Cloud routine environments silently changed AWS_* env handling twice (stripped, then platform-injected), breaking production workloads

Open 💬 0 comments Opened Jul 12, 2026 by jamkini

Summary

The session environment that Claude Code scheduled routines (cloud environments, kind anthropic_cloud) provide to tasks has changed its handling of standard AWS credential variables twice in five days, with no announcement, changelog entry, or documentation either time. The second change broke a production workload.

Timeline

Change 1 — observed 2026-07-07: User-defined AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY environment variables set in the cloud environment UI were silently stripped from the session env at task time. Workaround: we renamed our variables with a custom prefix and added startup code to map them back for boto3.

Change 2 — observed 2026-07-12 (worked as late as 2026-07-10 evening): The platform now injects its own AWS_ACCESS_KEY_ID (+ secret) into the task session env — credentials we did not define anywhere. Our mapping code deferred to a standard-named variable when present (correct under the Change-1 behavior), so boto3 sent the platform's injected key to real AWS S3 and every call failed:

  • HeadObject → bare 403 Forbidden (HEAD carries no error body)
  • PutObjectInvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.

The IAM key configured in the environment UI was live and correct the whole time. Diagnosis required eliminating IAM policy changes, an unrelated infra deploy, and env-value corruption before concluding the platform itself was the variable source — precisely because nothing about this behavior is documented.

Impact

  • A scheduled weekend maintenance job (S3 data processing) failed outright; the same credentials feed weekday production automation, which would have failed identically on its next run.
  • Fixing it required a code change, PR, and merge on our side (explicitly-prefixed variables now always override standard names, plus dropping any injected AWS_SESSION_TOKEN).
  • Trust cost: users cannot run mission-critical scheduled workloads on an execution environment whose ambient credentials change without notice.

Requests

  1. Document the session-env contract for cloud environments: which variable names are reserved, stripped, or injected, and under what conditions.
  2. Do not make unannounced changes to that contract, full stop. Any change to which variables are stripped, injected, or reserved must be announced (changelog / release notes / email to affected environment owners) before rollout.

Environment

  • Claude Code scheduled routines, shared cloud environment (kind: anthropic_cloud)
  • Task runtime: Linux, tasks launched via uv run from a checked-out GitHub repo
  • Repro: define no AWS_* variables in the environment UI, run env | grep ^AWS in a routine task — observe platform-injected credentials that (a) are not valid against public AWS endpoints and (b) take precedence in the default boto3 credential chain.

View original on GitHub ↗