bedrock-discovery ignores env.vars and AWS credentials from config #32290

@hsiaoa

Description

openclaw status runs bedrock-discovery which always fails with AccessDeniedException: Authentication failed: Please make sure your API Key is valid. even though:

  1. The Bedrock providers in openclaw.json use "auth": "aws-sdk" and the correct credentials are configured
  2. The same credentials work perfectly via AWS CLI (aws bedrock list-foundation-models)
  3. The LaunchAgent gateway plist has the correct env vars and Bedrock models work fine in actual sessions

Steps to Reproduce

  1. Configure Bedrock providers with "auth": "aws-sdk" in openclaw.json
  2. Set AWS_PROFILE, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY in env.vars
  3. Run openclaw status
[bedrock-discovery] Failed to list models: AccessDeniedException: Authentication failed: Please make sure your API Key is valid.
[bedrock-discovery] Failed to list models: AccessDeniedException: Authentication failed: Please make sure your API Key is valid.

(Two errors = two Bedrock providers, ap-northeast-1 and us-east-1)

What I've tried

  • Setting AWS_PROFILE={profile} in openclaw.json env.vars
  • Setting AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY directly in env.vars
  • Passing env vars explicitly in the shell: AWS_PROFILE={profile} openclaw status
  • Setting AWS_DEFAULT_PROFILE={profile} in the shell ❌

All of the above have no effect. The discovery subprocess appears to ignore both shell environment variables and env.vars from the config.

Verification that credentials work

$ AWS_PROFILE={profile} aws sts get-caller-identity
{
    "UserId": "{ID}",
    "Account": "{ID}",
    "Arn": "arn:aws:iam::{ID}:user/{ID}"
}

$ AWS_PROFILE={profile} aws bedrock list-foundation-models --region {region} --query 'modelSummaries | length(@)'
62

$ AWS_PROFILE={profile} aws bedrock list-foundation-models --region {region} --query 'modelSummaries | length(@)'
124

IAM user has bedrock:ListFoundationModels permission in both regions.

Impact

  • Cosmetic only — actual Bedrock model usage in sessions works fine (gateway LaunchAgent has correct env vars)
  • The error message is noisy and shows on every openclaw status / openclaw gateway install invocation

Expected Behavior

bedrock-discovery should resolve AWS credentials using the standard AWS SDK credential chain, respecting:

  1. env.vars from openclaw.json
  2. Shell environment variables (AWS_PROFILE, AWS_ACCESS_KEY_ID, etc.)
  3. ~/.aws/credentials profiles

Environment

  • OpenClaw: 2026.3.1 (also reproduced on 2026.2.24 and 2026.2.26)
  • OS: macOS 26.3 (arm64)
  • Node: 25.2.1
  • Auth mode: aws-sdk (IAM access keys, not ABSK bearer tokens)
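
Added example, not part of the original issue and not OpenClaw code: a small Node helper that reports which AWS_* variables a process would see and where each came from, with key material redacted so the output is safe to paste into a bug report. The `{ env: { vars: {...} } }` config shape, the function names, and treating the Expected Behavior list as a precedence order (config first, then shell) are assumptions.

```javascript
// Added example (hypothetical helper, not OpenClaw code).
// Assumption: openclaw.json is shaped like { env: { vars: { NAME: "value" } } }.
const SECRET_VARS = ["AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"];

// Show only the last four characters of a key id; never echo a secret.
function redact(name, value) {
  if (SECRET_VARS.includes(name)) return "<set, redacted>";
  if (name === "AWS_ACCESS_KEY_ID") return "****" + String(value).slice(-4);
  return String(value);
}

// Overlay config env.vars on the shell environment and record where each
// AWS_* variable came from (assumed precedence: config first, then shell).
function describeAwsEnv(config, shellEnv) {
  const configVars = (config && config.env && config.env.vars) || {};
  const report = { vars: {}, sources: [], warnings: [] };
  const names = new Set([...Object.keys(shellEnv), ...Object.keys(configVars)]);
  for (const name of [...names].filter((n) => n.startsWith("AWS_")).sort()) {
    const fromConfig = Object.prototype.hasOwnProperty.call(configVars, name);
    const value = fromConfig ? configVars[name] : shellEnv[name];
    if (value === undefined || value === "") continue;
    report.vars[name] = { origin: fromConfig ? "env.vars" : "shell", value: redact(name, value) };
  }
  const has = (n) => n in report.vars;
  if (has("AWS_ACCESS_KEY_ID") && has("AWS_SECRET_ACCESS_KEY")) report.sources.push("static-keys");
  else if (has("AWS_ACCESS_KEY_ID") || has("AWS_SECRET_ACCESS_KEY"))
    report.warnings.push("incomplete static key pair");
  if (has("AWS_PROFILE")) report.sources.push("profile");
  if (report.sources.length > 1)
    report.warnings.push("more than one credential source is set");
  if (report.sources.length === 0)
    report.warnings.push("no complete credential source in the environment");
  return report;
}

// Constructed sample input mirroring step 2 of the report (values are fake;
// the key id is the placeholder used in AWS documentation).
const sampleConfig = { env: { vars: { AWS_PROFILE: "example-profile" } } };
const sampleShell = {
  AWS_ACCESS_KEY_ID: "AKIAIOSFODNN7EXAMPLE",
  AWS_SECRET_ACCESS_KEY: "constructed-not-a-real-secret",
  PATH: "/usr/bin",
};
console.log(JSON.stringify(describeAwsEnv(sampleConfig, sampleShell), null, 2));
```

Calling `describeAwsEnv` with the parsed config and `process.env` inside the process that runs discovery, rather than in the parent shell, shows whether the variables actually reach it.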
