Issue Station
Sign In
Tools hereToolbox

openclaw - ✅(Solved) Fix [Bug] v2026.4.5 regression: "No API key found for amazon-bedrock" with auth: aws-sdk (instance role) [2 pull requests, 1 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
openclaw/openclaw#62995Fetched 2026-04-09 07:59:42
View on GitHub
Comments
0
Participants
1
Timeline
6
Reactions
0
Author
ddynwzh1992ddynwzh1992
Participants
ddynwzh1992ddynwzh1992
Assignees
vincentkocvincentkoc
Timeline (top)
cross-referenced ×2labeled ×2assigned ×1referenced ×1

After upgrading to OpenClaw 2026.4.5, the embedded agent fails with:

No API key found for amazon-bedrock. Use /login or set an API key environment variable.

This worked correctly on 2026.3.13 with the same configuration. Downgrading to 2026.3.13 resolves the issue.

Error Message

Error Log The error originates from pi-coding-agent's provider logic, suggesting the embedded agent runtime is not respecting the auth: aws-sdk configuration and instead looking for an explicit API key.

Root Cause

After upgrading to OpenClaw 2026.4.5, the embedded agent fails with:

No API key found for amazon-bedrock. Use /login or set an API key environment variable.

This worked correctly on 2026.3.13 with the same configuration. Downgrading to 2026.3.13 resolves the issue.

Fix Action

Fix / Workaround

  1. Set up OpenClaw on EC2 with IAM instance role that has Bedrock permissions
  2. Configure amazon-bedrock provider with "auth": "aws-sdk"
  3. Upgrade to 2026.4.5
  4. Send a message to the bot

PR fix notes

PR #68: Fix reset script to restore .env for Bedrock IAM auth

Description (problem / solution / changelog)

Summary

The Reset Configuration script in TROUBLESHOOTING.md recreates openclaw.json but does not restore ~/.openclaw/.env, which is required for OpenClaw 2026.4.5+ to discover IAM credentials from EC2 instance metadata (IMDS).

Without this file, users who reset their config hit:

No API key found for amazon-bedrock.
Use /login or set an API key environment variable.

This PR adds the .env restore step to match what the CloudFormation template already writes during initial deployment (clawdbot-bedrock.yaml, line 796).

What changed in OpenClaw v2026.4.5+

OpenClaw v2026.4.5 switched its model engine to pi-coding-agent, which introduced breaking changes for Bedrock auth on EC2:

  • "auth": "aws-sdk" in openclaw.json is no longer read — auth is now resolved purely via environment variables
  • AWS_PROFILE env var is required — the new runtime checks for AWS_PROFILE, AWS_ACCESS_KEY_ID, or AWS_BEARER_TOKEN_BEDROCK before falling through to the SDK credential chain. On EC2 with IAM instance roles, none of these are set by default, so auth fails (openclaw/openclaw#62995)
  • "api": "bedrock-converse-stream" is still required — without it, v2026.4.5 defaults to raw HTTP calls instead of the AWS SDK converse stream API, causing "LLM request timed out" errors
  • "baseUrl" is still required — removing it causes config validation failure
  • ~/.openclaw/.env is the durable fix — this file is loaded by the gateway systemd service via EnvironmentFile= and survives gateway reinstalls and upgrades

Setting AWS_PROFILE=default tells the AWS SDK to resolve credentials via the default credential chain, which includes IMDS (EC2 instance profile). This is documented in the official OpenClaw Bedrock provider docs under "EC2 Instance Roles".

References

Changed files

  • TROUBLESHOOTING.md (modified, +4/-0)

PR #69: Add upgrade guide: v2026.3.24 → v2026.4.5

Description (problem / solution / changelog)

Summary

Adds UPGRADE.md documenting how to upgrade existing v2026.3.24 deployments to v2026.4.5, covering the breaking changes in Bedrock authentication and configuration.

  • In-place upgrade (recommended): Step-by-step guide that preserves chat history, channel connections, skills, and config
  • Fresh install: Redeploy with OpenClawVersion=2026.4.5 — warns about data loss implications
  • Troubleshooting: Covers the four most common errors encountered during upgrade
  • Rollback: Steps to revert to v2026.3.24 if needed

Context

The clawdbot-bedrock.yaml template already supports deploying v2026.4.5 with the modern plugin-based config (plugins.entries.amazon-bedrock) and IMDS auth workaround (AWS_PROFILE=default). However, there is no documentation for users who deployed with the default v2026.3.24 and want to upgrade in-place. This is the most common upgrade path since a fresh install destroys all user data (chat history, channel connections, SOUL.md, etc.).

