Skip to content

Bedrock: support cross-account AssumeRole credential provider#566

Open
amjosuesanchez wants to merge 1 commit into
laravel:0.xfrom
amjosuesanchez:bedrock-assume-role-credentials
Open

Bedrock: support cross-account AssumeRole credential provider#566
amjosuesanchez wants to merge 1 commit into
laravel:0.xfrom
amjosuesanchez:bedrock-assume-role-credentials

Conversation

@amjosuesanchez

@amjosuesanchez amjosuesanchez commented May 12, 2026

Copy link
Copy Markdown

Summary

Adds STS AssumeRole support to the Bedrock provider, enabling cross-account access to Bedrock models. This is the standard AWS pattern for workloads that run in one account but need to invoke Bedrock in another (e.g., an ECS task in account A assuming a Bedrock-invoker role in account B).

Tested in production with ECS Fargate workloads assuming cross-account roles.

Usage

// config/ai.php
'bedrock' => [
    'driver' => 'bedrock',
    'region' => env('AWS_BEDROCK_REGION', 'us-east-1'),
    'use_default_credential_provider' => true,
    'assume_role_arn' => env('AWS_BEDROCK_ASSUME_ROLE_ARN'),
    'assume_role_session_name' => env('AWS_BEDROCK_ASSUME_ROLE_SESSION_NAME'),
    'assume_role_duration_seconds' => env('AWS_BEDROCK_ASSUME_ROLE_DURATION_SECONDS', 3600),
    'assume_role_external_id' => env('AWS_BEDROCK_ASSUME_ROLE_EXTERNAL_ID'),
],

When assume_role_arn is set, the provider creates an STS client using the SDK's default credential chain (instance profile, ECS task role, etc.), assumes the target role, and passes the resulting temporary credentials to the Bedrock client. Credentials are memoized and automatically refreshed ~5 minutes before expiration.

Approach

The implementation follows the same trait-based concern pattern used by CreatesBedrockClient. No new Composer dependencies — aws/aws-sdk-php (already required) includes Aws\Sts\StsClient and Aws\Credentials\AssumeRoleCredentialProvider.

Credential Resolution Priority

  1. Bearer token (key)
  2. Static IAM credentials (access_key_id + secret_access_key)
  3. AssumeRole (assume_role_arn) — new
  4. Default credential provider chain (SDK auto-discovery)

AssumeRole is checked before use_default_credential_provider because an explicit role ARN represents a stronger intent signal than the boolean flag — disabling default credentials should not silently ignore a configured role.

Tests

Added 8 unit tests covering:

  • Assume role produces a callable credential provider
  • Empty/null ARN is ignored
  • Priority: bearer token > static IAM > assume role > default chain
  • Assume role wins over use_default_credential_provider: false
  • Provider passes through all four config keys

Doc: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@amjosuesanchez