From cce868ec24e3ec9ca22b61ddf75c27ed27310968 Mon Sep 17 00:00:00 2001
From: Tofik Hasanov
Date: Mon, 11 May 2026 15:43:44 -0400
Subject: [PATCH] fix(cloud-security): ignore unused govcloud session token
Co-authored-by: Cursor
---
 apps/api/.env.example | 3 ++-
 apps/api/src/cloud-security/aws-partition.utils.spec.ts | 3 +--
 apps/api/src/cloud-security/aws-partition.utils.ts | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/apps/api/.env.example b/apps/api/.env.example
index fedfeaf98..e2fea0ab1 100644
--- a/apps/api/.env.example
+++ b/apps/api/.env.example
@@ -58,4 +58,5 @@ SECURITY_HUB_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID=
 SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY=
-SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
+# Optional: only set when using temporary GovCloud credentials. Leave unset for long-lived IAM user keys.
+# SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
diff --git a/apps/api/src/cloud-security/aws-partition.utils.spec.ts b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
index 5f9f31309..b6dadf07e 100644
--- a/apps/api/src/cloud-security/aws-partition.utils.spec.ts
+++ b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
@@ -57,12 +57,11 @@ describe('aws partition utils', () => {
 it('uses explicit GovCloud base credentials when configured', () => {
 process.env.SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID = 'AKIAGOV';
 process.env.SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY = 'secret';
- process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'token';
+ process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'placeholder';
 expect(getAwsBaseCredentials('aws-us-gov')).toEqual({
 accessKeyId: 'AKIAGOV',
 secretAccessKey: 'secret',
- sessionToken: 'token',
 });
 expect(getAwsBaseCredentials('aws')).toBeUndefined();
diff --git a/apps/api/src/cloud-security/aws-partition.utils.ts b/apps/api/src/cloud-security/aws-partition.utils.ts
index ce0596b0c..3c30ad808 100644
--- a/apps/api/src/cloud-security/aws-partition.utils.ts
+++ b/apps/api/src/cloud-security/aws-partition.utils.ts
@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(
 return {
 accessKeyId,
 secretAccessKey,
- sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,
 };
 }
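Review bot: Removing `sessionToken` from the object returned here means getAwsBaseCredentials no longer reads `SECURITY_HUB_GOVCLOUD_SESSION_TOKEN` at all, yet the comment added to `apps/api/.env.example` in the first hunk still tells operators to set it "when using temporary GovCloud credentials", and the updated spec pins that a configured token is dropped. Temporary STS credentials are not valid without their session token, so that documented configuration would presumably fail at request time and the GovCloud base credentials are in effect limited to long-lived IAM user keys. If the underlying problem was an empty `SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=` value being passed through to the signer (an inference, the cause is not shown on this page), forward the token only when it is non-empty: `const sessionToken = process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN || undefined;` followed by `...(sessionToken ? { sessionToken } : {}),` in the returned object. Otherwise reword the `.env.example` comment to state that the variable is ignored and temporary credentials are unsupported. The function's signature and the code that reads `accessKeyId` and `secretAccessKey` lie outside this hunk.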