refactor: move Bedrock config from meta to key level by Pratham-Mishra04 · Pull Request #218 · maximhq/bifrost

Pratham-Mishra04 · 2025-08-05T21:50:31Z

Move Bedrock configuration from provider meta config to key-level config

This PR refactors the AWS Bedrock provider to use key-level configuration instead of provider-level meta configuration. This change aligns Bedrock with other providers like Azure and Vertex AI that already use key-level configuration.

Key changes:

Added BedrockKeyConfig struct to store AWS credentials and configuration
Removed the provider-level meta field and MetaConfig interface
Updated the Bedrock provider to read configuration from key config
Added support for empty key values when provider uses alternative credentials
Updated UI to show Bedrock configuration fields at the key level
Updated documentation and example configuration

This change improves consistency across providers and allows for more flexible configuration when using multiple AWS credentials with different regions or deployments.

coderabbitai · 2025-08-05T21:50:37Z

Summary by CodeRabbit

New Features
- Introduced structured key-level configuration for AWS Bedrock, allowing explicit fields for access key, secret key, session token, region, ARN, and deployments within each API key.
- Bedrock credentials and settings are now managed per key, supporting more granular and flexible configuration.
Refactor
- Removed all provider-level meta configuration support across backend, frontend, and documentation.
- Unified Azure, Vertex, and Bedrock provider configuration to use key-level settings only.
Bug Fixes
- Improved error messages for missing region in Vertex and Bedrock key configurations.
Documentation
- Updated all configuration and usage examples to reflect the new Bedrock key-level configuration.
- Removed references to meta config from guides and API documentation.
Style
- Simplified UI by removing the "Meta Config" tab and integrating Bedrock key settings directly into the API Keys tab.
Chores
- Cleaned up obsolete code and documentation related to meta config handling.

Walkthrough

This change removes all support for provider-level "meta config" and migrates AWS Bedrock provider configuration to a per-key BedrockKeyConfig structure. All backend, HTTP transport, database, and UI code is refactored to use key-level Bedrock configuration fields. Documentation, OpenAPI schemas, and tests are updated to reflect this new approach.

Changes

Cohort / File(s)	Change Summary
Core Bedrock Provider Refactor `core/providers/bedrock.go`, `core/schemas/account.go`, `core/schemas/meta/bedrock.go`, `core/schemas/provider.go`, `core/utils.go`	Removes provider-level meta config for Bedrock; introduces and uses per-key `BedrockKeyConfig` struct; deletes meta config struct and interface; adds utility for key value emptiness.
Key Selection and Vertex Provider Updates `core/bifrost.go`, `core/providers/vertex.go`	Updates key selection logic to generalize empty-value allowance; minor error message update in Vertex provider for region config.
HTTP Transport: Provider and Config Handling `transports/bifrost-http/handlers/providers.go`, `transports/bifrost-http/lib/account.go`, `transports/bifrost-http/lib/config.go`, `transports/bifrost-http/lib/models.go`, `transports/bifrost-http/lib/store.go`, `transports/bifrost-http/main.go`	Removes all meta config handling from HTTP handlers, config structs, database models, and store logic; adds support for Bedrock key config environment variable processing and storage.
Documentation and OpenAPI Schema `docs/contributing/provider.md`, `docs/usage/http-transport/openapi.json`, `docs/usage/go-package/account.md`, `docs/usage/http-transport/configuration/providers.md`	Removes meta config documentation; updates OpenAPI schema and usage docs to use `bedrock_key_config` in place of meta config.
UI Refactor: Bedrock Config and Meta Config Removal `ui/components/config/meta-config-renderer.tsx`, `ui/components/config/provider-form.tsx`, `ui/lib/types/config.ts`, `ui/lib/utils/validation.ts`	Deletes meta config renderer; removes all meta config handling from provider form and types; adds Bedrock key config fields and validation.
Example and Test Config Updates `transports/config.example.json`, `tests/core-providers/config/account.go`, `tests/core-providers/go.mod`	Updates example and test configs to use new Bedrock key config; adjusts test dependencies.

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant UI
    participant HTTP_API
    participant Store
    participant BedrockProvider

    User->>UI: Enter Bedrock key config fields (access_key, secret_key, etc.)
    UI->>HTTP_API: Submit provider config with bedrock_key_config
    HTTP_API->>Store: Store provider and key config (no meta config)
    Store-->>HTTP_API: Confirmation
    HTTP_API-->>UI: Success

    User->>UI: Make Bedrock model request
    UI->>HTTP_API: Send request with selected key (includes bedrock_key_config)
    HTTP_API->>BedrockProvider: Call Bedrock with key config fields
    BedrockProvider-->>HTTP_API: Return result
    HTTP_API-->>UI: Show result

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

feat: add bifrost ui #145: Both PRs modify the Bifrost UI and related HTTP handlers, with feat: add bifrost ui #145 embedding the Next.js UI build and this PR refactoring provider config handling in the UI and backend.
feat: add context-aware key selection with dynamic provider routing #172: Both PRs touch key selection and provider key configuration logic, with feat: add context-aware key selection with dynamic provider routing #172 introducing context-aware key selection and this PR refactoring Bedrock key handling.

Suggested reviewers

akshaydeo
danpiths

Poem

In fields of config, rabbits leap and bound,
Meta configs are gone, nowhere to be found!
Bedrock keys now shine with clarity and cheer,
Each key holds secrets, credentials near.
With docs and UI in harmony anew—
Bifrost’s garden grows, thanks to you! 🥕✨

✨ Finishing Touches

📝 Generate Docstrings

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch 08-06-fix_bedrock_key_config_structure_fixes

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai generate unit tests to generate unit tests for this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

Pratham-Mishra04 · 2025-08-05T21:50:52Z

refactor: move Bedrock config from meta to key level #218 👈 (View in Graphite)
main

This stack of pull requests is managed by Graphite. Learn more about stacking.

coderabbitai

Actionable comments posted: 6

🔭 Outside diff range comments (6)

transports/bifrost-http/lib/models.go (2)

169-188: Missing Bedrock deployments serialization in BeforeSave hook

The BeforeSave hook handles Azure deployments serialization but is missing the logic to serialize Bedrock deployments. This will cause Bedrock deployment mappings to be lost when saving to the database.

