diff --git a/apps/app/src/actions/files/upload-file.ts b/apps/app/src/actions/files/upload-file.ts
index 0aea6a67a..185d81928 100644
--- a/apps/app/src/actions/files/upload-file.ts
+++ b/apps/app/src/actions/files/upload-file.ts
@@ -2,6 +2,10 @@
 
 import { BUCKET_NAME, s3Client } from '@/app/s3';
 import { logger } from '@/utils/logger';
+
+// This log will run as soon as the module is loaded.
+logger.info('[uploadFile] Module loaded.');
+
 import { GetObjectCommand, PutObjectCommand } from '@aws-sdk/client-s3';
 import { getSignedUrl } from '@aws-sdk/s3-request-presigner';
 import { AttachmentEntityType, AttachmentType, db } from '@db';
diff --git a/apps/app/src/app/s3.ts b/apps/app/src/app/s3.ts
index 0c519803a..86b045a56 100644
--- a/apps/app/src/app/s3.ts
+++ b/apps/app/src/app/s3.ts
@@ -20,13 +20,24 @@ if (!APP_AWS_ACCESS_KEY_ID || !APP_AWS_SECRET_ACCESS_KEY || !BUCKET_NAME || !APP
 
 // Create a single S3 client instance
 // Add null checks or assertions if the checks above don't guarantee non-null values
-export const s3Client = new S3Client({
-  region: APP_AWS_REGION!,
-  credentials: {
-    accessKeyId: APP_AWS_ACCESS_KEY_ID!,
-    secretAccessKey: APP_AWS_SECRET_ACCESS_KEY!,
-  },
-});
+
+export const s3Client = new S3Client(
+  // If we are on Vercel, we MUST provide explicit credentials.
+  process.env.VERCEL === '1'
+    ? {
+        region: APP_AWS_REGION!,
+        credentials: {
+          accessKeyId: APP_AWS_ACCESS_KEY_ID!,
+          secretAccessKey: APP_AWS_SECRET_ACCESS_KEY!,
+        },
+      }
+    : // For any other environment (like AWS ECS or local dev),
+      // we only need to provide the region. The AWS SDK will
+      // automatically find the credentials from the environment.
+      {
+        region: APP_AWS_REGION!,
+      },
+);
 
 // Ensure BUCKET_NAME is exported and non-null checked if needed elsewhere explicitly
 if (!BUCKET_NAME && process.env.NODE_ENV === 'production') {
diff --git a/apps/portal/src/utils/s3.ts b/apps/portal/src/utils/s3.ts
index 827f7f297..e4c4a0d4e 100644
--- a/apps/portal/src/utils/s3.ts
+++ b/apps/portal/src/utils/s3.ts
@@ -21,13 +21,23 @@ if (!APP_AWS_ACCESS_KEY_ID || !APP_AWS_SECRET_ACCESS_KEY || !BUCKET_NAME || !APP
 
 // Create a single S3 client instance
 // Add null checks or assertions if the checks above don't guarantee non-null values
-export const s3Client = new S3Client({
-  region: APP_AWS_REGION!,
-  credentials: {
-    accessKeyId: APP_AWS_ACCESS_KEY_ID!,
-    secretAccessKey: APP_AWS_SECRET_ACCESS_KEY!,
-  },
-});
+export const s3Client = new S3Client(
+  // If we are on Vercel, we MUST provide explicit credentials.
+  process.env.VERCEL === '1'
+    ? {
+        region: APP_AWS_REGION!,
+        credentials: {
+          accessKeyId: APP_AWS_ACCESS_KEY_ID!,
+          secretAccessKey: APP_AWS_SECRET_ACCESS_KEY!,
+        },
+      }
+    : // For any other environment (like AWS ECS or local dev),
+      // we only need to provide the region. The AWS SDK will
+      // automatically find the credentials from the environment.
+      {
+        region: APP_AWS_REGION!,
+      },
+);
 
 // Ensure BUCKET_NAME is exported and non-null checked if needed elsewhere explicitly
 if (!BUCKET_NAME && process.env.NODE_ENV === 'production') {