feat(providers): server-side credential hiding for Azure and Bedrock

.cursor/skills/add-hosted-key/SKILL.md

@@ -192,7 +192,7 @@ In the block config (`blocks/blocks/{service}.ts`), add `hideWhenHosted: true` t
 },
 ```
 
-The visibility is controlled by `isSubBlockHiddenByHostedKey()` in `lib/workflows/subblocks/visibility.ts`, which checks the `isHosted` feature flag.
+The visibility is controlled by `isSubBlockHidden()` in `lib/workflows/subblocks/visibility.ts`, which checks both the `isHosted` feature flag (`hideWhenHosted`) and optional env var conditions (`hideWhenEnvSet`).
 
 ### Excluding Specific Operations from Hosted Key Support
 

apps/sim/.env.example

@@ -29,6 +29,14 @@ API_ENCRYPTION_KEY=your_api_encryption_key # Use `openssl rand -hex 32` to gener
 # VLLM_BASE_URL=http://localhost:8000    # Base URL for your self-hosted vLLM (OpenAI-compatible)
 # VLLM_API_KEY=                          # Optional bearer token if your vLLM instance requires auth
 # FIREWORKS_API_KEY=                     # Optional Fireworks AI API key for model listing
+# NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS=true  # Set when using AWS default credential chain (IAM roles, ECS task roles, IRSA). Hides credential fields in Agent block UI.
+# AZURE_OPENAI_ENDPOINT=                        # Azure OpenAI endpoint (hides field in UI when set alongside NEXT_PUBLIC_AZURE_CONFIGURED)
+# AZURE_OPENAI_API_KEY=                         # Azure OpenAI API key
+# AZURE_OPENAI_API_VERSION=                     # Azure OpenAI API version
+# AZURE_ANTHROPIC_ENDPOINT=                     # Azure Anthropic endpoint (AI Foundry)
+# AZURE_ANTHROPIC_API_KEY=                      # Azure Anthropic API key
+# AZURE_ANTHROPIC_API_VERSION=                  # Azure Anthropic API version (e.g., 2023-06-01)
+# NEXT_PUBLIC_AZURE_CONFIGURED=true             # Set when Azure credentials are pre-configured above. Hides endpoint/key/version fields in Agent block UI.
 
 # Admin API (Optional - for self-hosted GitOps)
 # ADMIN_API_KEY=  # Use `openssl rand -hex 32` to generate. Enables admin API for workflow export/import.

apps/sim/app/api/tools/secrets_manager/utils.ts

@@ -1,3 +1,4 @@
+import type { SecretListEntry, Tag } from '@aws-sdk/client-secrets-manager'
 import {
   CreateSecretCommand,
   DeleteSecretCommand,
@@ -61,15 +62,15 @@ export async function listSecrets(
   })
 
   const response = await client.send(command)
-  const secrets = (response.SecretList ?? []).map((secret) => ({
+  const secrets = (response.SecretList ?? []).map((secret: SecretListEntry) => ({
     name: secret.Name ?? '',
     arn: secret.ARN ?? '',
     description: secret.Description ?? null,
     createdDate: secret.CreatedDate?.toISOString() ?? null,
     lastChangedDate: secret.LastChangedDate?.toISOString() ?? null,
     lastAccessedDate: secret.LastAccessedDate?.toISOString() ?? null,
     rotationEnabled: secret.RotationEnabled ?? false,
-    tags: secret.Tags?.map((t) => ({ key: t.Key ?? '', value: t.Value ?? '' })) ?? [],
+    tags: secret.Tags?.map((t: Tag) => ({ key: t.Key ?? '', value: t.Value ?? '' })) ?? [],
   }))
 
   return {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/hooks/use-editor-subblock-layout.ts

@@ -3,7 +3,7 @@ import {
   buildCanonicalIndex,
   evaluateSubBlockCondition,
   isSubBlockFeatureEnabled,
-  isSubBlockHiddenByHostedKey,
+  isSubBlockHidden,
   isSubBlockVisibleForMode,
 } from '@/lib/workflows/subblocks/visibility'
 import type { BlockConfig, SubBlockConfig, SubBlockType } from '@/blocks/types'
@@ -109,8 +109,8 @@ export function useEditorSubblockLayout(
       // Check required feature if specified - declarative feature gating
       if (!isSubBlockFeatureEnabled(block)) return false
 
-      // Hide tool API key fields when hosted
-      if (isSubBlockHiddenByHostedKey(block)) return false
+      // Hide tool API key fields when hosted or when env var is set
+      if (isSubBlockHidden(block)) return false
 
       // Special handling for trigger-config type (legacy trigger configuration UI)
       if (block.type === ('trigger-config' as SubBlockType)) {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/workflow-block/workflow-block.tsx

