hermes - 💡(How to fix) Fix Bedrock+Claude: wizard accepts Bearer-only setup, runtime fails on missing IAM + picker shows unroutable us./global. profiles in EU region



Summary

Two related bugs in the hermes model → AWS Bedrock flow:

  1. Wizard accepts AWS_BEARER_TOKEN_BEDROCK as sufficient credentials for Claude on Bedrock, but the runtime then fails with RuntimeError: could not resolve credentials from session because Hermes routes Claude through the AnthropicBedrock SDK, which only signs with SigV4 IAM — not Bearer.
  2. The model picker offers us.anthropic.* and global.anthropic.* inference profiles even when bedrock.region is eu-central-2, and us.anthropic.claude-sonnet-4-6 is the hardcoded top recommendation. Selecting one produces a config that AWS will reject from the EU endpoint regardless of credentials.

Environment

  • hermes-agent 0.14.0, boto3 1.42.89, anthropic SDK on Bedrock
  • macOS 25.3.0, Python 3.11
  • Region: eu-central-2 (Zurich)
  • Auth: AWS_BEARER_TOKEN_BEDROCK only, no IAM, no ~/.aws/credentials

Repro

  1. .env: AWS_BEARER_TOKEN_BEDROCK=<valid>, AWS_REGION=eu-central-2. No IAM keys.
  2. hermes model → AWS Bedrock. Wizard does not prompt for IAM — the Bearer is accepted as sufficient.
  3. Picker shows live model list including us.anthropic.*, global.anthropic.*, eu.anthropic.*. Top recommendation: us.anthropic.claude-sonnet-4-6.
  4. Accept default → config saved with model.default: us.anthropic.claude-sonnet-4-6, base_url: https://bedrock-runtime.eu-central-2.amazonaws.com.
  5. First message → 3× could not resolve credentials from session, then hard fail.

What proves the Bearer is fine

Direct boto3.client("bedrock-runtime", region_name="eu-central-2").converse(modelId="eu.anthropic.claude-sonnet-4-6", ...) from the same venv with the same env var returns in ~1.4s. Streaming converse_stream also works. The token is valid for Anthropic on Bedrock in Zurich — Hermes just doesn't use that path for Claude.

Root cause (bug 1)

hermes_cli/runtime_provider.py:1421-1432 unconditionally forces api_mode="anthropic_messages" for any is_anthropic_bedrock_model(...):

if is_anthropic_bedrock_model(_current_model):
    runtime = {
        "provider": "bedrock",
        "api_mode": "anthropic_messages",
        ...
        "bedrock_anthropic": True,
    }

That routes to agent/agent_init.py:524 → build_anthropic_bedrock_client(region) → anthropic/lib/bedrock/_auth.py:63-65:

credentials = session.get_credentials()
if not credentials:
    raise RuntimeError("could not resolve credentials from session")

session.get_credentials() here is the SigV4 chain — it does not consider AWS_BEARER_TOKEN_BEDROCK.

Meanwhile agent/bedrock_adapter.py:243-244 counts Bearer as valid credentials, so has_aws_credentials() returns True and the wizard's pre-flight passes silently.

Root cause (bug 2)

_RECOMMENDED in hermes_cli/main.py:5051-5061 hardcodes us.anthropic.* / us.amazon.* regardless of configured region. The picker's deduplication and sort logic doesn't filter us.* / eu.* / ap.* profiles by region prefix, so cross-region inference profiles surface in the wrong-region pickers — but only eu.* actually routes from a Zurich endpoint.

Suggested fixes

  1. Credential-aware wizard. When the selected model is_anthropic_bedrock_model(...) AND boto3.Session().get_credentials() returns None, prompt for AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY in the wizard — same pattern the Marketplace path already uses for the Bearer at main.py:4884. Or raise an AuthError with a clear message stating Claude on Bedrock needs SigV4.
  2. Region-scoped model list. In _model_flow_bedrock (main.py:5020+), filter the live model list by region prefix: us-* regions → keep us.* + global.*, eu-* regions → keep eu.* + global.*, ap-* regions → keep ap.* + global.*. Same logic for _RECOMMENDED sorting.

Workaround

Add to ~/.hermes/<profile>/.env:

AWS_ACCESS_KEY_ID=AKIA...
AWS_SECRET_ACCESS_KEY=...

Keep AWS_BEARER_TOKEN_BEDROCK — both coexist (Anthropic SDK uses IAM, boto3 for non-Anthropic Bedrock and mantle uses Bearer). Then manually edit:

model:
  default: eu.anthropic.claude-sonnet-4-6   # not us.*

Happy to PR if there's interest.


This issue was drafted in collaboration with Claude Opus 4.7 after a 3-hour debugging session that traced the full code path. Empirical evidence (working direct boto3 calls, exact file:line pointers, observed wizard behavior) all verified on the reporter's machine.
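
Added example (not code from the issue or from Hermes): a sketch of the two suggested fixes, the credential pre-flight that treats a Bearer-only setup as insufficient for Claude and the region-prefix filter for the picker. The function names, the keep_global switch, the returned status strings and the sample model list are assumptions made for this illustration.

```python
import re

# Geography prefix of a cross-region inference profile ID ("eu." in
# "eu.anthropic.claude-sonnet-4-6"); IDs without one are treated as in-region.
_PROFILE_PREFIX = re.compile(r"^(us|eu|ap|global)\.")


def is_anthropic(model_id):
    """Hypothetical stand-in for the project's is_anthropic_bedrock_model()."""
    return _PROFILE_PREFIX.sub("", model_id).startswith("anthropic.")


def routable_models(model_ids, region, keep_global=True):
    """Fix 2: keep only profiles whose prefix matches the region's geography."""
    geo = region.split("-", 1)[0]  # "eu-central-2" -> "eu"
    kept = []
    for mid in model_ids:
        m = _PROFILE_PREFIX.match(mid)
        prefix = m.group(1) if m else None
        if prefix is None or prefix == geo or (prefix == "global" and keep_global):
            kept.append(mid)
    return kept


def recommend(model_ids, region, family="anthropic.claude-sonnet-4-6"):
    """Choose the default from the filtered list; this sketch never auto-picks global.*."""
    for mid in routable_models(model_ids, region, keep_global=False):
        if _PROFILE_PREFIX.sub("", mid) == family:
            return mid
    return None


def preflight(model_id, env, sigv4_resolved):
    """Fix 1: can the configured credentials actually serve model_id?

    sigv4_resolved is the caller's `boto3.Session().get_credentials() is not None`.
    """
    has_bearer = bool(env.get("AWS_BEARER_TOKEN_BEDROCK"))
    if is_anthropic(model_id):
        # Claude goes through the SigV4-only client, so a Bearer alone must not pass.
        return "ok" if sigv4_resolved else "need_sigv4"
    return "ok" if (sigv4_resolved or has_bearer) else "need_credentials"


# Constructed sample list; the last ID is a made-up in-region model.
SAMPLE_MODELS = ["us.anthropic.claude-sonnet-4-6", "global.anthropic.claude-sonnet-4-6",
                 "eu.anthropic.claude-sonnet-4-6", "ap.anthropic.claude-sonnet-4-6",
                 "amazon.example-model-v1"]

if __name__ == "__main__":
    print(routable_models(SAMPLE_MODELS, "eu-central-2"))
    print(recommend(SAMPLE_MODELS, "eu-central-2"))
    print(preflight("eu.anthropic.claude-sonnet-4-6", {"AWS_BEARER_TOKEN_BEDROCK": "x"}, False))
```

A region outside us-*, eu-* and ap-* matches no geography prefix here, so only unprefixed IDs (and global.* when keep_global is set) survive the filter.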