Key v2026.4.5 breaking changes documented

  • "auth": "aws-sdk" in openclaw.json is now ignored — auth resolved via env vars
  • AWS_PROFILE=default is required for EC2 IMDS credential discovery (openclaw/openclaw#62995)
  • --ignore-scripts must NOT be used on ARM64 (needs @buape/carbon for Discord)
  • "api": "bedrock-converse-stream" must remain in legacy config (without it, raw HTTP calls cause timeouts)
  • Modern plugin config (plugins.entries) is the recommended migration target

Test plan

  • Verify in-place upgrade steps on a v2026.3.24 Graviton instance
  • Verify fresh install steps with OpenClawVersion=2026.4.5
  • Confirm rollback steps restore v2026.3.24 functionality
  • Test troubleshooting commands for each error scenario

Changed files

  • UPGRADE.md (added, +257/-0)

Code Example

{
  "models": {
    "providers": {
      "amazon-bedrock": {
        "baseUrl": "https://bedrock-runtime.us-west-2.amazonaws.com",
        "auth": "aws-sdk",
        "api": "bedrock-converse-stream",
        "models": [
          {
            "id": "global.anthropic.claude-opus-4-6-v1",
            "contextWindow": 200000,
            "maxTokens": 8192
          }
        ]
      }
    }
  },
  "env": {
    "vars": {
      "CLAUDE_CODE_USE_BEDROCK": "1",
      "AWS_REGION": "us-west-2"
    }
  }
}


### Steps to reproduce

1. Set up OpenClaw on EC2 with IAM instance role that has Bedrock permissions
2. Configure amazon-bedrock provider with "auth": "aws-sdk"
3. Upgrade to 2026.4.5
4. Send a message to the bot

### Expected behavior

can message agent

### Actual behavior

Error Log

agent/embedded failoverReason: auth
rawErrorPreview: "No API key found for amazon-bedrock.\n\nUse /login or set an API key environment variable. See .../pi-coding-agent/docs/providers.md"

The error originates from pi-coding-agent's provider logic, suggesting the embedded agent runtime is not respecting the auth: aws-sdk configuration and instead looking for an explicit API key.


### OpenClaw version

2026.4.5

### Operating system

ubuntu22

### Install method

_No response_

### Model

bedrock/anthropic/claude-opus-4-6-v1

### Provider / routing chain

openclaw - > bedrock

### Additional provider/model setup details

_No response_

### Logs, screenshots, and evidence
RAW_BUFFERClick to expand / collapse

Bug type

Regression (worked before, now fails)

Beta release blocker

No

Summary

Description

After upgrading to OpenClaw 2026.4.5, the embedded agent fails with:

No API key found for amazon-bedrock. Use /login or set an API key environment variable.

This worked correctly on 2026.3.13 with the same configuration. Downgrading to 2026.3.13 resolves the issue.

Environment

  • OpenClaw version: 2026.4.5 (broken) / 2026.3.13 (works)
  • OS: Linux arm64 (AWS EC2)
  • Node: v22.22.1
  • Instance: EC2 with IAM instance role (Bedrock permissions confirmed via aws sts get-caller-identity)

Configuration (relevant parts)

{
  "models": {
    "providers": {
      "amazon-bedrock": {
        "baseUrl": "https://bedrock-runtime.us-west-2.amazonaws.com",
        "auth": "aws-sdk",
        "api": "bedrock-converse-stream",
        "models": [
          {
            "id": "global.anthropic.claude-opus-4-6-v1",
            "contextWindow": 200000,
            "maxTokens": 8192
          }
        ]
      }
    }
  },
  "env": {
    "vars": {
      "CLAUDE_CODE_USE_BEDROCK": "1",
      "AWS_REGION": "us-west-2"
    }
  }
}


### Steps to reproduce

1. Set up OpenClaw on EC2 with IAM instance role that has Bedrock permissions
2. Configure amazon-bedrock provider with "auth": "aws-sdk"
3. Upgrade to 2026.4.5
4. Send a message to the bot

### Expected behavior

can message agent

### Actual behavior

Error Log

agent/embedded failoverReason: auth
rawErrorPreview: "No API key found for amazon-bedrock.\n\nUse /login or set an API key environment variable. See .../pi-coding-agent/docs/providers.md"

The error originates from pi-coding-agent's provider logic, suggesting the embedded agent runtime is not respecting the auth: aws-sdk configuration and instead looking for an explicit API key.


### OpenClaw version

2026.4.5

### Operating system

ubuntu22

### Install method

_No response_

### Model

bedrock/anthropic/claude-opus-4-6-v1

### Provider / routing chain

openclaw - > bedrock

### Additional provider/model setup details

_No response_

### Logs, screenshots, and evidence

```shell

Impact and severity

No response

Additional information

No response

extent analysis

TL;DR

Downgrade to OpenClaw version 2026.3.13 to resolve the authentication issue with the amazon-bedrock provider.

Guidance

  • Verify that the IAM instance role has the necessary Bedrock permissions by running aws sts get-caller-identity and checking the permissions.
  • Check the OpenClaw configuration to ensure that the auth field is set to aws-sdk for the amazon-bedrock provider.
  • Consider setting the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables as a temporary workaround, although this is not recommended for production environments.
  • Review the pi-coding-agent documentation to ensure that the provider logic is correctly configured and that the embedded agent runtime is respecting the auth: aws-sdk configuration.

Example

No code snippet is provided as the issue is related to configuration and authentication.

Notes

The issue seems to be related to a regression in OpenClaw version 2026.4.5, and downgrading to 2026.3.13 resolves the issue. However, this may not be a permanent solution, and further investigation is needed to determine the root cause of the problem.

Recommendation

Apply workaround: Downgrade to OpenClaw version 2026.3.13 until a fix is available for the authentication issue in version 2026.4.5. This is because downgrading to 2026.3.13 has been confirmed to resolve the issue, and it is a safer option until a permanent fix is available.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…

FAQ

Expected behavior

can message agent

#api#API rate limit#retriever error#indexing error#environment variable

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING