Skip to content

Add AWS Bedrock support to ai-gateway-provider#521

Open
vikas-shopos wants to merge 1 commit into
cloudflare:mainfrom
vikas-shopos:feat/ai-gateway-bedrock-support
Open

Add AWS Bedrock support to ai-gateway-provider#521
vikas-shopos wants to merge 1 commit into
cloudflare:mainfrom
vikas-shopos:feat/ai-gateway-bedrock-support

Conversation

@vikas-shopos
Copy link
Copy Markdown

@vikas-shopos vikas-shopos commented May 2, 2026
edited
Loading

Summary

  • Add AWS Bedrock as a supported provider in the ai-gateway-provider package
  • Register URL pattern for bedrock-runtime.{region}.amazonaws.com with endpoint transform producing bedrock-runtime/{region}/{path} (matching Cloudflare AI Gateway's expected format)
  • Fix amazon-bedrock.ts provider wrapper to handle Bedrock's AWS SigV4 auth model (accessKeyId/secretAccessKey) instead of the generic authWrapper which only supports apiKey
  • Strip AWS SigV4 companion headers (x-amz-date, x-amz-security-token, x-amz-content-sha256) only in BYOK mode (when CF_TEMP_TOKEN is detected) — user-provided credentials are preserved
  • Add ProviderConfig type for type safety across the provider registry
  • Add endpoint transform tests including URL-encoded model IDs (v1%3A0)

Context

The Bedrock provider wrapper existed (providers/amazon-bedrock.ts) but requests failed with "provider not supported" because:

  1. No URL regex in providers.ts matched Bedrock's bedrock-runtime.{region}.amazonaws.com URLs
  2. The generic authWrapper tried to set apiKey, but Bedrock uses accessKeyId/secretAccessKey for AWS SigV4 signing
  3. AWS SigV4 headers needed to be stripped before forwarding to the gateway (Cloudflare re-signs with stored credentials)

Usage

import { createAiGateway } from "ai-gateway-provider";
import { createAmazonBedrock } from "ai-gateway-provider/providers/amazon-bedrock";
import { generateText } from "ai";

// BYOK mode — Cloudflare holds the AWS credentials
const gateway = createAiGateway({
  accountId: "your-cf-account-id",
  gateway: "your-gateway",
  apiKey: "your-cf-token",
});
const bedrock = createAmazonBedrock({ region: "us-east-1" });

const { text } = await generateText({
  model: gateway(bedrock("us.anthropic.claude-sonnet-4-5-20250929-v1:0")),
  prompt: "Hello!",
});

Test plan

  • Endpoint transform tests pass (15/15), including 2 new Bedrock cases (unencoded + URL-encoded model IDs)
  • All existing provider tests still pass (no regressions)
  • Manually verified end-to-end: request successfully routed through Cloudflare AI Gateway to Bedrock and received a valid response
  • Verify with client-provided AWS credentials (non-BYOK mode)

🤖 Generated with Claude Code

@vikas-shopos @claude
Add AWS Bedrock support to ai-gateway-provider
2ae0c44 
Bedrock was listed as a provider but requests failed with "provider not
supported" because no URL regex or endpoint transform existed in the
provider registry. This commit wires up full support:

- Add provider config for aws-bedrock in providers.ts with URL regex
  matching bedrock-runtime.{region}.amazonaws.com and endpoint transform
  that produces bedrock-runtime/{region}/{path}
- Fix amazon-bedrock.ts provider wrapper to inject CF_TEMP_TOKEN into
  accessKeyId/secretAccessKey (Bedrock uses AWS SigV4, not apiKey)
- Add extraStripHeaders for AWS SigV4 companion headers (x-amz-date,
  x-amz-security-token, x-amz-content-sha256), stripped only when
  BYOK mode is detected via CF_TEMP_TOKEN — real credentials are
  preserved when provided by the user
- Add ProviderConfig type to providers.ts for type safety
- Add endpoint transform tests including URL-encoded model IDs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 2, 2026

⚠️ No Changeset found

Latest commit: 2ae0c44

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

ArshVermaGit
ArshVermaGit reviewed May 11, 2026
View reviewed changes
Copy link
Copy Markdown

@ArshVermaGit ArshVermaGit left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Really solid addition overall — this closes the gap for Bedrock support cleanly and the approach makes sense, especially handling AWS SigV4 separately instead of forcing it through the generic authWrapper. I also like that the header stripping is scoped only to BYOK mode, which avoids accidentally breaking user-supplied credentials. The endpoint transform coverage for URL-encoded model IDs is a nice catch too since Bedrock model naming can get tricky. Given the added tests, manual end-to-end verification, and no regressions in existing providers, this looks ready to merge from my side.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ArshVermaGit ArshVermaGit ArshVermaGit left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vikas-shopos @ArshVermaGit