diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 18924ce3..4af6f94c 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -27,10 +27,24 @@ workflow:
 .ecr_login: &ecr_login |
 AWS_CLI_ENV_ARGS=""
 AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_REGION=$AWS_REGION"
- AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}"
- AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}"
- if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
- AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
+
+ HAS_ACCESS_KEY="false"
+ HAS_SECRET_KEY="false"
+ if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
+ HAS_ACCESS_KEY="true"
+ fi
+ if [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
+ HAS_SECRET_KEY="true"
+ fi
+
+ if [ "$HAS_ACCESS_KEY" = "true" ] && [ "$HAS_SECRET_KEY" = "true" ]; then
+ AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
+ AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
+ if [ -n "${AWS_SESSION_TOKEN:-}" ]; then
+ AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
+ fi
+ elif [ "$HAS_ACCESS_KEY" = "true" ] || [ "$HAS_SECRET_KEY" = "true" ] || [ -n "${AWS_SESSION_TOKEN:-}" ]; then
+ echo "WARN: Incomplete AWS_* env vars detected; ignoring injected AWS credentials for ECR login."
 fi
 PASS="$(docker run --rm $AWS_CLI_ENV_ARGS public.ecr.aws/aws-cli/aws-cli:latest \
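Review bot: The added lines in the branch that runs when both keys are set still expand the secret values into the `docker run` argument list (`-e AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY`), so they can appear in the runner host's process listing and in any shell trace. The unquoted `$AWS_CLI_ENV_ARGS` on the `docker run` line also word-splits whatever those values contain. Passing only the names lets Docker copy the values from the job environment instead: `AWS_CLI_ENV_ARGS="$AWS_CLI_ENV_ARGS -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY"`, and `-e AWS_SESSION_TOKEN` in the nested `if`. This relies on the variables being exported in the job shell, which is presumably the case for CI-injected variables but is worth confirming. The `docker run` command continues past the end of the hunk, so the rest of the login step is not visible here.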