From 133b62f9f61b9e5772e444e795151601cd73abdf Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Thu, 8 Jan 2026 17:06:49 -0800
Subject: [PATCH] patch AWS credential issue in docker context (#4842)

path AWS credential issue in docker context
---
 .github/workflows/dev-build.yaml              |  2 +-
 server/utils/AiProviders/bedrock/index.js     | 59 ++++++++++++-------
 server/utils/AiProviders/bedrock/utils.js     | 14 +++--
 .../utils/agents/aibitat/providers/bedrock.js | 10 +++-
 server/utils/agents/index.js                  |  9 +--
 5 files changed, 58 insertions(+), 36 deletions(-)

diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
index 8c077a9c..c436fd9e 100644
--- a/.github/workflows/dev-build.yaml
+++ b/.github/workflows/dev-build.yaml
@@ -6,7 +6,7 @@ concurrency:
 
 on:
   push:
-    branches: ['upgrade-yt-scraper'] # put your current branch to create a build. Core team only.
+    branches: ['4841-aws-bedrock-api-key'] # put your current branch to create a build. Core team only.
     paths-ignore:
       - '**.md'
       - 'cloud-deployments/*'
diff --git a/server/utils/AiProviders/bedrock/index.js b/server/utils/AiProviders/bedrock/index.js
index 8b72b75a..2106b36c 100644
--- a/server/utils/AiProviders/bedrock/index.js
+++ b/server/utils/AiProviders/bedrock/index.js
@@ -414,15 +414,11 @@ class AWSBedrockLLM {
             `Bedrock Converse API Error (getChatCompletion): ${e.message}`,
             e
           );
-          if (
-            e.name === "ValidationException" &&
-            e.message.includes("maximum tokens")
-          ) {
-            throw new Error(
-              `AWSBedrock::getChatCompletion failed. Model ${this.model} rejected maxTokens value of ${maxTokensToSend}. Check model documentation for its maximum output token limit and set AWS_BEDROCK_LLM_MAX_OUTPUT_TOKENS if needed. Original error: ${e.message}`
-            );
-          }
-          throw new Error(`AWSBedrock::getChatCompletion failed. ${e.message}`);
+          AWSBedrockLLM.errorToHumanReadable(e, {
+            model: this.model,
+            maxTokens: maxTokensToSend,
+            method: "getChatCompletion",
+          });
         })
     );
 
@@ -502,18 +498,11 @@ class AWSBedrockLLM {
         `Bedrock Converse API Error (streamGetChatCompletion setup): ${e.message}`,
         e
       );
-      if (
-        e.name === "ValidationException" &&
-        e.message.includes("maximum tokens")
-      ) {
-        throw new Error(
-          `AWSBedrock::streamGetChatCompletion failed during setup. Model ${this.model} rejected maxTokens value of ${maxTokensToSend}. Check model documentation for its maximum output token limit and set AWS_BEDROCK_LLM_MAX_OUTPUT_TOKENS if needed. Original error: ${e.message}`
-        );
-      }
-
-      throw new Error(
-        `AWSBedrock::streamGetChatCompletion failed during setup. ${e.message}`
-      );
+      AWSBedrockLLM.errorToHumanReadable(e, {
+        model: this.model,
+        maxTokens: maxTokensToSend,
+        method: "streamGetChatCompletion",
+      });
     }
   }
 
@@ -733,6 +722,34 @@ class AWSBedrockLLM {
     const messageArray = this.constructPrompt(promptArgs);
     return await messageArrayCompressor(this, messageArray, rawHistory);
   }
+
+  static errorToHumanReadable(
+    error,
+    options = { method: "chat", model: "unknown", maxTokens: "unknown" }
+  ) {
+    if (
+      error.name === "ValidationException" &&
+      error.message.includes("maximum tokens")
+    ) {
+      throw new Error(
+        `AWSBedrock::${options.method} failed during setup. Model ${options.model} rejected maxTokens value of ${options.maxTokens}. Check model documentation for its maximum output token limit and set AWS_BEDROCK_LLM_MAX_OUTPUT_TOKENS if needed. Original error: ${error.message}`
+      );
+    }
+
+    if (
+      error.name === "CredentialsProviderError" &&
+      error.message.includes("Could not load credentials from any providers")
+    ) {
+      throw new Error(
+        `AWSBedrock::${options.method} authentication failed. AWS Bedrock requires a discoverable IAM credentials to be available in the environment (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) or by resolving credentials from ~/.aws/credentials or ~/.aws/config files. Original error: ${error.message}`
+      );
+    }
+
+    // Generic error
+    throw new Error(
+      `AWSBedrock::${options.method} failed during setup. ${error.message}`
+    );
+  }
 }
 
