Commit 6626124

fix(bedrock): resolve AWS credential caching issue with Identity Manager (RooCodeInc#3936)
* fix(bedrock): resolve AWS credential caching issue with Identity Manager

  - Add ignoreCache option for profile-based authentication to detect external credential file changes
  - Implement smart caching for manual credentials with 5-minute TTL to maintain performance
  - Add configuration hash-based cache invalidation for manual credential changes
  - Add invalidateCredentialCache() method for error recovery scenarios

  Fixes issue where AWS Identity Manager credential updates were not detected, requiring extension restart. Profile-based authentication now always reads fresh credentials while manual credentials maintain performance through caching.

  Resolves credential refresh issues reported by users using AWS Identity Manager with role-based authentication workflows.

* Potential fix for code scanning alert no. 66: Use of a broken or weak cryptographic algorithm

  Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* merge conflict

* updated to fix the original bedrock issue

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
1 parent 80f67c3 commit 6626124

2 files changed

+19
-1
lines changed

.changeset/fix-bedrock-cache.md

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
---
2+
"claude-dev": patch
3+
---
4+
5+
fix(bedrock): Use ignoreCache for profile-based AWS credential loading
6+
7+
Ensures that AWS Bedrock provider always fetches fresh credentials when using IAM profiles by setting `ignoreCache: true` for `fromNodeProviderChain`. This resolves issues where externally updated credentials (e.g., by AWS Identity Manager) were not detected by Cline, requiring an extension restart. Manual credential handling remains unchanged.
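
Review bot: The closing sentence of the changeset body (line 7, "Manual credential handling remains unchanged") does not match the commit message, which announces a 5-minute TTL cache, configuration-hash cache invalidation and an `invalidateCredentialCache()` method for manual credentials. Neither of the two changed files contains any of that, so the changeset is the accurate description and the commit message should be trimmed to the `ignoreCache` change, or the missing code added in this commit. The same applies to the "code scanning alert no. 66" line in the message: no cryptographic code is touched in these 19 added lines.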

src/api/providers/bedrock.ts

Lines changed: 12 additions & 1 deletion
@@ -223,8 +223,19 @@ export class AwsBedrockHandler implements ApiHandler {
223223
secretAccessKey: string
224224
sessionToken?: string
225225
}> {
226+
// Configure provider options
227+
const providerOptions: any = {}
228+
if (this.options.awsUseProfile) {
229+
// For profile-based auth, always use ignoreCache to detect credential file changes
230+
// This solves the AWS Identity Manager issue where credential files change externally
231+
providerOptions.ignoreCache = true
232+
if (this.options.awsProfile) {
233+
providerOptions.profile = this.options.awsProfile
234+
}
235+
}
236+
226237
// Create AWS credentials by executing an AWS provider chain
227-
const providerChain = fromNodeProviderChain()
238+
const providerChain = fromNodeProviderChain(providerOptions)
228239
return await AwsBedrockHandler.withTempEnv(
229240
() => {
230241
AwsBedrockHandler.setEnv("AWS_REGION", this.options.awsRegion)
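
Review bot: `const providerOptions: any = {}` on new line 227 turns off type checking for the object passed to `fromNodeProviderChain`, so a misspelled `ignoreCache` or `profile` key would compile and silently bring back the stale-credential behaviour this change is meant to remove. Type it from the callee instead, for example `const providerOptions: Parameters<typeof fromNodeProviderChain>[0] = {}`. It would also help to extend the comment on lines 229-230 to say that the reload happens each time this method builds the provider chain, since that is the cost accepted for picking up externally updated credential files.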
