fix: allow Bedrock provider to use AWS SDK default credential chain

[majiayu000]

Summary

Make Bedrock credentials optional so the provider falls back to AWS SDK's default credential chain (env vars, IAM role, ~/.aws/credentials, etc.) when explicit keys are not provided.

Fixes #3694

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

• Unit tests added in apps/sim/providers/bedrock/index.test.ts covering:
  • Explicit credentials passed through correctly
  • No credentials → SDK default chain (no credentials in client config)
  • Partial credentials (key only / secret only) → throws clear error
  • Custom region forwarded correctly
• All existing tests continue to pass

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

N/A — backend-only change, no UI impact.

[vercel]

@majiayu000 is attempting to deploy a commit to the Sim Team on Vercel.

A member of the Team first needs to authorize it.

[cursor]

PR Summary

Medium Risk
Changes how Bedrock credentials are validated and passed to the AWS SDK, which could affect authentication behavior in production if misconfigured. Scope is limited and covered by new unit tests for explicit/implicit/partial credential cases.

Overview
Allows the Bedrock provider to run without explicit access keys, relying on the AWS SDK default credential chain when bedrockAccessKeyId/bedrockSecretKey are omitted.

Updates request validation to reject partial credentials (only one of the two keys) and only includes credentials in BedrockRuntimeClient config when both are present; the Agent block UI now marks these fields as optional with updated placeholders. Adds apps/sim/providers/bedrock/index.test.ts to cover explicit credentials, default-chain usage, partial-credential errors, and custom region forwarding.

^{Written by Cursor Bugbot for commit e67b9df. This will update automatically on new commits. Configure here.}

[greptile-apps]

Greptile Summary

This PR makes AWS Bedrock credentials optional in the provider, allowing the AWS SDK's default credential chain (environment variables, IAM roles, ~/.aws/credentials, etc.) to be used when explicit keys are not supplied.

Key changes:

• providers/bedrock/index.ts: Removes the hard mandatory-credential guards and replaces them with a partial-credential XOR check — if only one of bedrockAccessKeyId / bedrockSecretKey is provided the call throws a clear error; if neither is provided, BedrockRuntimeClient is instantiated without a credentials field, which lets the SDK resolve credentials through its default chain.
• blocks/blocks/agent.ts: Marks both AWS credential fields required: false and updates their placeholder text to communicate the optional / fallback behavior to the user.
• providers/bedrock/index.test.ts: New test suite covering all four credential scenarios (both, neither, key-only, secret-only) and a custom region case.

Confidence Score: 5/5

• Safe to merge — the logic is correct, the guard against partial credentials is sound, and UI fields are kept consistent with the backend change.
• The change is small, focused, and well-tested. The XOR guard prevents silent misconfigurations (only one key supplied). Omitting credentials from the SDK client config is the standard pattern for delegating to the default credential chain. All existing tests still pass and new tests cover the four credential scenarios. The only notes are minor style suggestions (using the SDK's own config type, hardening a mock return value) that don't affect correctness.
• No files require special attention.

Important Files Changed

Filename	Overview
apps/sim/providers/bedrock/index.ts	Core logic change: removes mandatory credential checks and adds conditional credential config — only passes explicit credentials to BedrockRuntimeClient when both keys are present, otherwise omits credentials so the AWS SDK default chain is used. The partial-credential XOR guard is correct and is placed before the try block (consistent with the original pattern). Minor: the inline clientConfig type could reference the SDK's own type.
apps/sim/blocks/blocks/agent.ts	UI field changes: bedrockAccessKeyId and bedrockSecretKey are now required: false with updated placeholder text, consistent with the backend change making credentials optional.
apps/sim/providers/bedrock/index.test.ts	New test file covering credential handling: explicit creds, no creds, partial creds (both XOR cases), and custom region. The prepareToolsWithUsageControl mock returns undefined by default which would cause a TypeError if any future test exercises the tools path — minor gap but doesn't affect the current test suite.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[executeRequest called] --> B{bedrockAccessKeyId\nprovided?}
    B -- Yes --> C{bedrockSecretKey\nprovided?}
    B -- No --> D{bedrockSecretKey\nprovided?}
    C -- Yes --> E[Build clientConfig\nwith explicit credentials]
    C -- No --> F[Throw Error:\nboth keys must be\nprovided together]
    D -- Yes --> F
    D -- No --> G[Build clientConfig\nwithout credentials]
    E --> H[new BedrockRuntimeClient\nwith credentials]
    G --> I[new BedrockRuntimeClient\nno credentials → AWS SDK\ndefault credential chain]
    H --> J[Send request to Bedrock]
    I --> J

Loading

_{Last reviewed commit: "fix: clean up bedroc..."}