agent-network: identity metadata setting and Bedrock cost allocation#857
agent-network: identity metadata setting and Bedrock cost allocation#857mlsmaycon wants to merge 7 commits into
Conversation
|
Important Review skippedReview was skipped due to path filters ⛔ Files ignored due to path filters (2)
CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughDocumentation now describes provider identity metadata forwarding, its per-provider disable option, LiteLLM identity handling, and AWS Bedrock cost allocation using forwarded caller identity. ChangesIdentity Metadata Documentation
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related issues
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/pages/agent-network/integrations/bedrock.mdx`:
- Around line 69-80: Revise the Bedrock integration documentation to remove the
claim that X-Amzn-Bedrock-Request-Metadata enables AWS Cost Explorer breakdowns
or requires activating cost-allocation tags. Describe the header as providing
per-request identity metadata for Bedrock logging and attribution, or replace it
with a documented, supported billing mechanism.
In `@src/pages/agent-network/providers.mdx`:
- Around line 103-104: Update the identity metadata toggle description near
“Disable identity metadata” to state that it is independently configurable for
each provider, while preserving that it is off by default and metadata is sent
unless disabled.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 15f79d08-2e0d-40e0-8976-06a6ed47510f
📒 Files selected for processing (3)
src/pages/agent-network/how-it-works.mdxsrc/pages/agent-network/integrations/bedrock.mdxsrc/pages/agent-network/providers.mdx
| To attribute Bedrock spend in AWS the same way the NetBird dashboard attributes it, NetBird | ||
| forwards each request's identity to Bedrock in the | ||
| [`X-Amzn-Bedrock-Request-Metadata`](https://docs.aws.amazon.com/bedrock/latest/userguide/cost-mgmt-request-metadata.html) | ||
| header, carrying the caller's **user** and the **group that authorized the request**: | ||
|
|
||
| ``` | ||
| X-Amzn-Bedrock-Request-Metadata: {"user": "user@example.com", "group": "engineering"} | ||
| ``` | ||
|
|
||
| Activate the matching **cost-allocation tags** in **AWS Billing and Cost Management → Cost | ||
| allocation tags**; Bedrock spend in AWS Cost Explorer can then be broken down by NetBird user | ||
| and group. Values are sanitized to Bedrock's accepted character set before they are sent. |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
Don't describe request metadata as a cost-allocation tag
X-Amzn-Bedrock-Request-Metadata is for per-request attribution in Bedrock logs, not a native AWS Cost Explorer/CUR breakdown. Reword this section to describe log-based attribution, or point to a supported billing mechanism instead.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/pages/agent-network/integrations/bedrock.mdx` around lines 69 - 80,
Revise the Bedrock integration documentation to remove the claim that
X-Amzn-Bedrock-Request-Metadata enables AWS Cost Explorer breakdowns or requires
activating cost-allocation tags. Describe the header as providing per-request
identity metadata for Bedrock logging and attribution, or replace it with a
documented, supported billing mechanism.
…l identity metadata
…ocs + screenshots
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/pages/agent-network/integrations/litellm.mdx`:
- Around line 57-59: Update the earlier identity-forwarding statement in the
LiteLLM integration documentation to clarify that forwarding happens by default
or only when the provider’s Forward identity metadata setting is enabled. Keep
the existing opt-out guidance and meaning unchanged.
In `@src/pages/agent-network/providers.mdx`:
- Around line 103-106: Use a single label consistently for the provider toggle
described in the “Forward identity metadata” section, matching the actual UI
wording and screenshot alt text. If the control is disable-style, explicitly
document which on/off state forwards identity metadata and which prevents it.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 045be004-51c3-47d1-a7f0-c63de48303cb
⛔ Files ignored due to path filters (4)
public/docs-static/img/agent-network/integrations/agent-network-bedrock-connect.pngis excluded by!**/*.pngpublic/docs-static/img/agent-network/integrations/agent-network-bedrock-mappings.pngis excluded by!**/*.pngpublic/docs-static/img/agent-network/integrations/agent-network-litellm-mappings.pngis excluded by!**/*.pngpublic/docs-static/img/agent-network/providers/agent-network-provider-metadata.pngis excluded by!**/*.png
📒 Files selected for processing (3)
src/pages/agent-network/integrations/bedrock.mdxsrc/pages/agent-network/integrations/litellm.mdxsrc/pages/agent-network/providers.mdx
🚧 Files skipped from review as they are similar to previous changes (1)
- src/pages/agent-network/integrations/bedrock.mdx
| The proxy strips any client-supplied value first, so an app can't spoof its identity. To stop | ||
| forwarding identity to LiteLLM, turn off | ||
| [Forward identity metadata](/agent-network/providers#identity-metadata) on the provider. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
Qualify the earlier “every request” claim.