Add the following serialization logic after the Azure config handling:

 func (k *DBKey) BeforeSave(tx *gorm.DB) error {
 	if k.Models != nil {
 		data, err := json.Marshal(k.Models)
 		if err != nil {
 			return err
 		}
 		k.ModelsJSON = string(data)
 	}
 
 	if k.AzureKeyConfig != nil && k.AzureKeyConfig.Deployments != nil {
 		data, err := json.Marshal(k.AzureKeyConfig.Deployments)
 		if err != nil {
 			return err
 		}
 		deployments := string(data)
 		k.AzureDeploymentsJSON = &deployments
 	}
 
+	if k.BedrockKeyConfig != nil && k.BedrockKeyConfig.Deployments != nil {
+		data, err := json.Marshal(k.BedrockKeyConfig.Deployments)
+		if err != nil {
+			return err
+		}
+		deployments := string(data)
+		k.BedrockDeploymentsJSON = &deployments
+	}
+
 	return nil
 }

264-306: Missing Bedrock config reconstruction in AfterFind hook

The AfterFind hook reconstructs Azure and Vertex configs but is missing the logic to reconstruct Bedrock config from database fields. This will cause Bedrock configuration to be unavailable after loading from the database.

Add the following deserialization logic after the Vertex config handling:

 	// Reconstruct Vertex config if fields are present
 	if k.VertexProjectID != nil {
 		config := &schemas.VertexKeyConfig{
 			ProjectID: *k.VertexProjectID,
 		}
 
 		if k.VertexRegion != nil {
 			config.Region = *k.VertexRegion
 		}
 		if k.VertexAuthCredentials != nil {
 			config.AuthCredentials = *k.VertexAuthCredentials
 		}
 
 		k.VertexKeyConfig = config
 	}
 
+	// Reconstruct Bedrock config if fields are present
+	if k.BedrockAccessKey != nil {
+		config := &schemas.BedrockKeyConfig{
+			AccessKey: *k.BedrockAccessKey,
+		}
+
+		if k.BedrockSecretKey != nil {
+			config.SecretKey = *k.BedrockSecretKey
+		}
+		if k.BedrockSessionToken != nil {
+			config.SessionToken = k.BedrockSessionToken
+		}
+		if k.BedrockRegion != nil {
+			config.Region = k.BedrockRegion
+		}
+		if k.BedrockARN != nil {
+			config.ARN = k.BedrockARN
+		}
+		if k.BedrockDeploymentsJSON != nil {
+			var deployments map[string]string
+			if err := json.Unmarshal([]byte(*k.BedrockDeploymentsJSON), &deployments); err != nil {
+				return err
+			}
+			config.Deployments = deployments
+		}
+
+		k.BedrockKeyConfig = config
+	}
+
 	return nil
 }

transports/bifrost-http/lib/store.go (4)

834-940: Missing redaction logic for BedrockKeyConfig in GetProviderConfigRedacted

The GetProviderConfigRedacted function currently handles redaction for Azure and Vertex key configs but is missing redaction logic for BedrockKeyConfig. This could expose sensitive AWS credentials (AccessKey, SecretKey, SessionToken) in API responses.

Add redaction logic for BedrockKeyConfig after the Vertex config handling (after line 936):

 			redactedConfig.Keys[i].VertexKeyConfig = vertexConfig
 		}
+
+		// Redact Bedrock key config if present
+		if key.BedrockKeyConfig != nil {
+			bedrockConfig := &schemas.BedrockKeyConfig{
+				Deployments: key.BedrockKeyConfig.Deployments,
+			}
+
+			// Redact AccessKey
+			path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.access_key", provider, key.ID)
+			if envVar, ok := envVarsByPath[path]; ok {
+				bedrockConfig.AccessKey = "env." + envVar
+			} else {
+				bedrockConfig.AccessKey = RedactKey(key.BedrockKeyConfig.AccessKey)
+			}
+
+			// Redact SecretKey
+			path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.secret_key", provider, key.ID)
+			if envVar, ok := envVarsByPath[path]; ok {
+				bedrockConfig.SecretKey = "env." + envVar
+			} else {
+				bedrockConfig.SecretKey = RedactKey(key.BedrockKeyConfig.SecretKey)
+			}
+
+			// Redact SessionToken if present
+			if key.BedrockKeyConfig.SessionToken != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.session_token", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					sessionToken := "env." + envVar
+					bedrockConfig.SessionToken = &sessionToken
+				} else {
+					redactedToken := RedactKey(*key.BedrockKeyConfig.SessionToken)
+					bedrockConfig.SessionToken = &redactedToken
+				}
+			}
+
+			// Region is not sensitive, handle env vars only
+			if key.BedrockKeyConfig.Region != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.region", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					region := "env." + envVar
+					bedrockConfig.Region = &region
+				} else {
+					bedrockConfig.Region = key.BedrockKeyConfig.Region
+				}
+			}
+
+			// Redact ARN if present
+			if key.BedrockKeyConfig.ARN != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.arn", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					arn := "env." + envVar
+					bedrockConfig.ARN = &arn
+				} else {
+					redactedARN := RedactKey(*key.BedrockKeyConfig.ARN)
+					bedrockConfig.ARN = &redactedARN
+				}
+			}
+
+			redactedConfig.Keys[i].BedrockKeyConfig = bedrockConfig
+		}
 	}

441-574: Missing restoration logic for BedrockKeyConfig in writeConfigToFile

The writeConfigToFile function currently restores environment variable references for Azure and Vertex key configs but is missing restoration logic for BedrockKeyConfig. This breaks round-trip fidelity when saving configuration back to file, potentially exposing AWS credentials as plain text instead of environment variable references.

Add restoration logic for BedrockKeyConfig after the Vertex config handling (after line 542):

 				redactedKeys[i].VertexKeyConfig = vertexConfig
 			}
+
+			// Restore Bedrock key config if present
+			if key.BedrockKeyConfig != nil {
+				bedrockConfig := &schemas.BedrockKeyConfig{
+					Deployments: key.BedrockKeyConfig.Deployments,
+				}
+
+				// Restore AccessKey
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.access_key", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					bedrockConfig.AccessKey = "env." + envVar
+				} else {
+					bedrockConfig.AccessKey = key.BedrockKeyConfig.AccessKey
+				}
+
+				// Restore SecretKey
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.secret_key", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					bedrockConfig.SecretKey = "env." + envVar
+				} else {
+					bedrockConfig.SecretKey = key.BedrockKeyConfig.SecretKey
+				}
+
+				// Restore SessionToken if present
+				if key.BedrockKeyConfig.SessionToken != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.session_token", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						sessionToken := "env." + envVar
+						bedrockConfig.SessionToken = &sessionToken
+					} else {
+						bedrockConfig.SessionToken = key.BedrockKeyConfig.SessionToken
+					}
+				}
+
+				// Restore Region if present
+				if key.BedrockKeyConfig.Region != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.region", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						region := "env." + envVar
+						bedrockConfig.Region = &region
+					} else {
+						bedrockConfig.Region = key.BedrockKeyConfig.Region
+					}
+				}
+
+				// Restore ARN if present
+				if key.BedrockKeyConfig.ARN != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.arn", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						arn := "env." + envVar
+						bedrockConfig.ARN = &arn
+					} else {
+						bedrockConfig.ARN = key.BedrockKeyConfig.ARN
+					}
+				}
+
+				redactedKeys[i].BedrockKeyConfig = bedrockConfig
+			}
 		}

341-349: Missing BedrockKeyConfig when loading providers from database

The loadProvidersFromDB function is not restoring BedrockKeyConfig when converting DBKey to schemas.Key. This will cause loss of Bedrock configurations on system restart.

Add BedrockKeyConfig to the key conversion:

 			keys[i] = schemas.Key{
 				ID:              dbKey.KeyID,
 				Value:           dbKey.Value,
 				Models:          dbKey.Models,
 				Weight:          dbKey.Weight,
 				AzureKeyConfig:  dbKey.AzureKeyConfig,
 				VertexKeyConfig: dbKey.VertexKeyConfig,
+				BedrockKeyConfig: dbKey.BedrockKeyConfig,
 			}

680-705: Missing BedrockKeyConfig assignment and field extraction in saveProvidersToDB

The saveProvidersToDB function is not properly handling BedrockKeyConfig when creating DBKey records. While Azure and Vertex configs are saved with both the full config objects and individual fields, Bedrock config is missing.

Add BedrockKeyConfig handling similar to Azure and Vertex:

 				dbKey := DBKey{
 					ProviderID:      dbProvider.ID,
 					KeyID:           key.ID,
 					Value:           key.Value,
 					Models:          key.Models,
 					Weight:          key.Weight,
 					AzureKeyConfig:  key.AzureKeyConfig,
 					VertexKeyConfig: key.VertexKeyConfig,
+					BedrockKeyConfig: key.BedrockKeyConfig,
 				}
 
 				// Handle Azure config
 				if key.AzureKeyConfig != nil {
 					dbKey.AzureEndpoint = &key.AzureKeyConfig.Endpoint
 					dbKey.AzureAPIVersion = key.AzureKeyConfig.APIVersion
 				}
 
 				// Handle Vertex config
 				if key.VertexKeyConfig != nil {
 					dbKey.VertexProjectID = &key.VertexKeyConfig.ProjectID
 					dbKey.VertexRegion = &key.VertexKeyConfig.Region
 					dbKey.VertexAuthCredentials = &key.VertexKeyConfig.AuthCredentials
 				}
+
+				// Handle Bedrock config
+				if key.BedrockKeyConfig != nil {
+					dbKey.BedrockAccessKey = &key.BedrockKeyConfig.AccessKey
+					dbKey.BedrockSecretKey = &key.BedrockKeyConfig.SecretKey
+					dbKey.BedrockSessionToken = key.BedrockKeyConfig.SessionToken
+					dbKey.BedrockRegion = key.BedrockKeyConfig.Region
+					dbKey.BedrockARN = key.BedrockKeyConfig.ARN
+				}
 
 				dbKeys = append(dbKeys, dbKey)

Note: This assumes the DBKey struct has been updated with the appropriate Bedrock fields. Please verify that the database model includes these fields.

coderabbitai

Actionable comments posted: 1

🔭 Outside diff range comments (7)

transports/bifrost-http/lib/models.go (2)

169-188: Add serialization for Bedrock deployments in BeforeSave hook

The BeforeSave hook is missing serialization logic for BedrockKeyConfig.Deployments. Without this, Bedrock deployments won't be persisted to the database.

Add the following serialization logic after the Azure deployments serialization:

 	if k.AzureKeyConfig != nil && k.AzureKeyConfig.Deployments != nil {
 		data, err := json.Marshal(k.AzureKeyConfig.Deployments)
 		if err != nil {
 			return err
 		}
 		deployments := string(data)
 		k.AzureDeploymentsJSON = &deployments
 	}
+
+	if k.BedrockKeyConfig != nil && k.BedrockKeyConfig.Deployments != nil {
+		data, err := json.Marshal(k.BedrockKeyConfig.Deployments)
+		if err != nil {
+			return err
+		}
+		deployments := string(data)
+		k.BedrockDeploymentsJSON = &deployments
+	}

 	return nil

264-305: Add reconstruction logic for BedrockKeyConfig in AfterFind hook

The AfterFind hook is missing logic to reconstruct BedrockKeyConfig from the database fields. This will cause the Bedrock configuration to be lost when keys are loaded from the database.

