Module: OpenAI::Providers::Bedrock Private

Defined in:
lib/openai/providers/bedrock.rb

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Defined Under Namespace

Classes: BearerAuth, CustomCredentialsProvider, DefaultCredentialsProvider, Definition, ProfileCredentialsProvider, SigV4Auth

Constant Summary collapse

SERVICE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"bedrock-mantle"
CANONICAL_HOST =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

/\Abedrock-mantle\.([a-z0-9-]+)\.api\.aws\z/i
SIGNING_HEADERS =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

%w[authorization x-amz-content-sha256 x-amz-date x-amz-security-token].freeze
BEARER_AUTH_MARKER =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

:openai_bedrock_bearer
SIGV4_AUTH_MARKER =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

:openai_bedrock_sigv4
MISSING_REGION_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Bedrock requires an AWS region. Pass `region` to `bedrock(...)`, or set `AWS_REGION` " \
"or `AWS_DEFAULT_REGION`."
MISSING_CREDENTIALS_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Could not find credentials for Bedrock. Pass a bearer credential or AWS credentials " \
"to `bedrock(...)`, set `AWS_BEARER_TOKEN_BEDROCK`, or configure the default AWS credential chain."
CREDENTIAL_RESOLUTION_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Failed to resolve AWS credentials for Bedrock. Verify your AWS profile, environment " \
"variables, or runtime identity configuration and try again."
NON_REPLAYABLE_BODY_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Bedrock SigV4 authentication requires a replayable request body. Buffer the body " \
"before sending or use bearer authentication."
MISSING_DEPENDENCY_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Bedrock AWS authentication requires optional AWS dependencies. Add `gem \"aws-sdk-core\"` " \
"to your Gemfile, run `bundle install`, and try again."
PARTIAL_STATIC_CREDENTIALS_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Static AWS credentials require both `access_key_id` and `secret_access_key`. " \
"A `session_token` may only be used with both."
AMBIGUOUS_AWS_AUTH_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Bedrock authentication is ambiguous. Configure exactly one explicit AWS mode: " \
"static credentials, profile, or credential provider."
AMBIGUOUS_AUTH_MESSAGE =

This constant is part of a private API. You should avoid using this constant if possible, as it may be removed or be changed in the future.

"Bedrock authentication is ambiguous. Configure exactly one explicit mode: bearer " \
"credential, static AWS credentials, profile, or credential provider."

Class Method Summary collapse

Class Method Details

.load_aws!Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



257
258
259
260
261
262
# File 'lib/openai/providers/bedrock.rb', line 257

def load_aws!
  require("aws-sdk-core")
  require("aws-sigv4")
rescue LoadError => e
  raise OpenAI::Errors::Error.new(MISSING_DEPENDENCY_MESSAGE), cause: e
end

.normalize_base_url(base_url) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



270
271
272
273
274
275
276
277
278
279
280
281
# File 'lib/openai/providers/bedrock.rb', line 270

def normalize_base_url(base_url)
  uri = URI(base_url)
  unless uri.is_a?(URI::HTTP) && uri.host
    raise ArgumentError, "The Bedrock `base_url` must be an absolute HTTP or HTTPS URL."
  end
  uri.path = uri.path.sub(%r{/responses(?:/.*)?\z}, "")
  uri.path = "" if uri.path == "/"
  uri.to_s.sub(%r{/\z}, "")
rescue URI::InvalidURIError => e
  message = "The Bedrock `base_url` must be an absolute HTTP or HTTPS URL."
  raise ArgumentError.new(message), cause: e
end

.normalize_optional_string(value) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



333
334
335
336
337
338
# File 'lib/openai/providers/bedrock.rb', line 333

def normalize_optional_string(value)
  return nil if value.nil?
  return nil unless value.is_a?(String)
  normalized = value.strip
  normalized unless normalized.empty?
end

.profile_region(profile) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



283
284
285
286
287
288
289
# File 'lib/openai/providers/bedrock.rb', line 283

def profile_region(profile)
  configured_profile = profile || ENV["AWS_PROFILE"] || ENV["AWS_DEFAULT_PROFILE"] || "default"
  region = Aws.shared_config.region(profile: configured_profile)
  normalize_optional_string(region)
rescue StandardError => e
  raise OpenAI::Errors::Error.new(CREDENTIAL_RESOLUTION_MESSAGE), cause: e
end

.provider_headers(request, marker:) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



291
292
293
294
295
296
297
298
299
300
# File 'lib/openai/providers/bedrock.rb', line 291

def provider_headers(request, marker:)
  headers = request.fetch(:headers).dup
  if request[:provider_auth] == marker
    headers.delete("authorization")
  elsif headers.key?("authorization")
    raise OpenAI::Errors::Error,
          "Bedrock provider authentication cannot be combined with a custom `Authorization` header."
  end
  headers
end

.resolve_base_url(base_url, region) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Raises:

  • (ArgumentError)


264
265
266
267
268
# File 'lib/openai/providers/bedrock.rb', line 264

def resolve_base_url(base_url, region)
  return base_url if base_url
  raise ArgumentError, MISSING_REGION_MESSAGE if region.nil?
  "https://bedrock-mantle.#{region}.api.aws/v1"
end

.validate_credentials!(credentials) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



321
322
323
324
325
326
327
328
329
330
331
# File 'lib/openai/providers/bedrock.rb', line 321

def validate_credentials!(credentials)
  access_key_id = credentials&.access_key_id
  secret_access_key = credentials&.secret_access_key
  session_token = credentials&.session_token if credentials.respond_to?(:session_token)
  valid =
    access_key_id.is_a?(String) && !access_key_id.strip.empty? &&
    secret_access_key.is_a?(String) && !secret_access_key.strip.empty? &&
    (session_token.nil? || (session_token.is_a?(String) && !session_token.strip.empty?))
  return credentials if valid
  raise OpenAI::Errors::Error, CREDENTIAL_RESOLUTION_MESSAGE
end

.validate_endpoint_region!(url, region) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



311
312
313
314
315
316
317
318
319
# File 'lib/openai/providers/bedrock.rb', line 311

def validate_endpoint_region!(url, region)
  endpoint_region = CANONICAL_HOST.match(url.host)&.[](1)
  return if endpoint_region.nil? || endpoint_region == region
  message =
    "The Bedrock endpoint region `#{endpoint_region}` does not match the SigV4 " \
    "region `#{region}`."
  raise OpenAI::Errors::Error,
        message
end

.validate_origin!(url, base_url, action:) ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



302
303
304
305
306
307
308
309
# File 'lib/openai/providers/bedrock.rb', line 302

def validate_origin!(url, base_url, action:)
  return if OpenAI::Internal::Util.uri_origin(url) == OpenAI::Internal::Util.uri_origin(base_url)
  message =
    "Refusing to #{action} a Bedrock request for an origin other than the configured " \
    "provider URL."
  raise OpenAI::Errors::Error,
        message
end