Bedrock credential errors
Bedrock credential issues account for ~80% of first-time setup failures. This page maps every error message to the cause and fix.
"Could not load credentials from any providers"
The AWS SDK couldn't find credentials anywhere — env vars, profile, IMDS, ECS metadata, all empty.
Fix: pick one credential source and configure it.
| You're on | Use |
|---|---|
| Developer laptop | authentication/aws-sso.md |
| EC2 / Fargate / EKS | authentication/aws-iam-role.md |
| Static keys (legacy) | authentication/aws-iam-keys.md |
"ExpiredToken" / "The security token included in the request is expired"
You're using AWS SSO and your session has expired (default 12h).
aws sso login --profile <your-profile>
Then fully restart the surface (CLI: just rerun; VS Code: Cmd+Shift+P → Reload Window; Desktop: Cmd+Q and reopen). Existing processes won't pick up the new tokens.
"AccessDeniedException: not authorized to perform: bedrock:InvokeModel"
Your role/principal lacks Bedrock permission. Attach this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "bedrock:InvokeModel",
        "bedrock:InvokeModelWithResponseStream"
      ],
      "Resource": [
        "arn:aws:bedrock:*::foundation-model/*",
        "arn:aws:bedrock:*:*:inference-profile/us.anthropic.claude-*"
      ]
    }
  ]
}
The two ARN forms in the resource list are both required:
- foundation-model/* — for direct model calls
- inference-profile/us.anthropic.claude-* — for the cross-region inference profiles InsightWorker uses by default
"ResourceNotFoundException: model not found"
The model ID in BEDROCK_MODEL doesn't exist or isn't enabled in your region.
aws bedrock list-inference-profiles --region $AWS_REGION
If the model you want isn't listed:
- AWS Console → Bedrock → Model access — request access for the Anthropic family (instant approval for most models)
- Confirm region — us.anthropic.* profiles only work in US regions
- For non-US, drop the us. prefix: BEDROCK_MODEL=anthropic.claude-sonnet-4-5-...
"ValidationException: Operation not allowed - your account is not enabled for this model"
Same as above but raised by the runtime instead of the catalog API. Same fix: enable model access in the AWS console.
"Region not configured"
AWS_REGION is unset. Add to ~/.insightworker/.env:
AWS_REGION=us-east-1
".env has AWS_ACCESS_KEY_ID but I want to use SSO"
If AWS_ACCESS_KEY_ID is set in the environment, the SDK uses it and never falls through to your SSO profile. Comment it out:
# AWS_ACCESS_KEY_ID=AKIA...
# AWS_SECRET_ACCESS_KEY=...
# This makes the SDK fall through to:
AWS_PROFILE=my-sso-profile
AWS_REGION=us-east-1
This is the most common subtle SSO failure — a stale static key shadowing the SSO profile.
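The static-key shadowing described above, together with the unset-region and us.-profile-outside-US cases from the earlier sections, can be checked before launch. This is an added example, not InsightWorker's own code; the function names, finding codes and sample values are hypothetical, and it assumes a value in .env takes precedence over the shell.

```python
import os

def parse_dotenv(text):
    """Map KEY -> value for active lines; blank and '#'-commented lines are ignored."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def lint(dotenv_text, process_env=None):
    """Return (code, message) findings. Key material is never echoed."""
    dotenv = parse_dotenv(dotenv_text)
    shell = dict(os.environ) if process_env is None else dict(process_env)

    def get(name):  # assumption: a value in .env takes precedence over the shell
        return dotenv.get(name) or shell.get(name) or ""

    findings = []
    # A static key in either place wins over AWS_PROFILE, so report where it lives.
    sources = [label for label, src in ((".env", dotenv), ("shell environment", shell))
               if src.get("AWS_ACCESS_KEY_ID")]
    if sources and get("AWS_PROFILE"):
        findings.append(("static-key-shadows-profile",
                         "AWS_ACCESS_KEY_ID is set in %s and shadows profile %r"
                         % (" and ".join(sources), get("AWS_PROFILE"))))
    region = get("AWS_REGION")
    if not region:
        findings.append(("region-unset", "AWS_REGION is unset"))
    model = get("BEDROCK_MODEL")
    # Simplification: any region name starting with "us-" counts as a US region.
    if model.startswith("us.") and region and not region.startswith("us-"):
        findings.append(("us-profile-outside-us",
                         "%s is a us. inference profile but AWS_REGION is %s" % (model, region)))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
AWS_ACCESS_KEY_ID=AKIACONSTRUCTEDEXAMPLE
AWS_SECRET_ACCESS_KEY=constructed-placeholder
AWS_PROFILE=my-sso-profile
AWS_REGION=eu-west-1
BEDROCK_MODEL=us.anthropic.claude-placeholder
"""

if __name__ == "__main__":
    for code, message in lint(SAMPLE, process_env={}):
        print(code + ": " + message)
```

Passing `process_env` explicitly keeps the check reproducible; leaving it out inspects the current shell, which also catches a static key exported outside the .env file.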
"Could not assume role" (only when using IAM role assumption)
Your principal is allowed to call sts:AssumeRole on the role, but the role's trust policy doesn't allow your principal back. Check the target role's trust relationship — it should include your user/role ARN as a Principal.
SDK retries hide the real error
If you see the same error 3 times before the agent gives up, that's the loop detector kicking in (see permissions-and-safety/loop-detector.md). The first error message is the real one — read what's before the loop-detector message.
Debug logging
Enable AWS SDK debug logs:
# ~/.insightworker/.env
AWS_SDK_LOAD_CONFIG=1
AWS_LOG_LEVEL=DEBUG
Run a small request and read the log. The SDK reports which credential provider it tried, in what order, and what it found.
See also
- authentication/aws-sso.md — SSO setup
- authentication/aws-iam-role.md — instance-role setup
- providers/bedrock.md — Bedrock-specific config
Source: docs/troubleshooting/bedrock-credentials.md in the public repo. Open a PR with corrections.
