diff --git a/ChangeLog.md b/ChangeLog.md
index 53eeefb6..1164d077 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,6 +1,7 @@
 # v2.4.13
 BUG FIXES
 - fix object_disk.CopyObject during restore to allow use properly S3 endpoint
+- fix AWS IRSA environments handler, fix [798](https://github.com/Altinity/clickhouse-backup/issues/798)
 # v2.4.12
 BUG FIXES
diff --git a/pkg/storage/s3.go b/pkg/storage/s3.go
index e217f92b..1e86718e 100644
--- a/pkg/storage/s3.go
+++ b/pkg/storage/s3.go
@@ -116,22 +116,18 @@ func (s *S3) Connect(ctx context.Context) error {
 if s.Config.Region != "" {
 awsConfig.Region = s.Config.Region
 }
+ // AWS IRSA handling, look https://github.com/Altinity/clickhouse-backup/issues/798
 awsRoleARN := os.Getenv("AWS_ROLE_ARN")
- if s.Config.AssumeRoleARN != "" || awsRoleARN != "" {
- stsClient := sts.NewFromConfig(awsConfig)
- if awsRoleARN != "" {
- awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, awsRoleARN)
- } else {
- awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, s.Config.AssumeRoleARN)
- }
- }
-
 awsWebIdentityTokenFile := os.Getenv("AWS_WEB_IDENTITY_TOKEN_FILE")
+ stsClient := sts.NewFromConfig(awsConfig)
 if awsRoleARN != "" && awsWebIdentityTokenFile != "" {
- stsClient := sts.NewFromConfig(awsConfig)
 awsConfig.Credentials = stscreds.NewWebIdentityRoleProvider(
 stsClient, awsRoleARN, stscreds.IdentityTokenFile(awsWebIdentityTokenFile),
 )
+ } else if awsRoleARN != "" {
+ awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, awsRoleARN)
+ } else if s.Config.AssumeRoleARN != "" {
+ awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, s.Config.AssumeRoleARN)
 }
 if s.Config.AccessKey != "" && s.Config.SecretKey != "" {
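Review bot: In the new `else if` chain of `pkg/storage/s3.go`, `s.Config.AssumeRoleARN` is only consulted when `AWS_ROLE_ARN` is unset, so on an IRSA pod (where that variable is injected) an explicitly configured assume-role ARN is dropped without any signal and the backup runs under the pod's role instead. If that precedence is intended, state it where the chain starts, e.g. `// precedence: web identity (AWS_ROLE_ARN + AWS_WEB_IDENTITY_TOKEN_FILE), then AWS_ROLE_ARN, then s.Config.AssumeRoleARN; env overrides config`, and consider emitting a warning when both the environment variable and the config value are set and differ, so operators can tell which identity is in use. If cross-account role chaining from the IRSA identity is meant to be supported, the configured ARN would instead need to be assumed with an STS client built on the web-identity credentials. Connect's body starts and ends outside this hunk, so the later static-key branch may change the final provider again.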