fix(bedrock): fix unreachable credential validation in WithConfig #290

Open
MaxwellCalkin wants to merge 1 commit into anthropics:main from MaxwellCalkin:fix/bedrock-credential-validation

@MaxwellCalkin

Summary

  • The credential validation error in bedrock.WithConfig is unreachable dead code due to a logic error in the if/else-if chain
  • The else if branch checks cfg.BearerAuthTokenProvider == nil, but it can only execute when the outer if cfg.BearerAuthTokenProvider == nil was false — meaning BearerAuthTokenProvider is NOT nil, making the nested nil check always false
  • As a result, users who call WithConfig without any credentials (no bearer token, no AWS_BEARER_TOKEN_BEDROCK env var, no cfg.Credentials) silently proceed instead of getting the intended "expected AWS credentials to be set" error, eventually hitting a nil pointer panic during SigV4 signing
  • The fix restructures the check so validation runs after both the bearer token provider and env var fallback have been exhausted

Before (broken):

if cfg.BearerAuthTokenProvider == nil {
    if token := os.Getenv("AWS_BEARER_TOKEN_BEDROCK"); token != "" {
        cfg.BearerAuthTokenProvider = NewStaticBearerTokenProvider(token)
    }
} else if cfg.BearerAuthTokenProvider == nil && cfg.Credentials == nil {
    // ^^^ UNREACHABLE: else-if only runs when BearerAuthTokenProvider != nil
    credentialErr = fmt.Errorf("expected AWS credentials to be set")
}

After (fixed):

if cfg.BearerAuthTokenProvider == nil {
    if token := os.Getenv("AWS_BEARER_TOKEN_BEDROCK"); token != "" {
        cfg.BearerAuthTokenProvider = NewStaticBearerTokenProvider(token)
    } else if cfg.Credentials == nil {
        credentialErr = fmt.Errorf("expected AWS credentials to be set")
    }
}

Test plan

  • Verify that calling bedrock.WithConfig(aws.Config{}) (no credentials set, no env var) now returns the "expected AWS credentials to be set" error
  • Verify that setting AWS_BEARER_TOKEN_BEDROCK env var still works correctly
  • Verify that passing cfg.Credentials still works correctly
  • Verify that passing cfg.BearerAuthTokenProvider directly still works correctly

🤖 Generated with Claude Code

The credential validation check in WithConfig was unreachable dead code.
The if/else-if structure was:

    if cfg.BearerAuthTokenProvider == nil {
        // try env var
    } else if cfg.BearerAuthTokenProvider == nil && cfg.Credentials == nil {
        // set error
    }

The else-if branch only executes when BearerAuthTokenProvider is NOT nil
(since the if-branch handles the nil case), but then immediately checks
if it IS nil — a condition that can never be true. This means users who
call WithConfig without any credentials (no bearer token provider, no
AWS_BEARER_TOKEN_BEDROCK env var, and no AWS credentials) would not
receive the expected error. Instead, the request would proceed and fail
later with an opaque nil pointer error during SigV4 signing.

The fix moves the credential check into the existing if-block as a
nested else-if, so it executes when BearerAuthTokenProvider is nil AND
the env var fallback is also not available.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

MaxwellCalkin requested a review from a team as a code owner on March 8, 2026 21:44
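
The before/after chains from the description above, run against the four situations in the test plan. This is an added example, not the SDK's code or part of the pull request: `config`, `resolveBefore`, `resolveAfter` and `errNoCreds` are hypothetical stand-ins, the inputs are constructed, and the `envToken` parameter replaces the `os.Getenv("AWS_BEARER_TOKEN_BEDROCK")` lookup so the run does not depend on the environment.

```go
package main

import "fmt"

// config models only the two aws.Config fields the PR discusses (hypothetical stand-in).
type config struct {
	BearerAuthTokenProvider, Credentials any
}

var errNoCreds = fmt.Errorf("expected AWS credentials to be set")

// resolveBefore keeps the original chain; envToken stands in for AWS_BEARER_TOKEN_BEDROCK.
func resolveBefore(cfg config, envToken string) error {
	if cfg.BearerAuthTokenProvider == nil {
		if envToken != "" {
			cfg.BearerAuthTokenProvider = envToken
		}
	} else if cfg.BearerAuthTokenProvider == nil && cfg.Credentials == nil {
		return errNoCreds // never reached: this branch implies a non-nil provider
	}
	return nil
}

// resolveAfter uses the restructured chain from the PR.
func resolveAfter(cfg config, envToken string) error {
	if cfg.BearerAuthTokenProvider == nil {
		if envToken != "" {
			cfg.BearerAuthTokenProvider = envToken
		} else if cfg.Credentials == nil {
			return errNoCreds
		}
	}
	return nil
}

func main() {
	cases := []struct {
		cfg config
		env string
	}{
		{config{}, ""},
		{config{}, "constructed-token"},
		{config{Credentials: "constructed-creds"}, ""},
		{config{BearerAuthTokenProvider: "constructed-provider"}, ""},
	}
	for _, c := range cases {
		fmt.Printf("%+v env=%q before=%v after=%v\n", c.cfg, c.env, resolveBefore(c.cfg, c.env), resolveAfter(c.cfg, c.env))
	}
}
```

Only the first case differs between the two functions: with no provider, no token and no credentials, the original chain returns no error and the restructured one returns the validation error.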