{{ message }}
fix(site/src/pages/AISettingsPage): allow Bedrock IAM-role setup#26400
Merged
dannykopping merged 3 commits intoJun 16, 2026
Merged
Conversation
The Bedrock create form required access_key and access_key_secret, blocking deployments that authenticate against AWS via an IAM role, instance profile, or AWS_PROFILE. The backend already accepts a Bedrock provider configured by region alone (see codersdk.AIProviderBedrockSettings.IsConfigured), so the UI was the only thing standing between the operator and a working IAM-role provider. Drop the required() rule from accessKey/accessKeySecret in makeBedrockSchema while keeping the cross-validation that forces the two values to travel as a pair. Surface the new behavior in the form copy so an operator knows that blank inputs mean 'use ambient AWS credentials.' Adds providerFormValuesToCreate coverage for the no-credential and whitespace-only paths and two new ProviderForm stories: one that submits without static credentials, and one that verifies the half-typed pair stays blocked. Fixes CODAGT-626.
The AWS-environment fallback under the Bedrock access key fields now links to the canonical Bedrock provider section in the AI Gateway docs (Amazon Bedrock heading), so an operator who is unsure how the default credential chain resolves can land on the documented permissions and credential sources without leaving the page.
…WS docs The Bedrock model and small-fast model fields started blank with outdated Claude 3.x placeholders. Operators had to hand-type the fully qualified model ID, which is error-prone and easy to drift from the deployment defaults the env-seeded path already uses. Seed BEDROCK_DEFAULT_MODEL and BEDROCK_DEFAULT_SMALL_FAST_MODEL with the modern Sonnet 4.5 and Haiku 4.5 IDs from codersdk.aiGatewayBedrockModel and codersdk.aiGatewayBedrockSmallFastModel defaults so the form lines up with the legacy environment seed, and add the same values as placeholders so a cleared field still hints the canonical ID. Add a docs note under the model row pointing at the AWS Bedrock model cards page so an operator can find the latest model IDs without leaving the form. Refs AIGOV-411.
jeremyruppel
approved these changes
Jun 16, 2026
dannykopping
deleted the
danny/codagt-626-bedrock-ui-requires-access-keys-for-iam-role-setup
branch
dannykopping
added
backport
and removed
cherry-pick/v2.34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Bedrock create form required both
access_keyandaccess_key_secret, blocking deployments that authenticate against AWS through an IAM role, instance profile, orAWS_PROFILE. The backend already accepts a Bedrock provider that is configured by region alone (seecodersdk.AIProviderBedrockSettings.IsConfigured), so the UI was the only thing standing between the operator and a working IAM-role provider.The Yup schema now treats both fields as optional while keeping the cross-validation that forces the pair to travel together. A descriptive note under the inputs tells the operator that leaving both blank falls back to ambient AWS credentials, and links to the Amazon Bedrock section of the AI Gateway providers docs for the credential chain and IAM permissions. The mapping into
CreateAIProviderRequestalready omits empty credential fields, so the wire payload sends onlyregion,model, andsmall_fast_model, which is enough forIsConfigured()on the backend.The model and small-fast model fields are now pre-filled with the modern Sonnet 4.5 and Haiku 4.5 IDs from
codersdk.aiGatewayBedrockModel/codersdk.aiGatewayBedrockSmallFastModel, matching the legacy environment seed path. A second docs note under those fields points at the AWS Bedrock model cards page so operators can find the canonical model IDs without leaving the form. This also addresses the AIGOV-411 ask.Adds
providerFormValuesToCreatecoverage for the no-credential and whitespace-only paths, plus three newProviderFormstories: one that verifies the model fields pre-fill, one that submits without static credentials, and one that verifies a half-typed credential pair stays blocked.Closes CODAGT-626. Partial coverage for AIGOV-411 (model pre-fill plus docs link; combobox, model ID pattern validation, and docs site updates remain).
This PR was created by a Coder Agent on behalf of @dannykopping.