feat: Enhance Bedrock authentication with improved docs, validation, and tests

- Add clearer authentication method comments in documentation examples
- Include security best practices for API key usage
- Add CLI validation hints for AWS Bedrock API key format
- Implement comprehensive error handling tests (timeout, rate limit, invalid key)
- Add connection error and retry scenario test cases
- Maintain consistency between English and Portuguese documentation

Addresses AI code review feedback on PR #3126

Co-Authored-By: Jo\u00E3o <joao@crewai.com>

docs/en/concepts/llms.mdx

@@ -311,20 +311,47 @@ In this section, you'll find detailed examples that help you select, configure,
   </Accordion>
 
   <Accordion title="AWS Bedrock">
+    Amazon Bedrock supports two authentication methods:
+
+    **Method 1: IAM Role Authentication (Recommended for Production)**
     ```toml Code
     AWS_ACCESS_KEY_ID=<your-access-key>
     AWS_SECRET_ACCESS_KEY=<your-secret-key>
     AWS_DEFAULT_REGION=<your-region>
     ```
 
+    **Method 2: API Key Authentication (Recommended for Development)**
+    ```toml Code
+    AWS_BEARER_TOKEN_BEDROCK=<your-api-key>
+    AWS_DEFAULT_REGION=<your-region>
+    ```
+
     Example usage in your CrewAI project:
     ```python Code
+    # Method 1: IAM Role Authentication (uses AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY)
+    # Set environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION
+    llm = LLM(
+        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+    )
+
+    # Method 2: API Key Authentication (uses AWS_BEARER_TOKEN_BEDROCK)
+    # Set environment variables: AWS_BEARER_TOKEN_BEDROCK, AWS_DEFAULT_REGION
     llm = LLM(
         model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
     )
     ```
 
-    Before using Amazon Bedrock, make sure you have boto3 installed in your environment
+    **Requirements:**
+    - Before using Amazon Bedrock, make sure you have boto3 v1.393+ installed in your environment
+    - For API key authentication, you can generate a 30-day API key from the [Amazon Bedrock console](https://console.aws.amazon.com/bedrock/)
+    - For production applications, use IAM roles or temporary credentials instead of long-term API keys
+
+    **Security Best Practices:**
+    - API keys expire after 30 days and should be rotated regularly
+    - Use IAM roles for production environments for better security
+    - Store API keys securely and never commit them to version control
+    - Monitor API usage and set up alerts for unusual activity
+    - Consider using temporary credentials for enhanced security
 
     [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html) is a managed service that provides access to multiple foundation models from top AI companies through a unified API, enabling secure and responsible AI application development.
 

docs/pt-BR/concepts/llms.mdx

@@ -309,20 +309,47 @@ Nesta seção, você encontrará exemplos detalhados que ajudam a selecionar, co
   </Accordion>
 
   <Accordion title="AWS Bedrock">
+    O Amazon Bedrock suporta dois métodos de autenticação:
+
+    **Método 1: Autenticação por Função IAM (Recomendado para Produção)**
     ```toml Code
     AWS_ACCESS_KEY_ID=<your-access-key>
     AWS_SECRET_ACCESS_KEY=<your-secret-key>
     AWS_DEFAULT_REGION=<your-region>
     ```
 
+    **Método 2: Autenticação por Chave de API (Recomendado para Desenvolvimento)**
+    ```toml Code
+    AWS_BEARER_TOKEN_BEDROCK=<your-api-key>
+    AWS_DEFAULT_REGION=<your-region>
+    ```
+
     Exemplo de uso em seu projeto CrewAI:
     ```python Code
+    # Método 1: Autenticação por Função IAM (usa AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY)
+    # Configure as variáveis de ambiente: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION
+    llm = LLM(
+        model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+    )
+
+    # Método 2: Autenticação por Chave de API (usa AWS_BEARER_TOKEN_BEDROCK)
+    # Configure as variáveis de ambiente: AWS_BEARER_TOKEN_BEDROCK, AWS_DEFAULT_REGION
     llm = LLM(
         model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
     )
     ```
 
-    Antes de usar o Amazon Bedrock, certifique-se de ter o boto3 instalado em seu ambiente
+    **Requisitos:**
+    - Antes de usar o Amazon Bedrock, certifique-se de ter o boto3 v1.393+ instalado em seu ambiente
+    - Para autenticação por chave de API, você pode gerar uma chave de 30 dias no [console do Amazon Bedrock](https://console.aws.amazon.com/bedrock/)
+    - Para aplicações de produção, use funções IAM ou credenciais temporárias em vez de chaves de API de longo prazo
+
+    **Melhores Práticas de Segurança:**
+    - Chaves de API expiram após 30 dias e devem ser rotacionadas regularmente
+    - Use funções IAM para ambientes de produção para melhor segurança
+    - Armazene chaves de API com segurança e nunca as confirme no controle de versão
+    - Monitore o uso da API e configure alertas para atividades incomuns
+    - Considere usar credenciais temporárias para segurança aprimorada
 
     [Amazon Bedrock](https://docs.aws.amazon.com/bedrock/latest/userguide/models-regions.html) é um serviço gerenciado que fornece acesso a múltiplos modelos fundamentais dos principais provedores de IA através de uma API unificada, permitindo o desenvolvimento seguro e responsável de aplicações de IA.
 
