diff --git a/changelog/23.0/23.0.0/summary.md b/changelog/23.0/23.0.0/summary.md index 3be034ba1fa..db83795372e 100644 --- a/changelog/23.0/23.0.0/summary.md +++ b/changelog/23.0/23.0.0/summary.md @@ -7,9 +7,11 @@ - [Metrics](#deleted-metrics) - **[New Metrics](#new-metrics)** - [VTGate](#new-vtgate-metrics) - - **[VTTablet](#minor-changes-vttablet)** - - [CLI Flags](#flags-vttablet) - - [Managed MySQL configuration defaults to caching-sha2-password](#mysql-caching-sha2-password) + - **[Topology](#minor-changes-topo)** + - [`--consul_auth_static_file` requires 1 or more credentials](#consul_auth_static_file-check-creds) + - **[VTTablet](#minor-changes-vttablet)** + - [CLI Flags](#flags-vttablet) + - [Managed MySQL configuration defaults to caching-sha2-password](#mysql-caching-sha2-password) ## Minor Changes @@ -32,6 +34,12 @@ |:-----------------------:|:---------------:|:-----------------------------------------------------------------------------------:|:-------------------------------------------------------:| | `TransactionsProcessed` | `Shard`, `Type` | Counts transactions processed at VTGate by shard distribution and transaction type. | [#18171](https://github.com/vitessio/vitess/pull/18171) | +### Topology + +#### `--consul_auth_static_file` requires 1 or more credentials + +The `--consul_auth_static_file` flag used in several components now requires that 1 or more credentials can be loaded from the provided json file. + ### VTTablet #### CLI Flags @@ -48,4 +56,4 @@ This change specifically affects the replication user. If you have a user config ALTER USER 'vt_repl'@'%' IDENTIFIED WITH caching_sha2_password BY 'your-existing-password'; ``` -In future Vitess versions, the `mysql_native_password` authentication plugin will be disabled for managed MySQL instances. \ No newline at end of file +In future Vitess versions, the `mysql_native_password` authentication plugin will be disabled for managed MySQL instances. 
diff --git a/go/vt/topo/consultopo/server.go b/go/vt/topo/consultopo/server.go index b0f096726a7..70448349927 100644 --- a/go/vt/topo/consultopo/server.go +++ b/go/vt/topo/consultopo/server.go @@ -30,6 +30,7 @@ import ( "github.com/spf13/pflag" "vitess.io/vitess/go/vt/log" + "vitess.io/vitess/go/vt/proto/vtrpc" "vitess.io/vitess/go/vt/servenv" "vitess.io/vitess/go/vt/topo" "vitess.io/vitess/go/vt/utils" @@ -93,6 +94,10 @@ func getClientCreds() (creds map[string]*ClientAuthCred, err error) { err = vterrors.Wrapf(err, "Error parsing consul-auth-static-file") return creds, err } + if len(creds) == 0 { + err = vterrors.New(vtrpc.Code_FAILED_PRECONDITION, "Found no credentials in consul_auth_static_file") + return creds, err + } return creds, nil } diff --git a/go/vt/topo/consultopo/server_flaky_test.go b/go/vt/topo/consultopo/server_flaky_test.go index a987336dd01..3a3a6ad3205 100644 --- a/go/vt/topo/consultopo/server_flaky_test.go +++ b/go/vt/topo/consultopo/server_flaky_test.go @@ -26,11 +26,10 @@ import ( "testing" "time" - "vitess.io/vitess/go/vt/log" - "github.com/hashicorp/consul/api" "vitess.io/vitess/go/testfiles" + "vitess.io/vitess/go/vt/log" "vitess.io/vitess/go/vt/topo" "vitess.io/vitess/go/vt/topo/test" 
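Review bot: The new `len(creds) == 0` guard in getClientCreds only counts top-level keys, so a file like `{"global":{}}` or one holding a `null` entry still passes even though it carries no usable `acl_token`. Whether that still leaves the Consul client without a token depends on the caller, which is outside this hunk. If the intent is to fail closed, consider also rejecting nil entries and entries with an empty token, and add a comment on the guard such as `// an empty map would leave the client without any ACL token; refuse to start`. The new message spells the flag `consul_auth_static_file` while the Wrapf just above uses `consul-auth-static-file`; one spelling makes the error easier to search for. The start of getClientCreds is outside the hunk.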
@@ -297,25 +296,42 @@ func TestConsulTopoWithAuthFailure(t *testing.T) {
 consulAuthClientStaticFile = tmpFile.Name()
- jsonConfig := "{\"global\":{\"acl_token\":\"badtoken\"}}"
- if err := os.WriteFile(tmpFile.Name(), []byte(jsonConfig), 0600); err != nil {
- t.Fatalf("couldn't write temp file: %v", err)
- }
+ // check valid, empty json causes error
+ {
+ jsonConfig := "{}"
+ if err := os.WriteFile(tmpFile.Name(), []byte(jsonConfig), 0600); err != nil {
+ t.Fatalf("couldn't write temp file: %v", err)
+ }
- // Create the server on the new root.
- ts, err := topo.OpenServer("consul", serverAddr, path.Join("globalRoot", topo.GlobalCell))
- if err != nil {
- t.Fatalf("OpenServer() failed: %v", err)
+ // Create the server on the new root.
+ _, err := topo.OpenServer("consul", serverAddr, path.Join("globalRoot", topo.GlobalCell))
+ if err == nil {
+ t.Fatal("Expected OpenServer() to return an error due to bad config, got nil")
+ }
 }
- // Attempt to Create the CellInfo.
- err = ts.CreateCellInfo(context.Background(), test.LocalCellName, &topodatapb.CellInfo{
- ServerAddress: serverAddr,
- Root: path.Join("globalRoot", test.LocalCellName),
- })
+ // check bad token causes error
+ {
+ jsonConfig := "{\"global\":{\"acl_token\":\"badtoken\"}}"
+ if err := os.WriteFile(tmpFile.Name(), []byte(jsonConfig), 0600); err != nil {
+ t.Fatalf("couldn't write temp file: %v", err)
+ }
+
+ // Create the server on the new root.
+ ts, err := topo.OpenServer("consul", serverAddr, path.Join("globalRoot", topo.GlobalCell))
+ if err != nil {
+ t.Fatalf("OpenServer() failed: %v", err)
+ }
+
+ // Attempt to Create the CellInfo.
+ err = ts.CreateCellInfo(context.Background(), test.LocalCellName, &topodatapb.CellInfo{
+ ServerAddress: serverAddr,
+ Root: path.Join("globalRoot", test.LocalCellName),
+ })
- want := "Failed request: ACL not found"
- if err == nil || err.Error() != want {
- t.Errorf("Expected CreateCellInfo to fail: got %v, want %s", err, want)
+ want := "Failed request: ACL not found"
+ if err == nil || err.Error() != want {
+ t.Errorf("Expected CreateCellInfo to fail: got %v, want %s", err, want)
+ }
 }
 }
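Review bot: The empty-JSON case at the top of this hunk passes on any OpenServer() failure, because it only checks `err == nil`; an unrelated error would satisfy it just as well as the new credentials check, so the test does not pin the fail-closed behaviour it was added for. Assert the cause, for example `if err == nil || !strings.Contains(err.Error(), "Found no credentials in consul_auth_static_file") {`, which needs `strings` in the import block (only partly visible here). The two bare `{ ... }` scopes would also read better as `t.Run` subtests, so a failure names the case that broke. The test function starts outside the hunk.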