|
| 1 | +import logging |
| 2 | +import os |
| 3 | +from typing import Optional |
| 4 | + |
| 5 | +from naas_abi_core.module.Module import ( |
| 6 | + BaseModule, |
| 7 | + ModuleConfiguration, |
| 8 | + ModuleDependencies, |
| 9 | +) |
| 10 | +from naas_abi_core.services.object_storage.ObjectStorageService import ( |
| 11 | + ObjectStorageService, |
| 12 | +) |
| 13 | +from pydantic import model_validator |
| 14 | + |
| 15 | +logger = logging.getLogger(__name__) |
| 16 | + |
| 17 | + |
| 18 | +class BedrockValidationError(RuntimeError): |
| 19 | + """Raised when the Bedrock module cannot authenticate or reach AWS Bedrock.""" |
| 20 | + |
| 21 | + |
| 22 | +class ABIModule(BaseModule): |
| 23 | + dependencies: ModuleDependencies = ModuleDependencies( |
| 24 | + modules=[], |
| 25 | + services=[ObjectStorageService], |
| 26 | + ) |
| 27 | + |
| 28 | + class Configuration(ModuleConfiguration): |
| 29 | + """ |
| 30 | + Configuration example: |
| 31 | +
|
| 32 | + module: naas_abi_marketplace.ai.bedrock |
| 33 | + enabled: true |
| 34 | + config: |
| 35 | + aws_access_key_id: "{{ secret.AWS_ACCESS_KEY_ID }}" |
| 36 | + aws_secret_access_key: "{{ secret.AWS_SECRET_ACCESS_KEY }}" |
| 37 | + aws_session_token: "{{ secret.AWS_SESSION_TOKEN }}" |
| 38 | + region_name: "us-east-1" |
| 39 | + validate_on_load: true |
| 40 | + validation_model_id: null # optional: invoke this model to prove access |
| 41 | + """ |
| 42 | + |
| 43 | + aws_access_key_id: Optional[str] = None |
| 44 | + aws_secret_access_key: Optional[str] = None |
| 45 | + aws_session_token: Optional[str] = None |
| 46 | + region_name: str = "us-east-1" |
| 47 | + datastore_path: str = "bedrock" |
| 48 | + |
| 49 | + # When true (default), the module verifies on load that: |
| 50 | + # 1. boto3 can resolve AWS credentials, |
| 51 | + # 2. sts:GetCallerIdentity succeeds, |
| 52 | + # 3. bedrock:ListFoundationModels succeeds in `region_name`. |
| 53 | + # If `validation_model_id` is also set, a 1-token Converse call is made |
| 54 | + # against that model to prove model-level access. |
| 55 | + # On failure, BedrockValidationError is raised — the module will not load. |
| 56 | + validate_on_load: bool = True |
| 57 | + validation_model_id: Optional[str] = None |
| 58 | + |
| 59 | + @model_validator(mode="after") |
| 60 | + def _validate_bedrock_access(self) -> "ABIModule.Configuration": |
| 61 | + if not self.validate_on_load: |
| 62 | + return self |
| 63 | + |
| 64 | + # Auto-skip under pytest so test collection doesn't require AWS access. |
| 65 | + # Users who want to validate during tests can unset PYTEST_CURRENT_TEST |
| 66 | + # or explicitly set validate_on_load=true in a dedicated integration test. |
| 67 | + if os.environ.get("PYTEST_CURRENT_TEST") or os.environ.get( |
| 68 | + "BEDROCK_SKIP_VALIDATION" |
| 69 | + ): |
| 70 | + logger.debug( |
| 71 | + "Bedrock module validation skipped (pytest or " |
| 72 | + "BEDROCK_SKIP_VALIDATION env var detected)." |
| 73 | + ) |
| 74 | + return self |
| 75 | + |
| 76 | + try: |
| 77 | + import boto3 |
| 78 | + from botocore.exceptions import ( |
| 79 | + BotoCoreError, |
| 80 | + ClientError, |
| 81 | + NoCredentialsError, |
| 82 | + ) |
| 83 | + except ImportError as exc: |
| 84 | + raise BedrockValidationError( |
| 85 | + "boto3 is required for the Bedrock module. Install with " |
| 86 | + "`uv pip install \"naas-abi-marketplace[ai-bedrock]\"`." |
| 87 | + ) from exc |
| 88 | + |
| 89 | + # Only pass credentials explicitly if provided; otherwise let boto3 |
| 90 | + # walk its credential chain (env -> shared file -> container -> IMDS). |
| 91 | + session_kwargs: dict = {"region_name": self.region_name} |
| 92 | + if self.aws_access_key_id: |
| 93 | + session_kwargs["aws_access_key_id"] = self.aws_access_key_id |
| 94 | + if self.aws_secret_access_key: |
