feat(bedrock): detect SSO token expiration and provide actionable error #1988

Open
loafoe wants to merge 1 commit into sipeed:main from loafoe:main

loafoe commented Mar 25, 2026

📝 Description

When AWS SSO credentials expire, the Bedrock provider now detects the specific error and provides a clear, actionable message instructing users to refresh their session.

Before:

Error processing message: LLM call failed after retries: bedrock converse: operation error Bedrock Runtime: Converse, get identity: get credentials: failed to refresh cached credentials, refresh cached SSO token failed...

After:

bedrock converse: AWS credentials may have expired. If using AWS SSO, run 'aws sso login' to refresh: <original error>

The detection is conservative - it only matches SSO-specific error patterns (SSO OIDC, cached SSO token errors, InvalidGrantException) to avoid misclassifying other AWS credential failures like STS ExpiredToken.

🗣️ Type of Change

  • 🐞 Bug fix (non-breaking change which fixes an issue)
  • ✨ New feature (non-breaking change which adds functionality)
  • 📖 Documentation update
  • ⚡ Code refactoring (no functional changes, no api changes)

🤖 AI Code Generation

  • 🤖 Fully AI-generated (100% AI, 0% Human)
  • 🛠️ Mostly AI-generated (AI draft, Human verified/modified)
  • 👨‍💻 Mostly Human-written (Human lead, AI assisted or none)

🔗 Related Issue

Follows up on #1903 (AWS Bedrock provider)

📚 Technical Context (Skip for Docs)

  • Reference URL: https://docs.aws.amazon.com/cli/latest/userguide/sso-using-profile.html
  • Reasoning: AWS SSO tokens expire after a configured period (default 8 hours). When users authenticate via aws sso login, credentials are cached but will eventually expire. The original error message from the AWS SDK is cryptic and doesn't clearly indicate the solution.

🧪 Test Environment

  • Hardware: MacBook Pro M3
  • OS: macOS
  • Model/Provider: AWS Bedrock with Claude
  • Channels: Telegram

📸 Evidence (Optional)

Click to view test results
=== RUN   TestIsSSOTokenError
=== RUN   TestIsSSOTokenError/nil_error
=== RUN   TestIsSSOTokenError/generic_error
=== RUN   TestIsSSOTokenError/SSO_config_error_not_expiration
=== RUN   TestIsSSOTokenError/STS_ExpiredToken_error
=== RUN   TestIsSSOTokenError/SSO_token_refresh_error
=== RUN   TestIsSSOTokenError/InvalidGrantException
=== RUN   TestIsSSOTokenError/SSO_OIDC_error
=== RUN   TestIsSSOTokenError/full_SSO_error_message
=== RUN   TestIsSSOTokenError/SSO_token_file_missing
--- PASS: TestIsSSOTokenError (0.00s)

☑️ Checklist

  • My code/docs follow the style of this project.
  • I have performed a self-review of my own changes.
  • I have updated the documentation accordingly.
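
An example of the conservative matching the description above outlines, added here for illustration; it is not the PR's code, whose diff does not appear on this page. The helper names `looksLikeSSOExpiry` and `wrapConverseErr`, the marker list and the sample error strings are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Assumed SSO-specific markers (lower-cased). The first comes from the
// "Before" message; STS "ExpiredToken" is deliberately not listed.
var ssoMarkers = []string{
	"refresh cached sso token failed",
	"sso oidc",
	"invalidgrantexception",
}

// looksLikeSSOExpiry (hypothetical) matches err's text against the markers.
func looksLikeSSOExpiry(err error) bool {
	if err == nil {
		return false
	}
	msg := strings.ToLower(err.Error())
	for _, m := range ssoMarkers {
		if strings.Contains(msg, m) {
			return true
		}
	}
	return false
}

// wrapConverseErr (hypothetical) adds the hint only on an SSO match and
// wraps with %w so errors.Is / errors.As still reach the original cause.
func wrapConverseErr(err error) error {
	switch {
	case err == nil:
		return nil
	case looksLikeSSOExpiry(err):
		return fmt.Errorf("bedrock converse: AWS credentials may have expired. "+
			"If using AWS SSO, run 'aws sso login' to refresh: %w", err)
	}
	return fmt.Errorf("bedrock converse: %w", err)
}

func main() {
	// Constructed sample errors, not captured SDK output.
	sso := errors.New("get credentials: failed to refresh cached credentials, refresh cached SSO token failed")
	sts := errors.New("api error ExpiredToken: The security token included in the request is expired")
	fmt.Println(wrapConverseErr(sso))
	fmt.Println(wrapConverseErr(sts))
}
```

Matching on message text breaks silently if the upstream wording changes, so the negative cases (STS expiry, SSO configuration errors) deserve tests as much as the positive ones.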

Copilot AI review requested due to automatic review settings March 25, 2026 06:04

Copilot AI left a comment

Pull request overview

Adds a more actionable error message for AWS Bedrock Converse calls when AWS SSO credentials are expired, guiding users to re-authenticate via aws sso login.

Changes:

  • Detect SSO-token-related failures on Converse errors and return a targeted “SSO session expired” message.
  • Add unit tests for the SSO token error detection helper.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File and description:

  • pkg/providers/bedrock/provider_bedrock.go: Adds SSO-expiration detection and wraps Converse errors with an actionable message.
  • pkg/providers/bedrock/provider_bedrock_test.go: Adds tests validating isSSOTokenError behavior.



Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.


When AWS SSO credentials expire, provide a clear error message instructing
the user to run 'aws sso login' to refresh their session.

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.


Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.


loafoe marked this pull request as ready for review March 25, 2026 06:34

loafoe commented Mar 25, 2026

@yinwm small change to improve error messaging for bedrock, mostly when developing

sipeed-bot added the labels "type: enhancement" (New feature or request), "domain: provider" and "go" (Pull requests that update go code) on Mar 25, 2026