diff --git a/.circleci/config.yml b/.circleci/config.yml index 1ecab1ad7..cd9b4ef29 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -2,7 +2,7 @@ version: 2.1 orbs: docker-buildx: sensu/docker-buildx@1.1.1 - aws-ecr: circleci/aws-ecr@8.1.2 + aws-ecr: circleci/aws-ecr@8.2.1 win: circleci/windows@5.0 executors: @@ -316,6 +316,9 @@ jobs: aws-access-key-id: << parameters.aws-access-key-id >> aws-secret-access-key: << parameters.aws-secret-access-key >> public-registry: << parameters.public-registry >> + # `registry-id`` field is required, although we don't need it (used for private registry). + # We give it a non-empty env variable name to bypass the `ecr-login` empty check. + registry-id: TAG - run: name: Make and push images command: | @@ -338,17 +341,17 @@ jobs: default: shuttle.internal postgres-password: description: "Shuttle shared postgres password" - type: string + type: env_var_name mongodb-password: description: "Shuttle shared mongodb password" - type: string + type: env_var_name production: description: "Push and deploy to production" type: boolean default: false steps: - checkout - - run: + - run: name: Set git tag in bash_env command: | echo TAG=$(git describe --tags --abbrev=0) >> $BASH_ENV 
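Review bot: In the `@@ -316,6 +316,9 @@` hunk, `registry-id: TAG` reuses an unrelated variable only to get past a non-empty check, so the login step now depends on `TAG` being exported before it runs, which the hunk does not show. If `TAG` is unset at that point, the check the comment describes would presumably fail again. If a later orb release starts using the value for public registries, it would receive a git tag where an account id is expected. The comment also has a stray backtick; I would write it as `# registry-id takes an env var *name*; ecr-login rejects an empty value even for public registries, so TAG is passed only as a non-empty placeholder.` The enclosing step starts above the hunk.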
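Review bot: In the `@@ -338,17 +341,17 @@` hunk, `postgres-password` and `mongodb-password` are now `env_var_name`, but their descriptions still read as if the parameter carries the password itself. A caller following the description would put the secret value into the config instead of a variable name. I would change them to `description: "Name of the env var holding the shared postgres password"` and the mongodb equivalent. The invocations of this job are not in the visible hunks, so it is worth confirming that each one now passes a variable name.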
@@ -362,15 +365,25 @@ jobs: name: Deploy images command: | DOCKER_HOST=ssh://ec2-user@master.<< parameters.ssh-host >> USE_TLS=enable PROD=<< parameters.production >> DD_API_KEY=$DD_API_KEY \ - POSTGRES_PASSWORD=<< parameters.postgres-password >> \ - MONGO_INITDB_ROOT_PASSWORD=<< parameters.mongodb-password >> \ + POSTGRES_PASSWORD=${<< parameters.postgres-password >>} \ + MONGO_INITDB_ROOT_PASSWORD=${<< parameters.mongodb-password >>} \ TAG=$TAG \ make deploy - - run: - name: Pull new deployer image - command: | - [[ << parameters.production >> == true ]] && ssh ec2-user@controller.<< parameters.ssh-host >> "docker pull public.ecr.aws/shuttle-prod/deployer:$TAG" || \ - ssh ec2-user@controller.<< parameters.ssh-host >> "docker pull public.ecr.aws/shuttle-dev/deployer:$TAG" + - when: + condition: << parameters.production >> + steps: + - run: + name: Pull new deployer image on prod + command: | + ssh ec2-user@controller.<< parameters.ssh-host >> "docker pull public.ecr.aws/shuttle/deployer:$TAG" + - when: + condition: + not: << parameters.production >> + steps: + - run: + name: Pull new deployer image on dev + command: | + ssh ec2-user@controller.<< parameters.ssh-host >> "docker pull public.ecr.aws/shuttle-dev/deployer:$TAG" build-binaries-linux: machine: image: << parameters.image >> @@ -592,7 +605,6 @@ jobs: name: Crate publishing in order command: | cargo publish --manifest-path << parameters.path >>/Cargo.toml - workflows: ci: jobs: @@ -663,8 +675,8 @@ workflows: only: main - build-and-push: name: build-and-push-unstable - aws-access-key-id: AWS_ACCESS_KEY_ID - aws-secret-access-key: AWS_SECRET_ACCESS_KEY + aws-access-key-id: DEV_AWS_ACCESS_KEY_ID + aws-secret-access-key: DEV_AWS_SECRET_ACCESS_KEY production: false requires: - approve-push-unstable
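Review bot: In the `Deploy images` command, `${<< parameters.postgres-password >>}` and `${<< parameters.mongodb-password >>}` expand to the empty string when the named variable is missing from the project or context. As far as the hunk shows, `make deploy` would then proceed with empty database passwords. Failing fast costs nothing here: `POSTGRES_PASSWORD=${<< parameters.postgres-password >>:?} \` and `MONGO_INITDB_ROOT_PASSWORD=${<< parameters.mongodb-password >>:?} \`. The job begins above the hunk, so an earlier guard may already exist.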