Environment variables are not being pulled by action

We have a step in a workflow that checks which release branch has triggered the workflow and sets up the environment with different secrets:

      - name: Determine deployment destination
        run: |
          case "${{ github.ref }}" in
            refs/heads/release/staging)
              IMAGE_SUFFIX="dev"
              KUBE_CONFIG_DATA="${{ secrets.DEV_KUBE_CONFIG_DATA }}"
              AWS_ACCESS_KEY_ID="${{ secrets.DEV_AWS_ACCESS_KEY_ID }}"
              AWS_SECRET_ACCESS_KEY="${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}"
              AWS_K8S_IAM_ROLE="${{ secrets.DEV_AWS_K8S_IAM_ROLE }}"
              ;;
            refs/heads/release/production)
              IMAGE_SUFFIX="prod"
              KUBE_CONFIG_DATA="${{ secrets.PROD_KUBE_CONFIG_DATA }}"
              AWS_ACCESS_KEY_ID="${{ secrets.PROD_AWS_ACCESS_KEY_ID }}"
              AWS_SECRET_ACCESS_KEY="${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}"
              AWS_K8S_IAM_ROLE="${{ secrets.PROD_AWS_K8S_IAM_ROLE }}"
              ;;
            refs/heads/release/second-production)
              IMAGE_SUFFIX="prod"
              KUBE_CONFIG_DATA="${{ secrets.PROD_KUBE_CONFIG_DATA }}"
              AWS_ACCESS_KEY_ID="${{ secrets.PROD_AWS_ACCESS_KEY_ID }}"
              AWS_SECRET_ACCESS_KEY="${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}"
              AWS_K8S_IAM_ROLE="${{ secrets.PROD_AWS_K8S_IAM_ROLE }}"
              ;;
          esac
          # IMAGE_SUFFIX determines if the image is ready for staging (-dev) or production (-prod).
          echo "IMAGE_SUFFIX=$IMAGE_SUFFIX" >> $GITHUB_ENV
          # KUBE_CONFIG_DATA contains the ~/.kube/config for the cluster being deployed to.
          echo "KUBE_CONFIG_DATA=$KUBE_CONFIG_DATA" >> $GITHUB_ENV
          # AWS_ variables contain credentials for authenticating with AWS prior to deploying.
          echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID" >> $GITHUB_ENV
          echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_ENV
          echo "AWS_K8S_IAM_ROLE=$AWS_K8S_IAM_ROLE" >> $GITHUB_ENV

Afterwards, we authenticate:

      - name: Authenticate in AWS
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ env.AWS_K8S_IAM_ROLE }}
          role-duration-seconds: 1200
          role-session-name: GHA-${{ github.sha }}
          aws-region: eu-west-1

But somehow, we’re getting an error that we’re using an invalid session token, although we know that if we access the secret directly, it works. So, it must be something linked to the way we are retrieving the environment variables.

What are we doing wrong?

Replying just for the sake of clarity if anyone else finds this issue.

On the authentication action, the env vars need to be quoted:

        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: '${{ env.AWS_ACCESS_KEY_ID }}'
          aws-secret-access-key: '${{ env.AWS_SECRET_ACCESS_KEY }}'
          role-to-assume: '${{ env.AWS_K8S_IAM_ROLE }}'
          role-duration-seconds: 1200
          role-session-name: 'GHA-${{ github.sha }}'
          aws-region: eu-west-1
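
The first step in the question writes each secret to `$GITHUB_ENV` as a single `NAME=value` line, a form that only holds for single-line values, and its `case` has no branch for an unexpected ref. The following is an added example, not code from either poster: it writes the same four variables using the multiline delimiter form of the environment file and fails closed on an unknown ref or an empty secret. The function names are hypothetical, and it assumes the secrets reach the step through its `env:` mapping under the `DEV_*`/`PROD_*` names rather than being interpolated into the script text.

```shell
#!/bin/sh
# Added example. Function names are hypothetical. Assumption: the step receives
# the secrets through its `env:` mapping under the page's DEV_*/PROD_* names.
# Bodies are ( ... ) subshells so variables stay local in plain POSIX sh.

# Append NAME to the file named by $GITHUB_ENV in the multiline form
# (NAME<<DELIM / value / DELIM), so newlines inside the value survive.
write_env() (
  name=$1 value=$2
  delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  # A value containing the delimiter could close the block early and
  # smuggle in further variables, so refuse it.
  case "$value" in
    *"$delim"*) echo "value for $name contains the delimiter" >&2; exit 1 ;;
  esac
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
)

# Map a ref to the secret prefix; unknown refs fail instead of falling through.
prefix_for_ref() {
  case "$1" in
    refs/heads/release/staging) echo DEV ;;
    refs/heads/release/production | refs/heads/release/second-production) echo PROD ;;
    *) echo "no deployment target for ref $1" >&2; return 1 ;;
  esac
}

# Copy <PREFIX>_<NAME> from the environment into GITHUB_ENV as <NAME>.
export_deploy_env() (
  prefix=$(prefix_for_ref "$1") || exit 1
  for name in KUBE_CONFIG_DATA AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_K8S_IAM_ROLE; do
    # Indirect lookup; the variable name is built only from fixed strings.
    eval "value=\${${prefix}_${name}:-}"
    [ -n "$value" ] || { echo "${prefix}_${name} is empty" >&2; exit 1; }
    write_env "$name" "$value" || exit 1
  done
)
```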