Description
Please let me know if I'm missing something.

When using aws_sdk_bedrock_runtime to invoke Amazon Nova Sonic in a private VPC (us-west-2), the HTTP stack cannot honor HTTP_PROXY / HTTPS_PROXY because the CRT-based HTTP client does not expose any proxy configuration.
This makes aws_sdk_bedrock_runtime unusable in environments where all outbound internet access must go through a proxy (e.g., ECS Fargate in private subnets without NAT or VPC endpoint).
Application creates a Bedrock client:
```python
crt_http_client = create_crt_http_client(PROXY_URL if not IS_DEV else None)
bedrock_nova_sonic_config = BedrockConfig(
    endpoint_uri=f"https://bedrock-runtime.{ONLY_AVAILABLE_REGION_FOR_AWS_NOVA}.amazonaws.com",
    region=ONLY_AVAILABLE_REGION_FOR_AWS_NOVA,
    aws_credentials_identity_resolver=EnvironmentCredentialsResolver(),
    http_auth_scheme_resolver=HTTPAuthSchemeResolver(),
    http_auth_schemes={"aws.auth#sigv4": SigV4AuthScheme()},
    http_client=crt_http_client,
)
bedrock_client = BedrockRuntimeClient(bedrock_nova_sonic_config)
```
That crt_http_client is always an instance of:
```python
from smithy_http.aio.crt import AWSCRTHTTPClient
```
Which in turn requires AWSCRTHTTPClientConfig:
```python
class AWSCRTHTTPClientConfig(http_interfaces.HTTPClientConfiguration):
    def __post_init__(self) -> None:
        _assert_crt()
```
And the actual client implementation:
```python
class AWSCRTHTTPClient(http_aio_interfaces.HTTPClient):
    _HTTP_PORT = 80
    _HTTPS_PORT = 443

    def __init__(self, eventloop=None, client_config=None):
        _assert_crt()
        self._config = client_config or AWSCRTHTTPClientConfig()
        self._eventloop = eventloop or _AWSCRTEventLoop()
        self._client_bootstrap = self._eventloop.bootstrap
        self._tls_ctx = crt_io.ClientTlsContext(crt_io.TlsContextOptions())
        self._socket_options = crt_io.SocketOptions()
        self._connections = {}
```
The only config type available is:
```python
@dataclass(kw_only=True)
class HTTPClientConfiguration:
    """Client-level HTTP configuration.

    :param force_http_2: Whether to require HTTP/2.
    """

    force_http_2: bool = False
```
There is no field for proxy configuration, nor does AWSCRTHTTPClient internally handle HTTP_PROXY / HTTPS_PROXY.
The underlying call in _build_new_connection goes directly to crt_http.HttpClientConnection.new(...) with just host_name, port, socket_options, and tls_connection_options.
Please add first-class proxy support to smithy-http’s AWSCRTHTTPClient.
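
Added example (not part of the issue and not smithy-http code): the environment resolution a proxy-aware client needs before it opens a connection to the Bedrock endpoint above, using only the standard library. `ProxySettings`, `resolve_proxy` and the sample environment are hypothetical and constructed; the code assumes a plain-HTTP CONNECT proxy given with an explicit port.

```python
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample environment (not from the issue).
SAMPLE_ENV = {"HTTPS_PROXY": "http://svc-user:s3cret@proxy.internal.example:3128",
              "NO_PROXY": "169.254.169.254,.internal.example"}

@dataclass(frozen=True)
class ProxySettings:  # hypothetical type, not part of smithy-http
    host: str
    port: int
    username: Optional[str] = None
    password: Optional[str] = None

    def redacted(self) -> str:
        # Log-safe form: never echo proxy credentials.
        return f"http://{'***@' if self.username else ''}{self.host}:{self.port}"

def _bypassed(host: str, no_proxy: str) -> bool:
    # NO_PROXY is a comma-separated list of hosts or domain suffixes; "*" means all.
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if entry == "*":
            return True
        suffix = entry.lstrip("*").lstrip(".")
        if suffix and (host == suffix or host.endswith("." + suffix)):
            return True
    return False

def resolve_proxy(endpoint: str, env: Mapping[str, str]) -> Optional[ProxySettings]:
    """Return the proxy for `endpoint`, or None when it must be reached directly."""
    target = urlsplit(endpoint)
    lowered = {k.lower(): v for k, v in env.items()}  # accept HTTPS_PROXY and https_proxy
    raw = lowered.get(f"{target.scheme}_proxy", "").strip()
    if not raw or _bypassed((target.hostname or "").lower(), lowered.get("no_proxy", "")):
        return None
    proxy = urlsplit(raw if "://" in raw else f"http://{raw}")
    # Assumption: plain-HTTP CONNECT proxy. Fail closed on anything ambiguous
    # instead of silently falling back to a direct connection.
    if proxy.scheme != "http" or not proxy.hostname or proxy.port is None:
        raise ValueError("proxy URL must be http://host:port")
    return ProxySettings(proxy.hostname, proxy.port,
                         unquote(proxy.username) if proxy.username else None,
                         unquote(proxy.password) if proxy.password else None)

if __name__ == "__main__":
    print(resolve_proxy("https://bedrock-runtime.us-west-2.amazonaws.com", SAMPLE_ENV).redacted())
```

awscrt's `HttpProxyOptions` takes the same host, port and credential fields, and `HttpClientConnection.new` accepts a `proxy_options` argument.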