Merge pull request #2820 from trycompai/fix/govcloud-session-token-ignore

tofikwest · web-flow · commit ff1f86d6edf0 · 2026-05-11T15:46:35.000-04:00
fix(cloud-security): ignore unused GovCloud session token
diff --git a/apps/api/.env.example b/apps/api/.env.example
@@ -58,4 +58,5 @@ SECURITY_HUB_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID=
 SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY=
-SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
+# Optional: only set when using temporary GovCloud credentials. Leave unset for long-lived IAM user keys.
+# SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
diff --git a/apps/api/src/cloud-security/aws-partition.utils.spec.ts b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
@@ -57,12 +57,11 @@ describe('aws partition utils', () => {
   it('uses explicit GovCloud base credentials when configured', () => {
     process.env.SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID = 'AKIAGOV';
     process.env.SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY = 'secret';
-    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'token';
+    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'placeholder';
 
     expect(getAwsBaseCredentials('aws-us-gov')).toEqual({
       accessKeyId: 'AKIAGOV',
       secretAccessKey: 'secret',
-      sessionToken: 'token',
     });
     expect(getAwsBaseCredentials('aws')).toBeUndefined();
 
diff --git a/apps/api/src/cloud-security/aws-partition.utils.ts b/apps/api/src/cloud-security/aws-partition.utils.ts
@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(
   return {
     accessKeyId,
     secretAccessKey,
-    sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,
   };
 }
 

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(`
`41`	`41`	`return {`
`42`	`42`	`accessKeyId,`
`43`	`43`	`secretAccessKey,`
`44`		`- sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,`
`45`	`44`	`};`
`46`	`45`	`}`
`47`	`46`