bedrock-discovery ignores env.vars and AWS credentials from config #32290

@hsiaoa

Description

openclaw status runs bedrock-discovery which always fails with AccessDeniedException: Authentication failed: Please make sure your API Key is valid. even though:

  1. The Bedrock providers in openclaw.json use "auth": "aws-sdk" and the correct credentials are configured
  2. The same credentials work perfectly via AWS CLI (aws bedrock list-foundation-models)
  3. The LaunchAgent gateway plist has the correct env vars and Bedrock models work fine in actual sessions

Steps to Reproduce

  1. Configure Bedrock providers with "auth": "aws-sdk" in openclaw.json
  2. Set AWS_PROFILE, AWS_ACCESS_KEY_ID, and AWS_SECRET_ACCESS_KEY in env.vars
  3. Run openclaw status

[bedrock-discovery] Failed to list models: AccessDeniedException: Authentication failed: Please make sure your API Key is valid.
[bedrock-discovery] Failed to list models: AccessDeniedException: Authentication failed: Please make sure your API Key is valid.

(Two errors = two Bedrock providers, ap-northeast-1 and us-east-1)

What I've tried

  • Setting AWS_PROFILE={profile} in openclaw.json env.vars
  • Setting AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY directly in env.vars
  • Passing env vars explicitly in the shell: AWS_PROFILE={profile} openclaw status
  • Setting AWS_DEFAULT_PROFILE={profile} in the shell ❌

All of the above have no effect. The discovery subprocess appears to ignore both shell environment variables and env.vars from the config.

Verification that credentials work

$ AWS_PROFILE={profile} aws sts get-caller-identity
{
    "UserId": "{ID}",
    "Account": "{ID}",
    "Arn": "arn:aws:iam::{ID}:user/{ID}"
}

$ AWS_PROFILE={profile} aws bedrock list-foundation-models --region {region} --query 'modelSummaries | length(@)'
62

$ AWS_PROFILE={profile} aws bedrock list-foundation-models --region {region} --query 'modelSummaries | length(@)'
124

IAM user has bedrock:ListFoundationModels permission in both regions.

Impact

  • Cosmetic only — actual Bedrock model usage in sessions works fine (gateway LaunchAgent has correct env vars)
  • The error message is noisy and shows on every openclaw status / openclaw gateway install invocation

Expected Behavior

bedrock-discovery should resolve AWS credentials using the standard AWS SDK credential chain, respecting:

  1. env.vars from openclaw.json
  2. Shell environment variables (AWS_PROFILE, AWS_ACCESS_KEY_ID, etc.)
  3. ~/.aws/credentials profiles

Environment

  • OpenClaw: 2026.3.1 (also reproduced on 2026.2.24 and 2026.2.26)
  • OS: macOS 26.3 (arm64)
  • Node: 25.2.1
  • Auth mode: aws-sdk (IAM access keys, not ABSK bearer tokens)
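
The credential sources listed under Expected Behavior can be inventoried without leaking secrets into a bug report. The following is an added example, not part of the original issue and not OpenClaw code; the `{ env: { vars } }` config shape, the merge order (config over shell), the function name and the finding labels are assumptions, and the sample values are constructed placeholders.

```javascript
// Added example, not OpenClaw code. The { env: { vars } } config shape and the
// "config overrides shell" merge order are assumptions for illustration.
const WATCHED = ["AWS_PROFILE", "AWS_DEFAULT_PROFILE", "AWS_ACCESS_KEY_ID",
  "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN", "AWS_BEARER_TOKEN_BEDROCK"];
const SECRET = new Set(["AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
  "AWS_BEARER_TOKEN_BEDROCK"]);

// Never echo secret values into a report; show only that they are set.
function mask(name, value) {
  return SECRET.has(name) ? `<set, ${value.length} chars>` : value;
}

function describeCredentialSources(config, shellEnv) {
  const configVars = (config && config.env && config.env.vars) || {};
  const merged = { ...shellEnv, ...configVars };
  const seen = {};
  for (const name of WATCHED) {
    const value = merged[name];
    if (typeof value !== "string" || value === "") continue;
    const from = Object.hasOwn(configVars, name) ? "openclaw.json env.vars" : "shell";
    seen[name] = { from, value: mask(name, value) };
  }
  const findings = [];
  // The report uses IAM access keys, so a set Bedrock bearer token is flagged.
  if (seen.AWS_BEARER_TOKEN_BEDROCK) findings.push("bearer-token-set");
  if (Boolean(seen.AWS_ACCESS_KEY_ID) !== Boolean(seen.AWS_SECRET_ACCESS_KEY))
    findings.push("incomplete-static-key-pair");
  // Two competing sources; which one is used depends on the SDK's chain.
  if (seen.AWS_PROFILE && seen.AWS_ACCESS_KEY_ID)
    findings.push("profile-and-static-keys-both-set");
  if (Object.keys(seen).length === 0) findings.push("no-env-credentials");
  return { seen, findings };
}

// Constructed sample input: placeholder values, not real credentials.
const sampleConfig = { env: { vars: { AWS_PROFILE: "example-profile" } } };
const sampleShell = {
  AWS_ACCESS_KEY_ID: "AKIAEXAMPLEEXAMPLE00",
  AWS_SECRET_ACCESS_KEY: "constructed-placeholder-secret",
  PATH: "/usr/bin",
};
console.log(JSON.stringify(describeCredentialSources(sampleConfig, sampleShell), null, 2));
```

Running it with `process.env` and the parsed config in place of the samples shows, per variable, whether the value came from the config or the shell, which is the distinction the report is trying to establish.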
