diff --git a/.forgejo/workflows/deploy-cfn.yml b/.forgejo/workflows/deploy-cfn.yml
index 7af6a3d..18cc6b8 100644
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@@ -33,15 +33,25 @@ jobs:
       - name: Check required AWS secrets
         run: |
-          for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_DEFAULT_REGION; do
+          for v in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION; do
             if [ -z "${!v}" ]; then
               echo "Missing required secret/env: $v"
               exit 1
             fi
           done
+          if [ -z "${AWS_SESSION_TOKEN}" ]; then
+            echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
+          else
+            echo "AWS_SESSION_TOKEN is set. Proceeding with STS temporary credentials."
+          fi
       - name: Verify AWS identity
-        run: aws sts get-caller-identity
+        run: |
+          set -e
+          if ! aws sts get-caller-identity; then
+            echo "AWS authentication failed. If using STS creds, regenerate and update all 3 secrets: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN."
+            exit 1
+          fi
       - name: Validate CFT
         run: |
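Review bot: The new `if [ -z "${AWS_SESSION_TOKEN}" ]` branch in "Check required AWS secrets" treats any key without a token as a valid long-lived credential, so a stale STS key pair whose token secret was cleared (or a long-lived key pasted alongside a leftover token) is only caught later by `get-caller-identity` with a generic message; the key-ID prefix already tells you which case you are in (`ASIA*` is an STS temporary key, `AKIA*` a long-lived IAM user key), so the step can fail fast on a mismatch and warn explicitly when a deploy job is running on long-lived keys. The prefix check never prints the key itself, so it adds nothing to the log that the existing echo lines do not already reveal. Two smaller points: `${!v}` is bash-only indirection, and since the hunk does not show a `shell: bash` on the step, confirm the runner's default shell is bash (the hunk also does not show the env/secrets mapping, so I assume the four variables are exported to the step); and in "Verify AWS identity" the `set -e` is a no-op for the guarded `if ! aws sts ...` command, so either drop it or keep it for later lines and note that. The enclosing `steps:` list starts and ends outside the hunk.

```yaml
          # … unchanged: for-loop over AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION …
          # AWS key-ID prefixes: ASIA* = STS temporary key (needs a session token), AKIA* = long-lived IAM user key.
          case "${AWS_ACCESS_KEY_ID}" in
            ASIA*)
              if [ -z "${AWS_SESSION_TOKEN}" ]; then
                echo "AWS_ACCESS_KEY_ID is an STS key (ASIA*) but AWS_SESSION_TOKEN is empty. Regenerate and update all 3 secrets."
                exit 1
              fi
              echo "AWS_SESSION_TOKEN is set. Proceeding with STS temporary credentials."
              ;;
            *)
              if [ -n "${AWS_SESSION_TOKEN}" ]; then
                echo "AWS_SESSION_TOKEN is set but AWS_ACCESS_KEY_ID is not an STS key (ASIA*). Clear the token or update all 3 secrets together."
                exit 1
              fi
              echo "WARNING: AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys; prefer short-lived STS credentials for deploys."
              ;;
          esac
```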