Skip to content

agent-network: identity metadata setting and Bedrock cost allocation#857

Open
mlsmaycon wants to merge 7 commits into
mainfrom
docs/agent-network-identity-metadata
Open

agent-network: identity metadata setting and Bedrock cost allocation#857
mlsmaycon wants to merge 7 commits into
mainfrom
docs/agent-network-identity-metadata

Conversation

@mlsmaycon

@mlsmaycon mlsmaycon commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Documents the per-provider identity metadata behavior and the new Disable identity
metadata
setting, plus AWS Bedrock cost allocation.

Companion to netbirdio/netbird#6791 (proxy/management) and netbirdio/dashboard#715
(the modal toggle).

Changes

  • Providers — new Identity Metadata section: NetBird forwards the caller's user and
    the authorizing group to the upstream as provider-specific metadata by default, and how
    the Disable identity metadata toggle turns it off per provider.
  • AWS Bedrock — new Cost Allocation section: NetBird stamps
    X-Amzn-Bedrock-Request-Metadata with the caller's user and authorizing group so
    Bedrock spend can be broken down by AWS cost-allocation tags; values are sanitized to
    Bedrock's accepted character set.
  • How It Works — broadened the identity-stamping step to mention provider-side cost
    metadata (not just gateway attribution), linking to the new Providers section.

Heading-hierarchy lint (npm run lint:mdx) passes.

Rendered preview

Full Providers page with the new Identity Metadata section (and the embedded dashboard toggle screenshot):

Rendered Providers page


View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

Summary by CodeRabbit

  • Documentation
    • Expanded “Lifecycle of an LLM Request” to clarify gateway identity stamping and forwarding into provider-specific cost-allocation metadata by default, with the option to disable per provider.
    • Updated the AWS Bedrock integration with a new Cost Allocation subsection, including request metadata (e.g., identity in X-Amzn-Bedrock-Request-Metadata), identity sanitization, and steps to enable AWS Billing/Cost Management tagging for cost attribution.
    • Added an Identity Metadata subsection for custom/self-hosted providers, documenting Forward identity metadata (on by default) and when it appears; includes a provider modal screenshot.
    • Refreshed LiteLLM guidance to note client-supplied identity is stripped before forwarding, plus instructions to disable Forward identity metadata and an identity-mapping diagram.

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)
  • public/docs-static/img/agent-network/integrations/agent-network-bedrock-connect.png is excluded by !**/*.png
  • public/docs-static/img/agent-network/integrations/agent-network-bedrock-mappings.png is excluded by !**/*.png

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 30138a0b-bb5f-433d-9f32-6cb8e8de1d75

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

Documentation now describes provider identity metadata forwarding, its per-provider disable option, LiteLLM identity handling, and AWS Bedrock cost allocation using forwarded caller identity.

Changes

Identity Metadata Documentation

Layer / File(s) Summary
Provider identity metadata flow
src/pages/agent-network/providers.mdx, src/pages/agent-network/how-it-works.mdx, src/pages/agent-network/integrations/litellm.mdx
Documents default provider-specific identity forwarding, the per-provider disable option, client-value stripping, and LiteLLM identity mapping.
Bedrock cost allocation details
src/pages/agent-network/integrations/bedrock.mdx
Explains Bedrock request metadata forwarding, AWS Cost Explorer attribution, matching cost-allocation tags, mappings, sanitization, and setup screenshots.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related issues

  • netbirdio/netbird#6793 — The documentation covers the Bedrock cost-allocation metadata and provider-level disable toggle described by this issue.

Suggested reviewers: braginini

Poem

A rabbit hops through docs so bright,
With identity tags tucked just right.
Bedrock costs now wear a name,
A toggle keeps control in frame.
LiteLLM maps the trail with cheer!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main changes: identity metadata settings and Bedrock cost allocation documentation.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch docs/agent-network-identity-metadata

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/agent-network/integrations/bedrock.mdx`:
- Around line 69-80: Revise the Bedrock integration documentation to remove the
claim that X-Amzn-Bedrock-Request-Metadata enables AWS Cost Explorer breakdowns
or requires activating cost-allocation tags. Describe the header as providing
per-request identity metadata for Bedrock logging and attribution, or replace it
with a documented, supported billing mechanism.

In `@src/pages/agent-network/providers.mdx`:
- Around line 103-104: Update the identity metadata toggle description near
“Disable identity metadata” to state that it is independently configurable for
each provider, while preserving that it is off by default and metadata is sent
unless disabled.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 15f79d08-2e0d-40e0-8976-06a6ed47510f

📥 Commits

Reviewing files that changed from the base of the PR and between 31f2b6c and 918e1e4.

