diff --git a/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java b/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java
index cc1a5b9496e2..7f3e69a8b0cc 100644
--- a/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java
+++ b/dspace-api/src/main/java/org/dspace/storage/bitstore/S3BitStoreService.java
@@ -83,6 +83,7 @@
 public class S3BitStoreService extends BaseBitStoreService {
     protected static final String DEFAULT_BUCKET_PREFIX = "dspace-asset-";
     protected static final Gson GSON = new GsonBuilder().serializeNulls().setPrettyPrinting().create();
+    public static final String REGEX_SECRET = "^(.{3})(.*)(.{3})$";
     // Prefix indicating a registered bitstream
     protected final String REGISTERED_FLAG = "-R";
     /**
@@ -272,8 +273,8 @@ protected static Supplier<AWSStaticCredentialsProvider> getAwsCredentialsSupplie
         BasicAWSCredentials credentials = new BasicAWSCredentials(awsAccessKey, awsSecretKey);
         log.info(
             "AmazonS3Client credentials - accessKey: {}, secretKey: {}",
-            credentials.getAWSAccessKeyId().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3"),
-            credentials.getAWSSecretKey().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3")
+            credentials.getAWSAccessKeyId().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getAWSSecretKey().replaceFirst(REGEX_SECRET, "$1***$3")
         );
         return getAwsCredentialsSupplier(credentials);
     }
@@ -289,9 +290,10 @@ protected static Supplier<AWSStaticCredentialsProvider> getBasicCredentialsSuppl
     ) {
         BasicSessionCredentials credentials = new BasicSessionCredentials(awsAccessKey, awsSecretKey, awsSessionToken);
         log.info(
-            "AmazonS3Client credentials - accessKey: {}, secretKey: {}",
-            credentials.getAWSAccessKeyId().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3"),
-            credentials.getAWSSecretKey().replaceFirst("^(.{3})(.*)(.{3})$", "$1***$3")
+            "AmazonS3Client credentials - accessKey: {}, secretKey: {}, awsSessionToken: {}",
+            credentials.getAWSAccessKeyId().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getAWSSecretKey().replaceFirst(REGEX_SECRET, "$1***$3"),
+            credentials.getSessionToken().replaceFirst(REGEX_SECRET, "$1***$3")
         );
         return getAwsCredentialsSupplier(credentials);
     }
@@ -345,9 +347,15 @@ public void init() throws IOException {
         try {
             Supplier<? extends AWSCredentialsProvider> awsCredentialsSupplier;
             if (StringUtils.isNotBlank(getAwsAccessKey()) && StringUtils.isNotBlank(getAwsSecretKey())) {
-                log.warn("Use local defined S3 credentials");
-                awsCredentialsSupplier = getBasicCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey(),
-                    getAwsSessionToken());
+                if (StringUtils.isNotBlank(getAwsSessionToken())) {
+                    log.warn("Use local S3 credentials with session token");
+                    awsCredentialsSupplier =
+                        getBasicCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey(), getAwsSessionToken());
+                } else {
+                    log.warn("Use local S3 credentials with access and secret keys");
+                    awsCredentialsSupplier =
+                        getAwsCredentialsSupplier(getAwsAccessKey(), getAwsSecretKey());
+                }
             } else {
                 log.info("Use an IAM role or aws environment credentials");
                 awsCredentialsSupplier = DefaultAWSCredentialsProviderChain::new;