Add the following reconstruction logic after the Vertex config reconstruction:

 	// Reconstruct Vertex config if fields are present
 	if k.VertexProjectID != nil {
 		config := &schemas.VertexKeyConfig{
 			ProjectID: *k.VertexProjectID,
 		}

 		if k.VertexRegion != nil {
 			config.Region = *k.VertexRegion
 		}
 		if k.VertexAuthCredentials != nil {
 			config.AuthCredentials = *k.VertexAuthCredentials
 		}

 		k.VertexKeyConfig = config
 	}
+
+	// Reconstruct Bedrock config if fields are present
+	if k.BedrockAccessKey != nil {
+		config := &schemas.BedrockKeyConfig{
+			AccessKey: *k.BedrockAccessKey,
+		}
+
+		if k.BedrockSecretKey != nil {
+			config.SecretKey = *k.BedrockSecretKey
+		}
+		if k.BedrockSessionToken != nil {
+			config.SessionToken = k.BedrockSessionToken
+		}
+		if k.BedrockRegion != nil {
+			config.Region = k.BedrockRegion
+		}
+		if k.BedrockARN != nil {
+			config.ARN = k.BedrockARN
+		}
+		if k.BedrockDeploymentsJSON != nil {
+			var deployments map[string]string
+			if err := json.Unmarshal([]byte(*k.BedrockDeploymentsJSON), &deployments); err != nil {
+				return err
+			}
+			config.Deployments = deployments
+		}
+
+		k.BedrockKeyConfig = config
+	}

 	return nil

transports/bifrost-http/lib/store.go (5)

543-543: Missing Bedrock config restoration in writeConfigToFile.

The writeConfigToFile method restores environment variable references for Azure (lines 485-511) and Vertex (lines 513-542) configs, but Bedrock config restoration is missing. This means Bedrock environment variables won't be properly restored when writing config back to file.

Add Bedrock config restoration after the Vertex config section:

 				redactedKeys[i].VertexKeyConfig = vertexConfig
 			}
+
+			// Restore Bedrock key config if present
+			if key.BedrockKeyConfig != nil {
+				bedrockConfig := &schemas.BedrockKeyConfig{
+					Deployments: key.BedrockKeyConfig.Deployments,
+				}
+
+				// Restore AccessKey
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.access_key", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					bedrockConfig.AccessKey = "env." + envVar
+				} else {
+					bedrockConfig.AccessKey = key.BedrockKeyConfig.AccessKey
+				}
+
+				// Restore SecretKey
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.secret_key", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					bedrockConfig.SecretKey = "env." + envVar
+				} else {
+					bedrockConfig.SecretKey = key.BedrockKeyConfig.SecretKey
+				}
+
+				// Restore SessionToken if present
+				if key.BedrockKeyConfig.SessionToken != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.session_token", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						sessionToken := "env." + envVar
+						bedrockConfig.SessionToken = &sessionToken
+					} else {
+						bedrockConfig.SessionToken = key.BedrockKeyConfig.SessionToken
+					}
+				}
+
+				// Restore Region if present
+				if key.BedrockKeyConfig.Region != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.region", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						region := "env." + envVar
+						bedrockConfig.Region = &region
+					} else {
+						bedrockConfig.Region = key.BedrockKeyConfig.Region
+					}
+				}
+
+				// Restore ARN if present
+				if key.BedrockKeyConfig.ARN != nil {
+					path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.arn", provider, key.ID)
+					if envVar, ok := envVarsByPath[path]; ok {
+						arn := "env." + envVar
+						bedrockConfig.ARN = &arn
+					} else {
+						bedrockConfig.ARN = key.BedrockKeyConfig.ARN
+					}
+				}
+
+				redactedKeys[i].BedrockKeyConfig = bedrockConfig
+			}
 		}

937-937: Missing Bedrock config redaction in GetProviderConfigRedacted.

The GetProviderConfigRedacted method redacts sensitive values for Azure (lines 878-904) and Vertex (lines 907-936) configs, but Bedrock config redaction is missing. This could expose sensitive AWS credentials in API responses.

Add Bedrock config redaction after the Vertex config section:

 			redactedConfig.Keys[i].VertexKeyConfig = vertexConfig
 		}
+
+		// Redact Bedrock key config if present
+		if key.BedrockKeyConfig != nil {
+			bedrockConfig := &schemas.BedrockKeyConfig{
+				Deployments: key.BedrockKeyConfig.Deployments,
+			}
+
+			// Redact AccessKey
+			path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.access_key", provider, key.ID)
+			if envVar, ok := envVarsByPath[path]; ok {
+				bedrockConfig.AccessKey = "env." + envVar
+			} else {
+				bedrockConfig.AccessKey = RedactKey(key.BedrockKeyConfig.AccessKey)
+			}
+
+			// Redact SecretKey
+			path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.secret_key", provider, key.ID)
+			if envVar, ok := envVarsByPath[path]; ok {
+				bedrockConfig.SecretKey = "env." + envVar
+			} else {
+				bedrockConfig.SecretKey = RedactKey(key.BedrockKeyConfig.SecretKey)
+			}
+
+			// Redact SessionToken if present
+			if key.BedrockKeyConfig.SessionToken != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.session_token", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					sessionToken := "env." + envVar
+					bedrockConfig.SessionToken = &sessionToken
+				} else {
+					redactedToken := RedactKey(*key.BedrockKeyConfig.SessionToken)
+					bedrockConfig.SessionToken = &redactedToken
+				}
+			}
+
+			// Region is not sensitive, handle env vars only
+			if key.BedrockKeyConfig.Region != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.region", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					region := "env." + envVar
+					bedrockConfig.Region = &region
+				} else {
+					bedrockConfig.Region = key.BedrockKeyConfig.Region
+				}
+			}
+
+			// Redact ARN if present
+			if key.BedrockKeyConfig.ARN != nil {
+				path = fmt.Sprintf("providers.%s.keys[%s].bedrock_key_config.arn", provider, key.ID)
+				if envVar, ok := envVarsByPath[path]; ok {
+					arn := "env." + envVar
+					bedrockConfig.ARN = &arn
+				} else {
+					redactedARN := RedactKey(*key.BedrockKeyConfig.ARN)
+					bedrockConfig.ARN = &redactedARN
+				}
+			}
+
+			redactedConfig.Keys[i].BedrockKeyConfig = bedrockConfig
+		}
 	}

341-349: Missing BedrockKeyConfig in loadProvidersFromDB.

The function loads Azure and Vertex key configs from the database but doesn't include BedrockKeyConfig when reconstructing the keys.

Add BedrockKeyConfig to the key reconstruction:

 			keys[i] = schemas.Key{
 				ID:              dbKey.KeyID,
 				Value:           dbKey.Value,
 				Models:          dbKey.Models,
 				Weight:          dbKey.Weight,
 				AzureKeyConfig:  dbKey.AzureKeyConfig,
 				VertexKeyConfig: dbKey.VertexKeyConfig,
+				BedrockKeyConfig: dbKey.BedrockKeyConfig,
 			}

682-690: Missing BedrockKeyConfig in saveProvidersToDB.

The function saves Azure and Vertex key configs to the database but doesn't include BedrockKeyConfig.

Add BedrockKeyConfig to the DBKey struct initialization:

 			dbKey := DBKey{
 				ProviderID:      dbProvider.ID,
 				KeyID:           key.ID,
 				Value:           key.Value,
 				Models:          key.Models,
 				Weight:          key.Weight,
 				AzureKeyConfig:  key.AzureKeyConfig,
 				VertexKeyConfig: key.VertexKeyConfig,
+				BedrockKeyConfig: key.BedrockKeyConfig,
 			}

704-704: Add Bedrock config persistence in saveProvidersToDB

The DBKey struct defines Bedrock fields but saveProvidersToDB only populates Azure and Vertex. After the Vertex block in
transports/bifrost-http/lib/store.go (around line 699), add:

 			// Handle Vertex config
 			if key.VertexKeyConfig != nil {
 				dbKey.VertexProjectID = &key.VertexKeyConfig.ProjectID
 				dbKey.VertexRegion = &key.VertexKeyConfig.Region
 				dbKey.VertexAuthCredentials = &key.VertexKeyConfig.AuthCredentials
 			}

+			// Handle Bedrock config
+			if key.BedrockKeyConfig != nil {
+				dbKey.BedrockAccessKey = &key.BedrockKeyConfig.AccessKey
+				dbKey.BedrockSecretKey = &key.BedrockKeyConfig.SecretKey
+				dbKey.BedrockSessionToken = &key.BedrockKeyConfig.SessionToken
+				dbKey.BedrockRegion = &key.BedrockKeyConfig.Region
+				dbKey.BedrockARN = &key.BedrockKeyConfig.ARN
+
+				// Serialize Bedrock deployments map into JSON
+				depsJSON, err := json.Marshal(key.BedrockKeyConfig.Deployments)
+				if err != nil {
+					return fmt.Errorf("failed to marshal Bedrock deployments: %w", err)
+				}
+				depsStr := string(depsJSON)
+				dbKey.BedrockDeploymentsJSON = &depsStr
+			}
 
 			dbKeys = append(dbKeys, dbKey)

Also ensure import ( "encoding/json"; "fmt" ) is present at the top of the file.

♻️ Duplicate comments (6)

core/utils.go (1)

20-24: Fix the comment grammar as previously noted.

The grammar issue in the comment was already identified in a previous review but hasn't been addressed yet.

docs/contributing/provider.md (2)

493-493: Fix grammatical and formatting issues.

578-578: Fix formatting and punctuation issues.

docs/usage/http-transport/openapi.json (1)

2777-2813: Add description to bedrock_key_config for schema parity with other provider configs
The new bedrock_key_config block still lacks a top-level "description" field, whereas both azure_key_config and vertex_key_config include one. This breaks consistency and downstream tooling (doc generators, UI forms) will render this object without context.

Same feedback was provided earlier; please address.

ui/components/config/provider-form.tsx (2)

181-197: Fix validation logic for Bedrock deployments

The validation logic incorrectly treats Bedrock deployments as required, but according to the schema and UI label, deployments should be optional.

779-806: Add proper label associations for accessibility

The label elements for Bedrock configuration fields are not properly associated with their input elements, which impacts accessibility for screen reader users.

coderabbitai

Actionable comments posted: 7

🔭 Outside diff range comments (2)

core/providers/bedrock.go (2)
295-306: Reconsider the credential validation approach to align with established patterns.

The current implementation checks for an empty SecretKey before signing, but based on the team's established pattern (from PR #54), AWS credential validation should be left to AWS itself. This preemptive check prevents the use of alternative AWS authentication methods like IAM roles or environment variables.

Consider removing the preemptive validation to allow AWS SDK to handle authentication naturally:
-	if config.SecretKey != "" {
-		if err := signAWSRequest(req, config.AccessKey, config.SecretKey, config.SessionToken, region, "bedrock"); err != nil {
-			return nil, err
-		}
-	} else {
-		return nil, &schemas.BifrostError{
-			IsBifrostError: false,
-			Error: schemas.ErrorField{
-				Message: "secret access key not set",
-			},
-		}
-	}
+	if err := signAWSRequest(req, config.AccessKey, config.SecretKey, config.SessionToken, region, "bedrock"); err != nil {
+		return nil, err
+	}
This allows AWS to provide its own authentication error messages which can be more informative than custom validation errors.

1332-1338: Duplicate credential validation should follow the same pattern as completeRequest.

