Michael Suchacz
9634739aed
> This PR was authored by Mux on behalf of Mike. Adds AWS Bedrock ambient credential support to the Agents provider path. Bedrock providers can now be saved without a stored API key and authenticated via the standard AWS SDK credential chain on the Coder server (IAM roles, `AWS_ACCESS_KEY_ID`, etc.). Also fixes missing `Base URL` forwarding for Bedrock. ## Changes **Backend runtime** (`coderd/x/chatd/chatprovider/chatprovider.go`): - New `ProviderAllowsAmbientCredentials(provider)` helper. Currently returns true only for Bedrock. - `ModelFromConfig` no longer errors on an empty API key when the provider is in the ambient-allowed set AND was explicitly resolved via `ByProvider`. This preserves the policy gate: unresolvable providers (disabled central key, user-key-required without a user key) still error. - `setResolvedProviderAPIKey` internalizes the ambient-credentials contract via `ProviderAllowsAmbientCredentials`, so a resolved-but-keyless Bedrock provider is represented as an empty `ByProvider` entry rather than a post-hoc sentinel patch in the caller. - `WithAPIKey` is only appended when a token is present. - `WithBaseURL(baseURL)` is now forwarded for Bedrock (was previously missing). **Backend admin API** (`coderd/exp_chats.go`): - `validateChatProviderCentralAPIKey` exempts Bedrock from requiring a stored API key when central credentials are enabled. - AI Gateway separation (`ChatProviderAPIKeysFromDeploymentValues`) is unchanged. No silent reuse of `CODER_AIBRIDGE_BEDROCK_*` flags. **Frontend** (`site/src/pages/AgentsPage/components/ChatModelAdminPanel/*`): - API Key field is optional for Bedrock when central credentials are enabled. - Bedrock-specific descriptions on API Key and Base URL fields (bearer-token vs ambient modes, `AWS_REGION` guidance). - Right-aligned "Clear stored token" action switches an existing Bedrock provider back to ambient mode. - `hasEffectiveAPIKey` treats Bedrock with central credentials enabled as configured, so the provider list shows the correct status icon. - Three new stories: `ProviderFormBedrockAmbientCredentials`, `ProviderFormBedrockBearerToken`, `ProviderFormBedrockClearBearerToken`. **Docs** (`docs/ai-coder/agents/models.md`, `docs/ai-coder/ai-gateway/setup.md`): - New "Configuring AWS Bedrock" section covering both credential modes, region resolution, and the Base URL override. - Explicit note that the `us-east-1` region fallback only applies to bearer-token mode; ambient credentials require a region from the standard AWS SDK chain. - Cross-reference in AI Gateway docs clarifying that `CODER_AIBRIDGE_BEDROCK_*` flags are a separate configuration path from Agents. ## Not in scope - Reusing AI Gateway Bedrock flags as an implicit Agents fallback. - Per-provider AWS access key, secret, or region fields (would need a migration and audit-table review). - IMDS or network-backed credential probes in admin/listing request paths. ## Related Dogfood deployment integration: https://github.com/coder/dogfood/pull/324
About
Coder is a self-hosted, open source, cloud development environment that works with any cloud, IDE, OS, Git provider, and IDP.
Screenshots of Coder workspaces and connections
Coder is built on common development interfaces and infrastructure tools to make the process of provisioning and accessing remote workspaces approachable for organizations of various sizes and stages of cloud-native maturity.
IDE support
You can use:
-
Any Web IDE, such as
- code-server
- JetBrains Projector
- Jupyter
- And others
-
Your existing remote development environment:
-
A file sync such as Mutagen
Why remote development
Remote development offers several benefits for users and administrators, including:
-
Increased speed
- Server-grade cloud hardware speeds up operations in software development, from loading the IDE to compiling and building code, and running large workloads such as those for monolith or microservice applications.
-
Easier environment management
- Built-in infrastructure tools such as Terraform, nix, Docker, Dev Containers, and others make it easier to onboard developers with consistent environments.
-
Increased security
- Centralize source code and other data onto private servers or cloud services instead of local developers' machines.
- Manage users and groups with SSO and Role-based access controlled (RBAC).
-
Improved compatibility
- Remote workspaces can share infrastructure configurations with other development, staging, and production environments, reducing configuration drift.
-
Improved accessibility
- Connect to remote workspaces via browser-based IDEs or remote IDE extensions to enable developers regardless of the device they use, whether it's their main device, a lightweight laptop, Chromebook, or iPad.
Read more about why organizations and engineers are moving to remote development on our blog, the Slack engineering blog, or from OpenFaaS's Alex Ellis.
Why Coder
The key difference between Coder and other remote IDE platforms is the added layer of infrastructure control. This additional layer allows admins to:
- Simultaneously support ARM, Windows, Linux, and macOS workspaces.
- Modify pod/container specs, such as adding disks, managing network policies, or setting/updating environment variables.
- Use VM or dedicated workspaces, developing with Kernel features (no container knowledge required).
- Enable persistent workspaces, which are like local machines, but faster and hosted by a cloud service.
How much does it cost?
Coder is free and open source under GNU Affero General Public License v3.0. All developer productivity features are included in the Open Source version of Coder. A Premium license is available for enhanced support options and custom deployments.
How does Coder work
Coder workspaces are represented with Terraform, but you don't need to know Terraform to get started. We have a database of production-ready templates for use with AWS EC2, Azure, Google Cloud, Kubernetes, and more.
Providers and compute environments
Coder workspaces can be used for more than just compute. You can use Terraform to add storage buckets, secrets, sidecars, and more.
Visit the templates documentation to learn more.
What Coder is not
-
Coder is not an infrastructure as code (IaC) platform.
- Terraform is the first IaC provisioner in Coder, allowing Coder admins to define Terraform resources as Coder workspaces.
-
Coder is not a DevOps/CI platform.
- Coder workspaces can be configured to follow best practices for cloud-service-based workloads, but Coder is not responsible for how you define or deploy the software you write.
-
Coder is not an online IDE.
- Coder supports common editors, such as VS Code, vim, and JetBrains, all over HTTPS or SSH.
-
Coder is not a collaboration platform.
- You can use Git with your favorite Git platform and dedicated IDE extensions for pull requests, code reviews, and pair programming.
-
Coder is not a SaaS/fully-managed offering.
- Coder is a self-hosted solution. You must host Coder in a private data center or on a cloud service, such as AWS, Azure, or GCP.
Using Coder v1?
If you're a Coder v1 customer, view the v1 documentation or the v2 migration guide and FAQ.
Up next
- Template
- Installing Coder
- Quickstart to try Coder out for yourself.