fix(site/src/pages/AISettingsPage): allow Bedrock IAM-role setup by dannykopping · Pull Request #26400 · coder/coder · GitHub
Skip to content

fix(site/src/pages/AISettingsPage): allow Bedrock IAM-role setup#26400

Merged
dannykopping merged 3 commits into
mainfrom
danny/codagt-626-bedrock-ui-requires-access-keys-for-iam-role-setup
Jun 16, 2026
Merged

fix(site/src/pages/AISettingsPage): allow Bedrock IAM-role setup#26400
dannykopping merged 3 commits into
mainfrom
danny/codagt-626-bedrock-ui-requires-access-keys-for-iam-role-setup

Conversation

@dannykopping

@dannykopping dannykopping commented Jun 16, 2026

Copy link
Copy Markdown
Contributor

The Bedrock create form required both access_key and access_key_secret, blocking deployments that authenticate against AWS through an IAM role, instance profile, or AWS_PROFILE. The backend already accepts a Bedrock provider that is configured by region alone (see codersdk.AIProviderBedrockSettings.IsConfigured), so the UI was the only thing standing between the operator and a working IAM-role provider.

The Yup schema now treats both fields as optional while keeping the cross-validation that forces the pair to travel together. A descriptive note under the inputs tells the operator that leaving both blank falls back to ambient AWS credentials, and links to the Amazon Bedrock section of the AI Gateway providers docs for the credential chain and IAM permissions. The mapping into CreateAIProviderRequest already omits empty credential fields, so the wire payload sends only region, model, and small_fast_model, which is enough for IsConfigured() on the backend.

The model and small-fast model fields are now pre-filled with the modern Sonnet 4.5 and Haiku 4.5 IDs from codersdk.aiGatewayBedrockModel / codersdk.aiGatewayBedrockSmallFastModel, matching the legacy environment seed path. A second docs note under those fields points at the AWS Bedrock model cards page so operators can find the canonical model IDs without leaving the form. This also addresses the AIGOV-411 ask.

Adds providerFormValuesToCreate coverage for the no-credential and whitespace-only paths, plus three new ProviderForm stories: one that verifies the model fields pre-fill, one that submits without static credentials, and one that verifies a half-typed credential pair stays blocked.

Closes CODAGT-626. Partial coverage for AIGOV-411 (model pre-fill plus docs link; combobox, model ID pattern validation, and docs site updates remain).

The Slack thread also flagged a separate edit-time regression: "if I go to edit an existing provider, all the fields I set are not on the UI." I did not see that reproduce against the masked-credential edit story, and the issue description focuses on the create flow, so I left it for a separate investigation rather than bundling it into this fix.

image

This PR was created by a Coder Agent on behalf of @dannykopping.

The Bedrock create form required access_key and access_key_secret,
blocking deployments that authenticate against AWS via an IAM role,
instance profile, or AWS_PROFILE. The backend already accepts a
Bedrock provider configured by region alone (see
codersdk.AIProviderBedrockSettings.IsConfigured), so the UI was the
only thing standing between the operator and a working IAM-role
provider.

Drop the required() rule from accessKey/accessKeySecret in
makeBedrockSchema while keeping the cross-validation that forces
the two values to travel as a pair. Surface the new behavior in the
form copy so an operator knows that blank inputs mean 'use ambient
AWS credentials.'

Adds providerFormValuesToCreate coverage for the no-credential and
whitespace-only paths and two new ProviderForm stories: one that
submits without static credentials, and one that verifies the
half-typed pair stays blocked.

Fixes CODAGT-626.
@linear-code

linear-code Bot commented Jun 16, 2026

Copy link
Copy Markdown

The AWS-environment fallback under the Bedrock access key fields now
links to the canonical Bedrock provider section in the AI Gateway
docs (Amazon Bedrock heading), so an operator who is unsure how the
default credential chain resolves can land on the documented
permissions and credential sources without leaving the page.
@dannykopping dannykopping requested a review from jakehwll June 16, 2026 09:02
…WS docs

The Bedrock model and small-fast model fields started blank with
outdated Claude 3.x placeholders. Operators had to hand-type the
fully qualified model ID, which is error-prone and easy to drift
from the deployment defaults the env-seeded path already uses.

Seed BEDROCK_DEFAULT_MODEL and BEDROCK_DEFAULT_SMALL_FAST_MODEL with
the modern Sonnet 4.5 and Haiku 4.5 IDs from
codersdk.aiGatewayBedrockModel and codersdk.aiGatewayBedrockSmallFastModel
defaults so the form lines up with the legacy environment seed, and
add the same values as placeholders so a cleared field still hints
the canonical ID.

Add a docs note under the model row pointing at the AWS Bedrock
model cards page so an operator can find the latest model IDs
without leaving the form.

Refs AIGOV-411.
@dannykopping dannykopping marked this pull request as ready for review June 16, 2026 09:30
@dannykopping dannykopping merged commit 0c1c4af into main Jun 16, 2026
42 checks passed
@dannykopping dannykopping deleted the danny/codagt-626-bedrock-ui-requires-access-keys-for-iam-role-setup branch June 16, 2026 14:37
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 16, 2026
@johnstcn johnstcn added the cherry-pick/v2.34 Cherry-pick PR targeting release/2.34 label Jun 16, 2026
@dannykopping dannykopping added backport and removed cherry-pick/v2.34 Cherry-pick PR targeting release/2.34 labels Jun 17, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants