
[DOCS] awsCredentialExport seems to have lower priority than credentials stored in .aws/credentials

Open bzakdd opened this issue 3 months ago • 4 comments

Documentation Type

Unclear/confusing documentation

Documentation Location

https://code.claude.com/docs/en/amazon-bedrock

Section/Topic

advanced-credential-configuration

Current Documentation

The documentation currently says:

awsCredentialExport: Only use this if you cannot modify .aws and must directly return credentials. Output is captured silently (not shown to the user).

To me, it suggests that when awsCredentialExport is used, .aws/credentials is ignored.

What's Wrong or Missing?

However, from my experiments, it seems that awsCredentialExport is ignored and credentials from .aws/credentials are applied. There is a debug log:

2025-11-19T15:10:14.815Z [DEBUG] Fetching AWS caller identity for credential export command
2025-11-19T15:10:15.001Z [DEBUG] Fetched AWS caller identity, skipping AWS credential export command

which strongly suggests that if credentials are defined then awsCredentialExport is ignored.

Claude version:

$ claude --version
2.0.42 (Claude Code)

Additionally, the same issue applies to the AWS credentials passed via environment variables (though it is not mentioned here).

Suggested Improvement

The documentation should:

  • Indicate that current AWS credentials have higher priority
  • Have instructions on how to configure Claude to ignore credentials that are configured in the system, both in .aws and in environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, to use awsCredentialExport

Impact

High - Prevents users from using a feature

Additional Context

I have AWS credentials configured for a user that doesn't have permissions to use Bedrock. I want to use awsCredentialExport to assume a role which has limited Bedrock permissions. Currently, to do it, I need to:

  • Create a special AWS profile without credentials
  • Configure .claude/settings.json to undefine AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
  • Undefine the AWS_PROFILE variable (because it is passed to the command in awsCredentialExport and I don't want that to happen)

bzakdd • Nov 19 '25 15:11
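
The workaround above only works when no ambient AWS credentials resolve before the export command runs. A preflight check for that, as an added example that is not part of the issue or of Claude Code: the function name `ambient_aws_sources` is hypothetical, and the precedence it assumes is the one the quoted debug log suggests, not documented behaviour.

```shell
#!/bin/sh
# Added example (not from the issue or from Claude Code).
# Lists ambient AWS credential sources that, going by the debug log quoted in
# the issue, would let the caller-identity check succeed and cause
# awsCredentialExport to be skipped. Only environment variables and the shared
# credentials file are inspected; other SDK sources (SSO, ~/.aws/config,
# instance or container roles) are out of scope for this sketch.

# ambient_aws_sources [credentials_file]   (hypothetical helper name)
# Prints one line per source found. Returns 0 if none were found, 1 otherwise.
ambient_aws_sources() {
    creds_file="${1:-${AWS_SHARED_CREDENTIALS_FILE:-${HOME:-}/.aws/credentials}}"
    profile="${AWS_PROFILE:-default}"
    found=0

    # Static keys exported in the environment.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
        echo "env:AWS_ACCESS_KEY_ID"
        found=1
    fi

    # AWS_PROFILE is inherited by child processes, including the command
    # configured in awsCredentialExport, which the reporter wants to avoid.
    if [ -n "${AWS_PROFILE:-}" ]; then
        echo "env:AWS_PROFILE=${AWS_PROFILE}"
        found=1
    fi

    # Access key stored under the selected profile in the credentials file.
    if [ -r "$creds_file" ] && awk -v want="[${profile}]" '
            /^\[/ { in_sec = ($0 == want) }
            in_sec && /^[ \t]*aws_access_key_id[ \t]*=/ { hit = 1 }
            END { exit !hit }' "$creds_file"; then
        echo "file:${creds_file}[${profile}]"
        found=1
    fi

    return "$found"
}

# Report for the current shell; the trailing "||" keeps the exit status clean.
ambient_aws_sources || echo "ambient AWS credentials present" >&2
```

Run it in the same shell that launches `claude`; an empty result means none of the checked sources is set.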

This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.

github-actions[bot] • Dec 20 '25 10:12

This issue is still occurring.

bzakdd • Dec 22 '25 14:12

Is there a workaround for this? I want to have default AWS credentials in .aws for everything else and then use this pathway for specifying which AWS credentials claude code should use for calling bedrock (they are different).

Any ideas on a workaround would be helpful!

friedmud • Jan 02 '26 19:01

Alternatively, it would be excellent to be able to set CLAUDE_CODE_AWS_PROFILE (or other AWS environment variables) that only claude code would use.

This idea was noted here: https://github.com/anthropics/claude-code/issues/148 - but that was auto-closed (IMO it should be reopened).

friedmud • Jan 02 '26 19:01

This issue has been automatically closed due to 60 days of inactivity. If you're still experiencing this issue, please open a new issue with updated information.

github-actions[bot] • Feb 03 '26 10:02

This issue was closed incorrectly despite recent human comments. This behavior of the bot is reported at https://github.com/anthropics/claude-code/issues/16497. Please upvote that issue, so maybe it gets noticed.

marcindulak • Feb 05 '26 12:02

This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.

github-actions[bot] • Feb 13 '26 14:02