Skip to content

Bedrock SigV4 authentication broken after v1.0.90 (Claude Code 2.1.96 / Agent SDK 0.2.96) #1193

Open
Open
Bedrock SigV4 authentication broken after v1.0.90 (Claude Code 2.1.96 / Agent SDK 0.2.96)#1193
Labels
bugSomething isn't workingp1Showstopper bug preventing substantial subset of users from using the product, or incorrect docsprovider:bedrockAWS Bedrock API
@Tocyuki

Description

@Tocyuki
Tocyuki
opened on Apr 8, 2026

Describe the bug

After the v1 floating tag was updated to v1.0.90 (commit 26ddc358, bumping Claude Code to 2.1.96 and Agent SDK to 0.2.96) on 2026-04-08 at 04:43 UTC, all Bedrock-authenticated workflows fail with a 403 authentication error.

The Authorization header sent to the Bedrock API is not using AWS SigV4 signing format. Instead of AWS4-HMAC-SHA256 Credential=... Signature=... SignedHeaders=..., a bare base64 string is sent.

Error message:

Failed to authenticate. API Error: 403 Authorization header requires 'Credential' parameter.
Authorization header requires 'Signature' parameter.
Authorization header requires 'SignedHeaders' parameter.
(Hashed with SHA-256 and encoded with Base64) Authorization=cQ4NvdQimYUQF6TWcmXs0EbxtO23QVJZkqGmqPqAElg=

The SDK initialization line in the error trace shows new Anthropic({ apiKey, dangerouslyAllowBrowser: true }), suggesting the regular Anthropic client is being used instead of the Bedrock client despite use_bedrock: "true".

To Reproduce

  1. Set up a reusable workflow using anthropics/claude-code-action@v1 with use_bedrock: "true"
  2. Configure AWS credentials via OIDC (aws-actions/configure-aws-credentials@v6)
  3. Trigger the workflow after 2026-04-08 04:43 UTC (when v1 tag was updated)
  4. Observe 403 authentication error

Expected behavior

The action should use AWS SigV4 signing when use_bedrock: "true" is set, as it did in v1.0.89 and earlier.

Evidence of regression

Run time (UTC) Result v1 tag version
04:42:28 ✅ Success Pre-update (v1.0.89)
04:59:05 ❌ Failure Post-update (v1.0.90)
05:03:06 ❌ Failure Post-update (v1.0.90)
05:33:14 ✅ Success Pinned to v1.0.89 (workaround)

Multiple workflow types (auto-triage, code-review) are affected.

Workflow yml file

- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v6
  with:
    role-to-assume: ${{ inputs.aws_role_arn }}
    aws-region: ${{ inputs.aws_region }}

- name: Run Claude
  uses: anthropics/claude-code-action@v1
  with:
    use_bedrock: "true"
    track_progress: false
    github_token: ${{ secrets.GITHUB_TOKEN }}
    prompt: ${{ inputs.prompt }}
    claude_args: >-
      ${{ inputs.model != '' && format('--model {0}', inputs.model) || '' }}
      --allowedTools
      Read,
      Glob,
      LS

API Provider

  • AWS Bedrock

Workaround

Pin to @v1.0.89:

uses: anthropics/claude-code-action@v1.0.89

Additional context

  • The v1 tag was moved to commit 26ddc358 ("chore: bump Claude Code to 2.1.96 and Agent SDK to 0.2.96") at 04:43 UTC
  • AWS credentials are confirmed valid (the "Configure AWS credentials" OIDC step succeeds)
  • The ANTHROPIC_API_KEY env var is shown as empty in the runner logs, which is expected for Bedrock mode
  • The v1.0.90 release notes mention only MCP timeout forwarding and a security fix, but the underlying Claude Code / Agent SDK bump appears to be the cause

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingp1Showstopper bug preventing substantial subset of users from using the product, or incorrect docsprovider:bedrockAWS Bedrock API

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions