fix: let IAM credentials take precedence over stored Bedrock API key

lgarceau768 · claude · lgarceau768 · commit 3516f990eba9 · 2026-04-28T13:51:58.000-04:00
When a user has configured AWS IAM credentials (access keys or a profile)
for Bedrock, a stored API key in auth.json would still be written into
AWS_BEARER_TOKEN_BEDROCK and forced through bearer-token auth by
@ai-sdk/amazon-bedrock, overriding the credential chain entirely and
failing with "Please make sure your API Key is valid" on every request.

Co-Authored-By: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/packages/opencode/src/provider/provider.ts b/packages/opencode/src/provider/provider.ts
@@ -262,7 +262,8 @@ function custom(dep: CustomDep): Record<string, CustomLoader> {
       const awsBearerToken = iife(() => {
         const envToken = process.env.AWS_BEARER_TOKEN_BEDROCK
         if (envToken) return envToken
-        if (auth?.type === "api") {
+        // Only treat stored auth key as a bearer token when no IAM credentials exist.
+        if (auth?.type === "api" && !awsAccessKeyId && !profile) {
           process.env.AWS_BEARER_TOKEN_BEDROCK = auth.key
           return auth.key
         }
