[Bug] sdk@0.2.96 Bedrock SigV4 regression: 403 auth failure with standard AWS instance profile credentials
Description
claude-agent-sdk@0.2.96 (shipped with claude-code-action@v1 on 2026-04-08) broke Bedrock authentication for setups using standard AWS instance profile credentials (SigV4). All requests to Bedrock fail with 403 authentication_failed.
The release notes for v2.1.96 mention a fix for this regression, but it only covers AWS_BEARER_TOKEN_BEDROCK and CLAUDE_CODE_SKIP_BEDROCK_AUTH auth paths — the standard SigV4 path remains broken.
Error
Failed to authenticate. API Error: 403 Authorization header requires 'Credential' parameter.
Authorization header requires 'Signature' parameter.
Authorization header requires 'SignedHeaders' parameter.
(Hashed with SHA-256 and encoded with Base64) Authorization=cQ4NvdQimYUQF6TWcmXs0EbxtO23QVJZkqGmqPqAElg=
Environment
claude-agent-sdk:0.2.96claude-code-action:@v1(commit26ddc358)- Auth method: AWS instance profile (SigV4) via
CLAUDE_CODE_USE_BEDROCK=1 - Runner: self-hosted on EC2 with instance profile attached
- AWS region:
us-west-2
Steps to reproduce
- Use
claude-code-action@v1withuse_bedrock: true - Authenticate via EC2 instance profile (no
AWS_BEARER_TOKEN_BEDROCK, noCLAUDE_CODE_SKIP_BEDROCK_AUTH) - Run any prompt — all requests fail with the 403 above
Expected behavior
Requests are signed with AWS Signature V4 using the instance profile credentials, as they were in sdk@0.2.92.
Regression history
| Version | Behavior |
|---------|----------|
| sdk@0.2.92 | ✅ Works |
| sdk@0.2.94 | ❌ Broken — regression introduced alongside Mantle support |
| sdk@0.2.96 | ❌ Still broken — fix only covers Bearer/skip-auth paths |
Workaround
Pinning claude-code-action to commit 1eddb334 (sdk@0.2.92) restores correct behavior.
Related
- Related to #44944 (same root cause, different auth path)
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