claude-code
claude-code copied to clipboard
Published
3 weeks ago
•
anthropics
anthropics
[BUG] VS Code Extension gets stuck in infinite loop after streaming 403 fallback with AWS Bedrock SCP denial
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Title: VS Code Extension gets stuck in infinite loop after streaming 403 fallback with AWS Bedrock SCP denial
Environment
- VS Code Extension Version: 2.0.28
- Platform: Windows (Git Bash)
- Claude Code CLI: Works perfectly with identical configuration
- AWS Provider: Bedrock with SCP that denies bedrock:InvokeModelWithResponseStream but allows bedrock:InvokeModel
Configuration
VS Code settings.json:
"claudeCode.environmentVariables": [
{
"name": "CLAUDE_CODE_USE_BEDROCK",
"value": true
},
{
"name": "AWS_PROFILE",
"value": "<profile name here>"
},
{
"name": "AWS_REGION",
"value": "us-east-1"
},
{
"name": "ANTHROPIC_MODEL",
"value": "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
},
{
"name": "CLAUDE_CODE_SUBAGENT_MODEL",
"value": "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
}
]
~/.claude/settings.json (CLI - works perfectly):
{
"awsAuthRefresh": "aws sso login --profile <profile name here>",
"env": {
"AWS_REGION": "us-east-1",
"CLAUDE_CODE_USE_BEDROCK": "1",
"AWS_PROFILE": "<profile name here>",
"ANTHROPIC_MODEL": "us.anthropic.claude-sonnet-4-5-20250929-v1:0",
"CLAUDE_CODE_SUBAGENT_MODEL": "us.anthropic.claude-sonnet-4-5-20250929-v1:0"
}
}
Expected Behavior
Extension should fall back to non-streaming mode gracefully when streaming is denied by SCP, just like the CLI
does.
Actual Behavior
Extension gets stuck in an infinite spinning state with no response displayed to the user.
Logs
[ERROR] Error streaming, falling back to non-streaming mode: 403
{"Message":"User:
arn:aws:sts::533267389385:assumed-role/AWSReservedSSO_Q2Administrator_3da3ef4ae82483b1/[email protected]
is not authorized to perform: bedrock:InvokeModelWithResponseStream
on resource: arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0
with an explicit deny in a service control policy"}
[DEBUG] Stream started - received first chunk
[DEBUG] Shell snapshot created successfully (2333 bytes)
[DEBUG] Fetching AWS caller identity for AWS auth refresh command
[DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
[DEBUG] Fetching AWS caller identity for AWS auth refresh command
[DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
[DEBUG] Fetching AWS caller identity for AWS auth refresh command
...
(repeats indefinitely every ~5-10 seconds)
Key Observations
1. Extension successfully falls back to non-streaming mode
2. Extension receives first chunk of data successfully
3. Extension then gets stuck in infinite loop fetching AWS caller identity
4. CLI works perfectly with identical AWS credentials, profile, region, and model
5. This appears to be a bug in how the extension handles the non-streaming fallback after streaming is denied
Impact
VS Code extension is completely unusable for organizations with AWS SCPs that restrict streaming API calls, even
though the CLI works fine and non-streaming fallback is technically successful.
Workaround
Currently forced to use CLI instead of VS Code extension.
### What Should Happen?
Extension should be able to respond to a query.
### Error Messages/Logs
```shell
2025-10-29 15:21:50.715 [info] Received message from webview:
{"type":"request","requestId":"9jw939fs0r7","request":{"type":"rename_tab","title":"What is today?"}}
[... initialization logs ...]
2025-10-29 15:21:51.947 [info] From claude: [ERROR] Error streaming, falling back to non-streaming mode: 403
{"Message":"User:
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyCompanyAdministrator_abc123/[email protected] is not
authorized to perform: bedrock:InvokeModelWithResponseStream on resource:
arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0 with an explicit deny in a service
control policy"}
2025-10-29 15:21:53.778 [info] From claude: [DEBUG] Stream started - received first chunk
2025-10-29 15:21:55.394 [info] From claude: [DEBUG] Shell snapshot created successfully (2333 bytes)
[... repeated AWS caller identity fetches ...]
2025-10-29 15:25:00.684 [info] From claude: [ERROR] Error in non-streaming fallback: 403 {"Message":"User:
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyCompanyAdministrator_abc123/[email protected] is not
authorized to perform: bedrock:InvokeModel on resource:
arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0 with an explicit deny in a service
control policy"}
Did something change? Is the extension working now?
> No the extension is not working.
