Skip to content

Commit 742fe2a

Browse files
committed
fix(bedrock): address upstream review findings
- catch PermissionDeniedError (403) alongside AuthenticationError (401) in openai_chat_completion; SigV4 AccessDenied and SignatureDoesNotMatch from AWS come back as 403, not 401, and were bypassing the sanitized error path and leaking raw provider messages - add boto3 to pip_packages in the inference Bedrock provider registry spec; sigv4_auth.py imports botocore at module level so provider-scoped installs without boto3 would fail at runtime (safety spec already had it) - make aws_role_arn the first branch in create_bedrock_client so that static credentials plus a role ARN correctly triggers assume-role instead of silently ignoring the role (matches inference adapter behavior) - fix broken import in test_network_config.py; _build_network_client_kwargs was renamed to build_network_client_kwargs (public) in this PR but the test file was not updated, causing an ImportError at collection time Signed-off-by: skamenan7 <skamenan@redhat.com>
1 parent 51f319e commit 742fe2a

File tree

2 files changed

+7
-3
lines changed

2 files changed

+7
-3
lines changed

src/llama_stack/providers/remote/inference/bedrock/bedrock.py

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@
1212
from llama_stack.providers.remote.inference.bedrock.config import BedrockConfig
1313

1414
import httpx
15-
from openai import AuthenticationError
15+
from openai import AuthenticationError, PermissionDeniedError
1616
from pydantic import PrivateAttr
1717

1818
from llama_stack.log import get_logger
@@ -217,7 +217,9 @@ async def openai_chat_completion(
217217
)
218218

219219
return result
220-
except AuthenticationError as e:
220+
except (AuthenticationError, PermissionDeniedError) as e:
221+
# PermissionDeniedError (403) covers SigV4 failures like SignatureDoesNotMatch
222+
# and AccessDenied — same sanitized path as AuthenticationError (401)
221223
error_msg = str(e)
222224
self._handle_auth_error(error_msg, e, use_sigv4=use_sigv4)
223225
except Exception as e:

tests/unit/providers/utils/inference/test_network_config.py

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -12,11 +12,13 @@
1212
import pytest
1313

1414
from llama_stack.providers.utils.inference.http_client import (
15-
_build_network_client_kwargs,
1615
_build_proxy_mounts,
1716
_build_ssl_context,
1817
build_http_client,
1918
)
19+
from llama_stack.providers.utils.inference.http_client import (
20+
build_network_client_kwargs as _build_network_client_kwargs,
21+
)
2022
from llama_stack.providers.utils.inference.model_registry import (
2123
NetworkConfig,
2224
ProxyConfig,

0 commit comments

Comments
 (0)