Add AWS Bedrock provider (#316)

* Add AWS Bedrock provider for Anthropic models

Enables using Anthropic Claude models hosted on AWS Bedrock via the
existing `anthropic` gem's BedrockClient. The provider inherits all
functionality from AnthropicProvider (streaming, tool use, multimodal,
structured output) and overrides only client construction for AWS
authentication.

Implementation:

- BedrockProvider inherits AnthropicProvider, overrides client() to
  return Anthropic::BedrockClient with SigV4 signing
- Bedrock::Options handles AWS credential resolution: explicit options,
  environment variables (AWS_REGION, AWS_ACCESS_KEY_ID, etc.), then
  AWS SDK default chain (profiles, IAM roles, instance metadata)
- Reuses Anthropic request/response types — no protocol translation
  needed as BedrockClient handles this internally
- Sensitive credentials (access key, secret key, session token, profile)
  excluded from Options#serialize

Test coverage (28 tests, 37 assertions):

- Provider class: service_name, inheritance, client construction,
  client memoization, prompt_request_type delegation to Anthropic
- Options: initialization, all AWS ENV fallbacks, explicit-over-ENV
  precedence, default/custom retry and timeout, serialization security
- Provider loading: require path resolution, convention-based lookup

Follows the same pattern established by the Azure provider in #301.

* Add bearer token authentication for AWS Bedrock API keys

AWS Bedrock supports API key authentication via bearer tokens
(Authorization: Bearer <token>), as an alternative to SigV4 signing.
See: https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html

The existing Anthropic::BedrockClient only supports SigV4, so this adds
a BearerClient that subclasses Anthropic::Client directly, reusing its
built-in auth_token support while copying the Bedrock-specific request
transformations (URL path rewriting, anthropic_version injection).

The provider now checks for a bearer token first (via aws_bearer_token
option or AWS_BEARER_TOKEN_BEDROCK env var) and falls back to the
existing SigV4 path when no token is present.

Also adds extra_headers and anthropic_beta to Bedrock::Options, which
are required by the inherited AnthropicProvider at runtime.

* Add tests for bearer token authentication

- Options: bearer token from explicit value, env var resolution,
  preference of explicit over env, and serialize exclusion
- Provider: client returns BearerClient when token is present,
  falls back to Anthropic::BedrockClient otherwise, memoization
- BearerClient: initialization, auth_token, region, base_url,
  inheritance, and resource accessors (messages, completions, beta)

* Fix missing retry delay options and isolate provider tests from env

Pass initial_retry_delay and max_retry_delay through to both
BearerClient and Anthropic::BedrockClient constructors so user-
configured retry backoff is no longer silently ignored.

Also clear AWS_BEARER_TOKEN_BEDROCK in provider test setup/teardown
so tests expecting the SigV4 client path aren't broken by the
environment.

Author: Davidslv

activeagent.gemspec

@@ -28,6 +28,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "jbuilder", "~> 2.14"
 
   spec.add_development_dependency "anthropic", "~> 1.12"
+  spec.add_development_dependency "aws-sdk-bedrockruntime"
   spec.add_development_dependency "openai", "~> 0.34"
   spec.add_development_dependency "ruby_llm", ">= 1.0"
 

lib/active_agent/providers/bedrock/_types.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require_relative "options"
+require_relative "bearer_client"
+require_relative "../anthropic/_types"
+
+# Bedrock uses the same request/response types as Anthropic.
+# The BedrockClient handles all protocol translation internally.

lib/active_agent/providers/bedrock/bearer_client.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module ActiveAgent
+  module Providers
+    module Bedrock
+      # Client for AWS Bedrock using bearer token (API key) authentication.
+      #
+      # Subclasses Anthropic::Client directly to reuse its built-in bearer
+      # token support via the +auth_token+ parameter, while adding Bedrock-
+      # specific request transformations (URL path rewriting, anthropic_version
+      # injection) copied from Anthropic::BedrockClient.
+      #
+      # This avoids Anthropic::BedrockClient which requires SigV4 credentials
+      # and would fail when only a bearer token is available.
+      #
+      # @see https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html
+      class BearerClient < ::Anthropic::Client
+        BEDROCK_VERSION = "bedrock-2023-05-31"
+
+        # @return [String]
+        attr_reader :aws_region
+
+        # @param aws_region [String] AWS region for the Bedrock endpoint
+        # @param bearer_token [String] AWS Bedrock API key (bearer token)
+        # @param base_url [String, nil] Override the default Bedrock endpoint
+        # @param max_retries [Integer]
+        # @param timeout [Float]
+        # @param initial_retry_delay [Float]
+        # @param max_retry_delay [Float]
+        def initialize(
+          aws_region:,
+          bearer_token:,
+          base_url: nil,
+          max_retries: self.class::DEFAULT_MAX_RETRIES,
+          timeout: self.class::DEFAULT_TIMEOUT_IN_SECONDS,
+          initial_retry_delay: self.class::DEFAULT_INITIAL_RETRY_DELAY,
+          max_retry_delay: self.class::DEFAULT_MAX_RETRY_DELAY
+        )
+          @aws_region = aws_region
+
+          base_url ||= "https://bedrock-runtime.#{aws_region}.amazonaws.com"
+
+          super(
+            auth_token: bearer_token,
+            api_key: nil,
+            base_url: base_url,
+            max_retries: max_retries,
+            timeout: timeout,
+            initial_retry_delay: initial_retry_delay,
+            max_retry_delay: max_retry_delay
+          )
+
+          @messages = ::Anthropic::Resources::Messages.new(client: self)
+          @completions = ::Anthropic::Resources::Completions.new(client: self)
+          @beta = ::Anthropic::Resources::Beta.new(client: self)
+        end
+
+        private
+
+        # Intercepts request building to apply Bedrock-specific transformations
+        # before the parent class processes the request.
+        def build_request(req, opts)
+          fit_req_to_bedrock_specs!(req)
+          req = super
+          body = req.fetch(:body)
+          req[:body] = StringIO.new(body.to_a.join) if body.is_a?(Enumerator)
+          req
+        end
+
+        # Rewrites Anthropic API paths to Bedrock endpoint paths and injects
+        # the Bedrock anthropic_version field.
+        #
+        # Adapted from Anthropic::Helpers::Bedrock::Client#fit_req_to_bedrock_specs!
+        def fit_req_to_bedrock_specs!(request_components)
+          if (body = request_components[:body]).is_a?(Hash)
+            body[:anthropic_version] ||= BEDROCK_VERSION
+            body.transform_keys!("anthropic-beta": :anthropic_beta)
+          end
+
+          case request_components[:path]
+          in %r{^v1/messages/batches}
+            raise NotImplementedError, "The Batch API is not supported in Bedrock yet"
+          in %r{v1/messages/count_tokens}
+            raise NotImplementedError, "Token counting is not supported in Bedrock yet"
+          in %r{v1/models\?beta=true}
+            raise NotImplementedError,
+                  "Please instead use https://docs.anthropic.com/en/api/claude-on-amazon-bedrock#list-available-models " \
+                  "to list available models on Bedrock."
+          else
+          end
+
+          if %w[
+            v1/complete
+            v1/messages
+            v1/messages?beta=true
+          ].include?(request_components[:path]) && request_components[:method] == :post && body.is_a?(Hash)
+            model = body.delete(:model)
+            model = URI.encode_www_form_component(model.to_s)
+            stream = body.delete(:stream) || false
+            request_components[:path] =
+              stream ? "model/#{model}/invoke-with-response-stream" : "model/#{model}/invoke"
+          end
+
+          request_components
+        end
+      end
+    end
+  end
+end