● Got it. Here's the anonymized version of that full log for your GitHub issue:
2025-10-29 15:21:50.715 [info] Received message from webview:
{"type":"request","requestId":"9jw939fs0r7","request":{"type":"rename_tab","title":"What is today?"}}
2025-10-29 15:21:50.779 [info] From claude: [DEBUG] Writing to temp file:
C:\Users\UserName\.claude.json.tmp.40848.1761765710778
2025-10-29 15:21:50.780 [info] From claude: [DEBUG] Preserving file permissions: 100666
2025-10-29 15:21:50.830 [info] From claude: [DEBUG] Temp file written successfully, size: 85961 bytes
2025-10-29 15:21:50.831 [info] From claude: [DEBUG] Applied original permissions to temp file
[DEBUG] Renaming C:\Users\UserName\.claude.json.tmp.40848.1761765710778 to C:\Users\UserName\.claude.json
2025-10-29 15:21:50.832 [info] From claude: [DEBUG] File C:\Users\UserName\.claude.json written atomically
2025-10-29 15:21:50.844 [info] From claude: [DEBUG] Slash commands included in SlashCommand tool:
[DEBUG] Skills and commands included in Skill tool:
2025-10-29 15:21:51.947 [info] From claude: [ERROR] Error streaming, falling back to non-streaming mode: 403
{"Message":"User:
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyCompanyAdministrator_abc123/[email protected] is not
authorized to perform: bedrock:InvokeModelWithResponseStream on resource:
arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0 with an explicit deny in a service
control policy"}
2025-10-29 15:21:53.045 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:21:53.729 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:21:53.778 [info] From claude: [DEBUG] Stream started - received first chunk
2025-10-29 15:21:53.893 [info] From claude: [DEBUG] Stream started - received first chunk
2025-10-29 15:21:55.324 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:21:55.394 [info] From claude: [DEBUG] Shell snapshot created successfully (2333 bytes)
2025-10-29 15:21:56.036 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:21:56.219 [info] From claude: [DEBUG] Getting matching hook commands for SubagentStop with query:
undefined
[DEBUG] Found 0 hook matchers in settings
[DEBUG] Matched 0 unique hooks for query "no match query" (0 before deduplication)
2025-10-29 15:21:57.295 [info] From claude: [DEBUG] Getting matching hook commands for SubagentStop with query:
undefined
[DEBUG] Found 0 hook matchers in settings
[DEBUG] Matched 0 unique hooks for query "no match query" (0 before deduplication)
2025-10-29 15:21:58.722 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:21:59.315 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:22:04.775 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:22:05.488 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:22:15.159 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:22:15.806 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:22:36.059 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:22:36.612 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:23:10.107 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:23:10.786 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:23:43.827 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:23:44.467 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:24:24.377 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:24:25.130 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:24:59.308 [info] From claude: [DEBUG] Fetching AWS caller identity for AWS auth refresh command
2025-10-29 15:24:59.955 [info] From claude: [DEBUG] Fetched AWS caller identity, skipping AWS auth refresh command
2025-10-29 15:25:00.684 [info] From claude: [ERROR] Error in non-streaming fallback: 403 {"Message":"User:
arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_MyCompanyAdministrator_abc123/[email protected] is not
authorized to perform: bedrock:InvokeModel on resource:
arn:aws:bedrock:::foundation-model/anthropic.claude-sonnet-4-5-20250929-v1:0 with an explicit deny in a service
control policy"}
2025-10-29 15:25:01.025 [info] From claude: [DEBUG] Getting matching hook commands for Stop with query: undefined
[DEBUG] Found 0 hook matchers in settings
[DEBUG] Matched 0 unique hooks for query "no match query" (0 before deduplication)
2025-10-29 15:27:10.648 [info] Closing Claude on channel: channelid
2025-10-29 15:27:10.654 [info] From claude: [DEBUG] Getting matching hook commands for SessionEnd with query:
undefined
[DEBUG] Found 0 hook matchers in settings
[DEBUG] Matched 0 unique hooks for query "no match query" (0 before deduplication)
2025-10-29 15:27:10.658 [info] From claude: [DEBUG] Cleaned up session snapshot:
C:\Users\UserName\.claude\shell-snapshots\snapshot-bash-1761765707029-dg7t38.sh
2025-10-29 15:27:10.688 [info] From claude: Claude Code process exited with code 1
2025-10-29 15:27:10.688 [info] Closing Claude on channel: channelid
2025-10-29 15:27:10.689 [error] Error from Claude (on channel channelid): Error: Claude Code process exited with
code 1
This shows the complete failure sequence:
1. Streaming blocked → fallback to non-streaming
2. Gets stuck in infinite caller identity loop (3+ minutes)
3. Finally fails with non-streaming also blocked
4. Process exits with error code 1
Steps to Reproduce
- Start VS Code with the aforementioned configuration.
- Ask a question like
What is today?
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
No response
Claude Code Version
2.0.28 (Claude Code)
Platform
AWS Bedrock
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
No response
So it would appear if you add setting "claudeCode.selectedModel": "us.anthropic.claude-sonnet-4-5-20250929-v1:0" then it works as expected. Perhaps the extension should check of the env variable ANTHROPIC_MODEL is set then default to that if the selectedModel is not set or just have better logging of feedback so that you know this is required. That UX could be a better.
This issue has been inactive for 30 days. If the issue is still occurring, please comment to let us know. Otherwise, this issue will be automatically closed in 30 days for housekeeping purposes.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
