feat: add AWS_USE_IMDS support for ambient IAM credential resolution on Bedrock (#2307)

Co-authored-by: Ira Abramov <ira@agrematch.com>

Author: ira-at-work

docs/docs/installation/github.md

@@ -280,6 +280,35 @@ To use local models via Ollama:
 
 **Note:** For local models, you'll need to use a self-hosted runner with Ollama installed, as GitHub Actions hosted runners cannot access localhost services.
 
+##### Using Amazon Bedrock
+
+To use Amazon Bedrock models with static IAM credentials:
+
+```yaml
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        config.model: "bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0"
+        config.fallback_models: '["bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0"]'
+        aws.AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws.AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws.AWS_REGION_NAME: "us-east-1"
+```
+
+**Recommended: IAM Role Credentials on AWS Compute**
+
+When the GitHub Actions runner is on AWS infrastructure (EC2, ECS, EKS), use the instance/task IAM role directly — no secrets required:
+
+```yaml
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        config.model: "bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0"
+        config.fallback_models: '["bedrock/anthropic.claude-3-5-sonnet-20240620-v1:0"]'
+        AWS_USE_IMDS: "true"
+        # AWS_REGION_NAME: us-east-1  # optional if instance metadata provides the region
+```
+
+The IAM role must have `bedrock:InvokeModel` on the target model ARN. See [Bedrock model configuration](../usage-guide/changing_a_model.md#amazon-bedrock) for the full IAM policy example and supported models.
+
 #### Advanced Configuration Options
 
 ##### Custom Review Instructions
@@ -732,4 +761,4 @@ After you set up AWS CodeCommit using the instructions above, here is an example
 PYTHONPATH="/PATH/TO/PROJECTS/pr-agent" python pr_agent/cli.py \
   --pr_url https://us-east-1.console.aws.amazon.com/codesuite/codecommit/repositories/MY_REPO_NAME/pull-requests/321 \
   review
-```
+```

docs/docs/usage-guide/changing_a_model.md

@@ -111,7 +111,7 @@ Please note that the `custom_model_max_tokens` setting should be configured in a
     Commercial models such as GPT-5, Claude Sonnet, and Gemini have demonstrated robust capabilities in generating structured output for code analysis tasks with large input. In contrast, most open-source models currently available (as of January 2025) face challenges with these complex tasks.
 
     Based on our testing, local open-source models are suitable for experimentation and learning purposes (mainly for the `ask` command), but they are not suitable for production-level code analysis tasks.
-    
+
     Hence, for production workflows and real-world usage, we recommend using commercial models.
 
 ### Hugging Face
@@ -251,6 +251,43 @@ model="bedrock/us.meta.llama4-scout-17b-instruct-v1:0"
 fallback_models=["bedrock/us.meta.llama4-maverick-17b-instruct-v1:0"]
 ```
 
+#### Using IAM Role Credentials (Recommended on AWS Compute)
+
+When running PR-Agent on AWS infrastructure (EC2, ECS/Fargate, EKS with IRSA, Lambda, or any self-hosted GitHub Actions runner on AWS), the instance or task already has an IAM role attached. You can use those ambient credentials directly instead of storing long-lived static keys.
+
+Set `AWS_USE_IMDS=true` in the environment. PR-Agent will resolve credentials via boto3's standard provider chain, which handles all AWS compute contexts transparently:
+
+| Compute context | Mechanism |
+|---|---|
+| EC2 instance with IAM role | IMDSv2 (169.254.169.254) |
+| ECS / Fargate task role | Task metadata endpoint |
+| EKS pod with IRSA | Web identity token + STS |
+| Lambda function | Runtime-injected credentials |
+
+Minimal GitHub Actions workflow (no AWS secret keys required):
+
+```yaml
+- uses: Codium-ai/pr-agent@main
+  env:
+    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    AWS_USE_IMDS: "true"
+    # AWS_REGION_NAME: us-east-1  # optional if the instance metadata provides it
+  with:
+    command: review
+```
+
+The IAM role must have `bedrock:InvokeModel` permission on the target model ARN, for example:
+
+```json
+{
+  "Effect": "Allow",
+  "Action": "bedrock:InvokeModel",
+  "Resource": "arn:aws:bedrock:us-east-1::foundation-model/anthropic.claude-3-5-sonnet-20240620-v1:0"
+}
+```
+
+If you also configure static keys in `[aws]`, they serve as an automatic fallback: if the ambient credentials fail a Bedrock call (e.g., the role lacks `bedrock:InvokeModel`), PR-Agent retries with the static keys and logs a warning.
+
 #### Custom Inference Profiles
 
 To use a custom inference profile with Amazon Bedrock (for cost allocation tags and other configuration settings), add the `model_id` parameter to your configuration:
@@ -339,7 +376,7 @@ key = "..." # your Codestral api key
 To use model from Openrouter, for example, set:
 
