diff --git a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
index 6ea65afece5e7..6b7522e4e09f2 100644
--- a/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/sdk-provider.ts
@@ -208,7 +208,7 @@ export class SdkProvider {
 throw new Error('Unable to resolve AWS credentials (setup with "aws configure")');
 }
- return new SDK(creds, this.defaultRegion, this.sdkOptions).currentAccount();
+ return await new SDK(creds, this.defaultRegion, this.sdkOptions).currentAccount();
 } catch (e) {
 debug('Unable to determine the default AWS account:', e);
 return undefined;
diff --git a/packages/aws-cdk/test/api/sdk-provider.test.ts b/packages/aws-cdk/test/api/sdk-provider.test.ts
index 3865925a7299a..518cc80660654 100644
--- a/packages/aws-cdk/test/api/sdk-provider.test.ts
+++ b/packages/aws-cdk/test/api/sdk-provider.test.ts
@@ -27,6 +27,7 @@ const defaultCredOptions = {
 let uid: string;
 let pluginQueried = false;
 let defaultEnv: cxapi.Environment;
+let getCallerIdentityError: Error | null = null;
 
 beforeEach(() => {
 uid = `(${uuid.v4()})`;
@@ -34,7 +35,7 @@ beforeEach(() => {
 logging.setLogLevel(logging.LogLevel.TRACE);
 
 SDKMock.mock('STS', 'getCallerIdentity', (cb: AwsCallback) => {
- return cb(null, {
+ return cb(getCallerIdentityError, {
 Account: `${uid}the_account_#`,
 UserId: 'you!',
 Arn: 'arn:aws-here:iam::12345:role/test',
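Review bot: The `return await` on the new side is the whole fix, but nothing in the hunk says why, and a later cleanup (or a lint rule such as no-return-await) could silently revert it; I would add a comment above the return: `// 'await' is required here: without it the rejected promise escapes this try block and defaultAccount() rejects instead of resolving to undefined.` The catch below still downgrades every failure to a debug message and `undefined`, including the explicit 'Unable to resolve AWS credentials' throw just above it, so an operator running with expired or misconfigured credentials sees nothing unless debug logging is on; if callers do not surface a clearer error later, consider logging at a visible level before returning undefined. The enclosing method starts before this hunk, so I cannot tell from here whether its result is cached or how callers react to undefined.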
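Review bot: `getCallerIdentityError` is module-level state read by the STS mock in `beforeEach`, but the hunk does not reset it, so a test that sets it (both new tests do) leaks the error into every later test in the file unless something outside this hunk clears it; the visible part of `beforeEach` only reinitialises `uid`. Add `getCallerIdentityError = null;` next to `uid = ...` in `beforeEach` so each test starts with a healthy STS. A short comment on the declaration, e.g. `// When set, the mocked STS.getCallerIdentity fails with this error (reset per test)`, would make the coupling to the mock visible to the next person adding a test.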
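Review bot: The mock now hands the callback both the error and a fully populated identity at `cb(getCallerIdentityError, { Account: ... })`; a real SDK call that fails does not deliver a result alongside the error, so code that wrongly consulted the data when err is set would still pass here. Passing no data on failure keeps the fixture honest, e.g. `return cb(getCallerIdentityError, getCallerIdentityError ? undefined : {` with the object literal left unchanged below it — whether `AwsCallback` accepts an undefined data argument I cannot confirm from this hunk. The mock callback continues past the end of the hunk.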
@@ -473,6 +474,35 @@ test('assume fails with unsupported credential_source', async () => { expect(account?.accountId).toEqual(undefined); }); +test('defaultAccount returns undefined if STS call fails', async () => { + // GIVEN + process.env.AWS_ACCESS_KEY_ID = `${uid}akid`; + process.env.AWS_SECRET_ACCESS_KEY = 'sekrit'; + getCallerIdentityError = new Error('Something is wrong here'); + + // WHEN + const provider = await SdkProvider.withAwsCliCompatibleDefaults({ + ...defaultCredOptions, + }); + + // THEN + await expect(provider.defaultAccount()).resolves.toBe(undefined); +}); + +test('plugins are still queried even if current credentials are expired', async () => { + // GIVEN + process.env.AWS_ACCESS_KEY_ID = `${uid}akid`; + process.env.AWS_SECRET_ACCESS_KEY = 'sekrit'; + getCallerIdentityError = new Error('Something is wrong here'); + + // WHEN + const provider = await SdkProvider.withAwsCliCompatibleDefaults({ ...defaultCredOptions }); + await provider.forEnvironment({ ...defaultEnv, account: `${uid}plugin_account_#` }, Mode.ForReading); + + // THEN + expect(pluginQueried).toEqual(true); +}); + /** * Strip shared whitespace from the start of lines */
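Review bot: The second test is titled 'credentials are expired' but the failure it injects is a generic `new Error('Something is wrong here')`, so if `SdkProvider` ever starts distinguishing an expired/invalid-token error from, say, a network failure, this test would stop covering the scenario its name promises; either give the error the shape STS returns for an expired token (an AWS SDK error carrying `code: 'ExpiredToken'`, if that matches what the provider inspects) or rename the test to 'even if getCallerIdentity fails'. The test also asserts only `pluginQueried`, not that the SDK returned by `forEnvironment` actually uses the plugin's credentials, so a provider that queried the plugin and then fell back to the failing default credentials would still pass; asserting on the returned SDK (for example its resolved account) would close that gap. Both tests set `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` on `process.env` and neither clears them; I assume an `afterEach` elsewhere in the file restores the environment, since the existing tests presumably do the same, but it is worth confirming.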