feat(goose): add support for AWS_BEARER_TOKEN_BEDROCK environment variable#6739
michaelneale merged 1 commit into block:main
Pull request overview
Adds bearer token authentication support for the Amazon Bedrock provider via AWS_BEARER_TOKEN_BEDROCK, with a fallback to the existing AWS credentials flow when the token is not set.
Changes:
- Add bearer-token-based Bedrock client construction and runtime region validation when a bearer token is used.
- Update Bedrock provider metadata/config keys to include `AWS_BEARER_TOKEN_BEDROCK` (secret) and make `AWS_PROFILE`/`AWS_REGION` optional in metadata.
- Update provider integration tests to improve env handling and add a bearer-token Bedrock test case.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| crates/goose/src/providers/bedrock.rs | Implements bearer token auth path, conditional region validation, updates provider metadata, and adds metadata-focused unit tests. |
| crates/goose/tests/providers.rs | Refines env handling in the shared provider test helper and adds an integration test for bearer-token Bedrock auth. |
thanks @andreswebs - just wanted to confirm as a little hard to look at just diffs, but this will be fine for non bearer token cases as before - and the new stuff only kicks in when there is a bearer token variable configured? is that right?
156322a to 7489ebf
michaelneale left a comment
Looks good - the one copilot comment on potentially filtering out AWS_BEARER_TOKEN_BEDROCK is a nice to have I think @andreswebs if you wanted to include that and test it, but otherwise LGTM
Awesome, thanks @michaelneale
thanks for seeing this through @andreswebs and appreciate all the permutation testing and patience!
Signed-off-by: Andre Silva <andreswebs@pm.me>
…iable (block#6739) Signed-off-by: Andre Silva <andreswebs@pm.me>
Summary

Add support for bearer token authentication in the AWS Bedrock provider via the `AWS_BEARER_TOKEN_BEDROCK` environment variable.

This change allows users to authenticate with Amazon Bedrock using a bearer token as an alternative to standard AWS credentials (IAM/SSO). When `AWS_BEARER_TOKEN_BEDROCK` is set, the provider uses bearer token authentication; otherwise, it falls back to the existing credential-based authentication flow.

Changes:
- `AWS_BEARER_TOKEN_BEDROCK` as a new optional secret config key
- `AWS_PROFILE` optional (since bearer token auth doesn't require it)
- `AWS_REGION` required at runtime when `AWS_BEARER_TOKEN_BEDROCK` is used

Type of Change

AI Assistance

Testing
- `AWS_PROFILE` marked as optional
- `test_bedrock_provider_bearer_token` that validates authentication flow with bearer token (requires `AWS_BEARER_TOKEN_BEDROCK` and `AWS_REGION` env vars)

Related Issues

Relates to #6577
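
The selection rule described in this pull request (bearer token when `AWS_BEARER_TOKEN_BEDROCK` is set, the existing credential flow otherwise, `AWS_REGION` mandatory only on the token path) is shown below as an added Rust example; it is not code from the goose repository. `select_auth`, `BedrockAuth` and `Secret` are hypothetical names, and treating a blank value as unset and redacting the token in `Debug` output are assumptions of this example.

```rust
use std::collections::HashMap;
use std::fmt;

/// Secret wrapper: Debug never prints the token, so it cannot leak via logs.
#[derive(Clone, PartialEq)]
pub struct Secret(String);
impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("Secret(<redacted>)")
    }
}

#[derive(Debug, PartialEq)]
pub enum BedrockAuth {
    /// Bearer token path: the region must be known up front.
    BearerToken { token: Secret, region: String },
    /// Existing flow: profile and region are optional hints for the credential chain.
    CredentialChain { profile: Option<String>, region: Option<String> },
}

/// Hypothetical helper: picks the auth mode from a snapshot of the environment.
pub fn select_auth(env: &HashMap<String, String>) -> Result<BedrockAuth, String> {
    // Assumption of this example: unset and blank values are treated alike.
    let get = |k: &str| env.get(k).map(|v| v.trim().to_string()).filter(|v| !v.is_empty());
    match get("AWS_BEARER_TOKEN_BEDROCK") {
        Some(token) => {
            // Fail closed: no silent region default on the token path.
            let region = get("AWS_REGION").ok_or_else(|| {
                "AWS_REGION is required when AWS_BEARER_TOKEN_BEDROCK is set".to_string()
            })?;
            Ok(BedrockAuth::BearerToken { token: Secret(token), region })
        }
        None => Ok(BedrockAuth::CredentialChain {
            profile: get("AWS_PROFILE"),
            region: get("AWS_REGION"),
        }),
    }
}

fn main() {
    // Constructed sample environment; the token value is a placeholder.
    let env: HashMap<String, String> = [
        ("AWS_BEARER_TOKEN_BEDROCK", "example-token-not-real"),
        ("AWS_REGION", "us-east-1"),
    ].iter().map(|(k, v)| (k.to_string(), v.to_string())).collect();
    println!("{:?}", select_auth(&env));
}
```

Passing the environment in as a map keeps the decision testable without mutating process-wide variables, which matters when provider tests run in parallel.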