diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
index c587e0fc20040..b2047bd3fbbfb 100644
--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -165,7 +165,7 @@ function isV3Provider(x: PluginProviderResult): x is SDKv3CompatibleCredentialPr
 }
 
 function isV2Credentials(x: PluginProviderResult): x is SDKv2CompatibleCredentials {
-  return !!(x && typeof x === 'object' && x.accessKeyId && (x as SDKv2CompatibleCredentials).getPromise);
+  return !!(x && typeof x === 'object' && (x as SDKv2CompatibleCredentials).getPromise);
 }
 
 function isV3Credentials(x: PluginProviderResult): x is SDKv3CompatibleCredentials {
diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
index f665dc179db9c..77fc97731e58d 100644
--- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
+++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
@@ -104,6 +104,26 @@ test('plugin can return V2 compatible credential-provider', async () => {
   expect(getPromise).toHaveBeenCalled();
 });
 
+test('plugin can return V2 compatible credential-provider with initially empty keys', async () => {
+  // GIVEN
+  mockCredentialFunction(() => Promise.resolve({
+    accessKeyId: '',
+    secretAccessKey: '',
+    expired: false,
+    getPromise() {
+      this.accessKeyId = 'keyid';
+      return Promise.resolve({});
+    },
+  }));
+
+  // WHEN
+  const creds = await fetchNow();
+
+  await expect(creds).toEqual(expect.objectContaining({
+    accessKeyId: 'keyid',
+  }));
+});
+
 test('plugin must not return something that is not a credential', async () => {
   // GIVEN
   mockCredentialFunction(() => Promise.resolve({