@@ -17,7 +17,7 @@ import {
   evaluateSubBlockCondition,
   hasAdvancedValues,
   isSubBlockFeatureEnabled,
-  isSubBlockHiddenByHostedKey,
+  isSubBlockHidden,
   isSubBlockVisibleForMode,
   resolveDependencyValue,
 } from '@/lib/workflows/subblocks/visibility'
@@ -980,7 +980,7 @@ export const WorkflowBlock = memo(function WorkflowBlock({
       if (block.hidden) return false
       if (block.hideFromPreview) return false
       if (!isSubBlockFeatureEnabled(block)) return false
-      if (isSubBlockHiddenByHostedKey(block)) return false
+      if (isSubBlockHidden(block)) return false
 
       const isPureTriggerBlock = config?.triggers?.enabled && config.category === 'triggers'
 

apps/sim/blocks/blocks/agent.ts

@@ -1,9 +1,12 @@
 import { createLogger } from '@sim/logger'
 import { AgentIcon } from '@/components/icons'
-import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockConfig } from '@/blocks/types'
 import { AuthMode, IntegrationType } from '@/blocks/types'
-import { getApiKeyCondition, getModelOptions, RESPONSE_FORMAT_WAND_CONFIG } from '@/blocks/utils'
+import {
+  getModelOptions,
+  getProviderCredentialSubBlocks,
+  RESPONSE_FORMAT_WAND_CONFIG,
+} from '@/blocks/utils'
 import {
   getBaseModelProviders,
   getMaxTemperature,
@@ -12,7 +15,6 @@ import {
   getModelsWithReasoningEffort,
   getModelsWithThinking,
   getModelsWithVerbosity,
-  getProviderModels,
   getReasoningEffortValuesForModel,
   getThinkingLevelsForModel,
   getVerbosityValuesForModel,
@@ -23,9 +25,6 @@ import { useSubBlockStore } from '@/stores/workflows/subblock/store'
 import type { ToolResponse } from '@/tools/types'
 
 const logger = createLogger('AgentBlock')
-const VERTEX_MODELS = getProviderModels('vertex')
-const BEDROCK_MODELS = getProviderModels('bedrock')
-const AZURE_MODELS = [...getProviderModels('azure-openai'), ...getProviderModels('azure-anthropic')]
 const MODELS_WITH_REASONING_EFFORT = getModelsWithReasoningEffort()
 const MODELS_WITH_VERBOSITY = getModelsWithVerbosity()
 const MODELS_WITH_THINKING = getModelsWithThinking()
@@ -134,34 +133,6 @@ Return ONLY the JSON array.`,
       defaultValue: 'claude-sonnet-4-5',
       options: getModelOptions,
     },
-    {
-      id: 'vertexCredential',
-      title: 'Google Cloud Account',
-      type: 'oauth-input',
-      serviceId: 'vertex-ai',
-      canonicalParamId: 'oauthCredential',
-      mode: 'basic',
-      requiredScopes: getScopesForService('vertex-ai'),
-      placeholder: 'Select Google Cloud account',
-      required: true,
-      condition: {
-        field: 'model',
-        value: VERTEX_MODELS,
-      },
-    },
-    {
-      id: 'manualCredential',
-      title: 'Google Cloud Account',
-      type: 'short-input',
-      canonicalParamId: 'oauthCredential',
-      mode: 'advanced',
-      placeholder: 'Enter credential ID',
-      required: true,
-      condition: {
-        field: 'model',
-        value: VERTEX_MODELS,
-      },
-    },
     {
       id: 'reasoningEffort',
       title: 'Reasoning Effort',
@@ -318,100 +289,7 @@ Return ONLY the JSON array.`,
       },
     },
 
-    {
-      id: 'azureEndpoint',
-      title: 'Azure Endpoint',
-      type: 'short-input',
-      password: true,
-      placeholder: 'https://your-resource.services.ai.azure.com',
-      connectionDroppable: false,
-      condition: {
-        field: 'model',
-        value: AZURE_MODELS,
-      },
-    },
-    {
-      id: 'azureApiVersion',
-      title: 'Azure API Version',
-      type: 'short-input',
-      placeholder: 'Enter API version',
-      connectionDroppable: false,
-      condition: {
-        field: 'model',
-        value: AZURE_MODELS,
-      },
-    },
-    {
-      id: 'vertexProject',
-      title: 'Vertex AI Project',
-      type: 'short-input',
-      placeholder: 'your-gcp-project-id',
-      connectionDroppable: false,
-      required: true,
-      condition: {
-        field: 'model',
-        value: VERTEX_MODELS,
-      },
-    },
-    {
-      id: 'vertexLocation',
-      title: 'Vertex AI Location',
-      type: 'short-input',
-      placeholder: 'us-central1',
-      connectionDroppable: false,
-      required: true,
