BedrockKnowledgeBaseVectorStoreAutoConfiguration ignores existing AwsCredentialsProvider bean #5768
Description
Bug description
When using Spring Cloud AWS for credential management (spring.cloud.aws.credentials), the Bedrock Converse chat model works correctly but the Bedrock Knowledge Base vector store fails with SdkClientException: Unable to load credentials
it's look like BedrockKnowledgeBaseVectorStoreAutoConfiguration creates its BedrockAgentRuntimeClient and ignore AwsCredentialsProvider
Environment
- Spring AI: 2.0.0-M4
- Spring Boot: 3.x
- Spring Cloud AWS 4.0.1
Steps to reproduce
- Configure Spring Cloud AWS credentials:
spring:
cloud:
aws:
credentials:
access-key: <key>
secret-key: <secret>
ai:
bedrock:
converse:
chat:
options:
model: eu.anthropic.claude-opus-4-6-v1
vectorstore:
bedrock-knowledge-base:
knowledge-base-id: <id>
region: eu-central-2
- Use both ChatClient (Bedrock Converse) and VectorStore (Bedrock Knowledge Base) in the same application.
- Do not set AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables or any other SDK-level credential source
- Call an endpoint that triggers a Knowledge Base similarity search.
Expected behavior
The Knowledge Base vector store should use the same AwsCredentialsProvider bean as the Converse chat model, since both are Bedrock integrations within the same application context.
Minimal Complete Reproducible example
@Configuration
public class AiConfiguration {
@Bean
public ChatClient chatClient(ChatClient.Builder builder, VectorStore vectorStore) {
return builder
// if you comment this, it's working fine
.defaultAdvisors(
QuestionAnswerAdvisor.builder(vectorStore)
.searchRequest(SearchRequest.builder().topK(5).build())
.build()
)
.build();
}
}
@RestController
public class ChatController {
private final ChatClient chatClient;
@PostMapping("/chat")
public String chat(@RequestBody String message) {
// This fails with SdkClientException on the Knowledge Base similarity search
// even though the Converse chat model credentials work fine
return chatClient.prompt().user(message).call().content();
}
}
Workaround
Define a custom BedrockAgentRuntimeClient bean that injects the existing AwsCredentialsProvider:
@Bean
public BedrockAgentRuntimeClient bedrockAgentRuntimeClient(AwsCredentialsProvider credentialsProvider) {
return BedrockAgentRuntimeClient.builder()
.region(Region.EU_CENTRAL_2)
.credentialsProvider(credentialsProvider)
.build();
}