Skip to content

Added support for Bedrock API keys #983

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Added support for Bedrock API keys #983

wants to merge 1 commit into from

Conversation

andykuszyk
Copy link

Bedrock API keys offer a convenient alternative to authenticating with AWS to use Bedrock. This commit introduces an optional :api-key parameter for providing an API key, which takes precedence over other authentication methods.

@karthink
Copy link
Owner

Thanks for the PR, @andykuszyk.

  1. All gptel-backend structs including gptel-bedrock already provide a :key field, there is no need to add :api-key.
  2. I'm not sure about how this interacts with the now many other ways of authenticating provided by gptel-bedrock. @felipeochoa, @akssri: thoughts?

@andykuszyk
Copy link
Author

  1. All gptel-backend structs including gptel-bedrock already provide a :key field, there is no need to add :api-key.

Ah right, I didnt realise that! I'll test Bedrock access using :key and see how it goes 👍

@karthink
Copy link
Owner

karthink commented Jul 23, 2025 via email

@andykuszyk
Copy link
Author

  1. All gptel-backend structs including gptel-bedrock already provide a :key field, there is no need to add :api-key. Ah right, I didnt realise that! I'll test Bedrock access using :key and see how it goes 👍
    I doubt it will work, since AFAICT the auth functionality isn't implemented for :key. I was commention only on the name of the field. The authors of gptel-bedrock (pinged above) might have more information for us.

You're right, it doesn't work as-is:

image

felipeochoa
felipeochoa reviewed Jul 29, 2025
View reviewed changes
gptel-bedrock.el Outdated
@@ -628,11 +637,12 @@ STREAM - Whether to use streaming responses or not."
:header nil ; x-amz-security-token is set in curl-args if needed
:models (gptel--process-models models)
:model-region model-region
:api-key api-key
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this just needs to be replaced with :key api-key to use the default gptel field. But can you call this bedrock-api-key so it's clear what it refers to?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@felipeochoa I've refactored this PR based on your comment, and changed the name of this parameter 👍

@felipeochoa
Copy link

I think it would be better to not touch gptel-bedrock--get-credentials since the AWS credential search space is complex enough.

Better would be to handle this directly in gptel-bedrock--curl-args using the built-in :key field as @karthink mentioned. Something like:

(defun gptel-bedrock--curl-args (region backend)
  "Generate the curl arguments to get a bedrock request signed for use in REGION."
  (let* ((api-key (gptel-backend-key backend))
         (auth-args (if api-key (new-code) (existing-code))))
   (nconc etc.)))

@andykuszyk
Added support for Bedrock API keys
0a4cf87 
[Bedrock API keys](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html)
offer a convenient alternative to authenticating with AWS to use
Bedrock. This commit introduces an optional `:bedrock-api-key` parameter for
providing an API key, which takes precedence over other authentication methods.
@andykuszyk
Copy link
Author

@felipeochoa @karthink I've re-worked this PR based on your feedback (thanks for your advice 🙏 🙂 ).

I've also tested this locally with both a Bedrock API key and an AWS profile for authentication, and it seems to work fine for both 👍

@karthink
Copy link
Owner

karthink commented Aug 6, 2025

@andykuszyk I can merge this with a minimal review once @felipeochoa or @akssri give us the go-ahead.

@karthink karthink mentioned this pull request Aug 7, 2025
Open
leezu
leezu reviewed Aug 7, 2025
View reviewed changes
gptel-bedrock.el
@@ -635,7 +642,9 @@ parameters (as plist keys) and values supported by the API."
(gptel--make-bedrock
:name name
:host host
:header nil ; x-amz-security-token is set in curl-args if needed
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not set the bearer token in curl-args as well to keep the logic centralized? See https://github.com/karthink/gptel/pull/1007/files as an example

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good idea 👍

I guess we could allow the API key to be set as either an elisp parameter, or as an environment variable?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
2 more reviewers

@leezu leezu leezu left review comments

@felipeochoa felipeochoa felipeochoa left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
bedrock
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@andykuszyk @karthink @felipeochoa @leezu