Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: Enable default authentication method with Amazon EC2 Instance Profile for Amazon Bedrock LLM provider #1700

Open
trevorstr opened this issue Feb 18, 2025 · 0 comments
Open

Feature Request: Enable default authentication method with Amazon EC2 Instance Profile for Amazon Bedrock LLM provider #1700

trevorstr opened this issue Feb 18, 2025 · 0 comments

Comments

@trevorstr
Copy link

Feature description

By default, all of the AWS SDKs (including boto3) attempt to dynamically retrieve temporary credentials using a "metadata endpoint" on EC2 instances, Lambda Functions, and AWS Fargate tasks. This authentication mechanism avoids the requirement of providing static credentials from an AWS IAM User account, in favor of creating an IAM Role identity.

According to the documentation for MetaGPT, the only supported authentication mechanism for Amazon Bedrock is to create an IAM User, with a static access key and secret key.

Could you please support using the default IAM Instance Profile, which requires no additional configuration, provided that MetaGPT is running on AWS Fargate or EC2 instances?

Image

In AWS Fargate, it's called a "Task Role": https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html

For EC2 instances it's called the "IAM Instance Profile": https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html

Here's the boto3 documentation that describes the process that the AWS SDK uses to "find" credentials: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html

Boto3 will look in several locations when searching for credentials. The mechanism in which Boto3 looks for credentials is to search through a list of possible locations and stop as soon as it finds credentials. The order in which Boto3 searches for credentials is:

  • Passing credentials as parameters in the boto3.client() method
  • Passing credentials as parameters when creating a Session object
  • Environment variables
  • Assume role provider
  • Assume role with web identity provider
  • AWS IAM Identity Center credential provider
  • Shared credential file (~/.aws/credentials)
  • AWS config file (~/.aws/config)
  • Boto2 config file (/etc/boto.cfg and ~/.boto)
  • Container credential provider
  • Instance metadata service on an Amazon EC2 instance that has an IAM role configured.
Image

I'm referring to 10 and 11 in the above screenshot, rather than specifying static credentials.

Honestly, it's quite possible that MetaGPT already supports this authentication mechanism for Bedrock, but I don't see documentation (for MetaGPT) on how to configure it to use the default credential chain.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@trevorstr