diff --git a/aws/SDK_CHANGELOG.md b/aws/SDK_CHANGELOG.md
index 913312df5e0c35a1ba5c4b1303db00380b621196..711c17755983a43ba1e077284706c7f170a9d725 100644
--- a/aws/SDK_CHANGELOG.md
+++ b/aws/SDK_CHANGELOG.md
@@ -12,6 +12,7 @@ vNext (Month Day, Year)
 - Fix http-body dependency version (smithy-rs#883, aws-sdk-rust#305)
 - [Added a new example showing how to set all currently supported timeouts](./sdk/examples/setting_timeouts/src/main.rs)
 - Add a new check so that the SDK doesn't emit an irrelevant `$HOME` dir warning when running in a Lambda (aws-sdk-rust#307)
+- :bug: Don't capture empty session tokens from the `AWS_SESSION_TOKEN` environment variable (aws-sdk-rust#316, smithy-rs#906)
 - Add docs.rs metadata section to all crates to document all features
 
 **Breaking changes**
diff --git a/aws/rust-runtime/aws-config/src/environment/credentials.rs b/aws/rust-runtime/aws-config/src/environment/credentials.rs
index 53e09fe7f198132943cb1d327468c43aeb099c5c..aff4c05ee4834202228d84fb5804dd1937fffd14 100644
--- a/aws/rust-runtime/aws-config/src/environment/credentials.rs
+++ b/aws/rust-runtime/aws-config/src/environment/credentials.rs
@@ -29,7 +29,15 @@ impl EnvironmentVariableCredentialsProvider {
             .get("AWS_SECRET_ACCESS_KEY")
             .or_else(|_| self.env.get("SECRET_ACCESS_KEY"))
             .map_err(to_cred_error)?;
-        let session_token = self.env.get("AWS_SESSION_TOKEN").ok();
+        let session_token = self
+            .env
+            .get("AWS_SESSION_TOKEN")
+            .ok()
+            .map(|token| match token.trim() {
+                s if s.is_empty() => None,
+                s => Some(s.to_string()),
+            })
+            .flatten();
         Ok(Credentials::new(
             access_key,
             secret_key,
@@ -127,6 +135,26 @@ mod test {
         assert_eq!(creds.secret_access_key(), "secret");
     }
 
+    #[test]
+    fn empty_token_env_var() {
+        for token_value in &["", " "] {
+            let provider = make_provider(&[
+                ("AWS_ACCESS_KEY_ID", "access"),
+                ("AWS_SECRET_ACCESS_KEY", "secret"),
+                ("AWS_SESSION_TOKEN", token_value),
+            ]);
+
+            let creds = provider
+                .provide_credentials()
+                .now_or_never()
+                .unwrap()
+                .expect("valid credentials");
+            assert_eq!(creds.access_key_id(), "access");
+            assert_eq!(creds.secret_access_key(), "secret");
+            assert_eq!(creds.session_token(), None);
+        }
+    }
+
     #[test]
     fn secret_key_fallback() {
         let provider = make_provider(&[