diff --git a/_releaser/Dockerfile b/_releaser/Dockerfile
index ec6ee2a4e6..54be23c84f 100644
--- a/_releaser/Dockerfile
+++ b/_releaser/Dockerfile
@@ -24,7 +24,6 @@ FROM base AS netlify-remove
 ARG NETLIFY_SITE_NAME
 RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
-  NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \
   releaser netlify remove
 
 FROM base AS netlify-deploy
@@ -33,10 +32,7 @@ RUN --mount=type=bind,from=sitedir,target=/site \
   --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
   --mount=type=secret,id=NETLIFY_ACCOUNT_SLUG \
-  NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \
-  NETLIFY_ACCOUNT_SLUG=$(cat /run/secrets/NETLIFY_ACCOUNT_SLUG) \
-  NETLIFY_DIR=/site \
-  releaser netlify deploy
+  NETLIFY_DIR=/site releaser netlify deploy
 
 FROM base AS aws-s3-update-config
 ARG AWS_REGION
@@ -46,8 +42,6 @@ RUN --mount=type=bind,target=. \
   --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=AWS_ACCESS_KEY_ID \
   --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
-  AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
-  AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
   releaser aws s3-update-config
 
 FROM base AS aws-lambda-invoke
@@ -56,6 +50,4 @@ ARG AWS_LAMBDA_FUNCTION
 RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
   --mount=type=secret,id=AWS_ACCESS_KEY_ID \
   --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
-  AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
-  AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
   releaser aws lambda-invoke
diff --git a/_releaser/aws.go b/_releaser/aws.go
index 315c3b4086..7469b26c5b 100644
--- a/_releaser/aws.go
+++ b/_releaser/aws.go
@@ -7,6 +7,7 @@ import (
 	"log"
 
 	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/aws/credentials"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/lambda"
 	"github.com/aws/aws-sdk-go/service/s3"
@@ -36,8 +37,9 @@ func (s *AwsS3UpdateConfigCmd) Run() error {
 	}
 
 	sess, err := session.NewSession(&aws.Config{
-		Region: aws.String(s.Region)},
-	)
+		Credentials: awsCredentials(),
+		Region:      aws.String(s.Region),
+	})
 
 	svc := s3.New(sess)
 
@@ -67,7 +69,8 @@ func (s *AwsLambdaInvokeCmd) Run() error {
 	svc := lambda.New(session.Must(session.NewSessionWithOptions(session.Options{
 		SharedConfigState: session.SharedConfigEnable,
 	})), &aws.Config{
-		Region: aws.String(s.Region),
+		Credentials: awsCredentials(),
+		Region:      aws.String(s.Region),
 	})
 
 	_, err := svc.Invoke(&lambda.InvokeInput{
@@ -80,3 +83,17 @@ func (s *AwsLambdaInvokeCmd) Run() error {
 	log.Printf("INFO: lambda function %q invoked successfully\n", s.LambdaFunction)
 	return nil
 }
+
+func awsCredentials() *credentials.Credentials {
+	return credentials.NewChainCredentials(
+		[]credentials.Provider{
+			&credentials.StaticProvider{
+				Value: credentials.Value{
+					AccessKeyID:     getEnvOrSecret("AWS_ACCESS_KEY_ID"),
+					SecretAccessKey: getEnvOrSecret("AWS_SECRET_ACCESS_KEY"),
+					SessionToken:    getEnvOrSecret("AWS_SESSION_TOKEN"),
+				},
+			},
+		},
+	)
+}
diff --git a/_releaser/main.go b/_releaser/main.go
index cd1d03d3e3..abe59d6a30 100644
--- a/_releaser/main.go
+++ b/_releaser/main.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"log"
+	"os"
+	"path/filepath"
 
 	"github.com/alecthomas/kong"
 )
@@ -29,3 +31,15 @@ func main() {
 		}))
 	ctx.FatalIfErrorf(ctx.Run())
 }
+
+// getEnvOrSecret retrieves secret's value from secret file or env
+func getEnvOrSecret(name string) string {
+	if v, ok := os.LookupEnv(name); ok {
+		return v
+	}
+	b, err := os.ReadFile(filepath.Join("/run/secrets", name))
+	if err != nil {
+		return ""
+	}
+	return string(b)
+}
diff --git a/_releaser/netlify.go b/_releaser/netlify.go
index 4fa740e71c..81de13a6e5 100644
--- a/_releaser/netlify.go
+++ b/_releaser/netlify.go
@@ -23,8 +23,7 @@ type NetlifyCmd struct {
 }
 
 type netlifyGlobalFlags struct {
-	SiteName  string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"`
-	AuthToken string `kong:"name='auth-token',env='NETLIFY_AUTH_TOKEN'"`
+	SiteName string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"`
 }
 
 type NetlifyRemoveCmd struct {
@@ -33,7 +32,7 @@ type NetlifyRemoveCmd struct {
 
 func (s *NetlifyRemoveCmd) Run() error {
 	siteName := cleanSiteName(s.SiteName)
-	c := newNetlifyClient(s.AuthToken)
+	c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
 	site, err := c.getSite(siteName)
 	if err != nil {
 		return fmt.Errorf("failed to get site %q: %w", siteName, err)
@@ -47,8 +46,7 @@ func (s *NetlifyRemoveCmd) Run() error {
 
 type NetlifyDeployCmd struct {
 	netlifyGlobalFlags
-	AccountSlug string `kong:"name='account-slug',env='NETLIFY_ACCOUNT_SLUG'"`
-	PublishDir  string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
+	PublishDir string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
 }
 
 func (s *NetlifyDeployCmd) Run() error {
@@ -59,11 +57,11 @@ func (s *NetlifyDeployCmd) Run() error {
 	}
 
 	siteName := cleanSiteName(s.SiteName)
-	c := newNetlifyClient(s.AuthToken)
+	c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
 
 	site, err := c.CreateSite(c.ctx, &netlify.SiteSetup{
 		Site: netlify.Site{
-			AccountSlug: s.AccountSlug,
+			AccountSlug: getEnvOrSecret("NETLIFY_ACCOUNT_SLUG"),
 			Name:        siteName,
 		},
 	}, false)