Direct IAM Federation, Inference Profiles, and Claude Sonnet 4.5 Support (#36)

* feat: Add Direct IAM federation support alongside Cognito Identity Pool (#32)

This major update introduces Direct IAM federation as an alternative to Cognito Identity Pool,
providing more flexibility in authentication methods. Both federation types are fully supported
and can be selected during initialization.

Key changes:
- Add Direct IAM federation using STS AssumeRoleWithWebIdentity
- Support for Okta, Azure AD, Auth0, and Cognito User Pools via Direct IAM
- Rename cognito_auth module to credential_provider (more accurate name)
- Add provider-specific CloudFormation templates for better organization
- Improve CloudFormation error handling with custom exceptions
- Add automatic federation type detection in credential provider
- Update all CLI commands to support both federation methods
- Session duration configurable up to 12 hours for Direct IAM

Infrastructure:
- New bedrock-authentication.yaml as unified template
- Provider-specific templates for Okta, Azure, Auth0, Cognito User Pools
- Remove dual mode option - users choose either Direct IAM or Cognito
- Improved IAM role structure with provider-specific roles

Documentation:
- Update README, ARCHITECTURE, DEPLOYMENT, and CLI_REFERENCE docs
- Document both authentication methods without bias
- Clear explanations of configuration options

Breaking changes:
- cognito_auth module renamed to credential_provider
- New configuration field: federation_type (direct/cognito)
- New configuration field: federated_role_arn (for Direct IAM)

Migration:
- Existing Cognito deployments continue to work
- Auto-detection of federation type based on config
- Backward compatibility maintained

* feat: Add Bedrock inference profile permissions for cross-region support (#33) (#34)

- Added bedrock:ListInferenceProfiles permission to list available inference profiles
- Added bedrock:GetInferenceProfile permission to get details about specific profiles
- Updated ARCHITECTURE.md to document all IAM permissions granted to authenticated users
- These permissions enable cross-region inference profile discovery and selection

* feat: Add Bedrock inference profile permissions to Direct IAM templates

- Added bedrock:ListInferenceProfiles and bedrock:GetInferenceProfile permissions
- Updated all provider-specific templates (Okta, Azure, Auth0, Cognito User Pool)
- Updated legacy bedrock-authentication.yaml for consistency
- Enables cross-region inference profile discovery and selection for all federation types

Related: #35 (tracks removal of deprecated fallback template)

* feat: Add Direct IAM federation, inference profiles, and Claude Sonnet 4.5 support

Author: schuettc

.gitignore

@@ -53,4 +53,9 @@ tests/
 assets/docs/planning
 
 .pytest_cache/
-.ruff_cache/
+.ruff_cache/
+.coverage
+.epcc
+
+EPCC_*
+PRs/

.prettierignore

@@ -0,0 +1 @@
+*.yaml

CHANGELOG.md

@@ -0,0 +1,58 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [1.1.0] - 2025-09-30
+
+### Added
+
+- **Direct IAM Federation**: Alternative to Cognito Identity Pool for authentication (#32)
+  - Support for Okta, Azure AD, Auth0, and Cognito User Pools
+  - Session duration configurable up to 12 hours
+  - Provider-specific CloudFormation templates
+  - Automatic federation type detection
+- **Claude Sonnet 4.5 Support**: Full support for the latest Claude Sonnet 4.5 model
+  - US CRIS profile (us-east-1, us-east-2, us-west-1, us-west-2)
+  - EU CRIS profile (8 European regions: Frankfurt, Zurich, Stockholm, Ireland, London, Paris, Milan, Spain)
+  - Japan CRIS profile (Tokyo, Osaka)
+  - Global CRIS profile (23 regions worldwide including North America, Europe, Asia Pacific, and South America)
+- **Inference Profile Permissions**: Added bedrock:ListInferenceProfiles and bedrock:GetInferenceProfile (#33, #34)
+- **CloudFormation Utilities**: New exception handling and CloudFormation helper utilities
+- **Global Endpoint Support**: IAM policies now properly support global inference profile ARNs
+
+### Changed
+
+- **Module Rename**: `cognito_auth` → `credential_provider` (more accurate naming)
+- **IAM Policy Structure**: Split IAM policy statements into separate regional and global statements
+  - Regional resources use `aws:RequestedRegion` condition
+  - Global resources have no region condition
+- **Deploy Command**: Refactored deploy.py with improved error handling and provider template support
+- **Region Configuration**: Init wizard now dynamically uses regions from model profiles instead of hardcoded fallbacks
+- **CloudWatch Metrics**: Fixed Resource specification to use '\*' instead of Bedrock ARNs
+- **Configuration Schema**: Added federation_type and federated_role_arn fields
+
+### Fixed
+
+- Global endpoint access now works correctly without region condition blocking
+- CloudFormation error handling improved across all commands
+- Region condition no longer incorrectly applied to regionless global endpoints
+- Init process properly handles all CRIS profile regions for selected model
+
+### Infrastructure
+
+- 4 new provider-specific CloudFormation templates (Okta, Azure AD, Auth0, Cognito User Pool)
+- Improved IAM role structure with provider-specific roles
+- CloudFormation exception handling and utilities
+
+### Documentation
+
+- Updated README, ARCHITECTURE, DEPLOYMENT, and CLI_REFERENCE
+- Clear explanations of both authentication methods
+- Documented configuration options for all providers
+
+## [1.0.0] - Previous Release
+
+Initial release with enterprise authentication support.

README.md

@@ -113,9 +113,9 @@ Step-by-step flow for end-users:
 
 ## Architecture Overview
 
-![Architecture Diagram](assets/images/credential-flow-diagram.png)
+### Authentication Flow (with Cognito Identity Pool)
 
-### Authentication Flow
+![Architecture Diagram](assets/images/credential-flow-diagram.png)
 
 1. **User initiates authentication**: User requests access to Amazon Bedrock through Claude Code
 2. **OIDC authentication**: User authenticates with their OIDC provider and receives an ID token
@@ -126,6 +126,17 @@ Step-by-step flow for end-users:
 7. **Access Amazon Bedrock**: Application uses the temporary credentials to call Amazon Bedrock
 8. **Bedrock response**: Amazon Bedrock processes the request and returns the response
 
+### Authentication Flow (direct to IAM)
+
+![Architecture Diagram](assets/images/credential-flow-direct-diagram.png)
+
+1. **User initiates authentication**: User requests access to Amazon Bedrock through Claude Code
+2. **OIDC authentication**: User authenticates with their OIDC provider and receives an ID token
+3. **Token submission to IAM**: Application sends the OIDC ID token to Amazon Cognito
+4. **IAM returns credentials**: AWS IAM validates and returns temporary AWS credentials
+5. **Access Amazon Bedrock**: Application uses the temporary credentials to call Amazon Bedrock
+6. **Bedrock response**: Amazon Bedrock processes the request and returns the response
+
 ### Cost
 
 _You are responsible for the cost of the AWS services used while running this guidance._
@@ -155,7 +166,7 @@ Based on AWS Pricing Calculator: [View Detailed Estimate](https://calculator.aws
 
 - AWS account with appropriate IAM permissions to create:
   - CloudFormation stacks
-  - Cognito Identity Pools
+  - IAM OIDC Providers or Cognito Identity Pools
   - IAM roles and policies
   - (Optional) Amazon Elastic Container Service (Amazon ECS) tasks and Amazon CloudWatch dashboards
   - (Optional) Amazon Athena, AWS Glue, AWS Lambda, and Amazon Data Firehose resources
@@ -182,7 +193,7 @@ Based on AWS Pricing Calculator: [View Detailed Estimate](https://calculator.aws
 
 The guidance can be deployed in any AWS region that supports:
 
-- Amazon Cognito Identity Pools
+- IAM OIDC Providers or Amazon Cognito Identity Pools
 - Amazon Bedrock
 - (Optional) Amazon Elastic Container Service (Amazon ECS) tasks and Amazon CloudWatch dashboards
 - (Optional) Amazon Athena, AWS Glue, AWS Lambda, and Amazon Data Firehose resources
@@ -257,8 +268,8 @@ This creates the following AWS resources:
 
 **Authentication Infrastructure:**
 
-- Amazon Cognito Identity Pool for OIDC federation
-- IAM OIDC Provider trust relationship
+- IAM OIDC Provider or Amazon Cognito Identity Pool for OIDC federation
+- IAM trust relationship for federated access
 - IAM role with policies for:
   - Bedrock model invocation in specified regions
   - CloudWatch metrics (if monitoring enabled)

assets/docs/ARCHITECTURE.md

@@ -12,13 +12,27 @@ The Claude Code authentication system enables secure, scalable access to Amazon
 
 ### Authentication Components
 
-The core authentication component is the credential process located in `source/cognito_auth/`. This implements a complete OAuth2/OIDC client with PKCE flow for secure authentication without client secrets. When packaged for distribution, PyInstaller compiles this into a standalone executable that end users can run without needing Python installed. The credential process supports multiple identity providers including Okta, Azure AD, Auth0, and Cognito User Pools through a flexible provider registry system. Once authenticated, credentials are cached either in the operating system's secure keyring or in session files, depending on the organization's preference. The implementation follows the AWS CLI credential process protocol, making it transparent to any AWS SDK or tool.
+The core authentication component is the credential process located in `source/credential_provider/`. This implements a complete OAuth2/OIDC client with PKCE flow for secure authentication without client secrets. When packaged for distribution, PyInstaller compiles this into a standalone executable that end users can run without needing Python installed. The credential process supports multiple identity providers including Okta, Azure AD, Auth0, and Cognito User Pools through a flexible provider registry system. Once authenticated, credentials are cached either in the operating system's secure keyring or in session files, depending on the organization's preference. The implementation follows the AWS CLI credential process protocol, making it transparent to any AWS SDK or tool.
 