-      condition: {
-        field: 'model',
-        value: VERTEX_MODELS,
-      },
-    },
-    {
-      id: 'bedrockAccessKeyId',
-      title: 'AWS Access Key ID',
-      type: 'short-input',
-      password: true,
-      placeholder: 'Enter your AWS Access Key ID',
-      connectionDroppable: false,
-      required: true,
-      condition: {
-        field: 'model',
-        value: BEDROCK_MODELS,
-      },
-    },
-    {
-      id: 'bedrockSecretKey',
-      title: 'AWS Secret Access Key',
-      type: 'short-input',
-      password: true,
-      placeholder: 'Enter your AWS Secret Access Key',
-      connectionDroppable: false,
-      required: true,
-      condition: {
-        field: 'model',
-        value: BEDROCK_MODELS,
-      },
-    },
-    {
-      id: 'bedrockRegion',
-      title: 'AWS Region',
-      type: 'short-input',
-      placeholder: 'us-east-1',
-      connectionDroppable: false,
-      condition: {
-        field: 'model',
-        value: BEDROCK_MODELS,
-      },
-    },
-    {
-      id: 'apiKey',
-      title: 'API Key',
-      type: 'short-input',
-      placeholder: 'Enter your API key',
-      password: true,
-      connectionDroppable: false,
-      required: true,
-      condition: getApiKeyCondition(),
-    },
+    ...getProviderCredentialSubBlocks(),
     {
       id: 'tools',
       title: 'Tools',
@@ -661,7 +539,7 @@ Return ONLY the JSON array.`,
     apiKey: { type: 'string', description: 'Provider API key' },
     azureEndpoint: { type: 'string', description: 'Azure endpoint URL' },
     azureApiVersion: { type: 'string', description: 'Azure API version' },
-    oauthCredential: { type: 'string', description: 'OAuth credential for Vertex AI' },
+    vertexCredential: { type: 'string', description: 'OAuth credential for Vertex AI' },
     vertexProject: { type: 'string', description: 'Google Cloud project ID for Vertex AI' },
     vertexLocation: { type: 'string', description: 'Google Cloud location for Vertex AI' },
     bedrockAccessKeyId: { type: 'string', description: 'AWS Access Key ID for Bedrock' },

apps/sim/blocks/blocks/function.ts

@@ -29,7 +29,7 @@ export const FunctionBlock: BlockConfig<CodeExecutionOutput> = {
       ],
       placeholder: 'Select language',
       value: () => CodeLanguage.JavaScript,
-      requiresFeature: 'NEXT_PUBLIC_E2B_ENABLED',
+      showWhenEnvSet: 'NEXT_PUBLIC_E2B_ENABLED',
     },
     {
       id: 'code',

apps/sim/blocks/types.ts

@@ -327,8 +327,9 @@ export interface SubBlockConfig {
   connectionDroppable?: boolean
   hidden?: boolean
   hideFromPreview?: boolean // Hide this subblock from the workflow block preview
-  requiresFeature?: string // Environment variable name that must be truthy for this subblock to be visible
+  showWhenEnvSet?: string // Show this subblock only when the named NEXT_PUBLIC_ env var is truthy
   hideWhenHosted?: boolean // Hide this subblock when running on hosted sim
+  hideWhenEnvSet?: string // Hide this subblock when the named NEXT_PUBLIC_ env var is truthy
   description?: string
   tooltip?: string // Tooltip text displayed via info icon next to the title
   value?: (params: Record<string, any>) => string

apps/sim/blocks/utils.ts

@@ -1,4 +1,5 @@
-import { isHosted } from '@/lib/core/config/feature-flags'
+import { isAzureConfigured, isHosted } from '@/lib/core/config/feature-flags'
+import { getScopesForService } from '@/lib/oauth/utils'
 import type { BlockOutput, OutputFieldDefinition, SubBlockConfig } from '@/blocks/types'
 import {
   getHostedModels,
@@ -8,9 +9,12 @@ import {
 } from '@/providers/models'
 import { useProvidersStore } from '@/stores/providers/store'
 
-const VERTEX_MODELS = getProviderModels('vertex')
-const BEDROCK_MODELS = getProviderModels('bedrock')
-const AZURE_MODELS = [...getProviderModels('azure-openai'), ...getProviderModels('azure-anthropic')]
+export const VERTEX_MODELS = getProviderModels('vertex')
+export const BEDROCK_MODELS = getProviderModels('bedrock')
+export const AZURE_MODELS = [
+  ...getProviderModels('azure-openai'),
+  ...getProviderModels('azure-anthropic'),
+]
 
 /**
  * Returns model options for combobox subblocks, combining all provider sources.
@@ -105,6 +109,16 @@ function shouldRequireApiKeyForModel(model: string): boolean {
     return false
   }
 
+  if (
+    isAzureConfigured &&
+    (normalizedModel.startsWith('azure/') ||
+      normalizedModel.startsWith('azure-openai/') ||
+      normalizedModel.startsWith('azure-anthropic/') ||
+      AZURE_MODELS.some((m) => m.toLowerCase() === normalizedModel))
+  ) {
+    return false
+  }
+
   if (normalizedModel.startsWith('vllm/')) {
     return false
   }
@@ -158,14 +172,29 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       title: 'Google Cloud Account',
       type: 'oauth-input',
       serviceId: 'vertex-ai',
-      requiredScopes: ['https://www.googleapis.com/auth/cloud-platform'],
+      canonicalParamId: 'vertexCredential',
+      mode: 'basic',
+      requiredScopes: getScopesForService('vertex-ai'),
       placeholder: 'Select Google Cloud account',
       required: true,
       condition: {
         field: 'model',
         value: VERTEX_MODELS,
       },
     },
+    {
+      id: 'vertexManualCredential',
+      title: 'Google Cloud Account',
+      type: 'short-input',
+      canonicalParamId: 'vertexCredential',
+      mode: 'advanced',
+      placeholder: 'Enter credential ID',
+      required: true,
+      condition: {
+        field: 'model',
+        value: VERTEX_MODELS,
+      },
+    },
     {
       id: 'apiKey',
       title: 'API Key',
@@ -183,6 +212,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       password: true,
       placeholder: 'https://your-resource.services.ai.azure.com',
       connectionDroppable: false,
+      hideWhenEnvSet: 'NEXT_PUBLIC_AZURE_CONFIGURED',
       condition: {
         field: 'model',
         value: AZURE_MODELS,
@@ -194,6 +224,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       type: 'short-input',
       placeholder: 'Enter API version',
       connectionDroppable: false,
+      hideWhenEnvSet: 'NEXT_PUBLIC_AZURE_CONFIGURED',
       condition: {
         field: 'model',
         value: AZURE_MODELS,
@@ -203,6 +234,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       id: 'vertexProject',
       title: 'Vertex AI Project',
       type: 'short-input',
+      password: true,
       placeholder: 'your-gcp-project-id',
       connectionDroppable: false,
       required: true,
@@ -231,6 +263,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       placeholder: 'Enter your AWS Access Key ID',
       connectionDroppable: false,
       required: true,
+      hideWhenEnvSet: 'NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS',
       condition: {
         field: 'model',
         value: BEDROCK_MODELS,
@@ -244,6 +277,7 @@ export function getProviderCredentialSubBlocks(): SubBlockConfig[] {
       placeholder: 'Enter your AWS Secret Access Key',
       connectionDroppable: false,
       required: true,
+      hideWhenEnvSet: 'NEXT_PUBLIC_BEDROCK_DEFAULT_CREDENTIALS',
       condition: {
         field: 'model',
         value: BEDROCK_MODELS,