 ```toml
-[config] # in configuration.toml 
+[config] # in configuration.toml
 model="openrouter/anthropic/claude-3.7-sonnet"
 fallback_models=["openrouter/deepseek/deepseek-chat"]
 custom_model_max_tokens=20000

pr_agent/algo/__init__.py

@@ -165,12 +165,22 @@
     'bedrock/anthropic.claude-sonnet-4-20250514-v1:0': 200000,
     'bedrock/anthropic.claude-sonnet-4-5-20250929-v1:0': 200000,
     'bedrock/anthropic.claude-sonnet-4-6': 200000,
+    'bedrock/anthropic.claude-sonnet-4-6-v1:0': 200000,
+    'bedrock/anthropic.claude-opus-4-5-20251101-v1:0': 200000,
     "bedrock/us.anthropic.claude-opus-4-20250514-v1:0": 200000,
     "bedrock/us.anthropic.claude-opus-4-1-20250805-v1:0": 200000,
     "bedrock/us.anthropic.claude-opus-4-6-20260120-v1:0": 200000,
     "bedrock/global.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
+    "bedrock/eu.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
+    "bedrock/au.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
+    "bedrock/jp.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
+    "bedrock/apac.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
     "bedrock/us.anthropic.claude-opus-4-5-20251101-v1:0": 200000,
     "bedrock/global.anthropic.claude-opus-4-6-v1:0": 200000,
+    "bedrock/eu.anthropic.claude-opus-4-6-v1:0": 200000,
+    "bedrock/au.anthropic.claude-opus-4-6-v1:0": 200000,
+    "bedrock/jp.anthropic.claude-opus-4-6-v1:0": 200000,
+    "bedrock/apac.anthropic.claude-opus-4-6-v1:0": 200000,
     "bedrock/us.anthropic.claude-opus-4-6-v1:0": 200000,
     "bedrock/global.anthropic.claude-opus-4-7": 1000000,
     "bedrock/us.anthropic.claude-opus-4-7": 1000000,
@@ -187,16 +197,23 @@
     "bedrock/us.anthropic.claude-sonnet-4-5-20250929-v1:0": 200000,
     "bedrock/au.anthropic.claude-sonnet-4-5-20250929-v1:0": 200000,
     "bedrock/us.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/us.anthropic.claude-sonnet-4-6-v1:0": 200000,
     "bedrock/au.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/au.anthropic.claude-sonnet-4-6-v1:0": 200000,
     "bedrock/apac.anthropic.claude-3-5-sonnet-20241022-v2:0": 100000,
     "bedrock/apac.anthropic.claude-3-7-sonnet-20250219-v1:0": 200000,
     "bedrock/apac.anthropic.claude-sonnet-4-20250514-v1:0": 200000,
     "bedrock/eu.anthropic.claude-sonnet-4-5-20250929-v1:0": 200000,
     "bedrock/eu.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/eu.anthropic.claude-sonnet-4-6-v1:0": 200000,
     "bedrock/jp.anthropic.claude-sonnet-4-5-20250929-v1:0": 200000,
     "bedrock/jp.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/jp.anthropic.claude-sonnet-4-6-v1:0": 200000,
+    "bedrock/apac.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/apac.anthropic.claude-sonnet-4-6-v1:0": 200000,
     "bedrock/global.anthropic.claude-sonnet-4-5-20250929-v1:0": 200000,
     "bedrock/global.anthropic.claude-sonnet-4-6": 200000,
+    "bedrock/global.anthropic.claude-sonnet-4-6-v1:0": 200000,
     'claude-3-5-sonnet': 100000,
     'bedrock/us.meta.llama4-scout-17b-instruct-v1:0': 128000,
     'bedrock/us.meta.llama4-maverick-17b-instruct-v1:0': 128000,