@Copilot Copilot AI commented Jun 30, 2025

Summary

Enables customers to use custom Bedrock endpoints for the IDP connector to support Virtual VPC interface endpoints, as requested in the issue.

Problem

The IDP connector's BedrockRuntimeClientSupplier was not utilizing the custom endpoint configuration that was already available through AwsBaseConfiguration.endpoint. This prevented customers from using VPC interface endpoints for AWS Bedrock as described in the AWS documentation.

Solution

Modified BedrockRuntimeClientSupplier.getBedrockRuntimeClient() to check for and use custom endpoints when provided:

public BedrockRuntimeClient getBedrockRuntimeClient(final AwsProvider request) {
  var builder = BedrockRuntimeClient.builder()
      .credentialsProvider(CredentialsProviderSupportV2.credentialsProvider(request))
      .region(Region.of(request.getConfiguration().region()));

  if (request.getConfiguration().endpoint() != null && 
      !request.getConfiguration().endpoint().trim().isEmpty()) {
    builder.endpointOverride(URI.create(request.getConfiguration().endpoint()));
  }

  return builder.build();
}

Changes

  • BedrockRuntimeClientSupplier: Added logic to use endpointOverride() when a custom endpoint is configured
  • Tests: Added comprehensive test coverage for custom endpoints, null endpoints, and empty endpoints
  • Backward compatibility: Existing behavior preserved when no custom endpoint is specified

Testing

Added test cases covering:

  • ✅ Custom VPC endpoint usage (e.g., https://bedrock-runtime.vpce-12345.us-east-1.vpce.amazonaws.com)
  • ✅ Null endpoint handling (uses default AWS endpoints)
  • ✅ Empty/whitespace endpoint handling (uses default AWS endpoints)
  • ✅ Successful BedrockRuntimeClient creation in all scenarios

Example Usage

With this change, customers can now configure VPC interface endpoints in their IDP connector configuration:

{
  "configuration": {
    "region": "us-east-1",
    "endpoint": "https://bedrock-runtime.vpce-12345.us-east-1.vpce.amazonaws.com"
  }
}

Fixes #4992.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • artifacts.camunda.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --enable-native-access=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED --add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED -classpath /usr/share/apache-maven-3.9.10/boot/plexus-classworlds-2.9.0.jar -Dclassworlds.conf=/usr/share/apache-maven-3.9.10/bin/m2.conf -Dmaven.home=/usr/share/apache-maven-3.9.10 -Dlibrary.jansi.path=/usr/share/apache-maven-3.9.10/lib/jansi-native -Dmaven.multiModuleProjectDirectory=/home/REDACTED/work/connectors/connectors org.codehaus.plexus.classworlds.launcher.Launcher clean compile -pl connectors/idp-extraction (dns block)
  • build.shibboleth.net
  • packages.confluent.io
  • repository.sonatype.org

If you need me to access, download, or install something from one of these locations, you can either:



@Copilot Copilot AI changed the title from "[WIP] feat(idp): custom Bedrock endpoints supported for IDP" to "feat(idp): Add custom Bedrock endpoint support for VPC interface endpoints" Jun 30, 2025
Copilot finished work on behalf of mathieu-stennier June 30, 2025 15:00
@Copilot Copilot AI requested a review from mathieu-stennier June 30, 2025 15:00
@mathieu-stennier mathieu-stennier requested review from reiballa and removed request for mathieu-stennier June 30, 2025 15:05
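
The override in the PR description accepts any URI the configuration supplies, and the client then sends its signed requests and their payloads to that host. As an added example (not code from this PR or the connectors project), a validation step that could run before `endpointOverride()`; the class name `BedrockEndpointPolicy` and the `.amazonaws.com` suffix allowlist are assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

// Added example; BedrockEndpointPolicy is a hypothetical class, not connectors code.
public final class BedrockEndpointPolicy {
  // Assumption: only AWS-owned DNS names are acceptable; extend for private hosted zones.
  private static final List<String> ALLOWED_HOST_SUFFIXES = List.of(".amazonaws.com");

  /** Returns the override to use, or empty to fall back to the default regional endpoint. */
  public static Optional<URI> validate(String endpoint) {
    if (endpoint == null || endpoint.isBlank()) {
      return Optional.empty();
    }
    final URI uri;
    try {
      // Trim before parsing: java.net.URI rejects leading or trailing spaces.
      uri = new URI(endpoint.trim());
    } catch (URISyntaxException e) {
      throw new IllegalArgumentException("Bedrock endpoint is not a valid URI", e);
    }
    if (!"https".equalsIgnoreCase(uri.getScheme())) {
      throw new IllegalArgumentException("Bedrock endpoint must use https");
    }
    if (uri.getUserInfo() != null || uri.getQuery() != null || uri.getFragment() != null) {
      throw new IllegalArgumentException("Bedrock endpoint must not carry userinfo, query or fragment");
    }
    String host = uri.getHost() == null ? "" : uri.getHost().toLowerCase(Locale.ROOT);
    if (ALLOWED_HOST_SUFFIXES.stream().noneMatch(host::endsWith)) {
      throw new IllegalArgumentException("Bedrock endpoint host is not on the allowlist");
    }
    return Optional.of(uri);
  }

  public static void main(String[] args) {
    // Constructed inputs; the first is the example endpoint from the PR description, padded with spaces.
    System.out.println(validate(" https://bedrock-runtime.vpce-12345.us-east-1.vpce.amazonaws.com "));
    System.out.println(validate("   "));
    for (String bad : List.of("http://bedrock-runtime.us-east-1.amazonaws.com", "https://bedrock-runtime.amazonaws.com.example.net")) {
      try {
        validate(bad);
      } catch (IllegalArgumentException e) {
        System.out.println("rejected: " + e.getMessage());
      }
    }
  }
}
```

In the supplier this would be wired as `BedrockEndpointPolicy.validate(request.getConfiguration().endpoint()).ifPresent(builder::endpointOverride)`.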

@reiballa reiballa left a comment

lgtm, checking tests

@reiballa reiballa self-requested a review June 30, 2025 19:32
Successfully merging this pull request may close these issues.

feat(idp): custom Bedrock endpoints supported for IDP