lib/active_agent/providers/bedrock/options.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+require "active_agent/providers/common/model"
+
+module ActiveAgent
+  module Providers
+    module Bedrock
+      # Configuration for AWS Bedrock provider.
+      #
+      # AWS credentials are resolved in order:
+      # 1. Explicit options (aws_access_key, aws_secret_key)
+      # 2. Environment variables (AWS_REGION, AWS_ACCESS_KEY_ID, etc.)
+      # 3. AWS SDK default chain (profiles, IAM roles, instance metadata)
+      #
+      # Unlike the Anthropic provider, no API key is needed — authentication
+      # is handled entirely through AWS credentials.
+      #
+      # @example Minimal config (uses SDK default chain)
+      #   Bedrock::Options.new(aws_region: "eu-west-2")
+      #
+      # @example Explicit credentials
+      #   Bedrock::Options.new(
+      #     aws_region: "eu-west-2",
+      #     aws_access_key: "AKIA...",
+      #     aws_secret_key: "..."
+      #   )
+      #
+      # @example With profile
+      #   Bedrock::Options.new(
+      #     aws_region: "eu-west-2",
+      #     aws_profile: "my-profile"
+      #   )
+      class Options < Common::BaseModel
+        attribute :aws_region,        :string
+        attribute :aws_access_key,    :string
+        attribute :aws_secret_key,    :string
+        attribute :aws_session_token, :string
+        attribute :aws_profile,       :string
+        attribute :aws_bearer_token,  :string
+        attribute :base_url,          :string
+        attribute :anthropic_beta,    :string
+
+        attribute :max_retries,         :integer, default: ::Anthropic::Client::DEFAULT_MAX_RETRIES
+        attribute :timeout,             :float,   default: ::Anthropic::Client::DEFAULT_TIMEOUT_IN_SECONDS
+        attribute :initial_retry_delay, :float,   default: ::Anthropic::Client::DEFAULT_INITIAL_RETRY_DELAY
+        attribute :max_retry_delay,     :float,   default: ::Anthropic::Client::DEFAULT_MAX_RETRY_DELAY
+
+        def initialize(kwargs = {})
+          kwargs = kwargs.deep_symbolize_keys if kwargs.respond_to?(:deep_symbolize_keys)
+
+          super(**deep_compact(kwargs.except(:default_url_options).merge(
+            aws_region:        kwargs[:aws_region]        || ENV["AWS_REGION"] || ENV["AWS_DEFAULT_REGION"],
+            aws_access_key:    kwargs[:aws_access_key]    || ENV["AWS_ACCESS_KEY_ID"],
+            aws_secret_key:    kwargs[:aws_secret_key]    || ENV["AWS_SECRET_ACCESS_KEY"],
+            aws_session_token: kwargs[:aws_session_token] || ENV["AWS_SESSION_TOKEN"],
+            aws_profile:       kwargs[:aws_profile]       || ENV["AWS_PROFILE"],
+            aws_bearer_token:  kwargs[:aws_bearer_token]  || ENV["AWS_BEARER_TOKEN_BEDROCK"]
+          )))
+        end
+
+        # Bedrock handles authentication at the client level (SigV4 or bearer token),
+        # so no extra headers are needed in request options.
+        def extra_headers
+          {}
+        end
+
+        # Excludes sensitive AWS credentials from serialized output.
+        # The provider's client() method reads credentials directly from options attributes.
+        def serialize
+          attributes.symbolize_keys.except(
+            :aws_access_key, :aws_secret_key, :aws_session_token, :aws_profile, :aws_bearer_token
+          )
+        end
+      end
+    end
+  end
+end

