diff --git a/api-reference/server/services/llm/aws.mdx b/api-reference/server/services/llm/aws.mdx
index bc57b3e9..8803bb0f 100644
--- a/api-reference/server/services/llm/aws.mdx
+++ b/api-reference/server/services/llm/aws.mdx
@@ -74,18 +74,17 @@ Before using AWS Bedrock LLM services, you need:
- AWS access key ID. If `None`, uses the `AWS_ACCESS_KEY_ID` environment
- variable or default credential chain.
+ AWS access key ID. If `None`, falls back to environment variables and the
+ default boto3 credential chain (instance profiles, IRSA, ECS task roles, SSO,
+ etc.).
- AWS secret access key. If `None`, uses the `AWS_SECRET_ACCESS_KEY` environment
- variable or default credential chain.
+ AWS secret access key. Same fallback behaviour as `aws_access_key`.
- AWS session token for temporary credentials. If `None`, uses the
- `AWS_SESSION_TOKEN` environment variable.
+ AWS session token for temporary credentials.
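Review bot: The rewritten session token description ("AWS session token for temporary credentials.") no longer says what happens when the value is `None`, while the two key descriptions above it still do. Anyone using temporary credentials needs to know whether `AWS_SESSION_TOKEN` is still read, so either name the variable again or add the same "Same fallback behaviour as `aws_access_key`." sentence here. The parameter text also stops naming `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`; a pointer to the Notes section, which does list them, would keep that discoverable. Minor style point: "behaviour" here, but the Notes section of the same file uses "Retry behavior".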
@@ -208,7 +207,7 @@ await task.queue_frame(
## Notes
-- **Credential chain**: If `aws_access_key` and `aws_secret_key` are not provided, the service falls back to environment variables and then the standard AWS credential chain (IAM roles, instance profiles, etc.).
+- **Credential resolution**: Credentials are resolved via a fallback chain: explicit parameters → environment variables (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`) → boto3 credential provider chain (instance profiles, IRSA, ECS task roles, SSO, credential files). Services running with IAM roles no longer need to export static credentials.
- **No-op tool handling**: AWS Bedrock requires at least one tool to be defined when tool content exists in the conversation. The service automatically adds a placeholder tool when needed to prevent API errors.
- **Model-specific parameters**: Some models (e.g., Claude Sonnet 4.5) don't allow certain parameter combinations. The service only includes explicitly set parameters in the inference config to avoid conflicts.
- **Retry behavior**: When `retry_on_timeout=True`, the first attempt uses the `retry_timeout_secs` timeout. If it times out, a second attempt is made with no timeout limit.
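Review bot: The environment-variable step in the new "Credential resolution" bullet lists only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` and leaves out `AWS_SESSION_TOKEN`, which the removed parameter text documented as a fallback; say explicitly whether it is still honoured at that step. The bullet should also spell out the consequence of the ordering it describes: explicit parameters and exported static keys are tried before the boto3 provider chain, so a leftover key in the environment takes precedence over an instance profile, IRSA or task role, and has to be unset for the role to be used. It would also help to state what happens when only one of `aws_access_key` and `aws_secret_key` is supplied. Finally, "no longer need to export static credentials" is release-note wording; in reference documentation "do not need" reads better.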
diff --git a/api-reference/server/services/stt/aws.mdx b/api-reference/server/services/stt/aws.mdx
index 4e6c150d..ef14edc7 100644
--- a/api-reference/server/services/stt/aws.mdx
+++ b/api-reference/server/services/stt/aws.mdx
@@ -66,17 +66,17 @@ Before using AWS Transcribe STT services, you need:
## Configuration
- AWS secret access key. If `None`, uses `AWS_SECRET_ACCESS_KEY` environment
- variable.
+ AWS secret access key. If `None`, falls back to environment variables and the
+ default boto3 credential chain (instance profiles, IRSA, ECS task roles, SSO,
+ etc.).
- AWS access key ID. If `None`, uses `AWS_ACCESS_KEY_ID` environment variable.
+ AWS access key ID. Same fallback behaviour as `api_key`.
- AWS session token for temporary credentials. If `None`, uses
- `AWS_SESSION_TOKEN` environment variable.
+ AWS session token for temporary credentials.
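Review bot: The cross-reference "Same fallback behaviour as `api_key`." on the access key ID leaves the reader to work out that `api_key` is the secret access key field, which the name does not suggest and which differs from the `aws_access_key` naming used on the LLM page. Write the fallback sentence out in full for both fields, or refer to it as "the secret access key (`api_key`)". As in the LLM page, the session token line at the end of the hunk drops its `None` behaviour entirely, so it is no longer clear whether `AWS_SESSION_TOKEN` is read. It is also worth stating what the service does when only one of the two key fields is set.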
diff --git a/api-reference/server/services/tts/aws.mdx b/api-reference/server/services/tts/aws.mdx
index 06eb5249..133285c6 100644
--- a/api-reference/server/services/tts/aws.mdx
+++ b/api-reference/server/services/tts/aws.mdx
@@ -69,13 +69,13 @@ Before using AWS Polly TTS services, you need:
### AWSPollyTTSService
- AWS secret access key. If `None`, uses the `AWS_SECRET_ACCESS_KEY` environment
- variable.
+ AWS secret access key. If `None`, falls back to environment variables and the
+ default boto3 credential chain (instance profiles, IRSA, ECS task roles, SSO,
+ etc.).
- AWS access key ID. If `None`, uses the `AWS_ACCESS_KEY_ID` environment
- variable.
+ AWS access key ID. Same fallback behaviour as `api_key`.
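Review bot: This hunk updates only the secret access key and access key ID descriptions, whereas the LLM and STT pages also change the session token text. If `AWSPollyTTSService` accepts a session token, check that its description is consistent with the other two pages after this change, and in any case say whether `AWS_SESSION_TOKEN` is read when no token is passed. The "Same fallback behaviour as `api_key`." reference has the same readability problem as on the STT page: it assumes the reader knows `api_key` holds the secret access key, so spelling the fallback out in full would be clearer.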