 The management CLI in `source/claude_code_with_bedrock/` provides IT administrators with tools to deploy and manage the infrastructure. Built on the Cleo framework, it offers an intuitive command-line interface for initialization, deployment, and package generation. This component is used only during setup and is not distributed to end users.
 
 ### AWS Infrastructure Components
 
-The authentication infrastructure centers on an Amazon Cognito Identity Pool that federates OIDC tokens into AWS credentials. This creates a trust relationship between the organization's identity provider and AWS through an IAM OIDC Provider. The associated IAM role grants permissions specifically for Amazon Bedrock model invocation in configured regions. Every API call includes session tags containing the user's email and subject claim, ensuring complete attribution in CloudTrail logs.
+The authentication infrastructure supports two federation methods. With Direct IAM Federation, an IAM OIDC Provider creates the trust relationship between the organization's identity provider and AWS, allowing direct token exchange via STS. With Cognito Identity Pool, Amazon Cognito acts as an intermediary that federates OIDC tokens into AWS credentials. Both methods use IAM roles that grant permissions specifically for Amazon Bedrock model invocation in configured regions. Every API call includes session tags containing the user's email and subject claim, ensuring complete attribution in CloudTrail logs.
+
+#### IAM Permissions
+
+The IAM role assigned to authenticated users grants the following Amazon Bedrock permissions:
+
+- `bedrock:InvokeModel` - Invoke foundation models for text generation
+- `bedrock:InvokeModelWithResponseStream` - Invoke models with streaming responses
+- `bedrock:ListFoundationModels` - List available foundation models
+- `bedrock:GetFoundationModel` - Get details about specific models
+- `bedrock:GetFoundationModelAvailability` - Check model availability in regions
+- `bedrock:ListInferenceProfiles` - List available cross-region inference profiles
+- `bedrock:GetInferenceProfile` - Get details about specific inference profiles
+
+These permissions are scoped to the configured regions and enable users to discover and invoke models through cross-region inference profiles, ensuring optimal performance and availability.
 
 #### IAM Permissions
 
@@ -42,9 +56,25 @@ For organizations requiring detailed analytics, the optional analytics stack pro
 
 The authentication flow begins when Claude Code requests AWS credentials through the AWS CLI. The CLI invokes our credential process executable, which initiates an OAuth2 flow with PKCE (Proof Key for Code Exchange) to ensure security without requiring client secrets. A browser window opens automatically, directing the user to their organization's identity provider for authentication.
 
-After successful authentication, the identity provider redirects back to the local callback server with an authorization code. The credential process exchanges this code for OIDC tokens, then presents the ID token to Amazon Cognito Identity Pool. Cognito validates the token and calls STS AssumeRoleWithWebIdentity to obtain temporary AWS credentials. These credentials include session tags containing the user's email and subject claim, ensuring every subsequent API call to Amazon Bedrock can be attributed to the specific user.
+After successful authentication, the identity provider redirects back to the local callback server with an authorization code. The credential process exchanges this code for OIDC tokens. The system then uses one of two authentication methods to obtain AWS credentials:
+
+### Authentication Methods
+
+The system supports two authentication methods:
+
+**Direct IAM Federation**
+- Uses IAM OIDC Provider with STS AssumeRoleWithWebIdentity
+- Direct federation from OIDC tokens to AWS credentials
+- Configurable session duration up to 12 hours
+
+**Cognito Identity Pool**
+- Uses Amazon Cognito Identity Pool as federation broker
+- Cognito manages the OIDC to AWS credential exchange
+- Configurable session duration up to 8 hours
+
+The authentication method is selected during initial configuration and both methods provide full CloudTrail attribution through session tags. These credentials include session tags containing the user's email and subject claim, ensuring every subsequent API call to Amazon Bedrock can be attributed to the specific user.
 
