diff --git a/README.md b/README.md
index d896144..9f6e2f3 100644
--- a/README.md
+++ b/README.md
@@ -169,6 +169,11 @@ Release process:
 1. upload using: `VERSION=x.y.z APIKEY=abc... make upload`
 1. test installing the rock from LuaRocks
 
+### 1.3.4 (13-Sep-2023)
+
+- fix: remove more module-level uses of config.global
+  [83](https://github.com/Kong/lua-resty-aws/pull/83)
+
 ### 1.3.3 (13-Sep-2023)
 
 - fix: don't invoke region detection code on the module toplevel and advise against trying to.
diff --git a/src/resty/aws/credentials/CredentialProviderChain.lua b/src/resty/aws/credentials/CredentialProviderChain.lua
index c659270..f54bd05 100644
--- a/src/resty/aws/credentials/CredentialProviderChain.lua
+++ b/src/resty/aws/credentials/CredentialProviderChain.lua
@@ -8,7 +8,7 @@ local CredentialProviderChain = setmetatable({}, Super)
 CredentialProviderChain.__index = CredentialProviderChain
 
 
-local AWS_EC2_METADATA_DISABLED = require("resty.aws.config").global.AWS_EC2_METADATA_DISABLED
+local aws_config = require("resty.aws.config")
 
 
 CredentialProviderChain.defaultProviders = {} do
@@ -36,7 +36,7 @@ CredentialProviderChain.defaultProviders = {} do
   add_if_exists("RemoteCredentials") -- since "ECSCredentials" doesn't exist? and for ECS RemoteCredentials is used???
   add_if_exists("ProcessCredentials")
   add_if_exists("TokenFileWebIdentityCredentials")
-  if AWS_EC2_METADATA_DISABLED then
+  if aws_config.global.AWS_EC2_METADATA_DISABLED then
     ngx.log(ngx.DEBUG, "AWS_EC2_METADATA_DISABLED is set, skipping EC2MetadataCredentials provider")
   else
     add_if_exists("EC2MetadataCredentials")
diff --git a/src/resty/aws/credentials/EnvironmentCredentials.lua b/src/resty/aws/credentials/EnvironmentCredentials.lua
index 75a2e95..082b3db 100644
--- a/src/resty/aws/credentials/EnvironmentCredentials.lua
+++ b/src/resty/aws/credentials/EnvironmentCredentials.lua
@@ -2,6 +2,9 @@
 -- @classmod EnvironmentCredentials
 
 
+local aws_config = require("resty.aws.config")
+
+
 -- Create class
 local Super = require "resty.aws.credentials.Credentials"
 local EnvironmentCredentials = setmetatable({}, Super)
@@ -33,7 +36,7 @@ end
 -- updates credentials.
 -- @return success, or nil+err
 function EnvironmentCredentials:refresh()
-  local global_config = require("resty.aws.config").global
+  local global_config = aws_config.global
 
   local access = os.getenv(self.envPrefix .. "_ACCESS_KEY_ID") or global_config[self.envPrefix .. "_ACCESS_KEY_ID"]
   if not access then
diff --git a/src/resty/aws/credentials/RemoteCredentials.lua b/src/resty/aws/credentials/RemoteCredentials.lua
index 09b919e..ecc1859 100644
--- a/src/resty/aws/credentials/RemoteCredentials.lua
+++ b/src/resty/aws/credentials/RemoteCredentials.lua
@@ -25,21 +25,19 @@ local FullUri do
     return t
   end
 
-  local global_config = require("resty.aws.config").global
+  local aws_config = require("resty.aws.config")
 
-  local ENV_RELATIVE_URI = global_config.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
-  local ENV_FULL_URI = global_config.AWS_CONTAINER_CREDENTIALS_FULL_URI
   local FULL_URI_UNRESTRICTED_PROTOCOLS = makeset { "https" }
   local FULL_URI_ALLOWED_PROTOCOLS = makeset { "http", "https" }
   local FULL_URI_ALLOWED_HOSTNAMES = makeset { "localhost", "127.0.0.1" }
   local RELATIVE_URI_HOST = '169.254.170.2'
 
   local function getFullUri()
-    if ENV_RELATIVE_URI then
-      return 'http://' .. RELATIVE_URI_HOST .. ENV_RELATIVE_URI
+    if aws_config.global.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI then
+      return 'http://' .. RELATIVE_URI_HOST .. aws_config.global.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
 
-    elseif ENV_FULL_URI then
-      local parsed_url = url.parse(ENV_FULL_URI)
+    elseif aws_config.global.AWS_CONTAINER_CREDENTIALS_FULL_URI then
+      local parsed_url = url.parse(aws_config.global.AWS_CONTAINER_CREDENTIALS_FULL_URI)
 
       if not FULL_URI_ALLOWED_PROTOCOLS[parsed_url.scheme] then
         return nil, 'Unsupported protocol, must be one of '
@@ -55,7 +53,7 @@ local FullUri do
                   .. parsed_url.host .. ' requested.'
       end
 
-      return ENV_FULL_URI
+      return aws_config.global.AWS_CONTAINER_CREDENTIALS_FULL_URI
 
     else
       return nil, 'Environment variable AWS_CONTAINER_CREDENTIALS_RELATIVE_URI or '
diff --git a/src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua b/src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua
index 9fa0c70..2c15381 100644
--- a/src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua
+++ b/src/resty/aws/credentials/TokenFileWebIdentityCredentials.lua
@@ -4,11 +4,7 @@
 local readfile = require("pl.utils").readfile
 local lom = require("lxp.lom")
 
-
-local global_config = require("resty.aws.config").global
-local AWS_ROLE_ARN = global_config.role_arn
-local AWS_WEB_IDENTITY_TOKEN_FILE = global_config.web_identity_token_file
-local AWS_ROLE_SESSION_NAME = global_config.role_session_name or "session@lua-resty-aws"
+local aws_config = require("resty.aws.config")
 
 
 -- Create class
@@ -29,14 +25,14 @@ function TokenFileWebIdentityCredentials:new(opts)
 
   opts = opts or {}
   self.token_file = assert(
-    opts.token_file or AWS_WEB_IDENTITY_TOKEN_FILE,
+    opts.token_file or aws_config.global.AWS_WEB_IDENTITY_TOKEN_FILE,
     "either 'opts.token_file' or environment variable 'AWS_WEB_IDENTITY_TOKEN_FILE' must be set"
   )
   self.role_arn = assert(
-    opts.role_arn or AWS_ROLE_ARN,
+    opts.role_arn or aws_config.global.AWS_ROLE_ARN,
     "either 'opts.role_arn' or environment variable 'AWS_ROLE_ARN' must be set"
   )
-  self.session_name = opts.session_name or AWS_ROLE_SESSION_NAME
+  self.session_name = opts.session_name or aws_config.global.AWS_ROLE_SESSION_NAME
 
   return self
 end