openclaw
diff --git a/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎extensions/amazon-bedrock/aws-credential-refresh.ts‎
Lines changed: 42 additions & 0 deletions b/‎extensions/amazon-bedrock/aws-credential-refresh.ts‎
Lines changed: 42 additions & 0 deletions
diff --git a/‎extensions/amazon-bedrock/discovery.ts‎
Lines changed: 4 additions & 0 deletions b/‎extensions/amazon-bedrock/discovery.ts‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎extensions/amazon-bedrock/embedding-provider.ts‎
Lines changed: 16 additions & 10 deletions b/‎extensions/amazon-bedrock/embedding-provider.ts‎
Lines changed: 16 additions & 10 deletions
@@ -145,6 +145,7 @@ Docs: https://docs.openclaw.ai
 - CLI backends: keep versioned OAuth identity matches reusable when auth profile ids rotate, so Claude CLI sessions do not reset and lose continuity during same-account OAuth refresh/profile alias changes. Fixes #78541.
 - Model providers: normalize APNG sniffed PNG uploads, preserve Gemini 3 tool-call thought-signature replay with documented fallback signatures, accept legacy `__env__:VAR` custom-provider keys, and repair snake_case tool-call transcript sanitization. Fixes #51881, #48915, #77566, and #42858.
 - Telegram/models: parse provider ids containing dots in `/models` callback buttons so `hf.co` model lists render as inline keyboard buttons. Fixes #38745.
+- Amazon Bedrock: refresh shared AWS profile/config file credentials before Bedrock model, discovery, and embedding requests so long-running Gateway processes pick up renewed profile credentials without restart. Fixes #77551.
 - Anthropic: reject uppercase provider-prefixed forward-compat model ids locally instead of sending malformed dynamic ids upstream. Fixes #73715.
 - OpenAI/embeddings: pass configured output dimensionality through single and batched embedding requests so memory embedding indexes can request smaller vectors. Fixes #55126.
 - CLI/infer: normalize HEIC/HEIF image files to JPEG before model-run requests, avoiding providers that reject Apple image container formats. Fixes #50081.
 
@@ -0,0 +1,42 @@
+type SharedIniFileLoader = {
+  loadSharedConfigFiles(init?: { ignoreCache?: boolean }): Promise<unknown>;
+};
+
+let sharedIniFileLoaderForTest: SharedIniFileLoader | null | undefined;
+
+function hasStaticAwsCredentialEnv(env: NodeJS.ProcessEnv): boolean {
+  return Boolean(env.AWS_ACCESS_KEY_ID && env.AWS_SECRET_ACCESS_KEY);
+}
+
+export function shouldRefreshAwsSharedConfigCacheForBedrock(env: NodeJS.ProcessEnv): boolean {
+  if (env.AWS_BEDROCK_SKIP_AUTH === "1" || env.AWS_BEARER_TOKEN_BEDROCK) {
+    return false;
+  }
+  return !hasStaticAwsCredentialEnv(env);
+}
+
+async function loadSharedIniFileLoader(): Promise<SharedIniFileLoader> {
+  if (sharedIniFileLoaderForTest !== undefined) {
+    if (!sharedIniFileLoaderForTest) {
+      throw new Error("AWS shared INI file loader unavailable");
+    }
+    return sharedIniFileLoaderForTest;
+  }
+  return (await import("@smithy/shared-ini-file-loader")) as SharedIniFileLoader;
+}
+
+export async function refreshAwsSharedConfigCacheForBedrock(
+  env: NodeJS.ProcessEnv = process.env,
+): Promise<void> {
+  if (!shouldRefreshAwsSharedConfigCacheForBedrock(env)) {
+    return;
+  }
+  const loader = await loadSharedIniFileLoader();
+  await loader.loadSharedConfigFiles({ ignoreCache: true });
+}
+
+export function setAwsSharedIniFileLoaderForTest(
+  loader: SharedIniFileLoader | null | undefined,
+): void {
+  sharedIniFileLoaderForTest = loader;
+}
@@ -14,6 +14,7 @@ import {
   normalizeLowercaseStringOrEmpty,
   normalizeOptionalLowercaseString,
 } from "openclaw/plugin-sdk/text-runtime";
+import { refreshAwsSharedConfigCacheForBedrock } from "./aws-credential-refresh.js";
 import { resolveBedrockConfigApiKey } from "./discovery-shared.js";
 
 const log = createSubsystemLogger("bedrock-discovery");
@@ -481,6 +482,9 @@ export async function discoverBedrockModels(params: {
     ? createInjectedClientDiscoverySdk()
     : await loadBedrockDiscoverySdk();
   const clientFactory = params.clientFactory ?? ((region: string) => sdk.createClient(region));
+  if (!params.clientFactory) {
+    await refreshAwsSharedConfigCacheForBedrock();
+  }
   const client = clientFactory(params.region);
 
   const discoveryPromise = (async () => {
 
@@ -5,6 +5,7 @@ import {
   type MemoryEmbeddingProviderCreateOptions,
 } from "openclaw/plugin-sdk/memory-core-host-engine-embeddings";
 import { normalizeLowercaseStringOrEmpty } from "openclaw/plugin-sdk/text-runtime";
+import { refreshAwsSharedConfigCacheForBedrock } from "./aws-credential-refresh.js";
 
 // ---------------------------------------------------------------------------
 // Types & constants
@@ -263,7 +264,6 @@ export async function createBedrockEmbeddingProvider(
 ): Promise<{ provider: MemoryEmbeddingProvider; client: BedrockEmbeddingClient }> {
   const client = resolveBedrockEmbeddingClient(options);
   const { BedrockRuntimeClient, InvokeModelCommand } = await loadSdk();
-  const sdk = new BedrockRuntimeClient({ region: client.region });
   const spec = resolveSpec(client.model);
   const family = spec?.family ?? inferFamily(client.model);
 
@@ -275,15 +275,21 @@ export async function createBedrockEmbeddingProvider(
   });
 
   const invoke = async (body: string): Promise<string> => {
-    const res = await sdk.send(
-      new InvokeModelCommand({
-        modelId: client.model,
-        body,
-        contentType: "application/json",
-        accept: "application/json",
-      }),
-    );
-    return new TextDecoder().decode(res.body);
+    await refreshAwsSharedConfigCacheForBedrock();
+    const sdk = new BedrockRuntimeClient({ region: client.region });
+    try {
+      const res = await sdk.send(
+        new InvokeModelCommand({
+          modelId: client.model,
+          body,
+          contentType: "application/json",
+          accept: "application/json",
+        }),
+      );
+      return new TextDecoder().decode(res.body);
+    } finally {
+      sdk.destroy();
+    }
   };
 
   const isCohere = family === "cohere-v3" || family === "cohere-v4";