-The temporary credentials are returned to Claude Code through the standard AWS CLI credential process protocol. By default, credentials last for one hour but can be configured up to eight hours. The entire flow operates without any client secrets or long-lived credentials, following zero-trust security principles. Credentials are cached securely using either the operating system's keyring service or encrypted session files, preventing repeated authentication requests during the session lifetime.
+The temporary credentials are returned to Claude Code through the standard AWS CLI credential process protocol. The entire flow operates without any client secrets or long-lived credentials, following zero-trust security principles. Credentials are cached securely using either the operating system's keyring service or encrypted session files, preventing repeated authentication requests during the session lifetime.
 
 ## AWS CLI Credential Process Protocol
 

assets/docs/CLI_REFERENCE.md

@@ -60,7 +60,10 @@ poetry run ccwb init [options]
 
 - Checks prerequisites (AWS CLI, credentials, Python version)
 - Prompts for OIDC provider configuration
-- Configures AWS settings (region, identity pool name)
+- Prompts for authentication method selection:
+  - Direct IAM: Uses IAM OIDC Provider for federation
+  - Cognito: Uses Cognito Identity Pool for federation
+- Configures AWS settings (region, stack names)
 - Prompts for Claude model selection (Opus, Sonnet, Haiku)
 - Configures cross-region inference profiles (US, Europe, APAC)
 - Prompts for source region selection for model inference
@@ -90,14 +93,14 @@ poetry run ccwb deploy [stack] [options]
 
 **What it does:**
 
-- Deploys Cognito Identity Pool for authentication
+- Deploys authentication infrastructure (IAM OIDC Provider or Cognito Identity Pool)
 - Creates IAM roles and policies for Bedrock access
 - Deploys monitoring infrastructure (if enabled)
-- Shows stack outputs including Identity Pool ID
+- Shows stack outputs including authentication resource identifiers
 
 **Stacks deployed:**
 
-1. **auth** - Cognito Identity Pool and IAM roles (always required)
+1. **auth** - Authentication infrastructure and IAM roles (always required)
 2. **networking** - VPC and networking resources for monitoring (optional)
 3. **monitoring** - OpenTelemetry collector on ECS Fargate (optional)
 4. **dashboard** - CloudWatch dashboard for usage metrics (optional)

assets/docs/DEPLOYMENT.md

@@ -34,6 +34,8 @@ poetry install
 
 The `ccwb` (Claude Code with Bedrock) CLI tool guides you through deployment with an interactive wizard. Run `poetry run ccwb init` to begin. The wizard walks you through each configuration decision, starting with your OIDC provider details - enter the domain and Client ID you noted earlier.
 
+The wizard asks you to choose an authentication method. You can select either Direct IAM federation or Cognito Identity Pool based on your organization's requirements. Both methods provide secure OIDC federation to AWS credentials.
+
 Next, you'll select your Claude model and configure regional access. Choose from available Claude models (Opus, Sonnet, Haiku) and select a cross-region inference profile (US, Europe, or APAC) for optimal performance. The wizard will then prompt you to select a source region within your chosen profile for model inference. Finally, choose where to deploy the authentication infrastructure (typically your primary AWS region) and configure optional monitoring setup, which provides usage analytics and cost tracking through OpenTelemetry.
 
 Once configuration is complete, deploy the infrastructure with:
@@ -42,7 +44,7 @@ Once configuration is complete, deploy the infrastructure with:
 poetry run ccwb deploy
 ```
 
-This single command orchestrates the creation of multiple AWS resources. A Cognito Identity Pool establishes the trust relationship with your identity provider. IAM roles and policies grant precisely scoped Bedrock access. If you enabled monitoring, it also deploys an ECS Fargate cluster running OpenTelemetry collector, complete with CloudWatch dashboards.
+This single command orchestrates the creation of multiple AWS resources. Depending on your chosen authentication method, it creates either an IAM OIDC Provider or a Cognito Identity Pool to establish the trust relationship with your identity provider. IAM roles and policies grant precisely scoped Bedrock access. If you enabled monitoring, it also deploys an ECS Fargate cluster running OpenTelemetry collector, complete with CloudWatch dashboards.
 
 > **Deployment Options**: For more control, see the [CLI Reference](CLI_REFERENCE.md) for deploying specific stacks or using dry-run mode.
 

assets/docs/WINDOWS_BUILD_SYSTEM.md

@@ -513,7 +513,7 @@ C:\Python312\python.exe -m nuitka \
   --output-filename=credential-process-windows.exe \
   --output-dir=. \
   --remove-output \                # Clean up build artifacts
-  source/cognito_auth/__main__.py
+  source/credential_provider/__main__.py
 ```
 
 ### Build Performance
@@ -600,7 +600,7 @@ C:\Python312\python.exe -m nuitka \
 
 ```
 /source/
-├── cognito_auth/
+├── credential_provider/
 │   └── __main__.py           # Main authentication module
 ├── otel_helper/
 │   └── __main__.py           # Telemetry helper module