diff --git a/src/lib/import.js b/src/lib/import.js
index 7a6f91ce..64d21c68 100644
--- a/src/lib/import.js
+++ b/src/lib/import.js
@@ -22,12 +22,21 @@ async function importConsoleConfig (consoleConfigFileOrBuffer, flags) {
   const loadFunc = skipValidation ? loadConfigFile : loadAndValidateConfigFile
   const config = loadFunc(consoleConfigFileOrBuffer).values
 
-  const serviceClientId = getServiceApiKey(config, useJwt)
+  const serviceClientId = getServiceApiKey(config, useJwt) // = client_id, legacy
   const oauthS2SCredential = getOAuthS2SCredential(config)
 
   let extraEnvVars
   if (typeof oauthS2SCredential === 'object') {
-    extraEnvVars = { [SERVICE_API_KEY_ENV]: serviceClientId, [IMS_OAUTH_S2S_ENV]: JSON.stringify(oauthS2SCredential) }
+    // unpack oauthS2S json into IMS_OAUTH_S2S_* env vars
+    const oauthS2SEnv = Object.entries(oauthS2SCredential).reduce((acc, [key, value]) => {
+      if (Array.isArray(value)) {
+        value = JSON.stringify(value) // stringify arrays e.g. scopes to be consistent with AIO_* vars behavior
+      }
+      acc[`${IMS_OAUTH_S2S_ENV}_${key.toUpperCase()}`] = value
+      return acc
+    }, {})
+
+    extraEnvVars = { [SERVICE_API_KEY_ENV]: serviceClientId, ...oauthS2SEnv }
   } else {
     extraEnvVars = { [SERVICE_API_KEY_ENV]: serviceClientId }
   }
diff --git a/test/commands/lib/import.test.js b/test/commands/lib/import.test.js
index 4d9ca884..93693641 100644
--- a/test/commands/lib/import.test.js
+++ b/test/commands/lib/import.test.js
@@ -34,7 +34,7 @@ test('exports', () => {
 })
 
 describe('importConsoleConfig', () => {
-  test('with oauth_server_to_server credentials, adds IMS_OAUTH_S2S to env vars', async () => {
+  test('with oauth_server_to_server credentials, unpacks IMS_OAUTH_S2S_* env vars', async () => {
     const configContent = fixtureFile('oauths2s/valid.config.json')
     // The file is read twice: once by importConsoleConfig (loadFunc) and once by importConfigJson
     fs.readFileSync.mockReturnValue(configContent)
@@ -44,17 +44,17 @@ describe('importConsoleConfig', () => {
     expect(config).toBeDefined()
     expect(config.project.name).toEqual('TestProject123')
 
-    // Check that writeFile was called with the IMS_OAUTH_S2S_ENV variable
     const envWriteCall = fs.writeFile.mock.calls.find(call => call[0].endsWith('.env'))
     expect(envWriteCall).toBeDefined()
-    expect(envWriteCall[1]).toContain(SERVICE_API_KEY_ENV)
-    expect(envWriteCall[1]).toContain(IMS_OAUTH_S2S_ENV)
-
-    // Verify the IMS_OAUTH_S2S value contains expected credential data
     const envContent = envWriteCall[1]
-    expect(envContent).toContain('"client_id":"CXCXCXCXCXCXCXCXC"')
-    expect(envContent).toContain('"client_secret":"SFSFSFSFSFSFSFSFSFSFSFSFSFS"')
-    expect(envContent).toContain('"org_id":"XOXOXOXOXOXOX@AdobeOrg"')
+    expect(envContent).toContain(SERVICE_API_KEY_ENV)
+    expect(envContent).toContain(IMS_OAUTH_S2S_ENV)
+
+    // Credential is unpacked into IMS_OAUTH_S2S_* vars
+    expect(envContent).toContain('IMS_OAUTH_S2S_CLIENT_ID=CXCXCXCXCXCXCXCXC')
+    expect(envContent).toContain('IMS_OAUTH_S2S_CLIENT_SECRET=SFSFSFSFSFSFSFSFSFSFSFSFSFS')
+    expect(envContent).toContain('IMS_OAUTH_S2S_ORG_ID=XOXOXOXOXOXOX@AdobeOrg')
+    expect(envContent).toContain('IMS_OAUTH_S2S_SCOPES=["openid","AdobeID"]') // stringified array
   })
 
   test('with jwt credentials only, does not add IMS_OAUTH_S2S to env vars', async () => {