📒 Files selected for processing (3)
  • src/pages/agent-network/how-it-works.mdx
  • src/pages/agent-network/integrations/bedrock.mdx
  • src/pages/agent-network/providers.mdx

Comment on lines +69 to +80
To attribute Bedrock spend in AWS the same way the NetBird dashboard attributes it, NetBird
forwards each request's identity to Bedrock in the
[`X-Amzn-Bedrock-Request-Metadata`](https://docs.aws.amazon.com/bedrock/latest/userguide/cost-mgmt-request-metadata.html)
header, carrying the caller's **user** and the **group that authorized the request**:

```
X-Amzn-Bedrock-Request-Metadata: {"user": "user@example.com", "group": "engineering"}
```

Activate the matching **cost-allocation tags** in **AWS Billing and Cost Management → Cost
allocation tags**; Bedrock spend in AWS Cost Explorer can then be broken down by NetBird user
and group. Values are sanitized to Bedrock's accepted character set before they are sent.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Don't describe request metadata as a cost-allocation tag
X-Amzn-Bedrock-Request-Metadata is for per-request attribution in Bedrock logs, not a native AWS Cost Explorer/CUR breakdown. Reword this section to describe log-based attribution, or point to a supported billing mechanism instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/agent-network/integrations/bedrock.mdx` around lines 69 - 80,
Revise the Bedrock integration documentation to remove the claim that
X-Amzn-Bedrock-Request-Metadata enables AWS Cost Explorer breakdowns or requires
activating cost-allocation tags. Describe the header as providing per-request
identity metadata for Bedrock logging and attribution, or replace it with a
documented, supported billing mechanism.

Comment thread src/pages/agent-network/providers.mdx Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/pages/agent-network/integrations/litellm.mdx`:
- Around line 57-59: Update the earlier identity-forwarding statement in the
LiteLLM integration documentation to clarify that forwarding happens by default
or only when the provider’s Forward identity metadata setting is enabled. Keep
the existing opt-out guidance and meaning unchanged.

In `@src/pages/agent-network/providers.mdx`:
- Around line 103-106: Use a single label consistently for the provider toggle
described in the “Forward identity metadata” section, matching the actual UI
wording and screenshot alt text. If the control is disable-style, explicitly
document which on/off state forwards identity metadata and which prevents it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 045be004-51c3-47d1-a7f0-c63de48303cb

📥 Commits

Reviewing files that changed from the base of the PR and between f6179bc and d9b2011.

⛔ Files ignored due to path filters (4)
  • public/docs-static/img/agent-network/integrations/agent-network-bedrock-connect.png is excluded by !**/*.png
  • public/docs-static/img/agent-network/integrations/agent-network-bedrock-mappings.png is excluded by !**/*.png
  • public/docs-static/img/agent-network/integrations/agent-network-litellm-mappings.png is excluded by !**/*.png
  • public/docs-static/img/agent-network/providers/agent-network-provider-metadata.png is excluded by !**/*.png
📒 Files selected for processing (3)
  • src/pages/agent-network/integrations/bedrock.mdx
  • src/pages/agent-network/integrations/litellm.mdx
  • src/pages/agent-network/providers.mdx
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/pages/agent-network/integrations/bedrock.mdx

Comment on lines +57 to +59
The proxy strips any client-supplied value first, so an app can't spoof its identity. To stop
forwarding identity to LiteLLM, turn off
[Forward identity metadata](/agent-network/providers#identity-metadata) on the provider.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Qualify the earlier “every request” claim.

This page currently says NetBird forwards identity on every request, but this section introduces a provider-level opt-out. Change the earlier wording to “by default” or otherwise state that forwarding occurs only while the setting is enabled.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/agent-network/integrations/litellm.mdx` around lines 57 - 59,
Update the earlier identity-forwarding statement in the LiteLLM integration
documentation to clarify that forwarding happens by default or only when the
provider’s Forward identity metadata setting is enabled. Keep the existing
opt-out guidance and meaning unchanged.

Comment on lines +103 to +106
This is controlled by the **Forward identity metadata** toggle on the provider — **on by
default**, and shown only for providers that support it (first-party APIs such as OpenAI or
Anthropic have no such metadata channel, so the toggle doesn't appear for them). Turn it off
to keep the caller's identity out of the upstream request.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the target MDX file around the cited lines and nearby references to the toggle label.
git ls-files src/pages/agent-network/providers.mdx
wc -l src/pages/agent-network/providers.mdx
sed -n '80,120p' src/pages/agent-network/providers.mdx
printf '\n--- search for toggle wording ---\n'
rg -n "Disable identity metadata|Forward identity metadata|identity metadata" src/pages/agent-network/providers.mdx

Repository: netbirdio/docs

Length of output: 2783


🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '90,115p' src/pages/agent-network/providers.mdx
printf '\n--- occurrences ---\n'
rg -n "Disable identity metadata|Forward identity metadata|identity metadata" src/pages/agent-network/providers.mdx

Repository: netbirdio/docs

Length of output: 1856


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('src/pages/agent-network/providers.mdx')
text = p.read_text()
for needle in ['Disable identity metadata', 'Forward identity metadata', 'identity metadata']:
    print(f'--- {needle} ---')
    for i, line in enumerate(text.splitlines(), 1):
        if needle.lower() in line.lower():
            print(f'{i}: {line}')
PY

Repository: netbirdio/docs

Length of output: 852


Use one label for this toggle. The body says Forward identity metadata, while the screenshot alt text says Disable identity metadata. Match the UI wording and, if the control is disable-style, make the on/off behavior explicit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/pages/agent-network/providers.mdx` around lines 103 - 106, Use a single
label consistently for the provider toggle described in the “Forward identity
metadata” section, matching the actual UI wording and screenshot alt text. If
the control is disable-style, explicitly document which on/off state forwards
identity metadata and which prevents it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants