
Resolve AWS credentials using default credentials provider chain for Bedrock

Open msvechla opened this issue 8 months ago • 2 comments

This switches to resolving AWS credentials using the default AWS credentials provider chain.

This has the advantage that AWS credentials are resolved in the same way as other AWS tools do. It also supports more mechanisms now like AWS profiles, AWS authentication via single-sign on and more.

It is a breaking change for bedrock users, as the old BEDROCK_KEYS env var will no longer work, however it gives much more flexibility in terms of authentication.

I have used this in my custom provider for quite some time successfully: https://gitlab.com/msvechla/avante-provider-bedrock.nvim

Let me know if you have some thoughts on this or other improvement ideas.

Thanks a lot!

msvechla avatar Mar 27 '25 21:03 msvechla

@yetone the Lint Lua CI findings appear to be false-positives. Is there anything else I should work on to get this merged? Thanks a lot!

msvechla avatar Mar 31 '25 11:03 msvechla

It doesn't seem to be a false alarm. I'll find some time to fix these two lint errors.

yetone avatar Apr 01 '25 08:04 yetone

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar Apr 16 '25 02:04 github-actions[bot]

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 10 days.

github-actions[bot] avatar May 01 '25 02:05 github-actions[bot]

@yetone looks like all checks are passing now and I removed the dependency as requested. Let me know if there is something else I should check!

msvechla avatar May 14 '25 07:05 msvechla

Hey, this seems like an awesome enhancement but it doesn't seem to be working for me. I've validated that

aws configure export-credentials --profile default --region us-east-1

works for me and returns the expected 3 fields as JSON, and I know this account has access to the model because when I use the same values in a BEDROCK_KEYS format like so:

        AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id)
        AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key)
        AWS_SESSION_TOKEN=$(aws configure get aws_session_token)
        AWS_REGION="us-east-1"
        export BEDROCK_KEYS="$AWS_ACCESS_KEY_ID,$AWS_SECRET_ACCESS_KEY,$AWS_REGION,$AWS_SESSION_TOKEN"

the plugin works as expected. However without setting BEDROCK_KEYS the plugin doesn't work. It still prompts me to enter a value for BEDROCK_KEYS. Is that expected?

uthmanmoh avatar May 22 '25 04:05 uthmanmoh
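
An added example, not part of any comment in this thread and not avante.nvim code: a paste-safe check of the JSON that `aws configure export-credentials` prints, for comparing what the provider chain resolves against a hand-built `BEDROCK_KEYS` without exposing the secret key or session token. The function names `summarize` and `export_credentials` and all sample values are constructed for illustration.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample in the JSON shape printed by
# `aws configure export-credentials --format process`; every value is fake.
SAMPLE = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
    "SecretAccessKey": "constructed-secret-not-real",
    "SessionToken": "constructed-token-not-real",
    "Expiration": "2025-05-22T05:00:00+00:00",
})

def export_credentials(profile):
    """Resolve credentials for a profile via the AWS CLI (not run by the sample)."""
    cmd = ["aws", "configure", "export-credentials",
           "--profile", profile, "--format", "process"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def summarize(raw_json, now=None):
    """Return a paste-safe summary: no secret key or token, only their presence."""
    now = now or datetime.now(timezone.utc)
    creds = json.loads(raw_json)
    key_id = creds.get("AccessKeyId") or ""
    # AKIA = long-term IAM user key, ASIA = temporary STS credentials.
    kind = {"AKIA": "long-term", "ASIA": "temporary"}.get(key_id[:4], "unknown")
    problems = [f"missing {f}" for f in ("AccessKeyId", "SecretAccessKey")
                if not creds.get(f)]
    if kind == "temporary" and not creds.get("SessionToken"):
        problems.append("temporary key without SessionToken")
    expires_in = None
    if creds.get("Expiration"):
        expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
        expires_in = int((expiry - now).total_seconds())
        if expires_in <= 0:
            problems.append("credentials expired")
    return {
        "access_key_id": (key_id[:4] + "..." + key_id[-4:]) if key_id else None,
        "kind": kind,
        "has_session_token": bool(creds.get("SessionToken")),
        "expires_in_seconds": expires_in,
        "problems": problems,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE, now=datetime(2025, 5, 22, 4, 5, tzinfo=timezone.utc)))
```
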

I am using this setup daily, so there should be no issues.

Can you paste your avante.nvim config? Also what version of avante are you using and what version of curl do you have setup on your machine?

return {
	{
		"yetone/avante.nvim",
		event = "VeryLazy",
		lazy = false,
		opts = {
			auto_suggestions_provider = "claude",
			provider = "bedrock",
			bedrock = {
				model = "eu.anthropic.claude-3-7-sonnet-20250219-v1:0",
				max_tokens = 20480,
				temperature = 0,
				aws_profile = "bedrock",
				aws_region = "eu-central-1",
			},
		},
	},
}

msvechla avatar May 22 '25 09:05 msvechla

  {
    "yetone/avante.nvim",
    version = false,
    build = "make",
    keys = {
      "<leader>aa",
      "<leader>at",
    },
    cmd = { "AvanteChat", "AvanteEdit", "AvanteModels", "AvanteShowRepoMap", "AvanteToggle", "AvanteAsk" },
    opts = {
      -- Default configuration
      hints = { enabled = false },

      auto_suggestions_provider = "bedrock",
      cursor_applying_provider = "bedrock",
      behaviour = {
        enable_cursor_planning_mode = true, -- enable cursor planning mode!
        auto_suggestions = true,
      },

      ---@alias AvanteProvider "claude" | "openai" | "azure" | "gemini" | "cohere" | "copilot" | "bedrock" | string
      provider = "bedrock",
      bedrock = {
        model = "us.anthropic.claude-3-7-sonnet-20250219-v1:0",
        aws_profile = "default",
        aws_region = "us-east-1",
      },

      -- File selector configuration
      --- @alias FileSelectorProvider "native" | "fzf" | "mini.pick" | "snacks" | "telescope" | string
      selector = {
        provider = "snacks", -- Avoid native provider issues
      },
    },
  },

Currently on commit 87c4c6b and

❯ curl --version
curl 8.13.0 (x86_64-pc-linux-gnu) libcurl/8.13.0 OpenSSL/3.5.0 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libssh2/1.11.1 nghttp2/1.65.0 librtmp/2.3 OpenLDAP/2.6.9
Release-Date: 2025-04-02
Protocols: dict file ftp ftps gopher gophers http https imap imaps ipfs ipns ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd

❯ aws --version
aws-cli/2.17.65 Python/3.12.6 Linux/5.10.236-208.928.amzn2int.x86_64 exe/x86_64.amzn.2

❯ vi --version
NVIM v0.12.0-dev-375+gd25eb246ef
Build type: RelWithDebInfo
LuaJIT 2.1.1744317938
Run "nvim -V1 -v" for more info

uthmanmoh avatar May 22 '25 14:05 uthmanmoh

@uthmanmoh that looks good, what error do you get from avante? How does it prompt you for the BEDROCK_KEYS?

msvechla avatar May 22 '25 15:05 msvechla

https://github.com/user-attachments/assets/bc6b3131-13d1-4688-8db9-11dbd0e74b4d

Hmm interestingly it's behaving a bit different today. It seems like it actually ends up working after I ignore the input for BEDROCK_KEYS. Yesterday I was getting an error when making a request too.

So seems like it always expects BEDROCK_KEYS to be set?

uthmanmoh avatar May 22 '25 16:05 uthmanmoh

Hello,

Thanks for the nice addition!

First, I can confirm that ignoring the input for key, instead of blindly hitting enter, would allow nvim to read the config through credential provider normally. A bit counterintuitive but not too bad.

Cross-region inference seems to be a problem though. Probably this is a US thing, but Amazon has been ramping up with its requirements of cross-region inference for their top models, so that their top models (Claude Sonnet 4/3.7, Deepseek R1...) can only be called when an inference profile ID and inference profile ARN are provided. (Link to the description).

For example, the following error will arise without providing the cross-region inference parameters:

- Datetime: 2025-06-04 15:42:41

- Model: bedrock/anthropic.claude-3-7-sonnet-20250219-v1:0

- Selected files:
  - src/components/PostRendering.vue

> Who are you?


Error: API request failed with status 400. Body: '{"message":"Invocation of model ID anthropic.claude-3-7-sonnet-20250219-v1:0 with on-demand throughput isn’t supported. Retry your request with the ID or ARN of an inference profile that contains this model."}'

Is there a plan to add support for Inference Profile ID and Inference Profile ARN as two optional parameters in the bedrock config?

tixwho avatar Jun 04 '25 21:06 tixwho

Inference profiles should already work, you just have to use the correct model identifier. E.g.

			providers = {
				bedrock = {
					model = "us.anthropic.claude-sonnet-4-20250514-v1:0",
					extra_request_body = {
						max_tokens = 32000,
						temperature = 0,
					},
					aws_profile = "bedrock",
					aws_region = "us-east-1",
				},
			},

Should use cross-region inference for the US (see the us.) at the model arn. Or are you talking about some other inference?

msvechla avatar Jun 05 '25 10:06 msvechla