This code duplicates the SecretKey validation from completeRequest. If the earlier suggestion to remove preemptive validation is accepted, this should be updated similarly to allow AWS SDK to handle authentication naturally.
-	if key.BedrockKeyConfig.SecretKey != "" {
-		if signErr := signAWSRequest(req, key.BedrockKeyConfig.AccessKey, key.BedrockKeyConfig.SecretKey, key.BedrockKeyConfig.SessionToken, region, "bedrock"); signErr != nil {
-			return nil, signErr
-		}
-	} else {
-		return nil, newConfigurationError("secret access key not set", schemas.Bedrock)
-	}
+	if signErr := signAWSRequest(req, key.BedrockKeyConfig.AccessKey, key.BedrockKeyConfig.SecretKey, key.BedrockKeyConfig.SessionToken, region, "bedrock"); signErr != nil {
+		return nil, signErr
+	}

♻️ Duplicate comments (6)

transports/bifrost-http/main.go (1)

20-20: Terminology correctly updated to reflect key config approach.

The change from "meta config" to "key config" properly aligns with the broader refactor in this PR that removes provider-level meta configuration support in favor of key-level configuration.

core/utils.go (1)

20-24: Fix the comment grammar as noted in previous review.

The function implementation is correct and properly centralizes the logic for providers that allow empty key values. However, the comment grammar needs to be fixed.

Fix the comment grammar:
-// Some provider like Vertex and Bedrock have their credentials in additional key configs..
+// Some providers like Vertex and Bedrock have their credentials in additional key configs.

docs/contributing/provider.md (2)

493-493: Fix grammatical and formatting issues.

The sentence has grammatical and spacing issues that affect readability.

Apply this diff to fix the issues:
-The HTTP transport layer requires specific changes to handle provider configuration, and model patterns.
+The HTTP transport layer requires specific changes to handle provider configuration and model patterns.
578-578: Fix formatting and punctuation issues.

The line has spacing and dash usage issues that affect readability.

Apply this diff to fix the formatting:
-Note: API key handling is automatic - you only need to implement the key config processing if your provider requires additional configuration beyond API keys.
+Note: API key handling is automatic—you only need to implement the key config processing if your provider requires additional configuration beyond API keys.

docs/usage/http-transport/openapi.json (1)

2777-2813: Add missing description for bedrock_key_config to stay consistent with other provider key-config objects
azure_key_config and vertex_key_config both include a top-level description. Omitting it here breaks schema uniformity and causes downstream docs tooling to render this block without context.

ui/components/config/provider-form.tsx (1)

778-841: Add proper label associations for accessibility

The label elements for Bedrock configuration fields are not properly associated with their input elements, which impacts accessibility for screen reader users.

Associate each label with its corresponding input using the htmlFor attribute:

                                 <div>
-                                  <label className="text-sm font-medium">Access Key (Required)</label>
+                                  <label htmlFor={`bedrock-access-key-${index}`} className="text-sm font-medium">Access Key (Required)</label>
                                   <Input
+                                    id={`bedrock-access-key-${index}`}
                                     placeholder="your-aws-access-key or env.AWS_ACCESS_KEY"
                                     value={key.bedrock_key_config?.access_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'access_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Secret Key (Required)</label>
+                                  <label htmlFor={`bedrock-secret-key-${index}`} className="text-sm font-medium">Secret Key (Required)</label>
                                   <Input
+                                    id={`bedrock-secret-key-${index}`}
                                     placeholder="your-aws-secret-key or env.AWS_SECRET_KEY"
                                     value={key.bedrock_key_config?.secret_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'secret_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Session Token (Optional)</label>
+                                  <label htmlFor={`bedrock-session-token-${index}`} className="text-sm font-medium">Session Token (Optional)</label>
                                   <Input
+                                    id={`bedrock-session-token-${index}`}
                                     placeholder="your-aws-session-token or env.AWS_SESSION_TOKEN"
                                     value={key.bedrock_key_config?.session_token || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'session_token', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Deployments (Optional)</label>
+                                  <label htmlFor={`bedrock-deployments-${index}`} className="text-sm font-medium">Deployments (Optional)</label>
                                   <div className="text-muted-foreground mb-2 text-xs">
                                     JSON object mapping model names to inference profile names
                                   </div>
                                   <Textarea
+                                    id={`bedrock-deployments-${index}`}

coderabbitai

Actionable comments posted: 5

♻️ Duplicate comments (9)

core/utils.go (1)

20-24: Well-implemented utility function.

The canProviderKeyValueBeEmpty function properly centralizes the logic for identifying providers that allow empty key values, supporting more maintainable key selection logic throughout the codebase.

The grammar issue in the comment was already identified in a previous review.

docs/contributing/provider.md (2)

493-493: Fix grammatical and formatting issues.

The sentence has grammatical and spacing issues that affect readability.

Apply this diff to fix the issues:
-The HTTP transport layer requires specific changes to handle provider configuration, and model patterns.
+The HTTP transport layer requires specific changes to handle provider configuration and model patterns.
578-578: Fix formatting and punctuation issues.

The line has spacing and dash usage issues that affect readability.

Apply this diff to fix the formatting:
-Note: API key handling is automatic - you only need to implement the key config processing if your provider requires additional configuration beyond API keys.
+Note: API key handling is automatic—you only need to implement the key config processing if your provider requires additional configuration beyond API keys.

docs/usage/http-transport/configuration/providers.md (1)

485-487: Fix environment variable name inconsistency.

There's an inconsistency between the environment variable name used here (AWS_SECRET_KEY) and the one referenced in the configuration examples (AWS_SECRET_ACCESS_KEY).

Apply this diff to match the configuration examples:
-export AWS_SECRET_KEY="your-secret-key"
+export AWS_SECRET_ACCESS_KEY="your-secret-key"

docs/usage/http-transport/openapi.json (1)

2777-2813: Add missing description for bedrock_key_config to align with other provider configs

azure_key_config and vertex_key_config objects have a human-readable description; omitting it here breaks schema consistency and downstream doc generation.
-          "bedrock_key_config": {
-            "type": "object",
+          "bedrock_key_config": {
+            "type": "object",
+            "description": "Bedrock key configuration",

ui/components/config/provider-form.tsx (1)

776-841: Fix missing label associations for accessibility.