| 95 | + session_kwargs["aws_secret_access_key"] = self.aws_secret_access_key |
| 96 | + if self.aws_session_token: |
| 97 | + session_kwargs["aws_session_token"] = self.aws_session_token |
| 98 | + |
| 99 | + try: |
| 100 | + session = boto3.Session(**session_kwargs) |
| 101 | + except (BotoCoreError, ValueError) as exc: |
| 102 | + raise BedrockValidationError( |
| 103 | + f"Failed to build boto3 Session: {exc}" |
| 104 | + ) from exc |
| 105 | + |
| 106 | + # Step 1: credentials must resolve. |
| 107 | + creds = session.get_credentials() |
| 108 | + if creds is None: |
| 109 | + raise BedrockValidationError( |
| 110 | + "No AWS credentials could be resolved. Checked: explicit " |
| 111 | + "config, env vars, shared credentials file, container " |
| 112 | + "credentials endpoint, and EC2 IMDS. Attach an IAM role to " |
| 113 | + "the instance/task/pod or provide credentials in config." |
| 114 | + ) |
| 115 | + method = getattr(creds, "method", "unknown") |
| 116 | + logger.info("Bedrock module: resolved AWS credentials via %s", method) |
| 117 | + |
| 118 | + # Step 2: prove the credentials work. |
| 119 | + try: |
| 120 | + identity = session.client("sts").get_caller_identity() |
| 121 | + logger.info( |
| 122 | + "Bedrock module: authenticated as %s (account %s)", |
| 123 | + identity.get("Arn"), |
| 124 | + identity.get("Account"), |
| 125 | + ) |
| 126 | + except (ClientError, BotoCoreError, NoCredentialsError) as exc: |
| 127 | + raise BedrockValidationError( |
| 128 | + f"sts:GetCallerIdentity failed — credentials resolved via " |
| 129 | + f"{method} but are not usable: {exc}" |
| 130 | + ) from exc |
| 131 | + |
| 132 | + # Step 3: prove Bedrock is reachable in the configured region. |
| 133 | + try: |
| 134 | + bedrock = session.client("bedrock", region_name=self.region_name) |
| 135 | + bedrock.list_foundation_models() |
| 136 | + logger.info( |
| 137 | + "Bedrock module: bedrock:ListFoundationModels succeeded in %s", |
| 138 | + self.region_name, |
| 139 | + ) |
| 140 | + except ClientError as exc: |
| 141 | + code = exc.response.get("Error", {}).get("Code", "") |
| 142 | + if code in ("AccessDeniedException", "UnauthorizedOperation"): |
| 143 | + raise BedrockValidationError( |
| 144 | + f"Bedrock is reachable in {self.region_name} but the " |
| 145 | + f"caller lacks bedrock:ListFoundationModels permission: " |
| 146 | + f"{exc}" |
| 147 | + ) from exc |
| 148 | + raise BedrockValidationError( |
| 149 | + f"bedrock:ListFoundationModels failed in " |
| 150 | + f"{self.region_name}: {exc}" |
| 151 | + ) from exc |
| 152 | + except BotoCoreError as exc: |
| 153 | + raise BedrockValidationError( |
| 154 | + f"Could not reach Bedrock endpoint in {self.region_name} " |
| 155 | + f"(network/VPC endpoint issue?): {exc}" |
| 156 | + ) from exc |
| 157 | + |
| 158 | + # Step 4 (optional): prove a specific model is invokable. |
| 159 | + if self.validation_model_id: |
| 160 | + try: |
| 161 | + runtime = session.client( |
| 162 | + "bedrock-runtime", region_name=self.region_name |
| 163 | + ) |
| 164 | + runtime.converse( |
| 165 | + modelId=self.validation_model_id, |
| 166 | + messages=[ |
| 167 | + {"role": "user", "content": [{"text": "ping"}]} |
| 168 | + ], |
| 169 | + inferenceConfig={"maxTokens": 1}, |
| 170 | + ) |
| 171 | + logger.info( |
| 172 | + "Bedrock module: validated invocation of %s", |
| 173 | + self.validation_model_id, |
| 174 | + ) |
| 175 | + except (ClientError, BotoCoreError) as exc: |
| 176 | + raise BedrockValidationError( |
| 177 | + f"Failed to invoke validation model " |
| 178 | + f"'{self.validation_model_id}' in {self.region_name}. " |
| 179 | + f"Has model access been granted in the Bedrock console? " |
| 180 | + f"Error: {exc}" |
| 181 | + ) from exc |
| 182 | + |
| 183 | + return self |
0 commit comments