Add bearer token authentication for AWS Bedrock API keys

AWS Bedrock supports API key authentication via bearer tokens
(Authorization: Bearer <token>), as an alternative to SigV4 signing.
See: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html

The existing Anthropic::BedrockClient only supports SigV4, so this adds
a BearerClient that subclasses Anthropic::Client directly, reusing its
built-in auth_token support while copying the Bedrock-specific request
transformations (URL path rewriting, anthropic_version injection).

The provider now checks for a bearer token first (via aws_bearer_token
option or AWS_BEARER_TOKEN_BEDROCK env var) and falls back to the
existing SigV4 path when no token is present.

Also adds extra_headers and anthropic_beta to Bedrock::Options, which
are required by the inherited AnthropicProvider at runtime.

Author: Davidslv

lib/active_agent/providers/bedrock/_types.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "options"
+require_relative "bearer_client"
 require_relative "../anthropic/_types"
 
 # Bedrock uses the same request/response types as Anthropic.

lib/active_agent/providers/bedrock/bearer_client.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module ActiveAgent
+  module Providers
+    module Bedrock
+      # Client for AWS Bedrock using bearer token (API key) authentication.
+      #
+      # Subclasses Anthropic::Client directly to reuse its built-in bearer
+      # token support via the +auth_token+ parameter, while adding Bedrock-
+      # specific request transformations (URL path rewriting, anthropic_version
+      # injection) copied from Anthropic::BedrockClient.
+      #
+      # This avoids Anthropic::BedrockClient which requires SigV4 credentials
+      # and would fail when only a bearer token is available.
+      #
+      # @see https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html
+      class BearerClient < ::Anthropic::Client
+        BEDROCK_VERSION = "bedrock-2023-05-31"
+
+        # @return [String]
+        attr_reader :aws_region
+
+        # @param aws_region [String] AWS region for the Bedrock endpoint
+        # @param bearer_token [String] AWS Bedrock API key (bearer token)
+        # @param base_url [String, nil] Override the default Bedrock endpoint
+        # @param max_retries [Integer]
+        # @param timeout [Float]
+        # @param initial_retry_delay [Float]
+        # @param max_retry_delay [Float]
+        def initialize(
+          aws_region:,
+          bearer_token:,
+          base_url: nil,
+          max_retries: self.class::DEFAULT_MAX_RETRIES,
+          timeout: self.class::DEFAULT_TIMEOUT_IN_SECONDS,
+          initial_retry_delay: self.class::DEFAULT_INITIAL_RETRY_DELAY,
+          max_retry_delay: self.class::DEFAULT_MAX_RETRY_DELAY
+        )
+          @aws_region = aws_region
+
+          base_url ||= "https://bedrock-runtime.#{aws_region}.amazonaws.com"
+
+          super(
+            auth_token: bearer_token,
+            api_key: nil,
+            base_url: base_url,
+            max_retries: max_retries,
+            timeout: timeout,
+            initial_retry_delay: initial_retry_delay,
+            max_retry_delay: max_retry_delay
+          )
+
+          @messages = ::Anthropic::Resources::Messages.new(client: self)
+          @completions = ::Anthropic::Resources::Completions.new(client: self)
+          @beta = ::Anthropic::Resources::Beta.new(client: self)
+        end
+
+        private
+
+        # Intercepts request building to apply Bedrock-specific transformations
+        # before the parent class processes the request.
+        def build_request(req, opts)
+          fit_req_to_bedrock_specs!(req)
+          req = super
+          body = req.fetch(:body)
+          req[:body] = StringIO.new(body.to_a.join) if body.is_a?(Enumerator)
+          req
+        end
+
+        # Rewrites Anthropic API paths to Bedrock endpoint paths and injects
+        # the Bedrock anthropic_version field.
+        #
+        # Adapted from Anthropic::Helpers::Bedrock::Client#fit_req_to_bedrock_specs!
+        def fit_req_to_bedrock_specs!(request_components)
+          if (body = request_components[:body]).is_a?(Hash)
+            body[:anthropic_version] ||= BEDROCK_VERSION
+            body.transform_keys!("anthropic-beta": :anthropic_beta)
+          end
+
+          case request_components[:path]
+          in %r{^v1/messages/batches}
+            raise NotImplementedError, "The Batch API is not supported in Bedrock yet"
+          in %r{v1/messages/count_tokens}
+            raise NotImplementedError, "Token counting is not supported in Bedrock yet"
+          in %r{v1/models\?beta=true}
+            raise NotImplementedError,
+                  "Please instead use https://docs.anthropic.com/en/api/claude-on-amazon-bedrock#list-available-models " \
+                  "to list available models on Bedrock."
+          else
+          end
+
+          if %w[
+            v1/complete
+            v1/messages
+            v1/messages?beta=true
+          ].include?(request_components[:path]) && request_components[:method] == :post && body.is_a?(Hash)
+            model = body.delete(:model)
+            model = URI.encode_www_form_component(model.to_s)
+            stream = body.delete(:stream) || false
+            request_components[:path] =
+              stream ? "model/#{model}/invoke-with-response-stream" : "model/#{model}/invoke"
+          end
+
+          request_components
+        end
+      end
+    end
+  end
+end

lib/active_agent/providers/bedrock/options.rb

@@ -36,7 +36,9 @@ class Options < Common::BaseModel
         attribute :aws_secret_key,    :string
         attribute :aws_session_token, :string
         attribute :aws_profile,       :string
+        attribute :aws_bearer_token,  :string
         attribute :base_url,          :string
+        attribute :anthropic_beta,    :string
 
         attribute :max_retries,         :integer, default: ::Anthropic::Client::DEFAULT_MAX_RETRIES
         attribute :timeout,             :float,   default: ::Anthropic::Client::DEFAULT_TIMEOUT_IN_SECONDS
@@ -51,15 +53,22 @@ def initialize(kwargs = {})
             aws_access_key:    kwargs[:aws_access_key]    || ENV["AWS_ACCESS_KEY_ID"],
             aws_secret_key:    kwargs[:aws_secret_key]    || ENV["AWS_SECRET_ACCESS_KEY"],
             aws_session_token: kwargs[:aws_session_token] || ENV["AWS_SESSION_TOKEN"],
-            aws_profile:       kwargs[:aws_profile]       || ENV["AWS_PROFILE"]
+            aws_profile:       kwargs[:aws_profile]       || ENV["AWS_PROFILE"],
+            aws_bearer_token:  kwargs[:aws_bearer_token]  || ENV["AWS_BEARER_TOKEN_BEDROCK"]
           )))
         end
 
+        # Bedrock handles authentication at the client level (SigV4 or bearer token),
+        # so no extra headers are needed in request options.
+        def extra_headers
+          {}
+        end
+
         # Excludes sensitive AWS credentials from serialized output.
         # The provider's client() method reads credentials directly from options attributes.
         def serialize
           attributes.symbolize_keys.except(
-            :aws_access_key, :aws_secret_key, :aws_session_token, :aws_profile
+            :aws_access_key, :aws_secret_key, :aws_session_token, :aws_profile, :aws_bearer_token
           )
         end
       end

lib/active_agent/providers/bedrock_provider.rb

@@ -43,23 +43,37 @@ def self.prompt_request_type
         Anthropic::RequestType.new
       end
 
-      # Returns a configured Bedrock client using AWS credentials.
+      # Returns a configured Bedrock client.
       #
-      # Uses Anthropic::BedrockClient which handles SigV4 signing,
-      # credential resolution, and Bedrock URL path rewriting internally.
+      # When a bearer token is available (via +aws_bearer_token+ option or
+      # +AWS_BEARER_TOKEN_BEDROCK+ env var), uses {Bedrock::BearerClient}
+      # which sends an +Authorization: Bearer+ header.
       #
-      # @return [Anthropic::Helpers::Bedrock::Client]
+      # Otherwise, falls back to {Anthropic::BedrockClient} which handles
+      # SigV4 signing, credential resolution, and Bedrock URL path rewriting.
+      #
+      # @return [Bedrock::BearerClient, Anthropic::Helpers::Bedrock::Client]
       def client
-        @client ||= ::Anthropic::BedrockClient.new(
-          aws_region:        options.aws_region,
-          aws_access_key:    options.aws_access_key,
-          aws_secret_key:    options.aws_secret_key,
-          aws_session_token: options.aws_session_token,
-          aws_profile:       options.aws_profile,
-          base_url:          options.base_url.presence,
-          max_retries:       options.max_retries,
-          timeout:           options.timeout
-        )
+        @client ||= if options.aws_bearer_token.present?
+          Bedrock::BearerClient.new(
+            aws_region:    options.aws_region,
+            bearer_token:  options.aws_bearer_token,
+            base_url:      options.base_url.presence,
+            max_retries:   options.max_retries,
+            timeout:       options.timeout
+          )
+        else
+          ::Anthropic::BedrockClient.new(
+            aws_region:        options.aws_region,
+            aws_access_key:    options.aws_access_key,
+            aws_secret_key:    options.aws_secret_key,
+            aws_session_token: options.aws_session_token,
+            aws_profile:       options.aws_profile,
+            base_url:          options.base_url.presence,
+            max_retries:       options.max_retries,
+            timeout:           options.timeout
+          )
+        end
       end
     end
   end