Documentation ¶
Overview ¶
Package credentials provides credential management for LLM provider authentication. It supports multiple credential types including API keys, AWS SigV4, GCP OAuth, and Azure AD.
Index ¶
- Variables
- func BedrockEndpoint(region string) string
- func VertexEndpoint(project, region string) string
- type APIKeyCredential
- type APIKeyOption
- type AWSCredential
- type AzureCredential
- func NewAzureCredential(ctx context.Context, endpoint string) (*AzureCredential, error)
- func NewAzureCredentialWithClientSecret(ctx context.Context, endpoint, tenantID, clientID, clientSecret string) (*AzureCredential, error)
- func NewAzureCredentialWithManagedIdentity(ctx context.Context, endpoint string, clientID *string) (*AzureCredential, error)
- type Credential
- type GCPCredential
- type NoOpCredential
- type ResolverConfig
Constants ¶
This section is empty.
Variables ¶
var BedrockModelMapping = map[string]string{
"claude-3-5-sonnet-20241022": "anthropic.claude-3-5-sonnet-20241022-v2:0",
"claude-3-5-sonnet-20240620": "anthropic.claude-3-5-sonnet-20240620-v1:0",
"claude-3-opus-20240229": "anthropic.claude-3-opus-20240229-v1:0",
"claude-3-sonnet-20240229": "anthropic.claude-3-sonnet-20240229-v1:0",
"claude-3-haiku-20240307": "anthropic.claude-3-haiku-20240307-v1:0",
"claude-3-5-haiku-20241022": "anthropic.claude-3-5-haiku-20241022-v1:0",
}
BedrockModelMapping maps Claude model names to Bedrock model IDs.
var DefaultEnvVars = map[string][]string{
"claude": {"ANTHROPIC_API_KEY", "CLAUDE_API_KEY"},
"openai": {"OPENAI_API_KEY", "OPENAI_TOKEN"},
"gemini": {"GEMINI_API_KEY", "GOOGLE_API_KEY"},
"imagen": {"GEMINI_API_KEY", "GOOGLE_API_KEY"},
}
DefaultEnvVars maps provider types to their default environment variable names. This maintains backward compatibility with existing configurations.
var ProviderHeaderConfig = map[string]struct {
	HeaderName string
	Prefix     string
}{
	"claude": {HeaderName: "X-API-Key", Prefix: ""},
	"openai": {HeaderName: "Authorization", Prefix: "Bearer "},
	"gemini": {HeaderName: "", Prefix: ""},
	"imagen": {HeaderName: "", Prefix: ""},
}
ProviderHeaderConfig maps provider types to their API key header configuration.
Functions ¶
func BedrockEndpoint ¶
BedrockEndpoint returns the Bedrock endpoint URL for a region.
func VertexEndpoint ¶
VertexEndpoint returns the Vertex AI endpoint URL for a project and region.
Types ¶
type APIKeyCredential ¶
type APIKeyCredential struct {
// contains filtered or unexported fields
}
APIKeyCredential implements header-based API key authentication. It supports flexible header names for different providers.
func NewAPIKeyCredential ¶
func NewAPIKeyCredential(apiKey string, opts ...APIKeyOption) *APIKeyCredential
NewAPIKeyCredential creates a new API key credential. By default, it uses the "Authorization" header with a "Bearer " prefix.
func (*APIKeyCredential) APIKey ¶
func (c *APIKeyCredential) APIKey() string
APIKey returns the raw API key value. This is useful for providers that need the key for non-HTTP operations.
type APIKeyOption ¶
type APIKeyOption func(*APIKeyCredential)
APIKeyOption configures an APIKeyCredential.
func WithBearerPrefix ¶
func WithBearerPrefix() APIKeyOption
WithBearerPrefix adds "Bearer " prefix to the API key.
func WithHeaderName ¶
func WithHeaderName(name string) APIKeyOption
WithHeaderName sets the header name for the API key.
func WithPrefix ¶
func WithPrefix(prefix string) APIKeyOption
WithPrefix sets a custom prefix for the API key.
type AWSCredential ¶
type AWSCredential struct {
// contains filtered or unexported fields
}
AWSCredential implements AWS SigV4 signing for Bedrock.
func NewAWSCredential ¶
func NewAWSCredential(ctx context.Context, region string) (*AWSCredential, error)
NewAWSCredential creates a new AWS credential using the default credential chain. This supports IRSA (IAM Roles for Service Accounts), instance profiles, and environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
func NewAWSCredentialWithRole ¶
func NewAWSCredentialWithRole(ctx context.Context, region, roleARN string) (*AWSCredential, error)
NewAWSCredentialWithRole creates an AWS credential that assumes a role.
func (*AWSCredential) Config ¶
func (c *AWSCredential) Config() aws.Config
Config returns the AWS config for advanced use cases.
func (*AWSCredential) Region ¶
func (c *AWSCredential) Region() string
Region returns the configured AWS region.
type AzureCredential ¶
type AzureCredential struct {
// contains filtered or unexported fields
}
AzureCredential implements Azure AD token-based authentication for Azure AI services.
func NewAzureCredential ¶
func NewAzureCredential(ctx context.Context, endpoint string) (*AzureCredential, error)
NewAzureCredential creates a new Azure credential using the default credential chain. This supports Managed Identity, Azure CLI, environment variables, and more.
func NewAzureCredentialWithClientSecret ¶
func NewAzureCredentialWithClientSecret(
	ctx context.Context,
	endpoint, tenantID, clientID, clientSecret string,
) (*AzureCredential, error)
NewAzureCredentialWithClientSecret creates an Azure credential using a client secret.
func NewAzureCredentialWithManagedIdentity ¶
func NewAzureCredentialWithManagedIdentity(
	ctx context.Context,
	endpoint string,
	clientID *string,
) (*AzureCredential, error)
NewAzureCredentialWithManagedIdentity creates an Azure credential using Managed Identity.
func (*AzureCredential) Endpoint ¶
func (c *AzureCredential) Endpoint() string
Endpoint returns the configured Azure endpoint.
type Credential ¶
type Credential interface {
// Apply adds authentication to the HTTP request.
// It may modify headers, query parameters, or the request body.
Apply(ctx context.Context, req *http.Request) error
// Type returns the credential type identifier (e.g., "api_key", "aws", "gcp", "azure").
Type() string
}
Credential applies authentication to HTTP requests. Implementations handle different authentication schemes like API keys, AWS SigV4 signing, OAuth tokens, etc.
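A type shaped like the Credential interface, as an added example that is not this package's code: `headerCredential`, `newHeaderCredential` and `headerConfig` are hypothetical names, and the header settings are copied from ProviderHeaderConfig above. Refusing plaintext HTTP and redacting the key in `String` are choices of this sketch, not documented package behavior.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
)

// headerCredential is a hypothetical header-based credential.
type headerCredential struct{ header, prefix, key string }

// Header name and prefix per provider, copied from ProviderHeaderConfig.
var headerConfig = map[string][2]string{
	"claude": {"X-API-Key", ""},
	"openai": {"Authorization", "Bearer "},
}

func newHeaderCredential(provider, key string) (*headerCredential, error) {
	hc, ok := headerConfig[provider]
	if !ok || key == "" {
		return nil, fmt.Errorf("no header credential for provider %q", provider)
	}
	return &headerCredential{header: hc[0], prefix: hc[1], key: key}, nil
}

// Apply sets the auth header. Rejecting non-HTTPS URLs is an assumption of
// this sketch so the key is never written to a cleartext request.
func (c *headerCredential) Apply(ctx context.Context, req *http.Request) error {
	if req.URL.Scheme != "https" {
		return errors.New("refusing to send API key over " + req.URL.Scheme)
	}
	req.Header.Set(c.header, c.prefix+c.key)
	return nil
}

func (c *headerCredential) Type() string { return "api_key" }

// String keeps the secret out of %v and %s log output.
func (c *headerCredential) String() string { return "api_key(" + c.header + ", redacted)" }

func main() {
	c, _ := newHeaderCredential("openai", "sk-constructed-sample") // constructed key
	req, _ := http.NewRequest("POST", "https://api.example.invalid/v1/chat", nil)
	fmt.Println(c.Apply(context.Background(), req), c)
}
```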
func MustResolve ¶
func MustResolve(ctx context.Context, cfg ResolverConfig) Credential
MustResolve resolves credentials and panics on error. Use this only in initialization code where errors are unrecoverable.
func Resolve ¶
func Resolve(ctx context.Context, cfg ResolverConfig) (Credential, error)
Resolve resolves credentials according to the chain:
1. api_key (explicit value)
2. credential_file (read from file)
3. credential_env (read from environment variable)
4. default env vars for provider type
For platform configurations (bedrock, vertex, azure), it returns the appropriate cloud credential type that uses the respective SDK's default credential chain.
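The four-step chain above, modelled as an added example that is not this package's implementation: `resolverInput` and `resolveKey` are hypothetical names, and the field names on the flattened struct are assumptions because the page does not show `config.CredentialConfig`. The sketch assumes a configured file or environment variable that cannot supply a key is an error rather than a silent fall-through to an ambient default, and it returns the winning source so it can be logged without the secret.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolverInput is a hypothetical flattened stand-in for ResolverConfig.
type resolverInput struct{ ProviderType, APIKey, CredentialFile, CredentialEnv, ConfigDir string }

var defaultEnvVars = map[string][]string{ // two entries copied from DefaultEnvVars
	"claude": {"ANTHROPIC_API_KEY", "CLAUDE_API_KEY"},
	"openai": {"OPENAI_API_KEY", "OPENAI_TOKEN"},
}

// resolveKey returns the key and the name of the source that supplied it.
func resolveKey(in resolverInput) (string, string, error) {
	if in.APIKey != "" { // 1. explicit value
		return in.APIKey, "api_key", nil
	}
	if p := in.CredentialFile; p != "" { // 2. file, relative paths under ConfigDir
		if !filepath.IsAbs(p) {
			p = filepath.Join(in.ConfigDir, p)
		}
		b, err := os.ReadFile(p)
		if k := strings.TrimSpace(string(b)); k != "" {
			return k, "credential_file", nil
		}
		return "", "", fmt.Errorf("credential_file %s: empty or unreadable (%v)", p, err)
	}
	if name := in.CredentialEnv; name != "" { // 3. named environment variable
		if k := os.Getenv(name); k != "" {
			return k, "credential_env:" + name, nil
		}
		return "", "", fmt.Errorf("credential_env %s is unset", name)
	}
	for _, name := range defaultEnvVars[in.ProviderType] { // 4. provider defaults
		if k := os.Getenv(name); k != "" {
			return k, "default_env:" + name, nil
		}
	}
	return "", "", fmt.Errorf("no credential found for provider %q", in.ProviderType)
}

func main() {
	_, src, err := resolveKey(resolverInput{ProviderType: "claude"})
	fmt.Println(src, err)
}
```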
type GCPCredential ¶
type GCPCredential struct {
// contains filtered or unexported fields
}
GCPCredential implements OAuth2 token-based authentication for Vertex AI.
func NewGCPCredential ¶
func NewGCPCredential(ctx context.Context, project, region string) (*GCPCredential, error)
NewGCPCredential creates a new GCP credential using Application Default Credentials. This supports Workload Identity, service account keys, and gcloud auth.
func NewGCPCredentialWithServiceAccount ¶
func NewGCPCredentialWithServiceAccount(ctx context.Context, project, region, keyFile string) (*GCPCredential, error)
NewGCPCredentialWithServiceAccount creates a GCP credential from a service account key file.
func (*GCPCredential) Project ¶
func (c *GCPCredential) Project() string
Project returns the configured GCP project ID.
func (*GCPCredential) Region ¶
func (c *GCPCredential) Region() string
Region returns the configured GCP region.
type NoOpCredential ¶
type NoOpCredential struct{}
NoOpCredential is a credential that does nothing. Used for providers that don't require authentication or handle it internally.
type ResolverConfig ¶
type ResolverConfig struct {
// ProviderType is the provider type (claude, openai, gemini, etc.)
ProviderType string
// CredentialConfig is the explicit credential configuration from the provider.
CredentialConfig *config.CredentialConfig
// PlatformConfig is the platform configuration (bedrock, vertex, azure).
PlatformConfig *config.PlatformConfig
// ConfigDir is the base directory for resolving relative credential file paths.
ConfigDir string
}
ResolverConfig holds configuration for credential resolution.