
[FEAT]: AWS SDK Credential Provider Chain Not Following Standard Order in Bedrock Integration #2588

@dannysteenman


What would you like to see?

The recent implementation of temporary credentials support in PR #2554 (fixing #2299) doesn't fully align with AWS SDK's standard credential provider chain behavior.

Current Behavior

The implementation appears to prioritize explicit credentials (access key, secret key, session token) over the standard AWS credential provider chain.

Expected Behavior

The AWS SDK should follow the standard credential provider chain where:

  1. The SDK first attempts to use credentials from the container/instance profile (ECS task role, EC2 instance profile)
  2. Only if that fails, it should fall back to other credential sources in the defined order:
    • Environment variables
    • Shared credentials file
    • Explicitly provided credentials

This is particularly important for containerized environments (like ECS) where best practice is to use task role credentials rather than long-term or even temporary explicit credentials.

Benefits of Following Standard Chain

  1. Better security by defaulting to short-lived credentials from container/instance roles
  2. Automatic credential rotation
  3. Follows AWS security best practices
  4. Consistent with how other AWS SDKs behave
  5. No need to manually manage credentials in most AWS deployment scenarios

Proposed Solution

Update the Bedrock client initialization to:

  1. First create the client without explicit credentials
  2. Only fall back to explicit credentials if the automatic credential resolution fails
  3. Maintain backward compatibility for cases where explicit credentials are needed
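
The fallback order proposed above, modeled as an added example that is not part of the original issue or the project's code. The names `resolveBedrockCredentials`, `explicitProvider`, `taskRole`, `noRole` and `savedKeys` are hypothetical, and the providers are injected stand-ins so the logic runs without the AWS SDK or network access.

```javascript
// Added example: models the fallback order proposed in the issue.
// `ambient` stands in for the SDK's automatic credential resolution and
// `settings` for keys saved in the application; all names are hypothetical.

function isUsable(creds) {
  return Boolean(creds && creds.accessKeyId && creds.secretAccessKey);
}

// Wrap explicitly configured keys as a provider so both sources share one shape.
function explicitProvider(settings) {
  return async () => {
    if (!isUsable(settings)) throw new Error("no explicit credentials configured");
    const { accessKeyId, secretAccessKey, sessionToken } = settings;
    return { accessKeyId, secretAccessKey, sessionToken };
  };
}

async function resolveBedrockCredentials({ ambient, settings }) {
  const attempts = [
    ["ambient", ambient],                      // step 1: no explicit credentials
    ["explicit", explicitProvider(settings)],  // step 2: fallback only
  ];
  const failures = [];
  for (const [source, provider] of attempts) {
    try {
      const creds = await provider();
      if (!isUsable(creds)) throw new Error("provider returned incomplete credentials");
      // Expose the winning source and whether it is temporary; never log the secret.
      return { source, temporary: Boolean(creds.sessionToken), creds };
    } catch (err) {
      failures.push(`${source}: ${err.message}`);
    }
  }
  throw new Error(`no credentials resolved (${failures.join("; ")})`);
}

// Constructed stand-ins for the runtime environment (values are not real keys).
const taskRole = async () => ({
  accessKeyId: "constructed-task-role-key",
  secretAccessKey: "constructed",
  sessionToken: "constructed",
});
const noRole = async () => { throw new Error("metadata endpoint unreachable"); };
const savedKeys = { accessKeyId: "constructed-saved-key", secretAccessKey: "constructed" };
```

Returning `source` lets the application log which credential path was taken, so an operator can see when saved keys are being bypassed by a role or, conversely, when a deployment expected to use a role is running on saved keys.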
