A lightweight library for generating short-term bearer tokens for AWS Bedrock API authentication
Meta
Author: Amazon Web Services
Requires Python: >=3.7
Classifiers
Development Status
- 4 - Beta
Intended Audience
- Developers
License
- OSI Approved :: Apache Software License
Operating System
- OS Independent
Programming Language
- Python :: 3
- Python :: 3.7
- Python :: 3.8
- Python :: 3.9
- Python :: 3.10
- Python :: 3.11
- Python :: 3.12
AWS Bedrock Token Generator for Python
The AWS Bedrock Token Generator for Python is a lightweight utility library that generates short-term bearer tokens for AWS Bedrock API authentication. This library simplifies the process of creating secure, time-limited tokens that can be used to authenticate with AWS Bedrock services without exposing long-term credentials.
Installation
Using pip
pip install aws-bedrock-token-generator
From source
git clone https://github.com/aws/aws-bedrock-token-generator-python.git
cd aws-bedrock-token-generator-python
pip install -e .
Quick Start
Basic Usage
Create a token with no parameters; this uses the default region, credentials and token expiry time (1 hour)
from aws_bedrock_token_generator import provide_token
token = provide_token() # uses AWS_REGION env var and default credential chain
print(f"Token: {token}")
Create token using EnvProvider credentials provider
from aws_bedrock_token_generator import provide_token
from botocore.credentials import EnvProvider
token = provide_token(region="us-east-1", aws_credentials_provider=EnvProvider())
print(f"Token: {token}")
Create token with AssumeRole credentials provider
from aws_bedrock_token_generator import provide_token
from botocore.credentials import AssumeRoleProvider, CanonicalNameCredentialSourcer, EnvProvider
from botocore.session import Session
from datetime import timedelta
session = Session()
assume_role_provider = AssumeRoleProvider(
    profile_name="bearertoken",
    load_config=lambda: session.full_config,
    client_creator=session.create_client,
    credential_sourcer=CanonicalNameCredentialSourcer([EnvProvider()]),
    cache={}
)
bearer_token = provide_token(
    region="us-east-1",
    aws_credentials_provider=assume_role_provider,
    expiry=timedelta(seconds=900)
)
print(f"Bearer Token: {bearer_token}")
Token Format
The generated tokens follow this format:
bedrock-api-key-<base64-encoded-presigned-url>&Version=1
- Prefix: bedrock-api-key- identifies the token type
- Payload: Base64-encoded presigned URL with embedded credentials
- Version: &Version=1 for future compatibility
- Expiration: The token has a default expiration of 12 hours. If the expiry parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time
Security Considerations
- Token Expiration: The token has a default expiration of 12 hours. If the expiry parameter is specified during token creation, the expiration can be configured up to a maximum of 12 hours. However, the actual token validity period will always be the minimum of the requested expiration time and the AWS credentials' expiry time. The token must be generated again once it expires, as it cannot be refreshed or extended
- Secure Storage: Store tokens securely and avoid logging them
- Credential Management: Use IAM roles and temporary credentials when possible
- Network Security: Always use HTTPS when transmitting tokens
- Principle of Least Privilege: Ensure underlying credentials have minimal required permissions
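The token format and the storage and logging advice above can be checked in code. The following is an added example, not part of this library: it decodes a token to read its signed expiry and signing identity without returning the signature, and masks tokens in text before logging. The helper names `inspect_token` and `redact`, the standard SigV4 `X-Amz-*` query parameter names, and the handling of the version marker either inside or outside the Base64 part are assumptions; the sample token is constructed.

```python
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

PREFIX = "bedrock-api-key-"
SUFFIX = "&Version=1"
TOKEN_RE = re.compile(re.escape(PREFIX) + r"[A-Za-z0-9+/=]+(?:&Version=1)?")


def inspect_token(token):
    """Return non-secret metadata only; the signature is never returned."""
    if not token.startswith(PREFIX):
        raise ValueError("not a bedrock-api-key token")
    body = token[len(PREFIX):]
    if body.endswith(SUFFIX):  # version marker left outside the Base64 part
        body = body[: -len(SUFFIX)]
    url = base64.b64decode(body, validate=True).decode("utf-8")
    # Assumption: the payload is a SigV4 presigned URL, with or without scheme.
    query = parse_qs(urlsplit(url if "://" in url else "https://" + url).query)
    issued = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    issued = issued.replace(tzinfo=timezone.utc)
    key_id, _, region, service, _ = query["X-Amz-Credential"][0].split("/")
    return {
        "access_key_id": key_id,
        "region": region,
        "service": service,
        "issued_at": issued,
        # Upper bound: the credentials behind the token may expire sooner.
        "expires_at": issued + timedelta(seconds=int(query["X-Amz-Expires"][0])),
        "temporary_credentials": "X-Amz-Security-Token" in query,
    }


def redact(text):
    """Mask every token found in text, e.g. before it reaches a log line."""
    return TOKEN_RE.sub(PREFIX + "[REDACTED]", text)


# Constructed sample: placeholder host, documentation key id, zeroed signature.
_SAMPLE_URL = (
    "service.example/?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20250101%2Fus-east-1"
    "%2Fbedrock%2Faws4_request&X-Amz-Date=20250101T120000Z"
    "&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Signature=" + "0" * 64 + "&Version=1"
)
SAMPLE_TOKEN = PREFIX + base64.b64encode(_SAMPLE_URL.encode()).decode()
```

A sample without `X-Amz-Security-Token`, as here, reports `temporary_credentials` as false, which flags a token minted from long-term keys rather than from a role or other temporary credentials.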
Requirements
- Python: 3.7 or later
- boto3: 1.26.0 or later
- botocore: 1.29.0 or later
Development
Setting up Development Environment
# Clone the repository
git clone https://github.com/aws/aws-bedrock-token-generator-python.git
cd aws-bedrock-token-generator-python
# Install in development mode with dev dependencies
pip install -e .[dev]
Running Tests
# Run all tests
pytest
# Run tests with coverage
pytest --cov=aws_bedrock_token_generator
# Run tests with verbose output
pytest -v
Code Quality
# Format code with black
black aws_bedrock_token_generator tests
# Check code style with flake8
flake8 aws_bedrock_token_generator tests
# Type checking with mypy
mypy aws_bedrock_token_generator
Building Distribution
# Build wheel and source distribution
python -m build
# Install from local build
pip install dist/aws_bedrock_token_generator-*.whl
Contributing
We welcome contributions! Please see CONTRIBUTING.md for details on how to contribute to this project.
Development Workflow
- Fork the repository
- Create a feature branch: git checkout -b feature-name
- Make changes and add tests
- Run tests: pytest
- Format code: black .
- Submit a pull request
Support
- Documentation: AWS Bedrock Documentation
- Issues: GitHub Issues
- AWS Support: AWS Support Center
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Changelog
See CHANGELOG.md for a list of changes and version history.