Guard against stale and unresolved session tokens

liyu-ma · liyu-ma · commit bf5ba9b7c192 · 2026-04-22T23:41:16.000+10:00
Add validation to treat unresolved $(AWS_SESSION_TOKEN) literals as
empty, and unset aws_session_token when not applicable to prevent
stale tokens from persisting on self-hosted agents.
diff --git a/steps/cloud/aws/login.yml b/steps/cloud/aws/login.yml
@@ -15,7 +15,7 @@ steps:
       inlineScript: |
         echo "##vso[task.setvariable variable=AWS_ACCESS_KEY_ID;issecret=true]$AWS_ACCESS_KEY_ID"
         echo "##vso[task.setvariable variable=AWS_SECRET_ACCESS_KEY;issecret=true]$AWS_SECRET_ACCESS_KEY"
-        if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
+        if [ -n "${AWS_SESSION_TOKEN:-}" ] && [ "${AWS_SESSION_TOKEN}" != '$(AWS_SESSION_TOKEN)' ]; then
           echo "##vso[task.setvariable variable=AWS_SESSION_TOKEN;issecret=true]$AWS_SESSION_TOKEN"
         fi
     displayName: 'Get login credentials'
@@ -26,8 +26,10 @@ steps:
 
     aws configure set aws_access_key_id "$AWS_ACCESS_KEY"
     aws configure set aws_secret_access_key "$AWS_SECRET_KEY"
-    if [ -n "${AWS_SESSION:-}" ]; then
+    if [ -n "${AWS_SESSION:-}" ] && [ "${AWS_SESSION}" != '$(AWS_SESSION_TOKEN)' ]; then
       aws configure set aws_session_token "$AWS_SESSION"
+    else
+      aws configure unset aws_session_token
     fi
     aws configure set default.region "$REGION"
     aws configure list
