finalCredentials.awsRegion = awsRegion;
} else {
finalCredentials.awsAccessKeyId = credentials?.awsAccessKeyId || '';
finalCredentials.awsSecretAccessKey = credentials?.awsSecretAccessKey || '';
Expand Down Expand Up @@ -102,10 +125,7 @@ export const pluginHandler: PluginHandler<

try {
const credentials = parameters.credentials || null;
const finalCredentials = await handleCredentials(
options as Record<string, any>,
credentials
);
const finalCredentials = await handleCredentials(credentials, options);
const validate = validateCreds(finalCredentials);

const guardrailVersion = parameters.guardrailVersion;
Expand Down Expand Up @@ -152,7 +172,7 @@ export const pluginHandler: PluginHandler<
const interventionData = results.find(
(result) => result && result.action === 'GUARDRAIL_INTERVENED'
);
if (interventionData) {
if (interventionData?.action) {
verdict = false;
}

Expand All @@ -168,9 +188,8 @@ export const pluginHandler: PluginHandler<
if (result.assessments[0]?.wordPolicy) {
flaggedCategories.add('wordFilter');
}

if (hasTriggeredPII) {
continue;
break;
}

const sensitiveInfo = result.assessments[0]?.sensitiveInformationPolicy;
Expand Down
5 changes: 4 additions & 1 deletion plugins/bedrock/type.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,11 @@ export type BedrockAccessKeyCreds = {
};

export type BedrockAssumedRoleCreds = {
awsAuthType: 'assumedRole';
awsAuthType: 'assumedRole' | 'serviceRole';
awsRoleArn: string;
awsAccessKeyId: string;
awsSecretAccessKey: string;
awsSessionToken?: string;
awsExternalId: string;
awsRegion: string;
};
Expand Down
Loading