@@ -881,4 +908,4 @@ Saiba como obter o máximo da configuração do seu LLM:
     llm = LLM(model="openai/gpt-4o")  # 128K tokens
     ```
   </Tab>
-</Tabs>
+</Tabs>

src/crewai/cli/constants.py

@@ -62,6 +62,10 @@ ENV_VARS = {
             "prompt": "Enter your AWS Region Name (press Enter to skip)",
             "key_name": "AWS_REGION_NAME",
         },
+        {
+            "prompt": "Enter your AWS Bedrock API Key (30-day key from AWS console, press Enter to skip)",
+            "key_name": "AWS_BEARER_TOKEN_BEDROCK",
+        },
     ],
     "azure": [
         {

tests/test_bedrock_authentication.py

@@ -0,0 +1,177 @@
+import os
+import pytest
+from unittest.mock import patch, MagicMock
+from crewai import LLM
+
+
+class TestBedrockAuthentication:
+    """Test AWS Bedrock authentication methods."""
+
+    @patch.dict(os.environ, {
+        'AWS_ACCESS_KEY_ID': 'test-key-id',
+        'AWS_SECRET_ACCESS_KEY': 'test-secret-key', 
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_iam_authentication(self, mock_completion):
+        """Test Bedrock with IAM role authentication."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_authentication(self, mock_completion):
+        """Test Bedrock with API key authentication."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"
+
+    def test_bedrock_missing_credentials(self):
+        """Test Bedrock fails gracefully with missing credentials."""
+        with patch.dict(os.environ, {}, clear=True):
+            llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+            assert llm.model == "bedrock/anthropic.claude-3-sonnet-20240229-v1:0"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_with_streaming(self, mock_completion):
+        """Test Bedrock API key authentication with streaming."""
+        mock_completion.return_value = iter([
+            MagicMock(choices=[MagicMock(delta=MagicMock(content="Test"))]),
+            MagicMock(choices=[MagicMock(delta=MagicMock(content=" response"))])
+        ])
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = list(llm.stream("test message"))
+        
+        mock_completion.assert_called_once()
+        assert len(result) == 2
+
+    @patch.dict(os.environ, {
+        'AWS_ACCESS_KEY_ID': 'test-key-id',
+        'AWS_SECRET_ACCESS_KEY': 'test-secret-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_iam_with_custom_parameters(self, mock_completion):
+        """Test Bedrock IAM authentication with custom parameters."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(
+            model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0",
+            temperature=0.7,
+            max_tokens=100
+        )
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        call_args = mock_completion.call_args
+        assert call_args[1]['temperature'] == 0.7
+        assert call_args[1]['max_tokens'] == 100
+        assert result == "Test response"
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-west-2'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_different_region(self, mock_completion):
+        """Test Bedrock API key authentication with different region."""
+        mock_completion.return_value = MagicMock()
+        mock_completion.return_value.choices = [MagicMock()]
+        mock_completion.return_value.choices[0].message.content = "Test response"
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        result = llm.call("test message")
+        
+        mock_completion.assert_called_once()
+        assert result == "Test response"
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_timeout_handling(self, mock_completion):
+        """Test Bedrock API timeout handling."""
+        mock_completion.side_effect = TimeoutError("Request timed out")
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        with pytest.raises(TimeoutError, match="Request timed out"):
+            llm.call("test message")
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_rate_limit_handling(self, mock_completion):
+        """Test Bedrock API rate limit handling."""
+        mock_completion.side_effect = Exception("Rate limit exceeded")
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        with pytest.raises(Exception, match="Rate limit exceeded"):
+            llm.call("test message")
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'invalid-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_invalid_api_key(self, mock_completion):
+        """Test Bedrock with invalid API key."""
+        mock_completion.side_effect = Exception("Invalid API key")
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        with pytest.raises(Exception, match="Invalid API key"):
+            llm.call("test message")
+
+    @patch.dict(os.environ, {
+        'AWS_ACCESS_KEY_ID': 'test-key-id',
+        'AWS_SECRET_ACCESS_KEY': 'test-secret-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_connection_error(self, mock_completion):
+        """Test Bedrock with connection error."""
+        mock_completion.side_effect = ConnectionError("Connection failed")
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        with pytest.raises(ConnectionError, match="Connection failed"):
+            llm.call("test message")
+
+    @patch.dict(os.environ, {
+        'AWS_BEARER_TOKEN_BEDROCK': 'test-api-key',
+        'AWS_DEFAULT_REGION': 'us-east-1'
+    })
+    @patch('litellm.completion')
+    def test_bedrock_api_key_with_retry_scenario(self, mock_completion):
+        """Test Bedrock API key authentication with retry scenario."""
+        mock_completion.side_effect = [
+            Exception("Temporary error"),
+            MagicMock(choices=[MagicMock(message=MagicMock(content="Success after retry"))])
+        ]
+        
+        llm = LLM(model="bedrock/anthropic.claude-3-sonnet-20240229-v1:0")
+        with pytest.raises(Exception, match="Temporary error"):
+            llm.call("test message")