lib/active_agent/providers/bedrock_provider.rb

@@ -0,0 +1,84 @@
+# frozen_string_literal: true
+
+require_relative "anthropic_provider"
+require_relative "bedrock/_types"
+
+module ActiveAgent
+  module Providers
+    # Provider for Anthropic models hosted on AWS Bedrock.
+    #
+    # Inherits all functionality from AnthropicProvider (streaming, tool use,
+    # multimodal, JSON format emulation) and overrides only the client
+    # construction to use Anthropic::BedrockClient for AWS authentication.
+    #
+    # @example Configuration in active_agent.yml
+    #   bedrock:
+    #     service: "Bedrock"
+    #     aws_region: "eu-west-2"
+    #     model: "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
+    #
+    # @example Agent usage
+    #   class SummaryAgent < ApplicationAgent
+    #     generate_with :bedrock, model: "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
+    #
+    #     def summarize
+    #       prompt(message: params[:message])
+    #     end
+    #   end
+    #
+    # @see AnthropicProvider
+    class BedrockProvider < AnthropicProvider
+      # @return [String]
+      def self.service_name
+        "Bedrock"
+      end
+
+      # @return [Class]
+      def self.options_klass
+        Bedrock::Options
+      end
+
+      # @return [ActiveModel::Type::Value]
+      def self.prompt_request_type
+        Anthropic::RequestType.new
+      end
+
+      # Returns a configured Bedrock client.
+      #
+      # When a bearer token is available (via +aws_bearer_token+ option or
+      # +AWS_BEARER_TOKEN_BEDROCK+ env var), uses {Bedrock::BearerClient}
+      # which sends an +Authorization: Bearer+ header.
+      #
+      # Otherwise, falls back to {Anthropic::BedrockClient} which handles
+      # SigV4 signing, credential resolution, and Bedrock URL path rewriting.
+      #
+      # @return [Bedrock::BearerClient, Anthropic::Helpers::Bedrock::Client]
+      def client
+        @client ||= if options.aws_bearer_token.present?
+          Bedrock::BearerClient.new(
+            aws_region:          options.aws_region,
+            bearer_token:        options.aws_bearer_token,
+            base_url:            options.base_url.presence,
+            max_retries:         options.max_retries,
+            timeout:             options.timeout,
+            initial_retry_delay: options.initial_retry_delay,
+            max_retry_delay:     options.max_retry_delay
+          )
+        else
+          ::Anthropic::BedrockClient.new(
+            aws_region:          options.aws_region,
+            aws_access_key:      options.aws_access_key,
+            aws_secret_key:      options.aws_secret_key,
+            aws_session_token:   options.aws_session_token,
+            aws_profile:         options.aws_profile,
+            base_url:            options.base_url.presence,
+            max_retries:         options.max_retries,
+            timeout:             options.timeout,
+            initial_retry_delay: options.initial_retry_delay,
+            max_retry_delay:     options.max_retry_delay
+          )
+        end
+      end
+    end
+  end
+end

test/dummy/app/agents/providers/bedrock_agent.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Providers
+  # Example agent using Anthropic models via AWS Bedrock.
+  #
+  # Demonstrates basic prompt generation with the Bedrock provider.
+  # Configured to use Claude Sonnet via cross-region inference.
+  #
+  # @example Basic usage
+  #   response = Providers::BedrockAgent.ask(message: "Hello").generate_now
+  #   response.message.content  #=> "Hi! How can I help you today?"
+  # region agent
+  class BedrockAgent < ApplicationAgent
+    generate_with :bedrock, model: "eu.anthropic.claude-sonnet-4-5-20250929-v1:0"
+
+    # @return [ActiveAgent::Generation]
+    def ask
+      prompt(message: params[:message])
+    end
+  end
+  # endregion agent
+end

test/dummy/config/active_agent.yml

@@ -24,6 +24,11 @@ ollama: &ollama
   service: "Ollama"
   model: "gpt-oss:20b"
 # endregion ollama_anchor
+# region bedrock_anchor
+bedrock: &bedrock
+  service: "Bedrock"
+  aws_region: <%= ENV.fetch("AWS_REGION", "us-east-1") %>
+# endregion bedrock_anchor
 # region mock_anchor
 mock: &mock
   service: "Mock"
@@ -55,6 +60,10 @@ development:
   anthropic:
     <<: *anthropic
   # endregion anthropic_dev_config
+  # region bedrock_dev_config
+  bedrock:
+    <<: *bedrock
+  # endregion bedrock_dev_config
   # region mock_dev_config
   mock:
     <<: *mock
@@ -77,6 +86,8 @@ test:
     <<: *ollama
   anthropic:
     <<: *anthropic
+  bedrock:
+    <<: *bedrock
   mock:
     <<: *mock
   ruby_llm: