fix(cli): failure to get credentials when session token is not set

packages/aws-cdk/lib/api/aws-auth/awscli-compatible.ts

@@ -182,7 +182,10 @@ function caBundlePathFromEnvironment(): string | undefined {
 function shouldPrioritizeEnv() {
   const id = process.env.AWS_ACCESS_KEY_ID || process.env.AMAZON_ACCESS_KEY_ID;
   const key = process.env.AWS_SECRET_ACCESS_KEY || process.env.AMAZON_SECRET_ACCESS_KEY;
-  process.env.AWS_SESSION_TOKEN = process.env.AWS_SESSION_TOKEN || process.env.AMAZON_SESSION_TOKEN;
+  const sessionToken = process.env.AWS_SESSION_TOKEN || process.env.AMAZON_SESSION_TOKEN;
+  if (sessionToken) {
+    process.env.AWS_SESSION_TOKEN = sessionToken;
+  }
 
   if (!!id && !!key) {
     process.env.AWS_ACCESS_KEY_ID = id;

packages/aws-cdk/test/api/aws-auth/awscli-compatible.test.ts

@@ -0,0 +1,52 @@
+import { AwsCliCompatible } from '../../../lib/api/aws-auth/awscli-compatible';
+
+describe('Session token', () => {
+  test('does not mess up with session token env variables if they are undefined', async () => {
+    process.env.AWS_ACCESS_KEY_ID = 'foo';
+    process.env.SECRET_ACCESS_KEY = 'bar';
+
+    // Making sure these variables are not defined
+    delete process.env.AWS_SESSION_TOKEN;
+    delete process.env.AMAZON_SESSION_TOKEN;
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toBeUndefined();
+  });
+
+  test('preserves AWS_SESSION_TOKEN if it is defined', async () => {
+    process.env.AWS_ACCESS_KEY_ID = 'foo';
+    process.env.SECRET_ACCESS_KEY = 'bar';
+
+    process.env.AWS_SESSION_TOKEN = 'aaa';
+    delete process.env.AMAZON_SESSION_TOKEN;
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+
+  test('assigns AWS_SESSION_TOKEN if it is not defined but AMAZON_SESSION_TOKEN is', async () => {
+    process.env.AWS_ACCESS_KEY_ID = 'foo';
+    process.env.SECRET_ACCESS_KEY = 'bar';
+
+    delete process.env.AWS_SESSION_TOKEN;
+    process.env.AMAZON_SESSION_TOKEN = 'aaa';
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+
+  test('preserves AWS_SESSION_TOKEN if both are defined', async () => {
+    process.env.AWS_ACCESS_KEY_ID = 'foo';
+    process.env.SECRET_ACCESS_KEY = 'bar';
+
+    process.env.AWS_SESSION_TOKEN = 'aaa';
+    process.env.AMAZON_SESSION_TOKEN = 'bbb';
+
+    await AwsCliCompatible.credentialChainBuilder();
+
+    expect(process.env.AWS_SESSION_TOKEN).toEqual('aaa');
+  });
+});