[BUG]
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
What's wrong
After upgrading to Claude Code 2.1.207, every Bedrock request fails immediately with:
API Error: UnauthorizedException: Session token not found or invalid
Downgrading to 2.1.206 in the same shell, with no other changes, restores working
behaviour. Nothing changed in AWS config, IAM, or environment variables. The AWS CLI
works fine from the same shell with the same credentials, so this is isolated to
Claude Code.
What Should Happen?
Request succeeds, as it does via the AWS CLI and as it does on 2.1.206.
Error Messages/Logs
[DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
[DEBUG] [API:auth] AWS credential resolve done in 897ms
[DEBUG] [API:timing] dispatching to bedrock model=eu.anthropic.claude-sonnet-4-6
[DEBUG] [API:auth] resolving default AWS provider chain (region: eu-west-2)
[ERROR] API error (attempt 1/11): UnauthorizedException: Session token not found or invalid
Steps to Reproduce
aws sso login --profile <corporate-sso-profile>- Confirm the same credentials, network and model work outside Claude Code:
aws bedrock-runtime invoke-model \
--model-id eu.anthropic.claude-sonnet-4-6 \
--region eu-west-2 \
--body '{"anthropic_version":"bedrock-2023-05-31","max_tokens":10,"messages":[{"role":"user","content":"hi"}]}' \
--cli-binary-format raw-in-base64-out /dev/stdout
This succeeds.
- Run
claudeon 2.1.207 with CLAUDE_CODE_USE_BEDROCK=1 and AWS_PROFILE set. - Send any prompt. Fails with UnauthorizedException on all 11 retries.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
2.1.206
Claude Code Version
2.1.207
Platform
AWS Bedrock
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
Environment
- Claude Code: 2.1.207 (broken), 2.1.206 (works)
- Install method: native binary
- OS: Ubuntu on WSL2
- Provider: Amazon Bedrock (CLAUDE_CODE_USE_MANTLE not set)
- Auth: corporate AWS SSO profile via IAM Identity Center (AWS_PROFILE)
- Region: eu-west-2
- Models tried: eu.anthropic.claude-opus-4-8[1m], eu.anthropic.claude-opus-4-7,
eu.anthropic.claude-sonnet-4-6 — all fail identically
Expected
Request succeeds, as it does via the AWS CLI and as it does on 2.1.206.
Actual
UnauthorizedException: Session token not found or invalid, on every attempt.
What has been ruled out
- Credentials: debug log shows "Fetched AWS caller identity, skipping AWS auth
refresh command" immediately before each failed attempt. STS resolves fine.
- Credential chain / profile resolution: exporting static creds via
aws configure export-credentials --format env and unsetting AWS_PROFILE
produces the identical error.
- Model / inference profile: three different models fail identically.
- Network, TLS interception, IAM, model access: the AWS CLI call in step 2 succeeds
from the same shell.
- Auto mode / afk-mode beta: setting
"disableAutoMode": truein ~/.claude/settings.json
stops the beta being sent (confirmed — no afk-mode lines in --debug output, and
the gate reports disabledBySettings=true, canEnterAuto=false). The error persists.
- Version: 2.1.206 works, 2.1.207 does not. Clean bisect.
Two observations that may help narrow this down:
- The failure returns in ~45-90ms, while the STS call in the same session takes
~900ms. The request appears to be rejected before completing a normal round trip
to eu-west-2.
- "UnauthorizedException: Session token not found or invalid" is not the wording
Bedrock InvokeModel returns for invalid SigV4 credentials (that is a 403,
"The security token included in the request is invalid"). This suggests the
request is reaching a different endpoint or auth path than expected.
Suspected cause
The 2.1.207 release notes include:
"Fixed Bedrock repeatedly requesting fresh AWS SSO credentials from IAM Identity
Center on every API request"
This changes the exact auth path in use here (Bedrock + AWS SSO via IAM Identity
Center), and is the only 2.1.207 change that touches it.
The other Bedrock-facing change in 2.1.207 — auto mode becoming default-on, which the
debug log confirms was sending the afk-mode beta to Bedrock on every request — has been
ruled out by direct test (see above).
Workaround
Downgrade to 2.1.206 and disable the auto-updater so the native install doesn't
pull 2.1.207 back in:
curl -fsSL https://claude.ai/install.sh | bash -s 2.1.206
export DISABLE_AUTOUPDATER=1
Bedrock requests work again immediately, with no other changes.
Possibly related
- #45000 / #45004 — 2.1.94 Bedrock auth regression (bearer-token path)
- #4229 — older SSO profile credential resolution issue
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