This page currently says NetBird forwards identity on every request, but this section introduces a provider-level opt-out. Change the earlier wording to “by default” or otherwise state that forwarding occurs only while the setting is enabled.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/pages/agent-network/integrations/litellm.mdx` around lines 57 - 59,
Update the earlier identity-forwarding statement in the LiteLLM integration
documentation to clarify that forwarding happens by default or only when the
provider’s Forward identity metadata setting is enabled. Keep the existing
opt-out guidance and meaning unchanged.
| This is controlled by the **Forward identity metadata** toggle on the provider — **on by | ||
| default**, and shown only for providers that support it (first-party APIs such as OpenAI or | ||
| Anthropic have no such metadata channel, so the toggle doesn't appear for them). Turn it off | ||
| to keep the caller's identity out of the upstream request. |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the target MDX file around the cited lines and nearby references to the toggle label.
git ls-files src/pages/agent-network/providers.mdx
wc -l src/pages/agent-network/providers.mdx
sed -n '80,120p' src/pages/agent-network/providers.mdx
printf '\n--- search for toggle wording ---\n'
rg -n "Disable identity metadata|Forward identity metadata|identity metadata" src/pages/agent-network/providers.mdxRepository: netbirdio/docs
Length of output: 2783
🏁 Script executed:
#!/bin/bash
set -euo pipefail
sed -n '90,115p' src/pages/agent-network/providers.mdx
printf '\n--- occurrences ---\n'
rg -n "Disable identity metadata|Forward identity metadata|identity metadata" src/pages/agent-network/providers.mdxRepository: netbirdio/docs
Length of output: 1856
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
p = Path('src/pages/agent-network/providers.mdx')
text = p.read_text()
for needle in ['Disable identity metadata', 'Forward identity metadata', 'identity metadata']:
print(f'--- {needle} ---')
for i, line in enumerate(text.splitlines(), 1):
if needle.lower() in line.lower():
print(f'{i}: {line}')
PYRepository: netbirdio/docs
Length of output: 852
Use one label for this toggle. The body says Forward identity metadata, while the screenshot alt text says Disable identity metadata. Match the UI wording and, if the control is disable-style, make the on/off behavior explicit.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/pages/agent-network/providers.mdx` around lines 103 - 106, Use a single
label consistently for the provider toggle described in the “Forward identity
metadata” section, matching the actual UI wording and screenshot alt text. If
the control is disable-style, explicitly document which on/off state forwards
identity metadata and which prevents it.
Documents the per-provider identity metadata behavior and the new Disable identity
metadata setting, plus AWS Bedrock cost allocation.
Companion to netbirdio/netbird#6791 (proxy/management) and netbirdio/dashboard#715
(the modal toggle).
Changes
the authorizing group to the upstream as provider-specific metadata by default, and how
the Disable identity metadata toggle turns it off per provider.
X-Amzn-Bedrock-Request-Metadatawith the caller'suserand authorizinggroupsoBedrock spend can be broken down by AWS cost-allocation tags; values are sanitized to
Bedrock's accepted character set.
metadata (not just gateway attribution), linking to the new Providers section.
Heading-hierarchy lint (
npm run lint:mdx) passes.Rendered preview
Full Providers page with the new Identity Metadata section (and the embedded dashboard toggle screenshot):
Need help on this PR? Tag
/codesmithwith what you need. Autofix is disabled.Summary by CodeRabbit
X-Amzn-Bedrock-Request-Metadata), identity sanitization, and steps to enable AWS Billing/Cost Management tagging for cost attribution.