fix(amazon-bedrock): avoid env AWS_SESSION_TOKEN with explicit static keys #14137

Open
turisanapo wants to merge 3 commits into vercel:main from turisanapo:fix/amazon-bedrock-session-token-env

turisanapo (Contributor) commented Apr 5, 2026

Background

createAmazonBedrock merged explicit static accessKeyId / secretAccessKey with AWS_SESSION_TOKEN from the environment via loadOptionalSetting. On EKS IRSA (and similar), that token is for the workload—not the IAM user keys in options—so SigV4 fails with invalid security token (#14136).

The published docs also claimed that setting sessionToken: undefined avoids env defaults. undefined does not skip env in loadOptionalSetting (settingValue != null is false), which we confirmed manually (Hebo + fake AWS_SESSION_TOKEN). The bug is both implementation and documentation.

Summary

  • Code: When both accessKeyId and secretAccessKey are string options, sessionToken comes only from the sessionToken option (or omitted); AWS_SESSION_TOKEN is not read for that path. If either key is env-resolved, behavior is unchanged (AWS_SESSION_TOKEN still applies when needed).
  • Docs: Updated 08-amazon-bedrock.mdx: removed the incorrect sessionToken: undefined guidance; documented static keys vs env; pointed to credentialProvider for older releases / edge cases.
  • Changeset: Patch for @ai-sdk/amazon-bedrock; body mentions doc correction.

Manual Verification

  • pnpm build --filter=@ai-sdk/amazon-bedrock...
  • pnpm --filter=@ai-sdk/amazon-bedrock test:node
  • Manual: with AWS_SESSION_TOKEN=fake and real static keys in options, Bedrock request should succeed after this change (and docs match behavior).

Checklist

  • Tests have been added / updated (for bug fixes / features)
  • Documentation has been added / updated (for bug fixes / features)
  • A patch changeset for relevant packages has been added (for bug fixes / features - run pnpm changeset in the project root)
  • I have reviewed this pull request (self-review)

Future Work

None required.

Related Issues

Fixes #14136

When accessKeyId and secretAccessKey are both passed as options, resolve
sessionToken only from options — not AWS_SESSION_TOKEN — so workload
tokens (e.g. IRSA) are not mixed with IAM user keys.

Fixes vercel#14136

Made-with: Cursor
tigent bot added labels on Apr 5, 2026:
  • ai/provider: related to a provider package. Must be assigned together with at least one `provider/*` label
  • bug: Something isn't working as documented
  • provider/amazon-bedrock: Issues related to the @ai-sdk/amazon-bedrock provider
hebo-ci and others added 2 commits April 6, 2026 12:13
- Document that explicit static keys no longer merge AWS_SESSION_TOKEN
- Remove misleading sessionToken: undefined advice; note credentialProvider for older releases
- Extend changeset summary for docs

Made-with: Cursor
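
The resolution rule described in this PR, as an added sketch that is not the SDK's code or the PR's diff. `optionalSetting` is a simplified stand-in for `loadOptionalSetting`; `resolveBefore`, `resolveAfter`, `mixesSources`, the `AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY` fallbacks and all sample values are assumptions constructed for illustration.

```typescript
type Env = Record<string, string | undefined>;
interface Creds {
  accessKeyId?: string | undefined;
  secretAccessKey?: string | undefined;
  sessionToken?: string | undefined;
}

// Stand-in for the env fallback the PR describes: only a non-null option
// wins, so an explicit `undefined` still falls through to the environment.
function optionalSetting(value: string | undefined, name: string, env: Env): string | undefined {
  return value != null ? value : env[name];
}

// Behaviour reported as the bug: each field falls back to env on its own.
function resolveBefore(o: Creds, env: Env): Creds {
  return {
    accessKeyId: optionalSetting(o.accessKeyId, 'AWS_ACCESS_KEY_ID', env),
    secretAccessKey: optionalSetting(o.secretAccessKey, 'AWS_SECRET_ACCESS_KEY', env),
    sessionToken: optionalSetting(o.sessionToken, 'AWS_SESSION_TOKEN', env),
  };
}

// Behaviour the PR summary describes: with both keys given as string options,
// the token comes from options only; otherwise the env fallback is unchanged.
function resolveAfter(o: Creds, env: Env): Creds {
  const staticKeys = typeof o.accessKeyId === 'string' && typeof o.secretAccessKey === 'string';
  return {
    ...resolveBefore(o, env),
    sessionToken: staticKeys ? o.sessionToken : optionalSetting(o.sessionToken, 'AWS_SESSION_TOKEN', env),
  };
}

// Check for the mixed-source case: keys from options, token from somewhere else.
function mixesSources(o: Creds, resolved: Creds): boolean {
  const staticKeys = typeof o.accessKeyId === 'string' && typeof o.secretAccessKey === 'string';
  return staticKeys && resolved.sessionToken != null && resolved.sessionToken !== o.sessionToken;
}

// Constructed sample values (not real credentials): an IRSA-like environment
// exposing a workload session token, plus static IAM user keys in options.
const irsaEnv: Env = { AWS_SESSION_TOKEN: 'constructed-workload-token' };
const staticOptions: Creds = {
  accessKeyId: 'constructed-access-key-id',
  secretAccessKey: 'constructed-secret',
  sessionToken: undefined, // the documented workaround that did not skip env
};
```

`mixesSources` can serve as a regression assertion in a provider test: it is true for `resolveBefore(staticOptions, irsaEnv)` and false for `resolveAfter(staticOptions, irsaEnv)`.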
Development

Successfully merging this pull request may close these issues.

@ai-sdk/amazon-bedrock: explicit accessKeyId/secretAccessKey should not merge AWS_SESSION_TOKEN from env
