fix: support AWS IAM credentials for Bedrock models without LLM_API_KEY#612
Open
ixchio wants to merge 7 commits into
Open
fix: support AWS IAM credentials for Bedrock models without LLM_API_KEY#612ixchio wants to merge 7 commits into
ixchio wants to merge 7 commits into
Conversation
When using --override-with-envs, AWS Bedrock/SageMaker models no longer require LLM_API_KEY. These models use AWS IAM credentials instead, which can be provided via: - Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION_NAME - Default AWS credential chain (boto3): ~/.aws/credentials, IAM roles, etc. Changes: - Add AWS credential support to LLMEnvOverrides (aws_access_key_id, aws_secret_access_key, aws_region_name) - Add is_aws_auth_model() helper to detect bedrock/, bedrock_converse/, sagemaker/ model prefixes - Update require_for_headless() to skip LLM_API_KEY validation for AWS models - Update _ensure_agent() to build LLM kwargs dynamically, allowing api_key to be None for AWS-authenticated models - Improve error messages with AWS-specific guidance - Add comprehensive tests for AWS authentication path Fixes OpenHands#611 Co-authored-by: openhands <openhands@all-hands.dev>
enyst
reviewed
Apr 7, 2026
enyst
left a comment
enyst
left a comment
Member
There was a problem hiding this comment.
Thank you for the PR!
I'm a bit curious, do we need to use --override-with-envs for AWS at all?
I believe the SDK has now LLM class attributes for Bedrock, maybe we could use those?
Contributor
Author
Thanks @enyst, you're right! I checked and the SDK (openhands-sdk v1.16.1) already has native AWS/Bedrock support built into the LLM class: So this PR could be simplified significantly. The only thing the CLI really needs to fix is: I'll simplify the PR to remove the custom AWS credential plumbing from LLMEnvOverrides and just lean on the SDK's existing support. Want me to go that route? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hey! 👋
So this PR fixes the issue where you couldn't use AWS Bedrock with the CLI using IAM credentials.
What was happening?
When running
openhands --override-with-envswith a Bedrock model, the CLI would complain about missingLLM_API_KEY- but Bedrock doesn't use API keys! It uses AWS IAM credentials instead.The fix
Now the CLI is smart enough to detect when you're using a Bedrock (or SageMaker) model and won't ask for an API key. It'll use your AWS credentials instead, which can come from:
AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY,AWS_REGION_NAME)~/.aws/credentialsfileHow to use it
Just set your model and go:
Or with the full ARN like in the issue:
No need to set a fake API key or anything like that anymore!
Testing
Fixes #611