15<!-- x-release-please-start-version -->15<!-- x-release-please-start-version -->
16 16
17```ruby17```ruby
18gem "openai", "~> 0.69.0"18gem "openai", "~> 0.70.0"
19```19```
20 20
21<!-- x-release-please-end -->21<!-- x-release-please-end -->
107 107
108Note that you can also pass a raw `IO` descriptor, but this disables retries, as the library can't be sure if the descriptor is a file or pipe (which cannot be rewound).108Note that you can also pass a raw `IO` descriptor, but this disables retries, as the library can't be sure if the descriptor is a file or pipe (which cannot be rewound).
109 109
110## Amazon Bedrock
111
112Use the standard client with the Bedrock provider to call OpenAI models through Amazon Bedrock's OpenAI-compatible API. Add `aws-sdk-core` to your application for AWS credential discovery and SigV4 signing:
113
114```ruby
115gem "openai"
116gem "aws-sdk-core", "~> 3"
117```
118
119With your normal AWS credentials configured, only the region is required:
120
121```ruby
122require "openai"
123
124client = OpenAI::Client.new(
125 provider: OpenAI::Providers.bedrock(region: "us-west-2")
126)
127
128response = client.responses.create(
129 model: ENV.fetch("BEDROCK_MODEL"),
130 input: "Say hello!"
131)
132
133puts(response.output_text)
134```
135
136The provider uses the standard AWS credential chain, including environment credentials, `~/.aws/credentials`, `~/.aws/config`, `AWS_PROFILE`, named profiles, SSO and assume-role profiles, and workload credentials. Select a profile explicitly with:
137
138```ruby
139client = OpenAI::Client.new(
140 provider: OpenAI::Providers.bedrock(
141 region: "us-west-2",
142 profile: "engineering"
143 )
144)
145```
146
147`AWS_BEARER_TOKEN_BEDROCK` and explicit Bedrock bearer credentials are also supported. Bearer authentication does not load or require `aws-sdk-core`:
148
149```ruby
150client = OpenAI::Client.new(
151 provider: OpenAI::Providers.bedrock(
152 region: "us-west-2",
153 api_key: ENV.fetch("AWS_BEARER_TOKEN_BEDROCK")
154 )
155)
156```
157
158See [bedrock.md](bedrock.md) for authentication precedence, static and refreshable credentials, endpoint configuration, and SigV4 request constraints.
159
110## Workload Identity Authentication160## Workload Identity Authentication
111 161
112For secure, automated environments like cloud-managed Kubernetes, Azure, and GCP, you can use workload identity authentication with short-lived tokens from cloud identity providers instead of long-lived API keys.162For secure, automated environments like cloud-managed Kubernetes, Azure, and GCP, you can use workload identity authentication with short-lived tokens from cloud identity providers instead of long-lived API keys.