braintrustdata · Ken Jiang (knjiang) · Feb 27, 2026 · Mar 3, 2026 · chatgpt-codex-connector · Feb 27, 2026
diff --git a/packages/proxy/schema/secrets.ts b/packages/proxy/schema/secrets.ts
@@ -40,17 +40,20 @@ const BedrockMetadataSchemaBase = BaseMetadataSchema.merge(
   z.object({
     region: z.string().min(1, "Region cannot be empty"),
     auth_type: z
-      .enum(["iam_credentials", "api_key"])
+      .enum(["iam_credentials", "api_key", "assume_role"])
       .default("iam_credentials"),
     access_key: z.string().nullish(),
     session_token: z.string().nullish(),
+    external_id: z.string().nullish(),
+    role_arn: z.string().nullish(),
     api_base: z.union([z.string().url(), z.string().length(0)]).nullish(),
   }),
 ).strict();
 export const BedrockMetadataSchema = BedrockMetadataSchemaBase;
 export const BedrockMetadataSchemaWithAuth =
   BedrockMetadataSchemaBase.superRefine((data, ctx) => {
-    if ((data.auth_type ?? "iam_credentials") === "iam_credentials") {
+    const authType = data.auth_type ?? "iam_credentials";
+    if (authType === "iam_credentials") {
       if (!data.access_key) {
         ctx.addIssue({
           code: z.ZodIssueCode.custom,
@@ -59,6 +62,22 @@ export const BedrockMetadataSchemaWithAuth =
         });
       }
     }
+    if (authType === "assume_role") {
+      if (!data.external_id?.trim()) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: "External ID is required for assume role",
+          path: ["external_id"],
+        });
+      }
+      if (!data.role_arn?.trim()) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          message: "Role ARN is required for assume role",
+          path: ["role_arn"],
+        });
+      }
+    }
   });
 export type BedrockMetadata = z.infer<typeof BedrockMetadataSchema>;