feat(bedrock_mantle): add SigV4/IAM auth to Responses API route#29711
feat(bedrock_mantle): add SigV4/IAM auth to Responses API route#29711jeremymcgee73 wants to merge 2 commits into
Conversation
|
|
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
jeremymcgee73
force-pushed
the
litellm_bedrock-mantle-responses-sigv4
branch
3 times, most recently
from
7c32b91 to
64c07d6
Compare
Greptile SummaryThis PR adds SigV4/IAM authentication to the Bedrock Mantle Responses API route, complementing the existing Bearer-token path added in #29490.
Confidence Score: 4/5The SigV4 signing flow is correct for primary IAM/IRSA use cases, but Region resolution is split across two helpers: litellm/llms/bedrock_mantle/responses/transformation.py — specifically the
|
| Filename | Overview |
|---|---|
| litellm/llms/base_llm/responses/transformation.py | Adds a no-op sign_request hook to BaseResponsesAPIConfig; clean extension point with no correctness concerns. |
| litellm/llms/bedrock_mantle/responses/transformation.py | Adds SigV4/IAM auth alongside existing Bearer-token auth; introduces _use_sigv4, sign_request, and _explicit_region. Region resolution diverges between URL building and signing when AWS_REGION_NAME is the sole signal. |
| litellm/llms/custom_httpx/llm_http_handler.py | Wires sign_request hook into all four Responses API send paths. Logic is correct and consistent across all call sites. |
| tests/test_litellm/llms/bedrock_mantle/test_bedrock_mantle_responses_transformation.py | Comprehensive unit tests using mocks only (respx_mock / _RecordingConfig) — no real network calls. |
Reviews (5): Last reviewed commit: "fix(bedrock_mantle): validate aws_region..." | Re-trigger Greptile
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
|
@jeremymcgee73 Can you please resolve the comments by greptile? Also please take it out of draft once ready for review again |
Follow-up to BerriAI#29490, which landed routing and price-map entries for gpt-5.5/gpt-5.4 on the bedrock-mantle /openai/v1/responses path but implemented only the Bearer-token auth path. IAM-only deployments (EKS/ECS with IRSA, no long-lived static secrets) had no working path. BedrockMantleResponsesAPIConfig now multi-inherits BaseAWSLLM and selects auth automatically: a bearer key (api_key, BEDROCK_MANTLE_API_KEY, or AWS_BEARER_TOKEN_BEDROCK) keeps the existing behavior, otherwise it signs with SigV4 from the standard AWS credential chain, reusing the same signing the sibling bedrock/mantle Claude route already performs. Signing is done through the provider sign_request hook, which the Responses HTTP handler now invokes just before the request goes out and whose returned body bytes it sends verbatim. This mirrors the chat and embedding handlers and is required for SigV4 correctness: signing has to happen after every body mutation (normalize, extra_body, and the fake-stream "stream" strip) and the exact signed bytes must reach the wire, otherwise the body hash in the signature would not match what is sent. The default hook is a no-op, so other Responses providers are unaffected. get_llm_provider injects a default Mantle host whose region is resolved without aws_region_name, so the signing region could diverge from the host region and the endpoint rejected the request. The host region is now pinned to the resolved signing region, and signing uses the region in the URL actually posted to. The default region is corrected to us-east-2, where these models are currently available. No routing or price-map changes; BerriAI#29490 covers those.
jeremymcgee73
force-pushed
the
litellm_bedrock-mantle-responses-sigv4
branch
from
64c07d6 to
6edd986
Compare
![veria-ai[bot]](https://avatars.githubusercontent.com/in/1723776?s=60&v=4){kind=small}
PR overviewAll previously flagged issues have been addressed. No open security concerns remain on this pull request. Security reviewNo open security issues remain on this pull request. Fixed/addressed: 1 · PR risk: 0/10 |
Prevents bearer-token exfiltration via a malicious region value injected through a proxy request. The resolved region is now validated against the existing _validate_aws_region_name regex (lowercase alphanumerics and hyphens only) before it is interpolated into the endpoint URL. Flagged by Veria AI on PR BerriAI#29711.
|
Hey @jeremymcgee73 this already got merged: #29788 |
|
@jeremymcgee73 — could you add a screenshot or short video showing that this change works as expected? It really helps reviewers verify the fix quickly. Thanks! |
I think we should be good with this MR. |
4 participants
Relevant issues
Resolves #29665 (SigV4 / IAM-role auth)
Follow-up to #29490, which landed routing and Bearer-token auth for the bedrock-mantle
/openai/v1/responsespath but explicitly deferred SigV4/IAM auth. This leaves IAM-only deployments (EKS/ECS with IRSA, no long-lived static secrets) with no working path to the Responses endpoint.Pre-Submission checklist
make test-unit@greptileaiand received a Confidence Score of at least 4/5 before requesting a maintainer reviewScreenshots / Proof of Fix
Tested live against
bedrock-mantle.us-east-2.api.aws/openai/v1/responseswith IAM creds (Isengard Admin role, no bearer token). Verified sync non-stream, sync stream, and async stream all return 200 with valid Responses payloads, signed with SigV4 from the standard boto3 credential chain.Streaming SSE events returned successfully. Full QA runbook will be added before removing draft status.
Type
New Feature
Changes
BedrockMantleResponsesAPIConfignow multi-inheritsBaseAWSLLMand selects auth automatically: a bearer key keeps existing behavior, otherwise it signs with SigV4 from the standard AWS credential chain. Signing uses the providersign_requesthook (added toBaseResponsesAPIConfig), which the Responses HTTP handler invokes after all body mutations and whose returned body bytes it sends verbatim. This mirrors the chat/embedding handler pattern and guarantees the signed body hash matches what goes on the wire.The default region is corrected to us-east-2 (where these models are currently available), and
get_complete_urlpins the host region to the resolved signing region so they never diverge.No routing or price-map changes; #29490 covers those.