Missing proxy support in AWSCRTHTTPClient → blocks aws_sdk_bedrock_runtime in private VPCs #18

@j-j-kam

Please let me know if I'm missing something.

When using aws_sdk_bedrock_runtime to invoke Amazon Nova Sonic in a private VPC (us-west-2), the HTTP stack cannot honor HTTP_PROXY / HTTPS_PROXY because the CRT-based HTTP client does not expose any proxy configuration.

This makes aws_sdk_bedrock_runtime unusable in environments where all outbound internet access must go through a proxy (e.g., ECS Fargate in private subnets without NAT or VPC endpoint).

Application creates a Bedrock client:

crt_http_client = create_crt_http_client(PROXY_URL if not IS_DEV else None)

bedrock_nova_sonic_config = BedrockConfig(
    endpoint_uri=f"https://bedrock-runtime.{ONLY_AVAILABLE_REGION_FOR_AWS_NOVA}.amazonaws.com",
    region=ONLY_AVAILABLE_REGION_FOR_AWS_NOVA,
    aws_credentials_identity_resolver=EnvironmentCredentialsResolver(),
    http_auth_scheme_resolver=HTTPAuthSchemeResolver(),
    http_auth_schemes={"aws.auth#sigv4": SigV4AuthScheme()},
    http_client=crt_http_client,
)
bedrock_client = BedrockRuntimeClient(bedrock_nova_sonic_config)

That crt_http_client is always an instance of:

from smithy_http.aio.crt import AWSCRTHTTPClient

Which in turn requires AWSCRTHTTPClientConfig:

class AWSCRTHTTPClientConfig(http_interfaces.HTTPClientConfiguration):
    def __post_init__(self) -> None:
        _assert_crt()

And the actual client implementation:

class AWSCRTHTTPClient(http_aio_interfaces.HTTPClient):
    _HTTP_PORT = 80
    _HTTPS_PORT = 443

    def __init__(self, eventloop=None, client_config=None):
        _assert_crt()
        self._config = client_config or AWSCRTHTTPClientConfig()
        self._eventloop = eventloop or _AWSCRTEventLoop()
        self._client_bootstrap = self._eventloop.bootstrap
        self._tls_ctx = crt_io.ClientTlsContext(crt_io.TlsContextOptions())
        self._socket_options = crt_io.SocketOptions()
        self._connections = {}

The only config type available is:

@dataclass(kw_only=True)
class HTTPClientConfiguration:
    """Client-level HTTP configuration.

    :param force_http_2: Whether to require HTTP/2.
    """
    force_http_2: bool = False

There is no field for proxy configuration, nor does AWSCRTHTTPClient internally handle HTTP_PROXY / HTTPS_PROXY.
The underlying call in _build_new_connection goes directly to crt_http.HttpClientConnection.new(...) with just host_name, port, socket_options, and tls_connection_options.

Please add first-class proxy support to smithy-http’s AWSCRTHTTPClient.
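As an added illustration (not code from the issue or from smithy-python), the sketch below shows the environment-variable resolution the request implies: choosing HTTP_PROXY or HTTPS_PROXY for a given endpoint, honoring NO_PROXY, and keeping proxy credentials out of logs and error messages. `ProxySettings`, `resolve_proxy` and `_bypassed` are hypothetical names, and the restriction to plain-HTTP proxies with a default port of 3128 is an assumption.

```python
import os
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ProxySettings:
    """Hypothetical holder for the values awscrt.http.HttpProxyOptions takes."""
    host: str
    port: int
    username: Optional[str] = None
    password: Optional[str] = None

    def redacted(self) -> str:
        # Log-safe form: proxy credentials are never included.
        return f"http://{'***@' if self.username else ''}{self.host}:{self.port}"


def _bypassed(host: str, no_proxy: str) -> bool:
    """True if host matches a NO_PROXY entry (exact or domain-suffix match)."""
    host = host.lower().rstrip(".")
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if entry == "*":
            return True
        entry = entry.lstrip(".")
        if entry and (host == entry or host.endswith("." + entry)):
            return True
    return False


def resolve_proxy(endpoint_uri: str, env=os.environ) -> Optional[ProxySettings]:
    """Pick the proxy for endpoint_uri from HTTP(S)_PROXY / NO_PROXY, or None."""
    target = urlsplit(endpoint_uri)
    if target.scheme not in ("http", "https") or not target.hostname:
        raise ValueError(f"unsupported endpoint: {endpoint_uri!r}")
    if _bypassed(target.hostname, env.get("NO_PROXY") or env.get("no_proxy") or ""):
        return None
    var = f"{target.scheme.upper()}_PROXY"
    raw = env.get(var) or env.get(var.lower())
    if not raw:
        return None
    proxy = urlsplit(raw if "://" in raw else "http://" + raw)
    # Assumption: only plain-HTTP (CONNECT) proxies; 3128 is an assumed default port.
    if proxy.scheme != "http" or not proxy.hostname:
        # Do not echo the raw value: it may embed credentials.
        raise ValueError(f"{var} must be an http://host:port URL")
    return ProxySettings(proxy.hostname, proxy.port or 3128,
                         proxy.username, proxy.password)
```

The resolved settings would still have to reach the CRT connection, which is the part the issue reports smithy-http does not expose.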
