diff --git a/src/agents/model-auth-env.provider-aliases.test.ts b/src/agents/model-auth-env.provider-aliases.test.ts
new file mode 100644
index 00000000000..3439bbe2bbd
--- /dev/null
+++ b/src/agents/model-auth-env.provider-aliases.test.ts
@@ -0,0 +1,83 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { resolveEnvApiKey } from "./model-auth-env.js";
+
+const pluginMetadataMocks = vi.hoisted(() => {
+  const snapshot = {
+    index: {
+      plugins: [
+        {
+          pluginId: "external-cloud",
+          origin: "global",
+          enabled: true,
+          enabledByDefault: true,
+        },
+      ],
+    },
+    plugins: [
+      {
+        id: "external-cloud",
+        origin: "global",
+        providerAuthAliases: {
+          "cloud-alias": "external-cloud",
+        },
+        providerAuthEnvVars: {
+          "external-cloud": ["EXTERNAL_CLOUD_API_KEY"],
+        },
+      },
+    ],
+  };
+  return {
+    snapshot,
+    getCurrentPluginMetadataSnapshot: vi.fn(() => snapshot),
+    loadPluginMetadataSnapshot: vi.fn(() => snapshot),
+  };
+});
+
+vi.mock("../plugins/current-plugin-metadata-snapshot.js", () => ({
+  getCurrentPluginMetadataSnapshot: pluginMetadataMocks.getCurrentPluginMetadataSnapshot,
+}));
+
+vi.mock("../plugins/plugin-metadata-snapshot.js", () => ({
+  loadPluginMetadataSnapshot: pluginMetadataMocks.loadPluginMetadataSnapshot,
+}));
+
+vi.mock("../plugins/setup-registry.js", () => ({
+  resolvePluginSetupProvider: () => undefined,
+}));
+
+describe("resolveEnvApiKey provider auth aliases", () => {
+  beforeEach(() => {
+    pluginMetadataMocks.getCurrentPluginMetadataSnapshot.mockReset();
+    pluginMetadataMocks.getCurrentPluginMetadataSnapshot.mockReturnValue(
+      pluginMetadataMocks.snapshot,
+    );
+    pluginMetadataMocks.loadPluginMetadataSnapshot.mockReset();
+    pluginMetadataMocks.loadPluginMetadataSnapshot.mockReturnValue(pluginMetadataMocks.snapshot);
+  });
+
+  it("reuses the current scoped metadata snapshot while resolving provider auth aliases", () => {
+    expect(
+      resolveEnvApiKey(
+        "cloud-alias",
+        {
+          EXTERNAL_CLOUD_API_KEY: "secret",
+        } as NodeJS.ProcessEnv,
+        {
+          config: {},
+          workspaceDir: "/workspace",
+        },
+      ),
+    ).toEqual({
+      apiKey: "secret",
+      source: "env: EXTERNAL_CLOUD_API_KEY",
+    });
+    expect(pluginMetadataMocks.loadPluginMetadataSnapshot).not.toHaveBeenCalled();
+    expect(pluginMetadataMocks.getCurrentPluginMetadataSnapshot).toHaveBeenCalledWith({
+      config: {},
+      env: {
+        EXTERNAL_CLOUD_API_KEY: "secret",
+      },
+      workspaceDir: "/workspace",
+    });
+  });
+});
diff --git a/src/agents/model-auth-env.ts b/src/agents/model-auth-env.ts
index c3012c5f1ff..88bdcd6cc0b 100644
--- a/src/agents/model-auth-env.ts
+++ b/src/agents/model-auth-env.ts
@@ -102,14 +102,14 @@ export function resolveEnvApiKey(
   options: EnvApiKeyLookupOptions = {},
 ): EnvApiKeyResult | null {
   const normalizedProvider = normalizeProviderIdForAuth(provider);
-  const normalized = options.aliasMap
-    ? (options.aliasMap[normalizedProvider] ?? normalizedProvider)
-    : resolveProviderIdForAuth(provider, { env });
   const lookupParams = {
     config: options.config,
     workspaceDir: options.workspaceDir,
     env,
   };
+  const normalized = options.aliasMap
+    ? (options.aliasMap[normalizedProvider] ?? normalizedProvider)
+    : resolveProviderIdForAuth(provider, lookupParams);
   const candidateMap = options.candidateMap ?? resolveProviderEnvApiKeyCandidates(lookupParams);
   const authEvidenceMap = options.authEvidenceMap ?? resolveProviderEnvAuthEvidence(lookupParams);
   const applied = new Set(getShellEnvAppliedKeys());