Skip to content

Native AWS Bedrock provider (Claude/GPT) with AWS profile support #1557

Description

@mxschmitt

Feature summary

Native AWS Bedrock support as a model provider (Claude, GPT-OSS, etc.), with the ability to specify an AWS profile for credentials.

What problem are you trying to solve?

The current custom/BYOK provider integration assumes an OpenAI-compatible HTTP endpoint authenticated with a static API key (the same shape used for Microsoft Foundry, OpenCode, Ollama, etc.). AWS Bedrock doesn't fit that model in two ways:

  1. Auth — Bedrock authenticates with AWS SigV4 / IAM credentials (access key + secret, session tokens, assume-role), not a single bearer/API key. Many AWS shops disable long-lived keys entirely and rely on profiles/SSO.
  2. Protocol — Bedrock speaks its native Converse / InvokeModel API, not OpenAI /chat/completions. The request/response and streaming shapes differ, so pointing the existing custom-endpoint client at a Bedrock endpoint doesn't work.

Today the only way to use Bedrock models is to stand up a translation proxy (e.g. LiteLLM or the Bedrock Access Gateway) that exposes an OpenAI-compatible endpoint and handles SigV4 + Converse on the backend. That's extra infrastructure to deploy, secure, and maintain — a real barrier for teams that are already standardized on Bedrock.

Proposed solution

Add a first-class AWS Bedrock provider that:

  • Resolves credentials via the standard AWS credential chain, and crucially lets the user specify an AWS profile (e.g. a profile field that maps to a named profile in ~/.aws/credentials / ~/.aws/config). This naturally supports SSO and assume-role profiles, which is how most orgs manage Bedrock access without static keys.
  • Lets the user pick a region and select from available Bedrock model IDs (e.g. anthropic.claude-*, openai.gpt-oss-*).
  • Speaks the native Bedrock Converse / ConverseStream API under the hood so no external gateway/proxy is required.
  • Optionally supports Bedrock API keys (the bearer-token style AWS introduced in 2025) for the simpler single-credential case, in addition to profile-based auth.

A minimal first step would be profile + region selection wired to Converse/ConverseStream.

Workflow impact

Helps any team standardized on AWS Bedrock — common in enterprises with data-residency, compliance, or existing AWS billing/governance requirements. It removes the need to run and maintain a translation proxy, and respecting AWS profiles means it works with SSO/assume-role setups where static API keys are disallowed by policy.

Installation context

Local desktop install, used by developers who already have AWS credentials/profiles configured on their machine.

Additional context

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type
    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions