From cline
Diagnoses local AWS Bedrock authentication and region configuration issues for Cline CLI. Identifies auth scheme, validates credentials, and suggests user-facing fixes.
```bash
npx claudepluginhub cline/skills --plugin cline
```
How this skill is triggered (by the user, by Claude, or both): slash command /cline:dr-bedrock
The summary Claude sees in its skill listing, used to decide when to auto-load this skill:
Use this skill to diagnose local AWS Bedrock auth/configuration for the Cline CLI and report likely causes plus user-actionable fixes. This skill identifies problems only.
When this skill is invoked, the first thing you say to the user must always be exactly:
Paging Dr. Bedrock...
Then proceed with diagnostics or reporting.
Classify the likely auth scheme, then validate region, credentials, Cline config, and Bedrock model access.
Auth schemes to consider:
- apiKey or aws.authentication: "api-key".
- aws.accessKey + aws.secretKey, optional aws.sessionToken.
- aws.authentication: "profile" and aws.profile, or AWS_PROFILE.
- aws.authentication: "iam" or profile auth with no saved profile name.
- sso_session, sso_start_url, sso_account_id, or sso_role_name.
- credential_process.
- role_arn with source_profile, credential_source, or web identity.
- AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE or profile web identity settings.

Use these as recognition patterns, not as code-change recommendations:
| Symptom | Likely cause | User-facing fix |
|---|---|---|
| AWS region setting is missing. Pass it using the 'region' parameter or the AWS_REGION environment variable. | Older CLI provider path did not forward Bedrock region/options to the gateway (#10770; fixed by PR #10807 / related #10818). | Upgrade Cline CLI. Work around by exporting AWS_REGION=<region> and reconfiguring Bedrock if upgrade is not possible. |
| Profile auth says provider configured, then no provider is ready | Older readiness logic treated Bedrock like API-key-only (#6958). | Upgrade Cline CLI and re-run Bedrock provider setup. |
| AWS credential provider failed: Could not load credentials from any providers with credential_process | Missing/unsaved profile name, shared config not loaded, bad credential_process, or affected CLI build (#10930; PR #10932; legacy migration PR #10943). | Upgrade Cline CLI; ensure aws.profile or AWS_PROFILE names the profile; try AWS_SDK_LOAD_CONFIG=1; verify aws sts get-caller-identity --profile <profile>. |
| Migrated config has aws.authentication: "profile" but no aws.profile | Legacy migration dropped awsProfile when old awsUseProfile was absent (#10943). | Upgrade Cline CLI and re-run migration, or reconfigure Bedrock so the profile name is saved. |
| API-key Bedrock auth not recognized or mixed up with region env | Older auth mapping before API-key alignment (#10731). | Upgrade Cline CLI; confirm Cline config uses Bedrock API key auth and still has a region. |
| ACP/editor integration asks for Cline/ChatGPT auth even though CLI Bedrock works | Older ACP auth readiness issue (#9404). | Upgrade Cline CLI and verify ACP uses the same config directory. |
| Custom application inference profile ARN cannot be entered/used | Older CLI model picker limitation (#9244/#9271). | Upgrade Cline CLI; use custom/ARN model entry flow if available. |
Run safe read-only commands:
```bash
cline --version 2>/dev/null || npx cline --version 2>/dev/null || true
node --version 2>/dev/null || true
aws --version 2>/dev/null || true
pwd
```
Ask whether the user runs Cline with --config <dir>. If yes, inspect that config directory; otherwise inspect ~/.cline/data.
Never print raw provider/secrets files. Prefer jq; otherwise use Node.
```bash
CLINE_DATA_DIR="${CLINE_DATA_DIR:-$HOME/.cline/data}"
PROVIDERS="$CLINE_DATA_DIR/settings/providers.json"
if [ -f "$PROVIDERS" ] && command -v jq >/dev/null 2>&1; then
  # Redact any value whose key name looks secret, at every nesting level.
  jq '
    def redact:
      if type == "object" then
        with_entries(if (.key|test("(?i)(key|secret|token|password|credential)")) then .value="<redacted>" else .value=(.value|redact) end)
      elif type == "array" then map(redact)
      else . end;
    .providers.bedrock.settings? | redact
  ' "$PROVIDERS"
elif [ -f "$PROVIDERS" ]; then
  # Same redaction in Node when jq is not installed.
  node -e '
    const fs=require("fs"); const p=process.argv[1];
    const v=JSON.parse(fs.readFileSync(p,"utf8"));
    const r=(x)=>Array.isArray(x)?x.map(r):x&&typeof x==="object"?Object.fromEntries(Object.entries(x).map(([k,v])=>[k,/(key|secret|token|password|credential)/i.test(k)?"<redacted>":r(v)])):x;
    console.log(JSON.stringify(r(v.providers?.bedrock?.settings), null, 2));
  ' "$PROVIDERS"
else
  echo "No providers.json at $PROVIDERS"
fi
```
Interpretation:
- provider should be bedrock.
- model should be present.
- aws.region or top-level region should be present unless AWS_REGION/AWS_DEFAULT_REGION supplies it.
- If aws.authentication is profile but there is no aws.profile and no AWS_PROFILE, Cline will probably use the default AWS SDK credential chain. This is not a failure mode by itself. Treat it as healthy if the default-chain AWS identity and Bedrock checks succeed.
- If aws.authentication is iam, Cline is likely using the default AWS SDK chain.
- If apiKey is present or aws.authentication is api-key, this is Bedrock API key auth; AWS IAM profile checks may not apply, but region still does.

Also inspect legacy files only with redaction/key-presence checks if migration is suspected:
```bash
LEGACY="$CLINE_DATA_DIR/globalState.json"
SECRETS="$CLINE_DATA_DIR/secrets.json"
# Legacy state: print only the non-secret Bedrock fields.
[ -f "$LEGACY" ] && jq '{awsRegion, awsAuthentication, awsUseProfile, awsProfile, awsUseCrossRegionInference, awsUseGlobalInference, awsBedrockUsePromptCache}' "$LEGACY" 2>/dev/null || true
# Secrets file: list matching key names only, never values.
[ -f "$SECRETS" ] && jq 'keys | map(select(test("(?i)(aws|bedrock)")))' "$SECRETS" 2>/dev/null || true
```
Do not print values from secrets.json.
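The auth-scheme patterns and interpretation rules above can be applied mechanically to the redacted settings object. The following is an added example, not part of the Cline skill or CLI; the function name, the scheme labels, and the assumption that provider and model sit at the top level of the settings object are illustrative.

```python
def classify_bedrock_auth(settings, env_names):
    """Classify the auth scheme from key presence; return (scheme, problems, notes)."""
    aws = settings.get("aws") or {}
    mode = aws.get("authentication")
    problems, notes = [], []

    # Assumption: provider and model sit at the top level of the settings object.
    if settings.get("provider") != "bedrock":
        problems.append("provider is not bedrock")
    if not settings.get("model"):
        problems.append("model is missing")

    # Region may come from aws.region, top-level region, or the environment.
    if not (aws.get("region") or settings.get("region")
            or {"AWS_REGION", "AWS_DEFAULT_REGION"} & env_names):
        problems.append("no region in config or environment")

    # Redacted values still count: only the presence of a key matters here.
    if "apiKey" in settings or mode == "api-key":
        scheme = "api-key"
        notes.append("IAM profile checks may not apply; region still does")
    elif "accessKey" in aws and "secretKey" in aws:
        scheme = "access-keys"
    elif mode == "profile" and (aws.get("profile") or "AWS_PROFILE" in env_names):
        scheme = "profile"
    elif mode in ("profile", "iam"):
        scheme = "default-chain"
        if mode == "profile":
            # Not a failure by itself: healthy if STS and Bedrock checks pass.
            notes.append("profile auth without a profile name; default chain applies")
    else:
        scheme = "unknown"
        notes.append("not determinable from Cline settings; inspect AWS config files")
    return scheme, problems, notes


# Constructed sample: redacted settings matching the legacy migration case
# (aws.authentication is "profile" but aws.profile was dropped).
MIGRATED = {"provider": "bedrock", "model": "<model-id>",
            "aws": {"authentication": "profile"}}

if __name__ == "__main__":
    print(classify_bedrock_auth(MIGRATED, {"AWS_REGION"}))
    print(classify_bedrock_auth(MIGRATED, set()))
```

Pass the names of the AWS variables that are set as `env_names`; secret values are never needed for the classification.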
Environment credentials can override profile/default-chain behavior. Print presence, not credential values:
```bash
python3 - <<'PY'
import os, re

# Variables whose values are safe to show.
safe = ["AWS_PROFILE","AWS_REGION","AWS_DEFAULT_REGION","AWS_CONFIG_FILE","AWS_SHARED_CREDENTIALS_FILE","AWS_SDK_LOAD_CONFIG"]
# Variables whose presence is reported but whose values are never printed.
secretish = ["AWS_ACCESS_KEY_ID","AWS_SECRET_ACCESS_KEY","AWS_SESSION_TOKEN","AWS_SECURITY_TOKEN"]
for k in safe:
    if k in os.environ:
        print(f"{k}={os.environ[k]}")
for k in secretish:
    if k in os.environ:
        print(f"{k}=<set redacted>")
for k in ["AWS_ROLE_ARN","AWS_WEB_IDENTITY_TOKEN_FILE","AWS_CONTAINER_CREDENTIALS_RELATIVE_URI","AWS_CONTAINER_CREDENTIALS_FULL_URI"]:
    if k in os.environ:
        v = os.environ[k]
        if k == "AWS_ROLE_ARN":
            # Mask the account ID inside the role ARN.
            v = re.sub(r"arn:aws[a-z-]*:iam::\d{12}:", "arn:aws:iam::<account>:", v)
        print(f"{k}={v}")
PY
```
Flag these issues:
- AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY are set unexpectedly: they can take precedence over profiles and point Cline at the wrong account.
- AWS_PROFILE differs from Cline aws.profile: Cline should use the saved profile when present; otherwise environment/default chain may be used. Only treat this as a likely issue if the resolved identity/account/region is demonstrably wrong for the intended Bedrock access.
- AWS_SESSION_TOKEN: STS-derived credentials will fail.

List profile sections and non-secret key names. Do not print access key values.
```bash
AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
AWS_SHARED_CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
for f in "$AWS_CONFIG_FILE" "$AWS_SHARED_CREDENTIALS_FILE"; do
  echo "--- $f ---"
  [ -f "$f" ] || { echo "missing"; continue; }
  awk '
    # Section headers such as [default] or [profile name] are safe to print.
    /^\[/ { section=$0; print section; next }
    # Secret keys: print the key name only. Everything from "=" onward is
    # stripped so a line written without spaces (key=value) cannot leak.
    /^[[:space:]]*(aws_access_key_id|aws_secret_access_key|aws_session_token)[[:space:]]*=/ {
      key=$1; sub(/[[:space:]]*=.*/, "", key)
      print "  " key "=<redacted>"; next
    }
    # Non-secret keys: print as-is, except role ARNs and process commands.
    /^[[:space:]]*(region|sso_session|sso_start_url|sso_region|sso_account_id|sso_role_name|role_arn|source_profile|credential_source|web_identity_token_file|credential_process)[[:space:]]*=/ {
      key=$1; sub(/[[:space:]]*=.*/, "", key)
      if (key ~ /role_arn/) print "  " key "=<present redacted>";
      else if (key ~ /credential_process/) print "  " key "=<present redacted>";
      else print "  " $0
    }
  ' "$f"
done
```
Interpretation:
- In ~/.aws/config, named profiles are [profile name]; in ~/.aws/credentials, they are [name].
- credential_process should work through the AWS SDK chain in fixed CLI builds, but it must be the active profile.
- aws sso login --profile <profile> as the user if expired.

Use the likely profile and region. If no profile is configured, omit --profile to test the default chain.
```bash
PROFILE_ARG="--profile <profile>"  # replace or leave empty for default chain
REGION_ARG="--region <region>"     # replace with Cline/AWS region
aws sts get-caller-identity $PROFILE_ARG --output json
aws configure list $PROFILE_ARG
```
get-caller-identity does not reveal secret credentials, but account IDs/role names can be sensitive. Redact them in the final report unless the user already shared them.
Evaluation rules:
- If aws sts get-caller-identity succeeds without --profile, that auth path looks good unless there is direct evidence that Cline runs in a different environment.
- If aws configure list reports credential source/type as login and STS plus Bedrock list/get model calls succeed, treat the AWS CLI login/default-chain path as working. Do not claim Cline cannot use it unless there is an actual Cline error or version-specific evidence.
- aws.profile is only a problem when the user intended a specific non-default profile and the default-chain identity is wrong or cannot access Bedrock.
- ~/.aws/credentials, SSO fields, credential_process, or AWS_PROFILE is not a problem when another default-chain source resolves successfully.

Fix guidance by failure:
- aws sso login --profile <profile>.
- credential_process; test aws sts get-caller-identity --profile <profile>; ensure the process is executable and returns AWS process-credential JSON.
- aws.profile, export AWS_PROFILE, or fix section names in AWS files.

```bash
aws bedrock list-foundation-models $PROFILE_ARG $REGION_ARG --by-output-modality TEXT --output table
```
If the selected model is known, also check availability where supported:
```bash
aws bedrock get-foundation-model $PROFILE_ARG $REGION_ARG --model-identifier '<model-id>' --output json
```
Troubleshoot results:
- AccessDeniedException: identity lacks bedrock:InvokeModel, bedrock:InvokeModelWithResponseStream, list/get model permissions, Marketplace/model access permissions, or an SCP/permission boundary denies access.

If STS identity and Bedrock model listing work, do not force an auth diagnosis. Some Bedrock failures are request/history/model issues:

- Invalid type for parameter ... image.source.bytes or screenshot/history replay failures: likely Bedrock image bytes serialization, not auth (#10926 / PR #10928). Suggest upgrading Cline CLI and retrying a fresh task without replayed screenshot history.
- ValidationException for a model ID/ARN: often wrong region, unsupported model ID, missing inference profile, or using an application inference profile ARN with the wrong account/region.

Use one of two output modes.
By default, keep the final answer concise and report only:
- credential_process, denied Bedrock access, unavailable selected model/region, or a known affected Cline version paired with the matching symptom.

The Diagnosis must be the last section in the report. In the diagnosis text, tell the user to scroll up for remediation steps or optional next checks.
At the end of normal-mode output, tell the user they can ask for deeper debugging information by saying something like: Show me Dr. Bedrock's deep debugging details or Run Dr. Bedrock in verbose mode.
If the user asks for more information, verbose output, deep debugging details, or asks to see how Dr. Bedrock reached the conclusion, include sections 1–4 before the normal-mode sections:
Do not invent an issue just to have one. If the config is coherent, AWS identity resolves, region is set, and Bedrock model/list checks pass, conclude Looks good. If something is merely different from a named-profile setup but still resolves through the default credential chain, do not call it a problem. If you noticed possible concerns that are weakly related or unlikely, include them only as optional Low-probability observations within the Looks good diagnosis rather than presenting them as root causes.
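```bash
# Upgrade Cline CLI and confirm the version
npm install -g cline@latest
cline --version

# Run Cline with profile, region and shared config supplied by the environment
AWS_PROFILE=<profile> AWS_REGION=<region> AWS_SDK_LOAD_CONFIG=1 cline

# Refresh an SSO session and confirm the identity resolves
aws sso login --profile <profile>
aws sts get-caller-identity --profile <profile>

# Re-run Bedrock provider setup
cline auth
```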
Choose AWS Bedrock, leave API key blank for profile/default-chain auth, enter region, and enter the AWS profile name when prompted.
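
The fix guidance for credential_process failures asks that the helper return AWS process-credential JSON. This added example (not part of the Cline skill or CLI) checks that shape offline without echoing credential values; the function name and sample values are constructed, and the ASIA-prefix check relies on AWS's convention for temporary access key IDs.

```python
import json
from datetime import datetime, timezone


def check_process_credentials(raw, now=None):
    """Validate credential_process stdout and return a list of findings.

    Findings name keys and the expiry only; credential values are never echoed.
    """
    now = now or datetime.now(timezone.utc)
    try:
        doc = json.loads(raw)
    except ValueError:
        return ["stdout is not pure JSON (prompts or log lines belong on stderr)"]
    if not isinstance(doc, dict):
        return ["top-level JSON value is not an object"]

    findings = []
    if doc.get("Version") != 1:
        findings.append("Version must be 1")
    for key in ("AccessKeyId", "SecretAccessKey"):
        if not isinstance(doc.get(key), str) or not doc[key]:
            findings.append(f"{key} missing or empty")

    # Temporary (STS-derived) keys are unusable without their session token.
    key_id = doc.get("AccessKeyId")
    if isinstance(key_id, str) and key_id.startswith("ASIA") and not doc.get("SessionToken"):
        findings.append("temporary (ASIA) key without SessionToken")

    expiration = doc.get("Expiration")
    if expiration is not None:
        try:
            expires = datetime.fromisoformat(str(expiration).replace("Z", "+00:00"))
        except ValueError:
            findings.append("Expiration is not an ISO 8601 timestamp")
        else:
            if expires.tzinfo is None:
                findings.append("Expiration has no timezone")
            elif expires <= now:
                findings.append(f"credentials expired at {expiration}")
    return findings


# Constructed sample output with fake values: a temporary key, no SessionToken.
SAMPLE = json.dumps({"Version": 1, "AccessKeyId": "ASIAEXAMPLE",
                     "SecretAccessKey": "constructed", "Expiration": "2024-01-01T01:00:00Z"})

if __name__ == "__main__":
    print(check_process_credentials(SAMPLE))
```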