The label elements for Bedrock configuration fields lack proper association with their inputs, impacting screen reader users. Add htmlFor attributes and corresponding id attributes:

-                                  <label className="text-sm font-medium">Access Key (Required)</label>
+                                  <label htmlFor={`bedrock-access-key-${index}`} className="text-sm font-medium">Access Key (Required)</label>
                                   <Input
+                                    id={`bedrock-access-key-${index}`}
                                     placeholder="your-aws-access-key or env.AWS_ACCESS_KEY"
                                     value={key.bedrock_key_config?.access_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'access_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />

-                                  <label className="text-sm font-medium">Secret Key (Required)</label>
+                                  <label htmlFor={`bedrock-secret-key-${index}`} className="text-sm font-medium">Secret Key (Required)</label>
                                   <Input
+                                    id={`bedrock-secret-key-${index}`}
                                     placeholder="your-aws-secret-key or env.AWS_SECRET_KEY"
                                     value={key.bedrock_key_config?.secret_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'secret_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />

-                                  <label className="text-sm font-medium">Session Token (Optional)</label>
+                                  <label htmlFor={`bedrock-session-token-${index}`} className="text-sm font-medium">Session Token (Optional)</label>
                                   <Input
+                                    id={`bedrock-session-token-${index}`}
                                     placeholder="your-aws-session-token or env.AWS_SESSION_TOKEN"
                                     value={key.bedrock_key_config?.session_token || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'session_token', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />

-                                  <label className="text-sm font-medium">Deployments (Optional)</label>
+                                  <label htmlFor={`bedrock-deployments-${index}`} className="text-sm font-medium">Deployments (Optional)</label>
                                   <div className="text-muted-foreground mb-2 text-xs">
                                     JSON object mapping model names to inference profile names
                                   </div>
                                   <Textarea
+                                    id={`bedrock-deployments-${index}`}

transports/bifrost-http/lib/store.go (2)

544-590: Critical: Missing assignment of restored Bedrock config to key

The restored bedrockConfig is never assigned back to redactedKeys[i].BedrockKeyConfig. This means the Bedrock configuration won't be written to the config file.

Add the missing assignment after line 588:
 				bedrockConfig.ARN = key.BedrockKeyConfig.ARN
 			}
 
+			redactedKeys[i].BedrockKeyConfig = bedrockConfig
 		}
754-761: Missing ARN field in database save operation

The BedrockKeyConfig.ARN field is not being saved to the database. Based on the BedrockKeyConfig struct definition, the ARN field should be persisted.

Add the missing ARN field assignment:
 			// Handle Bedrock config
 			if key.BedrockKeyConfig != nil {
 				dbKey.BedrockAccessKey = &key.BedrockKeyConfig.AccessKey
 				dbKey.BedrockSecretKey = &key.BedrockKeyConfig.SecretKey
 				dbKey.BedrockSessionToken = key.BedrockKeyConfig.SessionToken
 				dbKey.BedrockRegion = key.BedrockKeyConfig.Region
+				dbKey.BedrockARN = key.BedrockKeyConfig.ARN
 			}

core/providers/bedrock.go (1)

1120-1122: Embedding handlers correctly updated to use BedrockKeyConfig.

The method calls now pass the complete BedrockKeyConfig instead of just the access key, enabling full AWS credential and region access.

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (20)

transports/bifrost-http/main.go (1)
20-20: Synchronize provider list across comment sections for clarity

Nice catch on switching to “key config support”, but the earlier overview sentence (Line 2) still omits Azure and Vertex. Keeping both lists in sync avoids reader confusion.
-// for text and chat completions using various AI model providers (OpenAI, Anthropic, Bedrock, Mistral, Ollama, etc.).
+// for text and chat completions using various AI model providers (OpenAI, Anthropic, Azure, Bedrock, Mistral, Vertex, Ollama, etc.).
tests/core-providers/go.mod (1)

28-30: Previous concerns about Sonic dependency chain still apply.

The addition of bytedance/sonic and related dependencies (loader, base64x, cpuid/v2, golang-asm, x/arch) was already flagged in previous reviews regarding the cost/benefit analysis of these dependencies versus standard library or existing alternatives.

Also applies to: 34-34, 38-38, 42-42

core/utils.go (1)

20-24: Well-implemented utility function supporting the key-level config refactor.

The canProviderKeyValueBeEmpty function properly centralizes the logic for identifying providers (Vertex and Bedrock) that allow empty key values. This aligns well with the broader refactoring to move Bedrock configuration from meta to key level.

tests/core-providers/config/account.go (1)

99-105: LGTM! Well-structured key-level configuration for Bedrock.

The migration from meta config to BedrockKeyConfig is well-implemented and aligns perfectly with the PR objectives. The structure matches the schema definition and uses standard AWS environment variable names.

Note: There was a previous suggestion about handling empty SessionToken more explicitly by checking if the environment variable is empty and setting it to nil rather than a pointer to an empty string. However, based on the established patterns in the codebase and the preference to let AWS handle authentication naturally, the current implementation is acceptable.

docs/usage/go-package/account.md (1)

148-153: Fix environment variable inconsistency.

There's an inconsistency in AWS access key environment variable names - Line 100 checks for AWS_ACCESS_KEY_ID but Line 149 uses AWS_ACCESS_KEY. This should be consistent throughout the file using the standard AWS environment variable naming.
docs/contributing/provider.md (2)
493-493: Fix grammatical and formatting issues.

The sentence has grammatical and spacing issues that affect readability.

Apply this diff to fix the issues:
-The HTTP transport layer requires specific changes to handle provider configuration, and model patterns.
+The HTTP transport layer requires specific changes to handle provider configuration and model patterns.
578-578: Fix formatting and punctuation issues.

The line has spacing and dash usage issues that affect readability.

Apply this diff to fix the formatting:
-Note: API key handling is automatic - you only need to implement the key config processing if your provider requires additional configuration beyond API keys.
+Note: API key handling is automatic—you only need to implement the key config processing if your provider requires additional configuration beyond API keys.
docs/usage/http-transport/configuration/providers.md (1)
484-485: Fix environment variable name inconsistency.

