fix: let IAM credentials take precedence over stored Bedrock API key#18

Merged
lgarceau768 merged 1 commit into flex from fix/bedrock-bearer-token-iam-precedence on Apr 28, 2026
Conversation

@lgarceau768
Collaborator

Summary

Fixes the Forbidden: {"Message":"Authentication failed: Please make sure your API Key is valid."} error that every Bedrock request hits when a stored API key exists in auth.json alongside working AWS IAM credentials (e.g. SSO-exported access keys).

Root cause

@ai-sdk/amazon-bedrock@4.0.96 gives absolute precedence to bearer-token auth: any non-empty value in options.apiKey or process.env.AWS_BEARER_TOKEN_BEDROCK forces the SDK into bearer mode and skips the credential chain entirely, regardless of what credentialProvider is passed.

The amazon-bedrock custom provider loader in provider.ts would take any auth.type === "api" entry stored in ~/.local/share/opencode/auth.json and unconditionally write it to AWS_BEARER_TOKEN_BEDROCK. A stale or invalid Bedrock API key stored at any point (e.g. via the Settings UI) would then be forced onto every request, even when AWS_ACCESS_KEY_ID / AWS_PROFILE were set and valid.

Fix

Only treat a stored auth key as a bearer token when no IAM credentials (access key or profile) are available. When IAM creds are present, they should drive the credential chain as intended.

- if (auth?.type === "api") {
+ // Only treat stored auth key as a bearer token when no IAM credentials exist.
+ if (auth?.type === "api" && !awsAccessKeyId && !profile) {
    process.env.AWS_BEARER_TOKEN_BEDROCK = auth.key
    return auth.key
  }
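Review bot: the new guard skips the stored key when `awsAccessKeyId` or `profile` is set, but it does not touch an `AWS_BEARER_TOKEN_BEDROCK` that is already present in the process environment, and by the root-cause note above the SDK still gives such a value precedence over `credentialProvider`; so with IAM credentials configured the 403 can persist until the variable is unset (the `launchctl` case in Related). Consider clearing or at least warning about a pre-existing `AWS_BEARER_TOKEN_BEDROCK` when IAM credentials are detected, and emitting a debug log when a stored `api` entry is deliberately ignored, since the mode switch is otherwise silent. A short comment noting that only an access key and a profile are treated as IAM signals would also help, as the credential chain the description mentions can be satisfied by other sources (for example role or container credentials) that this check does not detect, in which case the stored key would still take over.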

Test plan

  • Reproduced the 403 with a stale API key in auth.json + valid SSO credentials in the env
  • Verified opencode run "say hi" succeeds against Bedrock after the fix
  • Verified the TUI (opencode-work) successfully streams from us.anthropic.claude-sonnet-4-6 and global.anthropic.claude-haiku-4-5-20251001-v1:0 after the fix
  • Confirmed that clearing AWS_BEARER_TOKEN_BEDROCK from the environment + starting a fresh terminal resolves the issue even with the old binary — proving the diagnosis

Related

Anyone who hit this should also check launchctl getenv AWS_BEARER_TOKEN_BEDROCK on macOS — an old bearer token can linger in the user's launchd session and needs launchctl unsetenv AWS_BEARER_TOKEN_BEDROCK to clear.

🤖 Generated with Claude Code

When a user has configured AWS IAM credentials (access keys or a profile)
for Bedrock, a stored API key in auth.json would still be written into
AWS_BEARER_TOKEN_BEDROCK and forced through bearer-token auth by
@ai-sdk/amazon-bedrock, overriding the credential chain entirely and
failing with "Please make sure your API Key is valid" on every request.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
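
The precedence rule from the root-cause and fix sections above, modelled as an added example that is not code from OpenCode or @ai-sdk/amazon-bedrock; `StoredAuth`, `Env`, `AuthMode` and the function names are illustrative assumptions. It shows the before/after loader behaviour side by side, the lingering-environment case the PR calls out, and a pre-flight conflict check a tool could run instead of letting the user hit the 403.

```typescript
// Added example (not OpenCode's provider.ts). Models the Bedrock auth
// precedence this PR describes so before/after behaviour can be checked.
export type StoredAuth = { type: "api"; key: string } | { type: "oauth" } | undefined;

export interface Env {
  AWS_ACCESS_KEY_ID?: string;
  AWS_PROFILE?: string;
  AWS_BEARER_TOKEN_BEDROCK?: string;
}

export type AuthMode = { mode: "bearer"; source: "env" | "stored-key" } | { mode: "iam" };

// SDK rule as stated in the PR: any non-empty bearer token (options.apiKey or
// AWS_BEARER_TOKEN_BEDROCK) wins over the credential chain, so the loader
// decides the outcome by what it exports into the environment.
function resolve(auth: StoredAuth, env: Env, guardIam: boolean): AuthMode {
  const hasIam = Boolean(env.AWS_ACCESS_KEY_ID || env.AWS_PROFILE);
  if (env.AWS_BEARER_TOKEN_BEDROCK) {
    // A token already in the environment (e.g. a lingering launchd value) is
    // never cleared by the loader, so it forces bearer mode in both versions.
    return { mode: "bearer", source: "env" };
  }
  if (auth?.type === "api" && !(guardIam && hasIam)) {
    env.AWS_BEARER_TOKEN_BEDROCK = auth.key; // what the loader exports
    return { mode: "bearer", source: "stored-key" };
  }
  return { mode: "iam" };
}

// Before the fix: a stored "api" entry always became the bearer token.
export const resolveBefore = (auth: StoredAuth, env: Env): AuthMode => resolve(auth, env, false);
// After the fix: stored key only when neither access key nor profile is set.
export const resolveAfter = (auth: StoredAuth, env: Env): AuthMode => resolve(auth, env, true);

// Pre-flight check: report the misconfiguration from the PR (stored API key
// beside IAM credentials, or a bearer token lingering in the env) up front.
export function authConflicts(auth: StoredAuth, env: Env): string[] {
  const warnings: string[] = [];
  const hasIam = Boolean(env.AWS_ACCESS_KEY_ID || env.AWS_PROFILE);
  if (hasIam && auth?.type === "api") {
    warnings.push("stored Bedrock API key in auth.json is ignored in favour of IAM credentials");
  }
  if (hasIam && env.AWS_BEARER_TOKEN_BEDROCK) {
    warnings.push("AWS_BEARER_TOKEN_BEDROCK is set and overrides IAM credentials; unset it if unintended");
  }
  return warnings;
}
```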
@github-actions

Thanks for your contribution!

This PR doesn't have a linked issue. All PRs must reference an existing issue.

Please:

  1. Open an issue describing the bug/feature (if one doesn't exist)
  2. Add Fixes #<number> or Closes #<number> to this PR description

See CONTRIBUTING.md for details.

@github-actions

This PR doesn't fully meet our contributing guidelines and PR template.

What needs to be fixed:

  • PR description is missing required template sections. Please use the PR template.

Please edit this PR description to address the above within 2 hours, or it will be automatically closed.

If you believe this was flagged incorrectly, please let a maintainer know.

@lgarceau768
Collaborator Author

This may occur for folks leveraging multiple tools, i.e. OpenWork, Claude application (configured to bedrock), & OpenCode

@lgarceau768 lgarceau768 self-assigned this Apr 28, 2026
@lgarceau768 lgarceau768 merged commit 05b6f8a into flex Apr 28, 2026
7 of 10 checks passed