build-on-aws · sebsto · Jun 26, 2025 · Jun 26, 2025 · Jun 26, 2025 · Jun 26, 2025
diff --git a/Sources/BedrockAuthentication+JWT.swift b/Sources/BedrockAuthentication+JWT.swift
@@ -16,6 +16,13 @@
 import AWSSDKIdentity
 import Logging
 
+// for setenv and unsetenv functions
+#if os(Linux)
+import Glibc
+#else
+import Darwin.C
+#endif
+
 #if canImport(FoundationEssentials)
 import FoundationEssentials
 #else
@@ -60,18 +67,22 @@ extension BedrockAuthentication {
         // to create AWS credentials
         do {
             logger.trace("Creating identity resolver using web identity token")
-            let identityResolver = try STSWebIdentityAWSCredentialIdentityResolver(
-                region: region.rawValue,
-                roleArn: roleARN,
-                roleSessionName: "SwiftBedrockService-\(UUID().uuidString)",
-                tokenFilePath: tokenFilePath
-            )
+            setenv("AWS_REGION", region.rawValue, 1)
+            setenv("AWS_ROLE_ARN", roleARN, 1)
+            setenv("AWS_ROLE_SESSION_NAME", "SwiftBedrockService-\(UUID().uuidString)", 1)
+            setenv("AWS_WEB_IDENTITY_TOKEN_FILE", tokenFilePath, 1)
+            let identityResolver = STSWebIdentityAWSCredentialIdentityResolver(source: .env)
 
             // Test the resolver by retrieving credentials to ensure it works
             logger.trace("Retrieving credentials using web identity token")
-            _ = try await identityResolver.crtAWSCredentialIdentityResolver.getCredentials()
+            _ = try await identityResolver.getIdentity(identityProperties: nil)
             logger.trace("Successfully retrieved credentials using web identity token")
 
+            unsetenv("AWS_REGION")
+            unsetenv("AWS_ROLE_ARN")
+            unsetenv("AWS_ROLE_SESSION_NAME")
+            unsetenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+
             // Notify observers, if any
             logger.trace("Notifying observers of credentials update")
             await MainActor.run {

diff --git a/Sources/BedrockAuthentication.swift b/Sources/BedrockAuthentication.swift
@@ -76,7 +76,7 @@ public enum BedrockAuthentication: Sendable, CustomStringConvertible {
         case .static(let accessKey, let secretKey, let sessionToken):
             logger.warning("Using static AWS credentials. This is not recommended for production.")
             let creds = AWSCredentialIdentity(accessKey: accessKey, secret: secretKey, sessionToken: sessionToken)
-            return try StaticAWSCredentialIdentityResolver(creds)
+            return StaticAWSCredentialIdentityResolver(creds)
         }
     }
 }