 module.exports = {
diff --git a/server/utils/AiProviders/bedrock/utils.js b/server/utils/AiProviders/bedrock/utils.js
index dff6d3b3..3dc1ef68 100644
--- a/server/utils/AiProviders/bedrock/utils.js
+++ b/server/utils/AiProviders/bedrock/utils.js
@@ -70,11 +70,15 @@ function createBedrockRuntimeClient(authMethod, credentials) {
   const clientOpts = {
     region: process.env.AWS_BEDROCK_LLM_REGION,
   };
-  if (authMethod === "apiKey") {
-    clientOpts.token = credentials;
-    clientOpts.authSchemePreference = ["httpBearerAuth"];
-  } else {
-    clientOpts.credentials = credentials;
+
+  switch (authMethod) {
+    case "apiKey":
+      clientOpts.token = credentials;
+      clientOpts.authSchemePreference = ["httpBearerAuth"];
+      break;
+    default:
+      clientOpts.credentials = credentials;
+      break;
   }
   return new BedrockRuntimeClient(clientOpts);
 }
diff --git a/server/utils/agents/aibitat/providers/bedrock.js b/server/utils/agents/aibitat/providers/bedrock.js
index ce608d11..d4bb7d26 100644
--- a/server/utils/agents/aibitat/providers/bedrock.js
+++ b/server/utils/agents/aibitat/providers/bedrock.js
@@ -3,6 +3,7 @@ const {
   getBedrockAuthMethod,
   createBedrockChatClient,
 } = require("../../../AiProviders/bedrock/utils.js");
+const { AWSBedrockLLM } = require("../../../AiProviders/bedrock/index.js");
 const Provider = require("./ai-provider.js");
 const InheritMultiple = require("./helpers/classes.js");
 const UnTooled = require("./helpers/untooled.js");
@@ -33,6 +34,10 @@ class AWSBedrockProvider extends InheritMultiple([Provider, UnTooled]) {
     this.verbose = true;
   }
 
+  get supportsAgentStreaming() {
+    return false;
+  }
+
   /**
    * Gets the credentials for the AWS Bedrock LLM based on the authentication method provided.
    * @returns {object} The credentials object.
@@ -136,7 +141,10 @@ class AWSBedrockProvider extends InheritMultiple([Provider, UnTooled]) {
         cost: 0,
       };
     } catch (error) {
-      throw error;
+      AWSBedrockLLM.errorToHumanReadable(error, {
+        method: "complete",
+        model: this.model,
+      });
     }
   }
 
diff --git a/server/utils/agents/index.js b/server/utils/agents/index.js
index 3ae8a734..038496cc 100644
--- a/server/utils/agents/index.js
+++ b/server/utils/agents/index.js
@@ -139,14 +139,7 @@ class AgentHandler {
           );
         break;
       case "bedrock":
-        if (
-          !process.env.AWS_BEDROCK_LLM_ACCESS_KEY_ID ||
-          !process.env.AWS_BEDROCK_LLM_ACCESS_KEY ||
-          !process.env.AWS_BEDROCK_LLM_REGION
-        )
-          throw new Error(
-            "AWS Bedrock Access Keys and region must be provided to use agents."
-          );
+        // No validations since there are many possible authentication methods
         break;
       case "fireworksai":
         if (!process.env.FIREWORKS_AI_LLM_API_KEY)