From 3516f990eba9b863b9667428423761d6d893c184 Mon Sep 17 00:00:00 2001
From: Luke Garceau
Date: Tue, 28 Apr 2026 13:51:58 -0400
Subject: [PATCH] fix: let IAM credentials take precedence over stored Bedrock API key

When a user has configured AWS IAM credentials (access keys or a profile) for Bedrock, a stored API key in auth.json would still be written into AWS_BEARER_TOKEN_BEDROCK and forced through bearer-token auth by @ai-sdk/amazon-bedrock, overriding the credential chain entirely and failing with "Please make sure your API Key is valid" on every request.

Co-Authored-By: Claude Sonnet 4.6
---
 packages/opencode/src/provider/provider.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/packages/opencode/src/provider/provider.ts b/packages/opencode/src/provider/provider.ts
index 802232eac18b..b3dc114a3cd8 100644
--- a/packages/opencode/src/provider/provider.ts
+++ b/packages/opencode/src/provider/provider.ts
@@ -262,7 +262,8 @@ function custom(dep: CustomDep): Record {
 const awsBearerToken = iife(() => {
 const envToken = process.env.AWS_BEARER_TOKEN_BEDROCK
 if (envToken) return envToken
- if (auth?.type === "api") {
+ // Only treat stored auth key as a bearer token when no IAM credentials exist.
+ if (auth?.type === "api" && !awsAccessKeyId && !profile) {
 process.env.AWS_BEARER_TOKEN_BEDROCK = auth.key
 return auth.key
 }
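Review bot: The stored-key guard on the `auth?.type === "api"` line runs only after the `if (envToken) return envToken` early return, and the branch it protects writes `auth.key` into `process.env.AWS_BEARER_TOKEN_BEDROCK`, so once that write has happened the key comes back as `envToken` on any later evaluation in the same process and the IAM check is skipped. Whether this block is re-evaluated is not visible here (the `iife` body and the definitions of `awsAccessKeyId` and `profile` lie outside the hunk), but the write also leaves the key in the environment inherited by child processes. If the SDK accepts the token as an explicit option, returning `auth.key` without the `process.env` assignment would remove both effects. At minimum the comment should state the full order, e.g. `// Precedence: AWS_BEARER_TOKEN_BEDROCK from the environment, then IAM access key or profile, then the stored API key.` The guard covers only access keys and a profile; other credential-chain sources such as web identity or container credentials would still be overridden by a stored key unless they are checked elsewhere.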