IAM roles for service accounts integration with AWS Bedrock auth

[shivam-dubey-1]

Description:

What issue is being seen? Describe what should be happening instead of
The AI Gateway's BackendSecurityPolicy CRD doesn't properly support IRSA (IAM Roles for Service Accounts) for AWS authentication. When attempting to use a service account with an associated IAM role for AWS Bedrock access, the configuration fails with validation errors.

Current behavior: The BackendSecurityPolicy CRD validation rejects IRSA configuration.
Expected behavior: The BackendSecurityPolicy should support IRSA configuration for AWS authentication.

Repro steps:

eksctl create iamserviceaccount
--name bedrock-sa
--namespace default
--cluster cluster_name
--region us-east-1
--attach-policy-arn arn:aws:iam::aws:policy/AmazonBedrockFullAccess
--approve

apiVersion: aigateway.envoyproxy.io/v1alpha1
kind: BackendSecurityPolicy
metadata:
name: envoy-ai-gateway-basic-aws-credentials
namespace: default
spec:
type: AWSCredentials
awsCredentials:
region: us-east-1
serviceAccount:
name: bedrock-sa

Error from server (BadRequest): error when creating "bedrock.yaml": BackendSecurityPolicy in version "v1alpha1" cannot be handled as a BackendSecurityPolicy: strict decoding error: unknown field "spec.awsCredentials.serviceAccount"

[github-actions]

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

[shivam-dubey-1]

Is there any workaround for not using secrets(aws credentials) for bedrock?

[mathetake]

Unfortunately no currently. But you are welcome to contribute the necessary change if that's your priority