Dynamic credential resolution for AWS endpoints (#1419)

* Dynamic credential resolution for AWS endpoints

If AWS credentials are provided, they will continue to be used. With this
change, they become optional parameters and the AWS SDK will attempt to
use the default resolution chain if they are not provided.

* cleanup deps

* restore optional aws region in endpointAwsParametersSchema

---------

Co-authored-by: Nathan Sarrazin <[email protected]>

Author: nason

package-lock.json

@@ -69,6 +69,7 @@
 		"@resvg/resvg-js": "^2.6.2",
 		"autoprefixer": "^10.4.14",
 		"aws4": "^1.13.0",
+		"aws-sigv4-fetch": "^4.0.1",
 		"browser-image-resizer": "^2.4.1",
 		"date-fns": "^2.29.3",
 		"dotenv": "^16.0.3",

package.json

@@ -8,8 +8,20 @@ export const endpointAwsParametersSchema = z.object({
 	model: z.any(),
 	type: z.literal("aws"),
 	url: z.string().url(),
-	accessKey: z.string().min(1),
-	secretKey: z.string().min(1),
+	accessKey: z
+		.string({
+			description:
+				"An AWS Access Key ID. If not provided, the default AWS identity resolution will be used",
+		})
+		.min(1)
+		.optional(),
+	secretKey: z
+		.string({
+			description:
+				"An AWS Access Key Secret. If not provided, the default AWS identity resolution will be used",
+		})
+		.min(1)
+		.optional(),
 	sessionToken: z.string().optional(),
 	service: z.union([z.literal("sagemaker"), z.literal("lambda")]).default("sagemaker"),
 	region: z.string().optional(),
@@ -18,22 +30,23 @@ export const endpointAwsParametersSchema = z.object({
 export async function endpointAws(
 	input: z.input<typeof endpointAwsParametersSchema>
 ): Promise<Endpoint> {
-	let AwsClient;
+	let createSignedFetcher;
 	try {
-		AwsClient = (await import("aws4fetch")).AwsClient;
+		createSignedFetcher = (await import("aws-sigv4-fetch")).createSignedFetcher;
 	} catch (e) {
-		throw new Error("Failed to import aws4fetch");
+		throw new Error("Failed to import aws-sigv4-fetch");
 	}
 
 	const { url, accessKey, secretKey, sessionToken, model, region, service } =
 		endpointAwsParametersSchema.parse(input);
 
-	const aws = new AwsClient({
-		accessKeyId: accessKey,
-		secretAccessKey: secretKey,
-		sessionToken,
+	const signedFetch = createSignedFetcher({
 		service,
 		region,
+		credentials:
+			accessKey && secretKey
+				? { accessKeyId: accessKey, secretAccessKey: secretKey, sessionToken }
+				: undefined,
 	});
 
 	return async ({ messages, preprompt, continueMessage, generateSettings }) => {
@@ -52,7 +65,7 @@ export async function endpointAws(
 			},
 			{
 				use_cache: false,
-				fetch: aws.fetch.bind(aws) as typeof fetch,
+				fetch: signedFetch,
 			}
 		);
 	};