There's an inconsistency between the environment variable name used here (AWS_SECRET_KEY) and the one referenced in the configuration examples (AWS_SECRET_ACCESS_KEY).

Apply this diff to match the configuration examples:
-export AWS_SECRET_KEY="your-secret-key"
+export AWS_SECRET_ACCESS_KEY="your-secret-key"
docs/usage/http-transport/openapi.json (1)
2777-2813: Add missing description for bedrock_key_config to keep schema uniform

azure_key_config and vertex_key_config each include a description field. bedrock_key_config omits it, which breaks consistency and causes autogenerated docs to render this object without context.
           "bedrock_key_config": {
             "type": "object",
+            "description": "Bedrock key configuration",
             "properties": {
ui/components/config/provider-form.tsx (3)
435-441: Initialize all optional fields for consistency.

Consider initializing all optional fields when creating a new bedrock_key_config to match the pattern used in createDefaultKey:
    if (!keyToUpdate.bedrock_key_config) {
      keyToUpdate.bedrock_key_config = {
        access_key: '',
        secret_key: '',
        session_token: '',
+       region: '',
+       arn: '',
+       deployments: {},
      }
    }
780-807: Fix missing label associations for accessibility.

The label elements are not properly associated with their input elements, impacting screen reader accessibility:
-                                  <label className="text-sm font-medium">Access Key (Required)</label>
+                                  <label htmlFor={`bedrock-access-key-${index}`} className="text-sm font-medium">Access Key (Required)</label>
                                   <Input
+                                    id={`bedrock-access-key-${index}`}
                                     placeholder="your-aws-access-key or env.AWS_ACCESS_KEY"
                                     value={key.bedrock_key_config?.access_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'access_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Secret Key (Required)</label>
+                                  <label htmlFor={`bedrock-secret-key-${index}`} className="text-sm font-medium">Secret Key (Required)</label>
                                   <Input
+                                    id={`bedrock-secret-key-${index}`}
                                     placeholder="your-aws-secret-key or env.AWS_SECRET_KEY"
                                     value={key.bedrock_key_config?.secret_key || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'secret_key', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Session Token (Optional)</label>
+                                  <label htmlFor={`bedrock-session-token-${index}`} className="text-sm font-medium">Session Token (Optional)</label>
                                   <Input
+                                    id={`bedrock-session-token-${index}`}
                                     placeholder="your-aws-session-token or env.AWS_SESSION_TOKEN"
                                     value={key.bedrock_key_config?.session_token || ''}
                                     onChange={(e) => updateKeyBedrockConfig(index, 'session_token', e.target.value)}
                                     className="transition-all duration-200 ease-in-out"
                                   />
                                 </div>
                                 <div>
-                                  <label className="text-sm font-medium">Deployments (Optional)</label>
+                                  <label htmlFor={`bedrock-deployments-${index}`} className="text-sm font-medium">Deployments (Optional)</label>
811-838: Add id attribute to deployments Textarea for accessibility.

Complete the accessibility fix by adding the id attribute to the Textarea element:
                                   <Textarea
+                                    id={`bedrock-deployments-${index}`}
                                     placeholder='{"gpt-4": "my-gpt4-deployment", "gpt-3.5-turbo": "my-gpt35-deployment"}'
transports/bifrost-http/lib/store.go (2)
55-55: Fix misleading comment about KeyID for bedrock_config

The comment incorrectly states that KeyID is empty for bedrock_config. Since Bedrock config is now a key-level configuration (like azure_config and vertex_config), the KeyID field is populated when processing Bedrock key configs.

544-590: Critical: Missing assignment of restored Bedrock config to key

The restored bedrockConfig is created and populated but never assigned back to redactedKeys[i].BedrockKeyConfig. Add the missing assignment before the closing brace:
 			bedrockConfig.ARN = key.BedrockKeyConfig.ARN
 		}
 
+		redactedKeys[i].BedrockKeyConfig = bedrockConfig
 	}
core/providers/bedrock.go (6)

253-253: Consider passing BedrockKeyConfig by pointer for better performance.

The completeRequest method signature should accept *schemas.BedrockKeyConfig instead of schemas.BedrockKeyConfig to avoid copying the struct, which may contain large deployment mappings.

820-820: Update method call if pointer parameter suggestion is accepted.

If completeRequest is updated to accept *schemas.BedrockKeyConfig, this call should pass key.BedrockKeyConfig directly without dereferencing.

945-945: Update method call if pointer parameter suggestion is accepted.

If completeRequest is updated to accept *schemas.BedrockKeyConfig, this call should pass key.BedrockKeyConfig directly without dereferencing.

1120-1122: Consider updating embedding handler signatures to accept pointer parameters.

Similar to the earlier suggestion, the embedding handler methods should accept *schemas.BedrockKeyConfig to avoid struct copying, and these calls should pass the pointer directly.

1129-1129: Update method signature to accept pointer parameter.

For consistency with the earlier suggestion, this method should accept *schemas.BedrockKeyConfig instead of schemas.BedrockKeyConfig by value.

1200-1200: Update method signature to accept pointer parameter.

For consistency with the earlier suggestion, this method should accept *schemas.BedrockKeyConfig instead of schemas.BedrockKeyConfig by value.

# Move Bedrock configuration from provider meta config to key-level config This PR refactors the AWS Bedrock provider to use key-level configuration instead of provider-level meta configuration. This change aligns Bedrock with other providers like Azure and Vertex AI that already use key-level configuration. Key changes: - Added `BedrockKeyConfig` struct to store AWS credentials and configuration - Removed the provider-level `meta` field and `MetaConfig` interface - Updated the Bedrock provider to read configuration from key config - Added support for empty key values when provider uses alternative credentials - Updated UI to show Bedrock configuration fields at the key level - Updated documentation and example configuration This change improves consistency across providers and allows for more flexible configuration when using multiple AWS credentials with different regions or deployments.

Pratham-Mishra04 requested review from akshaydeo and danpiths August 5, 2025 21:50