ReqLLM.Providers.AmazonBedrock.STS (ReqLLM v1.0.0)

View Source

AWS Security Token Service (STS) integration for AssumeRole.

Provides temporary credentials via AssumeRole without requiring ex_aws. Uses built-in :xmerl for XML parsing and existing ex_aws_auth for signing.

Usage

# AssumeRole with base credentials
{:ok, temp_creds} = STS.assume_role(
  role_arn: "arn:aws:iam::123456789012:role/MyRole",
  role_session_name: "my-session",
  access_key_id: "AKIA...",
  secret_access_key: "...",
  region: "us-east-1"
)

# Use temporary credentials with Bedrock
model = ReqLLM.Model.from("bedrock:anthropic.claude-3-sonnet-20240229-v1:0",
  access_key_id: temp_creds.access_key_id,
  secret_access_key: temp_creds.secret_access_key,
  session_token: temp_creds.session_token,
  region: "us-east-1"
)

Summary

Functions

assume_role(opts)

Assume an AWS IAM role and get temporary credentials.

parse_credentials(xml_body)

Parse AWS STS AssumeRole XML response into credentials.

Functions

assume_role(opts)

Assume an AWS IAM role and get temporary credentials.

Options

  • :role_arn (required) - ARN of the role to assume
  • :role_session_name (required) - Name for the role session
  • :access_key_id (required) - AWS access key ID of the caller
  • :secret_access_key (required) - AWS secret access key of the caller
  • :region - AWS region (default: "us-east-1")
  • :duration_seconds - Session duration in seconds (default: 3600, max: 43200)
  • :external_id - External ID for role assumption
  • :policy - IAM policy to further restrict permissions (JSON string)

Returns

  • {:ok, credentials} - Map with access_key_id, secret_access_key, session_token, expiration
  • {:error, reason} - Error details

Examples

{:ok, creds} = STS.assume_role(
  role_arn: "arn:aws:iam::123456789012:role/MyRole",
  role_session_name: "bedrock-session",
  access_key_id: System.get_env("AWS_ACCESS_KEY_ID"),
  secret_access_key: System.get_env("AWS_SECRET_ACCESS_KEY")
)

# creds = %{
#   access_key_id: "ASIAXXX...",
#   secret_access_key: "xxx...",
#   session_token: "xxx...",
#   expiration: ~U[2025-10-14 12:00:00Z]
# }

parse_credentials(xml_body)

Parse AWS STS AssumeRole XML response into credentials.

Exposed for testing purposes.

Examples

xml = "<AssumeRoleResponse>...</AssumeRoleResponse>"
{:ok, creds} = STS.parse_credentials(xml)