From c2edeab4c3cc272a5eb238f1d321cd231c7c04ca Mon Sep 17 00:00:00 2001 From: Jose Garcia Date: Thu, 20 Nov 2025 18:47:12 -0300 Subject: [PATCH] added: AWS_BEARER_TOKEN_BEDROCK authentication capabilities (#692) --- action.yml | 1 + base-action/action.yml | 1 + base-action/src/validate-env.ts | 28 +++++++++++------ base-action/test/validate-env.test.ts | 45 +++++++++++++++++++++------ 4 files changed, 55 insertions(+), 20 deletions(-) diff --git a/action.yml b/action.yml index 69482a0..ded2fec 100644 --- a/action.yml +++ b/action.yml @@ -250,6 +250,7 @@ runs: AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} + AWS_BEARER_TOKEN_BEDROCK: ${{ env.AWS_BEARER_TOKEN_BEDROCK }} ANTHROPIC_BEDROCK_BASE_URL: ${{ env.ANTHROPIC_BEDROCK_BASE_URL || (env.AWS_REGION && format('https://bedrock-runtime.{0}.amazonaws.com', env.AWS_REGION)) }} # GCP configuration diff --git a/base-action/action.yml b/base-action/action.yml index b37af85..f78d9c3 100644 --- a/base-action/action.yml +++ b/base-action/action.yml @@ -159,6 +159,7 @@ runs: AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} AWS_SESSION_TOKEN: ${{ env.AWS_SESSION_TOKEN }} + AWS_BEARER_TOKEN_BEDROCK: ${{ env.AWS_BEARER_TOKEN_BEDROCK }} ANTHROPIC_BEDROCK_BASE_URL: ${{ env.ANTHROPIC_BEDROCK_BASE_URL || (env.AWS_REGION && format('https://bedrock-runtime.{0}.amazonaws.com', env.AWS_REGION)) }} # GCP configuration diff --git a/base-action/src/validate-env.ts b/base-action/src/validate-env.ts index 6e48a68..2781c50 100644 --- a/base-action/src/validate-env.ts +++ b/base-action/src/validate-env.ts 
@@ -23,17 +23,25 @@ export function validateEnvironmentVariables() { ); } } else if (useBedrock) { - const requiredBedrockVars = { - AWS_REGION: process.env.AWS_REGION, - AWS_ACCESS_KEY_ID: process.env.AWS_ACCESS_KEY_ID, - AWS_SECRET_ACCESS_KEY: process.env.AWS_SECRET_ACCESS_KEY, - }; + const awsRegion = process.env.AWS_REGION; + const awsAccessKeyId = process.env.AWS_ACCESS_KEY_ID; + const awsSecretAccessKey = process.env.AWS_SECRET_ACCESS_KEY; + const awsBearerToken = process.env.AWS_BEARER_TOKEN_BEDROCK; - Object.entries(requiredBedrockVars).forEach(([key, value]) => { - if (!value) { - errors.push(`${key} is required when using AWS Bedrock.`); - } - }); + // AWS_REGION is always required for Bedrock + if (!awsRegion) { + errors.push("AWS_REGION is required when using AWS Bedrock."); + } + + // Either bearer token OR access key credentials must be provided + const hasAccessKeyCredentials = awsAccessKeyId && awsSecretAccessKey; + const hasBearerToken = awsBearerToken; + + if (!hasAccessKeyCredentials && !hasBearerToken) { + errors.push( + "Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.", + ); + } } else if (useVertex) { const requiredVertexVars = { ANTHROPIC_VERTEX_PROJECT_ID: process.env.ANTHROPIC_VERTEX_PROJECT_ID, diff --git a/base-action/test/validate-env.test.ts b/base-action/test/validate-env.test.ts index 754f704..554071c 100644 --- a/base-action/test/validate-env.test.ts +++ b/base-action/test/validate-env.test.ts @@ -17,6 +17,7 @@ describe("validateEnvironmentVariables", () => { delete process.env.AWS_ACCESS_KEY_ID; delete process.env.AWS_SECRET_ACCESS_KEY; delete process.env.AWS_SESSION_TOKEN; + delete process.env.AWS_BEARER_TOKEN_BEDROCK; delete process.env.ANTHROPIC_BEDROCK_BASE_URL; delete process.env.ANTHROPIC_VERTEX_PROJECT_ID; delete process.env.CLOUD_ML_REGION; 
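Review bot: The new either/or check in the `useBedrock` branch lets a half-configured access-key pair through whenever `AWS_BEARER_TOKEN_BEDROCK` is set, so a workflow that lost one of `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` validates cleanly and runs on whichever credential the downstream client picks. Nothing in this hunk states which credential wins when both kinds are present; if the bearer token is a long-lived key, it could silently take the place of short-lived role credentials the workflow meant to use. I would reject the partial pair explicitly, `if (Boolean(awsAccessKeyId) !== Boolean(awsSecretAccessKey)) errors.push("AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be provided together.");`, and add a comment above the check documenting the intended precedence. `hasAccessKeyCredentials` and `hasBearerToken` also hold the raw strings rather than booleans; wrapping them in `Boolean(...)` keeps secret values out of flag-named variables. The body of `validateEnvironmentVariables` starts and ends outside the hunk.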
@@ -92,31 +93,58 @@ describe("validateEnvironmentVariables", () => { ); }); - test("should fail when AWS_ACCESS_KEY_ID is missing", () => { + test("should fail when only AWS_SECRET_ACCESS_KEY is provided without bearer token", () => { process.env.CLAUDE_CODE_USE_BEDROCK = "1"; process.env.AWS_REGION = "us-east-1"; process.env.AWS_SECRET_ACCESS_KEY = "test-secret-key"; expect(() => validateEnvironmentVariables()).toThrow( - "AWS_ACCESS_KEY_ID is required when using AWS Bedrock.", + "Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.", ); }); - test("should fail when AWS_SECRET_ACCESS_KEY is missing", () => { + test("should fail when only AWS_ACCESS_KEY_ID is provided without bearer token", () => { process.env.CLAUDE_CODE_USE_BEDROCK = "1"; process.env.AWS_REGION = "us-east-1"; process.env.AWS_ACCESS_KEY_ID = "test-access-key"; expect(() => validateEnvironmentVariables()).toThrow( - "AWS_SECRET_ACCESS_KEY is required when using AWS Bedrock.", + "Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.", ); }); - test("should report all missing Bedrock variables", () => { + test("should pass when AWS_BEARER_TOKEN_BEDROCK is provided instead of access keys", () => { + process.env.CLAUDE_CODE_USE_BEDROCK = "1"; + process.env.AWS_REGION = "us-east-1"; + process.env.AWS_BEARER_TOKEN_BEDROCK = "test-bearer-token"; + + expect(() => validateEnvironmentVariables()).not.toThrow(); + }); + + test("should pass when both bearer token and access keys are provided", () => { + process.env.CLAUDE_CODE_USE_BEDROCK = "1"; + process.env.AWS_REGION = "us-east-1"; + process.env.AWS_BEARER_TOKEN_BEDROCK = "test-bearer-token"; + process.env.AWS_ACCESS_KEY_ID = "test-access-key"; + process.env.AWS_SECRET_ACCESS_KEY = "test-secret-key"; + + expect(() => validateEnvironmentVariables()).not.toThrow(); + }); + + test("should fail when no authentication method is 
provided", () => { + process.env.CLAUDE_CODE_USE_BEDROCK = "1"; + process.env.AWS_REGION = "us-east-1"; + + expect(() => validateEnvironmentVariables()).toThrow( + "Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.", + ); + }); + + test("should report missing region and authentication", () => { process.env.CLAUDE_CODE_USE_BEDROCK = "1"; expect(() => validateEnvironmentVariables()).toThrow( - /AWS_REGION is required when using AWS Bedrock.*AWS_ACCESS_KEY_ID is required when using AWS Bedrock.*AWS_SECRET_ACCESS_KEY is required when using AWS Bedrock/s, + /AWS_REGION is required when using AWS Bedrock.*Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock/s, ); }); }); @@ -204,10 +232,7 @@ describe("validateEnvironmentVariables", () => { " - AWS_REGION is required when using AWS Bedrock.", ); expect(error!.message).toContain( - " - AWS_ACCESS_KEY_ID is required when using AWS Bedrock.", - ); - expect(error!.message).toContain( - " - AWS_SECRET_ACCESS_KEY is required when using AWS Bedrock.", + " - Either AWS_BEARER_TOKEN_BEDROCK or both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are required when using AWS Bedrock.", ); }); });
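Review bot: The new Bedrock cases only ever `delete` the variables or set them to non-empty values, so none of them pins how an empty string is treated. Both `action.yml` files in this patch pass `AWS_BEARER_TOKEN_BEDROCK: ${{ env.AWS_BEARER_TOKEN_BEDROCK }}`, which presumably reaches the process as an empty string when the workflow does not define it, so that is the value the validator sees in practice. A case that sets `process.env.AWS_BEARER_TOKEN_BEDROCK = "";` with only `AWS_REGION` present and expects the "Either AWS_BEARER_TOKEN_BEDROCK or both ..." error would guard the truthiness check against a later refactor to `!== undefined`. A case combining a bearer token with only one of the two access-key variables is also missing, so the accepted behaviour for that mix is currently undocumented.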