feat: Add AWS Bedrock API key authentication support

- Add AWS_BEARER_TOKEN_BEDROCK environment variable to CLI constants - Update English and Portuguese documentation with both IAM and API key auth methods - Document boto3 v1.393+ requirement for API key authentication - Add comprehensive tests for both authentication methods - Include links to AWS console for API key generation Addresses issue #3125 Co-Authored-By: Jo\u00E3o <joao@crewai.com>
2026-01-09 08:08:32 +00:00 · 2025-07-09 12:15:57 +00:00
parent f071966951
commit a670b2b35e
4 changed files with 152 additions and 3 deletions
--- a/docs/en/concepts/llms.mdx
+++ b/docs/en/concepts/llms.mdx
@@ -311,20 +311,38 @@ In this section, you'll find detailed examples that help you select, configure,
  </Accordion>

  <Accordion title="AWS Bedrock">
+    Amazon Bedrock supports two authentication methods:
+
+    **Method 1: IAM Role Authentication (Recommended for Production)**
    ```toml Code
    AWS_ACCESS_KEY_ID=<your-access-key>
    AWS_SECRET_ACCESS_KEY=<your-secret-key>
    AWS_DEFAULT_REGION=<your-region>
    ```

+    **Method 2: API Key Authentication (Recommended for Development)**
+    ```toml Code
+    AWS_BEARER_TOKEN_BEDROCK=<your-api-key>
+    AWS_DEFAULT_REGION=<your-region>
+    ```
+
    Example usage in your CrewAI project:
    ```python Code
+    # Using IAM role authentication
+    llm = LLM(
+        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+    )
+
+    # Using API key authentication  
    llm = LLM(
        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
    )
    ```

-    Before using Amazon Bedrock, make sure you have boto3 installed in your environment
+    **Requirements:**
+    - Before using Amazon Bedrock, make sure you have boto3 v1.393+ installed in your environment
+    - For API key authentication, you can generate a 30-day API key from the [Amazon Bedrock console](https://console.aws.amazon.com/bedrock/)
+    - For production applications, use IAM roles or temporary credentials instead of long-term API keys

    [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html) is a managed service that provides access to multiple foundation models from top AI companies through a unified API, enabling secure and responsible AI application development.

--- a/docs/pt-BR/concepts/llms.mdx
+++ b/docs/pt-BR/concepts/llms.mdx
@@ -309,20 +309,38 @@ Nesta seção, você encontrará exemplos detalhados que ajudam a selecionar, co
  </Accordion>

  <Accordion title="AWS Bedrock">
+    O Amazon Bedrock suporta dois métodos de autenticação:
+
+    **Método 1: Autenticação por Função IAM (Recomendado para Produção)**
    ```toml Code
    AWS_ACCESS_KEY_ID=<your-access-key>
    AWS_SECRET_ACCESS_KEY=<your-secret-key>
    AWS_DEFAULT_REGION=<your-region>
    ```

+    **Método 2: Autenticação por Chave de API (Recomendado para Desenvolvimento)**
+    ```toml Code
+    AWS_BEARER_TOKEN_BEDROCK=<your-api-key>
+    AWS_DEFAULT_REGION=<your-region>
+    ```
+
    Exemplo de uso em seu projeto CrewAI:
    ```python Code
+    # Usando autenticação por função IAM
+    llm = LLM(
+        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+    )
+
+    # Usando autenticação por chave de API
    llm = LLM(
        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
    )
    ```

-    Antes de usar o Amazon Bedrock, certifique-se de ter o boto3 instalado em seu ambiente
+    **Requisitos:**
+    - Antes de usar o Amazon Bedrock, certifique-se de ter o boto3 v1.393+ instalado em seu ambiente
+    - Para autenticação por chave de API, você pode gerar uma chave de 30 dias no [console do Amazon Bedrock](https://console.aws.amazon.com/bedrock/)
+    - Para aplicações de produção, use funções IAM ou credenciais temporárias em vez de chaves de API de longo prazo

    [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html) é um serviço gerenciado que fornece acesso a múltiplos modelos fundamentais dos principais provedores de IA através de uma API unificada, permitindo o desenvolvimento seguro e responsável de aplicações de IA.

@@ -881,4 +899,4 @@ Saiba como obter o máximo da configuração do seu LLM:
    llm = LLM(model="openai/gpt-4o")  # 128K tokens
    ```
  </Tab>
-</Tabs>
+</Tabs>
--- a/src/crewai/cli/constants.py
+++ b/src/crewai/cli/constants.py
@@ -62,6 +62,10 @@ ENV_VARS = {
            "prompt": "Enter your AWS Region Name (press Enter to skip)",
            "key_name": "AWS_REGION_NAME",
        },
+        {
+            "prompt": "Enter your AWS Bedrock API Key (press Enter to skip)",
+            "key_name": "AWS_BEARER_TOKEN_BEDROCK",
+        },
    ],
    "azure": [
        {
--- a/tests/test_bedrock_authentication.py
+++ b/tests/test_bedrock_authentication.py
@@ -0,0 +1,109 @@
+import os
+import pytest
+from unittest.mock import patch, MagicMock
+from crewai import LLM
+
+
+class TestBedrockAuthentication:
+    """Test AWS Bedrock authentication methods."""
+
+    @patch.dict(os.environ, {
+        'AWS_ACCESS_KEY_ID': 'test-key-id',
+        'AWS_SECRET_ACCESS_KEY': 'test-secret-key', 
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_iam_authentication(self, mock_completion):
+        """Test Bedrock with IAM role authentication."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_authentication(self, mock_completion):
+        """Test Bedrock with API key authentication."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"
+
+    def test_bedrock_missing_credentials(self):
+        """Test Bedrock fails gracefully with missing credentials."""
+        with patch.dict(os.environ, {}, clear=True):
+            llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+            assert llm.model == "bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_with_streaming(self, mock_completion):
+        """Test Bedrock API key authentication with streaming."""
+        mock_completion.return_value = iter([
+            MagicMock(choices=[MagicMock(delta=MagicMock(content="Test"))]),
+            MagicMock(choices=[MagicMock(delta=MagicMock(content=" response"))])
+        ])
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = list(llm.stream("test message"))
+        
+        mock_completion.assert_called_once()
+        assert len(result) == 2
+
+    @patch.dict(os.environ, {
+        'AWS_ACCESS_KEY_ID': 'test-key-id',
+        'AWS_SECRET_ACCESS_KEY': 'test-secret-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_iam_with_custom_parameters(self, mock_completion):
+        """Test Bedrock IAM authentication with custom parameters."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(
+            model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0",
+            temperature=0.7,
+            max_tokens=100
+        )
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        call_args = mock_completion.call_args
+        assert call_args[1]['temperature'] == 0.7
+        assert call_args[1]['max_tokens'] == 100
+        assert result == "Test response"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-west-2'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_different_region(self, mock_completion):
+        """Test Bedrock API key authentication with different region."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"