diff --git a/builtin/logical/aws/client.go b/builtin/logical/aws/client.go
index d80e2940689f..9c600673d676 100644
--- a/builtin/logical/aws/client.go
+++ b/builtin/logical/aws/client.go
@@ -97,6 +97,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 		}
 	}
 
+	opts := make([]awsutil.Option, 0)
 	if config.IdentityTokenAudience != "" {
 		ns, err := namespace.FromContext(ctx)
 		if err != nil {
@@ -115,6 +116,10 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 		credsConfig.RoleSessionName = fmt.Sprintf("vault-aws-secrets-%s", sessionSuffix)
 		credsConfig.WebIdentityTokenFetcher = fetcher
 		credsConfig.RoleARN = config.RoleARN
+
+		// explicitly disable environment and shared credential providers when using Web Identity Token Fetcher
+		// enables WIF usage in environments that may use AWS Profiles or environment variables for other use-cases
+		opts = append(opts, awsutil.WithEnvironmentCredentials(false), awsutil.WithSharedCredentials(false))
 	}
 
 	if len(regions) == 0 {
@@ -132,7 +137,7 @@ func (b *backend) getRootConfigs(ctx context.Context, s logical.Storage, clientT
 	} else {
 		credsConfig.Region = fallbackRegion
 	}
-	creds, err := credsConfig.GenerateCredentialChain()
+	creds, err := credsConfig.GenerateCredentialChain(opts...)
 	if err != nil {
 		return nil, err
 	}
diff --git a/changelog/29982.txt b/changelog/29982.txt
new file mode 100644
index 000000000000..ee4e2f7ef31c
--- /dev/null
+++ b/changelog/29982.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/aws: fix a bug where environment and shared credential providers were overriding the WIF configuration
+```
\ No newline at end of file
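Review bot: `opts := make([]awsutil.Option, 0)` allocates an empty slice where a nil slice does the same job; `append` and the `opts...` spread at the `GenerateCredentialChain` call both accept nil, so the idiomatic declaration is `var opts []awsutil.Option`. This is purely a style point and does not affect the fix. The enclosing `getRootConfigs` begins before this hunk and ends after the third one.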
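Review bot: The comment above the `opts = append(...)` line says which providers are disabled but not why leaving them enabled was a defect, which is the information a future maintainer needs before "simplifying" this back out. Based on the changelog wording that these providers were overriding the WIF configuration, the risk is credential confusion: ambient credentials from the Vault process's environment or shared credentials file appear to be consulted ahead of the web-identity provider, so the backend would silently act as whatever principal those credentials belong to rather than assuming the configured role. I would replace the two comment lines with `// With a web identity token fetcher configured, exclude the env and shared-file providers: otherwise ambient process credentials take precedence in the chain and the configured role is never assumed (credential confusion). Disabling them makes the WIF role the only path.` The ordering claim is inferred from the changelog rather than visible here, so confirm it against awsutil before committing the wording. This append is inside the `IdentityTokenAudience != ""` branch; the rest of `getRootConfigs` is outside the hunk.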