
fix: Add optional ARN to AWS Bedrock connection to assume role when u…#4396

Open

mcjraquel wants to merge 4 commits into Agenta-AI:main from mcjraquel:fix/add-role-arn-to-aws-bedrock-model-connection

fix: Add optional ARN to AWS Bedrock connection to assume role when u…#4396
mcjraquel wants to merge 4 commits into
Agenta-AI:mainfrom
mcjraquel:fix/add-role-arn-to-aws-bedrock-model-connection

Conversation


@mcjraquel mcjraquel commented May 22, 2026

Summary

  Added AWS IAM role assumption support for Bedrock providers, enabling users to supply a Role ARN as an alternative to static credentials.

  - SDK: new _resolve_aws_credentials() in handlers.py — when aws_role_arn is present, calls AWS STS assume_role and replaces any static credentials with the short-lived session token before forwarding to litellm. Wired into both auto_ai_critique_v0 and _run_prompt_llm_config_with_retry. Adds boto3 as a production dependency.
  - Frontend: adds an optional Role ARN field to the Configure Provider drawer for Bedrock / Bedrock Converse / SageMaker; fixes a bug where required: false fields were forced required when a known provider was selected; wires roleArn ↔ aws_role_arn through LlmProvider type and secret transforms.

  ## Testing

  ### Verified locally

  - uv run pytest sdks/python/oss/tests/pytest/unit/ -v — all 32 unit tests pass
  - ruff format + ruff check --fix — clean in sdks/python/ and services/
  - pnpm lint-fix — no ESLint or TypeScript errors across all 11 web packages

  ### Added or updated tests

  New: sdks/python/oss/tests/pytest/unit/test_resolve_aws_credentials.py — 15 unit tests covering:
  - No-op path (no ARN → settings returned unchanged)
  - Both aws_role_arn and AWS_ROLE_ARN key casings trigger STS assume_role
  - Role ARN and uppercase AWS_* credential keys removed from result
  - Session token injected from STS response
  - Region defaults to us-east-1; resolved from aws_region_name, aws_region, or AWS_REGION
  - Base credentials forwarded to the STS client constructor
  - Original dict not mutated

  ### QA follow-up

  - Open Configure Provider drawer, select Bedrock — verify Role ARN field renders without * and form submits without a value
  - Supply a valid Role ARN — verify credentials are assumed correctly end-to-end against a real AWS account

  ## Demo

  N/A — backend credential resolution; no visible UI change beyond the new optional Role ARN input field in the drawer.

  ## Checklist

  - [x] I have included a video or screen recording for UI changes, or marked Demo as N/A
  - [x] Relevant tests pass locally
  - [x] Relevant linting and formatting pass locally
  - [x] I have signed the CLA, or I will sign it when the bot prompts me


@dosubot dosubot Bot added the size:M This PR changes 30-99 lines, ignoring generated files. label May 22, 2026

vercel Bot commented May 22, 2026

@mcjraquel is attempting to deploy a commit to the agenta projects Team on Vercel.

A member of the Team first needs to authorize it.


CLAassistant commented May 22, 2026

CLA assistant check
All committers have signed the CLA.


coderabbitai Bot commented May 22, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 9b7d3485-c325-44f7-9212-c59918f8c37c

📥 Commits

Reviewing files that changed from the base of the PR and between cb9caa0 and 527672b.

📒 Files selected for processing (2)
  • sdks/python/agenta/sdk/engines/running/handlers.py
  • sdks/python/oss/tests/pytest/unit/test_resolve_aws_credentials.py

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • AWS IAM role assumption support for Bedrock and SageMaker providers.
    • Users can enter an AWS IAM Role ARN in provider settings to enable role-based credentials.
    • Temporary STS credentials are obtained automatically when a Role ARN is configured.
  • UI

    • Provider configuration form now exposes a Role ARN field and refines required-field behavior for provider-specific inputs.
  • Tests

    • Added unit tests covering AWS role-assumption credential resolution.

Walkthrough

This PR introduces AWS IAM role assumption credential resolution across the Agenta platform. The backend adds a helper function that detects role ARNs and uses boto3 STS to obtain temporary credentials, integrates it into two LLM execution paths, and includes comprehensive unit tests. The frontend extends provider types and configuration UI to capture role ARN input and maps it through form initialization and secret transforms.

Changes

AWS Role Assumption Credential Resolution

Layer / File(s) Summary
Core credential resolution implementation
sdks/python/agenta/sdk/engines/running/handlers.py, sdks/python/pyproject.toml
_resolve_aws_credentials() detects role ARN (case-insensitive) and uses boto3 STS to assume the role, replacing long-lived credentials with temporary session credentials while removing role ARN and uppercase credential keys from output. Added boto3>=1,<2 dependency.
Backend integration and comprehensive validation
sdks/python/agenta/sdk/engines/running/handlers.py, sdks/python/oss/tests/pytest/unit/test_resolve_aws_credentials.py
auto_ai_critique_v0 and _run_prompt_llm_config_with_retry now call _resolve_aws_credentials() before credential coercion. Tests validate no-op paths, role ARN case variations, output shape normalization, credential key cleanup, value replacement, region resolution, STS client initialization with base credentials, and dict immutability.
Frontend type contracts and provider configuration
web/packages/agenta-shared/src/types/llmProvider.ts, web/oss/src/components/ModelRegistry/Drawers/ConfigureProviderDrawer/assets/constants.ts
LlmProvider interface includes optional roleArn field. PROVIDER_FIELDS adds roleArn as optional for Bedrock/Bedrock-converse/SageMaker models.
Frontend form initialization and secret transformation
web/oss/src/components/ModelRegistry/Drawers/ConfigureProviderDrawer/assets/ConfigureProviderDrawerContent.tsx, web/packages/agenta-entities/src/secret/core/transforms.ts
Form initialValues includes roleArn (empty string). isRequired validation treats explicitly non-required fields as optional even when provider filtering is active. Secret transforms map extras.aws_role_arn ↔ values.roleArn.

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 15.00% which is insufficient. The required threshold is 60.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Title check ❓ Inconclusive The title is partially related to the changeset, mentioning the main feature (optional ARN for AWS Bedrock role assumption) but is truncated and incomplete. Complete the title to reflect the full scope. Example: 'fix: Add optional IAM role ARN support for AWS Bedrock connections' or clarify the intended ending of 'when u...' with complete wording.
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The description is comprehensive and directly related to the changeset, covering SDK changes, frontend updates, testing, and verification across all modified files.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


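The resolver that the PR description (SDK bullet) and the CodeRabbit walkthrough above both describe, reconstructed here as an added example in Python. This is not the Agenta SDK's `_resolve_aws_credentials`, whose body the page does not show; the names `resolve_aws_credentials`, `FakeSTS`, the `sts_factory` hook and the `session_name`, `duration_seconds` and `external_id` parameters are assumptions, and the named session, bounded duration and ExternalId guard go beyond what the PR adds (they are what a reviewer would ask for on any role-assumption path). A constructed fake STS client stands in for boto3 so the block runs offline with no real AWS keys.

```python
# Key spellings recognised for the role ARN and region (both casings, as the PR describes).
ROLE_ARN_KEYS = ("aws_role_arn", "AWS_ROLE_ARN")
REGION_KEYS = ("aws_region_name", "aws_region", "AWS_REGION")
DEFAULT_REGION = "us-east-1"
# Static credential keys, canonical name -> accepted spellings; all are stripped from the output.
CRED_KEYS = {
    "aws_access_key_id": ("aws_access_key_id", "AWS_ACCESS_KEY_ID"),
    "aws_secret_access_key": ("aws_secret_access_key", "AWS_SECRET_ACCESS_KEY"),
    "aws_session_token": ("aws_session_token", "AWS_SESSION_TOKEN"),
}


def _first(settings, keys):
    """First non-empty value among the given key spellings, else None."""
    return next((settings[k] for k in keys if settings.get(k)), None)


def _boto3_sts_factory(**client_kwargs):
    """Default STS factory, imported lazily so the module loads without boto3 (assumed >= 1)."""
    import boto3

    return boto3.client("sts", **client_kwargs)


def resolve_aws_credentials(
    settings,
    *,
    session_name="agenta-bedrock",  # assumption: recorded in CloudTrail for the role session
    duration_seconds=900,  # STS minimum, so the issued credentials stay short-lived
    external_id=None,  # assumption: confused-deputy guard for cross-account roles
    sts_factory=_boto3_sts_factory,  # hypothetical hook; swapped for a fake in demo()
):
    """Copy of settings with static AWS credentials swapped for STS-issued ones.

    No role ARN: return the input unchanged as a copy (the caller's dict is never mutated).
    Role ARN present: assume it, drop the ARN and every static credential spelling, then
    inject the temporary key, secret and session token.
    """
    role_arn = _first(settings, ROLE_ARN_KEYS)
    if not role_arn:
        return dict(settings)
    region = _first(settings, REGION_KEYS) or DEFAULT_REGION

    # Build the STS client from the user's base credentials; with none present boto3
    # falls back to its ambient chain (env vars, instance profile, ...).
    client_kwargs = {"region_name": region}
    for canonical, spellings in CRED_KEYS.items():
        if value := _first(settings, spellings):
            client_kwargs[canonical] = value
    sts = sts_factory(**client_kwargs)

    assume_kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
                     "DurationSeconds": duration_seconds}
    if external_id:
        assume_kwargs["ExternalId"] = external_id
    creds = sts.assume_role(**assume_kwargs)["Credentials"]

    # Copy, then remove the ARN and all static credential spellings so neither the long-lived
    # secret nor a base session token reaches the downstream provider call.
    resolved = dict(settings)
    for key in ROLE_ARN_KEYS + sum(CRED_KEYS.values(), ()):
        resolved.pop(key, None)
    resolved["aws_access_key_id"] = creds["AccessKeyId"]
    resolved["aws_secret_access_key"] = creds["SecretAccessKey"]
    resolved["aws_session_token"] = creds["SessionToken"]
    return resolved


class FakeSTS:
    """Constructed stand-in for boto3's STS client so the example runs offline."""

    def __init__(self, **client_kwargs):
        self.client_kwargs = client_kwargs
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIATEMPKEY", "SecretAccessKey": "temp-secret",
                                "SessionToken": "temp-session-token"}}


def demo():
    """Resolve a constructed settings dict through FakeSTS; returns (output, fake, input)."""
    created = []

    def factory(**client_kwargs):
        created.append(FakeSTS(**client_kwargs))
        return created[-1]

    # Constructed input: mixed-case keys, a base session token, placeholder values only.
    settings = {
        "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/bedrock-invoke",
        "aws_access_key_id": "AKIABASEKEY", "aws_secret_access_key": "base-secret",
        "AWS_SESSION_TOKEN": "base-session-token", "aws_region": "eu-west-1",
        "model": "bedrock/anthropic.claude-3-haiku",
    }
    return resolve_aws_credentials(settings, sts_factory=factory), created[0], settings
```

The two properties worth checking on any implementation of this path: every spelling of the static credentials, a base session token included, is gone from the dict handed to litellm, and the STS client is built from those base credentials rather than from the returned dict. With boto3 installed, omitting `sts_factory` makes the same `assume_role` call against real STS.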


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
sdks/python/oss/tests/pytest/unit/test_resolve_aws_credentials.py (1)

195-232: ⚡ Quick win

Add regression coverage for forwarding source AWS_SESSION_TOKEN

Current forwarding tests cover key/secret but not source session token. Please add a case asserting aws_session_token (and/or AWS_SESSION_TOKEN) is passed into boto3.client(...).

🧪 Suggested test addition
+def test_base_session_token_forwarded_to_sts():
+    sts = _mock_sts()
+    settings = {
+        "aws_role_arn": _ROLE_ARN,
+        "aws_access_key_id": "BASE_KEY",
+        "aws_secret_access_key": "BASE_SECRET",
+        "aws_session_token": "BASE_TOKEN",
+    }
+
+    with patch("boto3.client", return_value=sts) as mock_client:
+        _resolve_aws_credentials(settings)
+
+    mock_client.assert_called_once_with(
+        "sts",
+        aws_access_key_id="BASE_KEY",
+        aws_secret_access_key="BASE_SECRET",
+        aws_session_token="BASE_TOKEN",
+        region_name="us-east-1",
+    )
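Review bot: the closing assert_called_once_with in this suggested test only proves that BASE_TOKEN reaches boto3.client(...); it never looks at what _resolve_aws_credentials(settings) returns, so it would still pass if the source session token survived in the output next to the STS-issued one. Capture the return value and add a check that the base token is gone, for example `result = _resolve_aws_credentials(settings)` followed by `assert result["aws_session_token"] != "BASE_TOKEN"` and `assert "AWS_SESSION_TOKEN" not in result`, so the test also guards the replacement the PR description promises ("Session token injected from STS response"). The exact-kwargs assertion is also brittle: any extra client argument added later (an endpoint URL, a Config object) fails it even though forwarding is still correct; asserting on `mock_client.call_args.kwargs["aws_session_token"]` is narrower and survives such changes.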

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 4fd33654-96e0-4922-9315-d8c180805f5e

📥 Commits

Reviewing files that changed from the base of the PR and between 5eef689 and 659384e.

⛔ Files ignored due to path filters (3)
  • api/uv.lock is excluded by !**/*.lock
  • sdks/python/uv.lock is excluded by !**/*.lock
  • services/uv.lock is excluded by !**/*.lock
📒 Files selected for processing (7)
  • sdks/python/agenta/sdk/engines/running/handlers.py
  • sdks/python/oss/tests/pytest/unit/test_resolve_aws_credentials.py
  • sdks/python/pyproject.toml
  • web/oss/src/components/ModelRegistry/Drawers/ConfigureProviderDrawer/assets/ConfigureProviderDrawerContent.tsx
  • web/oss/src/components/ModelRegistry/Drawers/ConfigureProviderDrawer/assets/constants.ts
  • web/packages/agenta-entities/src/secret/core/transforms.ts
  • web/packages/agenta-shared/src/types/llmProvider.ts

junaway (Contributor) commented May 22, 2026

Hi @mcjraquel,

Thank you for your contribution.

While we review it, could you please take a look at the QA agent's comments.
Also, would you be interested in opening a PR for this issue?

Cheers,

mcjraquel (Author) replied:

Hi, @junaway. I can work on the issue you linked.


Labels

Backend; Feature Request (New feature or request); Frontend; size:M (This PR changes 30-99 lines, ignoring generated files); tests
