fix(bedrock): address upstream review findings

skamenan7 · skamenan7 · commit 742fe2a22928 · 2026-03-30T18:03:25.000-04:00
- catch PermissionDeniedError (403) alongside AuthenticationError (401)
  in openai_chat_completion; SigV4 AccessDenied and SignatureDoesNotMatch
  from AWS come back as 403, not 401, and were bypassing the sanitized
  error path and leaking raw provider messages

- add boto3 to pip_packages in the inference Bedrock provider registry
  spec; sigv4_auth.py imports botocore at module level so provider-scoped
  installs without boto3 would fail at runtime (safety spec already had it)

- make aws_role_arn the first branch in create_bedrock_client so that
  static credentials plus a role ARN correctly triggers assume-role
  instead of silently ignoring the role (matches inference adapter behavior)

- fix broken import in test_network_config.py; _build_network_client_kwargs
  was renamed to build_network_client_kwargs (public) in this PR but the
  test file was not updated, causing an ImportError at collection time

Signed-off-by: skamenan7 &lt;skamenan@redhat.com&gt;
diff --git a/src/llama_stack/providers/remote/inference/bedrock/bedrock.py b/src/llama_stack/providers/remote/inference/bedrock/bedrock.py
@@ -12,7 +12,7 @@
     from llama_stack.providers.remote.inference.bedrock.config import BedrockConfig
 
 import httpx
-from openai import AuthenticationError
+from openai import AuthenticationError, PermissionDeniedError
 from pydantic import PrivateAttr
 
 from llama_stack.log import get_logger
@@ -217,7 +217,9 @@ async def openai_chat_completion(
                 )
 
             return result
-        except AuthenticationError as e:
+        except (AuthenticationError, PermissionDeniedError) as e:
+            # PermissionDeniedError (403) covers SigV4 failures like SignatureDoesNotMatch
+            # and AccessDenied — same sanitized path as AuthenticationError (401)
             error_msg = str(e)
             self._handle_auth_error(error_msg, e, use_sigv4=use_sigv4)
         except Exception as e:
diff --git a/tests/unit/providers/utils/inference/test_network_config.py b/tests/unit/providers/utils/inference/test_network_config.py
@@ -12,11 +12,13 @@
 import pytest
 
 from llama_stack.providers.utils.inference.http_client import (
-    _build_network_client_kwargs,
     _build_proxy_mounts,
     _build_ssl_context,
     build_http_client,
 )
+from llama_stack.providers.utils.inference.http_client import (
+    build_network_client_kwargs as _build_network_client_kwargs,
+)
 from llama_stack.providers.utils.inference.model_registry import (
     NetworkConfig,
     ProxyConfig,
