Skip to content

fix(bedrock): don't raise KeyError when signing requests lacking a connection header#1741

Open
sean-kim05 wants to merge 1 commit into
anthropics:mainfrom
sean-kim05:fix/bedrock-connection-header-keyerror
Open

fix(bedrock): don't raise KeyError when signing requests lacking a connection header#1741
sean-kim05 wants to merge 1 commit into
anthropics:mainfrom
sean-kim05:fix/bedrock-connection-header-keyerror

Conversation

@sean-kim05

Copy link
Copy Markdown

Summary

AnthropicBedrock's SigV4 signer raises KeyError: 'connection' when the outgoing request has no Connection header.

get_auth_headers in src/anthropic/lib/bedrock/_auth.py strips the connection header before signing (it may be altered by proxies, so it must not be part of the signature) via:

headers = headers.copy()
del headers["connection"]

httpx.Headers.__delitem__ raises KeyError when the key is absent. A request can legitimately lack a Connection header:

  • HTTP/2 forbids it — per RFC 9113 §8.2.2 the Connection header is not used in HTTP/2, so a client created with http2=True produces requests without it.
  • Custom transports / manually-built requests may omit it.

In those cases signing crashes before the request is ever sent.

Fix

Filter the header out instead of deleting it, so an absent header is a no-op. This mirrors the sibling aws/_auth.py implementation, which already strips connection this way — now both AWS auth paths handle it identically:

new_headers = {k: v for k, v in dict(headers).items() if k.lower() != "connection"}

Testing

Added two tests in tests/lib/test_bedrock.py:

  • test_get_auth_headers_without_connection_header — signing succeeds when no connection header is present (fails with KeyError before this fix).
  • test_get_auth_headers_strips_connection_header — regression guard that connection is still excluded from SignedHeaders.

Verified RED (KeyError: 'connection' at _auth.py:60) → GREEN. Full test_bedrock.py + test_aws_auth.py + test_aws.py pass (113 tests); ./scripts/lint clean (ruff + pyright + mypy).

…nnection header

`get_auth_headers` stripped the `connection` header before SigV4 signing via
`del headers["connection"]`, which raises `KeyError` when the request has no
Connection header. HTTP/2 forbids the Connection header entirely, and custom
transports may omit it, so `request.headers` can legitimately lack it — signing
then crashes before the request is ever sent.

Filter the header out instead of deleting it, matching the sibling
`aws/_auth.py` implementation so both auth paths strip `connection` the same
safe way.
@sean-kim05 sean-kim05 requested a review from a team as a code owner July 7, 2026 04:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant