getcompanion-ai/co-mono
1
0
Fork 0
mirror of https://github.com/getcompanion-ai/co-mono.git synced 2026-04-18 19:03:41 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(ai): add AWS ECS/IRSA credential detection for Bedrock, fixes #848

Browse source 
Added support for additional AWS credential environment variables:
- AWS_CONTAINER_CREDENTIALS_RELATIVE_URI (ECS task roles)
- AWS_CONTAINER_CREDENTIALS_FULL_URI (ECS task roles)
- AWS_WEB_IDENTITY_TOKEN_FILE (IRSA for Kubernetes)

Also fixed undefined currentModel variable in OAuth error handling.
This commit is contained in:
Mario Zechner 2026-01-19 16:09:59 +01:00
parent cd0df4c0dd
commit 2b04aefa6d
3 changed files with 17 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

4
packages/ai/CHANGELOG.md
View file

@ -2,6 +2,10 @@
## [Unreleased] ## [Unreleased]
### Added
- Added AWS credential detection for ECS/Kubernetes environments: `AWS_CONTAINER_CREDENTIALS_RELATIVE_URI`, `AWS_CONTAINER_CREDENTIALS_FULL_URI`, `AWS_WEB_IDENTITY_TOKEN_FILE` ([#848](https://github.com/badlogic/pi-mono/issues/848))
### Fixed ### Fixed
- Fixed OpenAI Responses 400 error "reasoning without following item" by skipping errored/aborted assistant messages entirely in transform-messages.ts ([#838](https://github.com/badlogic/pi-mono/pull/838)) - Fixed OpenAI Responses 400 error "reasoning without following item" by skipping errored/aborted assistant messages entirely in transform-messages.ts ([#838](https://github.com/badlogic/pi-mono/pull/838))

8
packages/ai/src/stream.ts
View file

@ -80,10 +80,16 @@ export function getEnvApiKey(provider: any): string | undefined {
// 1. AWS_PROFILE - named profile from ~/.aws/credentials // 1. AWS_PROFILE - named profile from ~/.aws/credentials
// 2. AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY - standard IAM keys // 2. AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY - standard IAM keys
// 3. AWS_BEARER_TOKEN_BEDROCK - Bedrock API keys (bearer token) // 3. AWS_BEARER_TOKEN_BEDROCK - Bedrock API keys (bearer token)
// 4. AWS_CONTAINER_CREDENTIALS_RELATIVE_URI - ECS task roles
// 5. AWS_CONTAINER_CREDENTIALS_FULL_URI - ECS task roles (full URI)
// 6. AWS_WEB_IDENTITY_TOKEN_FILE - IRSA (IAM Roles for Service Accounts)
if ( if (
process.env.AWS_PROFILE || process.env.AWS_PROFILE ||
(process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) || (process.env.AWS_ACCESS_KEY_ID && process.env.AWS_SECRET_ACCESS_KEY) ||
process.env.AWS_BEARER_TOKEN_BEDROCK process.env.AWS_BEARER_TOKEN_BEDROCK ||
process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ||
process.env.AWS_CONTAINER_CREDENTIALS_FULL_URI ||
process.env.AWS_WEB_IDENTITY_TOKEN_FILE
) { ) {
return "<authenticated>"; return "<authenticated>";
} }

11
packages/coding-agent/src/core/sdk.ts
View file

@ -641,17 +641,18 @@ export async function createAgentSession(options: CreateAgentSessionOptions = {}
} }
const key = await modelRegistry.getApiKeyForProvider(resolvedProvider); const key = await modelRegistry.getApiKeyForProvider(resolvedProvider);
if (!key) { if (!key) {
const isOAuth = modelRegistry.isUsingOAuth(currentModel); const model = agent.state.model;
const isOAuth = model && modelRegistry.isUsingOAuth(model);
if (isOAuth) { if (isOAuth) {
throw new Error( throw new Error(
`Authentication failed for "${currentModel.provider}". ` + `Authentication failed for "${resolvedProvider}". ` +
`Credentials may have expired or network is unavailable. ` + `Credentials may have expired or network is unavailable. ` +
`Run '/login ${currentModel.provider}' to re-authenticate.`, `Run '/login ${resolvedProvider}' to re-authenticate.`,
); );
} }
throw new Error( throw new Error(
`No API key found for "${currentModel.provider}". ` + `No API key found for "${resolvedProvider}". ` +
`Set an API key environment variable or run '/login ${currentModel.provider}'.`, `Set an API key environment variable or run '/login ${resolvedProvider}'.`,
); );
} }
return key; return key;