gptel-bedrock: aws profile keyword argument

leezu · leezu · commit 5447f4581bab · 2025-06-26T16:06:51.000Z
This extends the previous AWS_PROFILE based get-credentials
implementation to allow explicit setting of the profile
diff --git a/README.org b/README.org
@@ -1002,8 +1002,7 @@ Register a backend with
   :model-region 'apac)
 #+end_src
 
-The Bedrock backend gets your AWS credentials from the environment variables. It expects to find either
-~AWS_ACCESS_KEY_ID~, ~AWS_SECRET_ACCESS_KEY~, ~AWS_SESSION_TOKEN~ (optional), or if present, can use ~AWS_PROFILE~ to get these directly from the ~aws~ cli.
+When the ~:profile~ option is specified, the Bedrock backend uses the shared AWS config and credentials files to obtain credentials based on the AWS Profile selected. Alternatively ~AWS_PROFILE~ environment variable can be used to provide the profile name. If ~AWS_ACCESS_KEY_ID~, ~AWS_SECRET_ACCESS_KEY~ and ~AWS_SESSION_TOKEN~ environment variables are provided the profile will be ignored.
 
 NOTE: The Bedrock backend needs curl >= 8.5 in order for the sigv4 signing to work properly,
 https://github.com/curl/curl/issues/11794
@@ -1022,6 +1021,8 @@ The above code makes the backend available to select.  If you want it to be the
       (gptel-make-bedrock "AWS"
         ;; optionally enable streaming
         :stream t
+        ;; optionally specify the aws profile
+        ;; :profile
         :region "ap-northeast-1"
         ;; subset of gptel--bedrock-models
         :models '(claude-sonnet-4-20250514)
diff --git a/gptel-bedrock.el b/gptel-bedrock.el
@@ -513,9 +513,16 @@ Non-nil CLEAR-CACHE will refresh credentials."
        (gptel-bedrock--fetch-aws-profile-credentials profile t))
       (t (user-error "AWS credentials expired for profile: %s" profile)))))
 
-(defun gptel-bedrock--get-credentials ()
+(defun gptel-bedrock--get-credentials (profile)
   "Return the AWS credentials to use for the request.
 
+If credentials are not available based on the AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN environment variables,
+aws configure export-credentials is used to obtain
+credentials.  PROFILE specifies the AWS profile to use for
+retrieving credentials if AWS_PROFILE environment variable is not
+set.
+
 Returns a list of 2-3 elements, depending on whether a session
 token is needed, with this form: (AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY
 AWS_SESSION_TOKEN).
@@ -524,11 +531,12 @@ Convenient to use with `cl-multiple-value-bind'"
   (let ((key-id (getenv "AWS_ACCESS_KEY_ID"))
         (secret-key (getenv "AWS_SECRET_ACCESS_KEY"))
         (token (getenv "AWS_SESSION_TOKEN"))
-	(profile (getenv "AWS_PROFILE")))
+	(profile (or (getenv "AWS_PROFILE")
+                     profile)))
     (cond
       ((and key-id secret-key) (cl-values key-id secret-key token))
       ((and profile) (gptel-bedrock--fetch-aws-profile-credentials profile))
-      (t (user-error "Missing AWS credentials; currently only environment variables are supported")))))
+      (t (user-error "Missing AWS credentials; provide them either via environment variables or specify PROFILE when calling gptel-make-bedrock")))))
 
 (defvar gptel-bedrock--model-ids
   ;; https://docs.aws.amazon.com/bedrock/latest/userguide/models-supported.html
@@ -577,10 +585,12 @@ REGION is one of apac, eu or us."
    (or (alist-get model gptel-bedrock--model-ids nil nil #'eq)
        (error "Unknown Bedrock model: %s" model))))
 
-(defun gptel-bedrock--curl-args (region)
-  "Generate the curl arguments to get a bedrock request signed for use in REGION."
+(defun gptel-bedrock--curl-args (region profile)
+  "Generate the curl arguments to get a bedrock request signed for use in REGION.
+
+PROFILE specifies the aws profile to use for aws configure export-credentials."
   ;; https://curl.se/docs/manpage.html#--aws-sigv4
-  (cl-multiple-value-bind (key-id secret token) (gptel-bedrock--get-credentials)
+  (cl-multiple-value-bind (key-id secret token) (gptel-bedrock--get-credentials profile)
     (nconc
      (list
       "--user" (format "%s:%s" key-id secret)
@@ -604,6 +614,7 @@ REGION is one of apac, eu or us."
           region
           (models gptel--bedrock-models)
 	  (model-region nil)
+	  (profile nil)
           (stream nil)
 	  curl-args
           (protocol "https"))
@@ -614,6 +625,7 @@ Keyword arguments:
 REGION - AWS region name (e.g. \"us-east-1\")
 MODELS - The list of models supported by this backend
 MODEL-REGION - one of apac, eu, us or nil
+PROFILE - the aws profile to use for aws configure export-credentials
 CURL-ARGS - additional curl args
 STREAM - Whether to use streaming responses or not."
   (declare (indent 1))
@@ -627,12 +639,12 @@ STREAM - Whether to use streaming responses or not."
            :host host
            :header nil           ; x-amz-security-token is set in curl-args if needed
            :models (gptel--process-models models)
-	   :model-region model-region
+           :model-region model-region
            :protocol protocol
            :endpoint "" ; Url is dynamically constructed based on other args
            :stream stream
            :coding-system (and stream 'binary)
-           :curl-args (lambda () (append curl-args (gptel-bedrock--curl-args region)))
+           :curl-args (lambda () (append curl-args (gptel-bedrock--curl-args region profile)))
            :url
            (lambda ()
              (concat protocol "://" host
