diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
index 4280ad430bc56..c937b3a65832b 100644
--- a/CHANGELOG.v2.alpha.md
+++ b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.173.2-alpha.0](https://github.com/aws/aws-cdk/compare/v2.173.1-alpha.0...v2.173.2-alpha.0) (2024-12-17)
+
 ## [2.173.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.173.0-alpha.0...v2.173.1-alpha.0) (2024-12-14)
 
 ## [2.173.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.172.0-alpha.0...v2.173.0-alpha.0) (2024-12-11)
diff --git a/CHANGELOG.v2.md b/CHANGELOG.v2.md
index c188a43ac5618..bfe3129111fe4 100644
--- a/CHANGELOG.v2.md
+++ b/CHANGELOG.v2.md
@@ -2,6 +2,14 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.173.2](https://github.com/aws/aws-cdk/compare/v2.173.1...v2.173.2) (2024-12-17)
+
+
+### Bug Fixes
+
+* **cli:** allow credential plugins to return `null` for `expiration` ([#32554](https://github.com/aws/aws-cdk/issues/32554)) ([e59b1db](https://github.com/aws/aws-cdk/commit/e59b1db4d8da5fc11d0e3beeb136593440100325))
+* **cli:** doesn't support plugins that return initially empty credentials ([#32552](https://github.com/aws/aws-cdk/issues/32552)) ([7ee9b90](https://github.com/aws/aws-cdk/commit/7ee9b909695aca317a11aad16ca983dcc6d6f85a))
+
 ## [2.173.1](https://github.com/aws/aws-cdk/compare/v2.173.0...v2.173.1) (2024-12-14)
 
 
diff --git a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
index c587e0fc20040..b2047bd3fbbfb 100644
--- a/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts
@@ -165,7 +165,7 @@ function isV3Provider(x: PluginProviderResult): x is SDKv3CompatibleCredentialPr
 }
 
 function isV2Credentials(x: PluginProviderResult): x is SDKv2CompatibleCredentials {
-  return !!(x && typeof x === 'object' && x.accessKeyId && (x as SDKv2CompatibleCredentials).getPromise);
+  return !!(x && typeof x === 'object' && (x as SDKv2CompatibleCredentials).getPromise);
 }
 
 function isV3Credentials(x: PluginProviderResult): x is SDKv3CompatibleCredentials {
diff --git a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
index 0fe68a1a637c6..22e4b357e191d 100644
--- a/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
+++ b/packages/aws-cdk/lib/api/aws-auth/provider-caching.ts
@@ -20,5 +20,5 @@ export function makeCachingProvider(provider: AwsCredentialIdentityProvider): Aw
 
 export function credentialsAboutToExpire(token: AwsCredentialIdentity) {
   const expiryMarginSecs = 5;
-  return token.expiration !== undefined && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
+  return !!token.expiration && token.expiration.getTime() - Date.now() < expiryMarginSecs * 1000;
 }
diff --git a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
index f665dc179db9c..af5f6012ed09d 100644
--- a/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
+++ b/packages/aws-cdk/test/api/plugin/credential-plugin.test.ts
@@ -1,4 +1,5 @@
 import { CredentialPlugins } from '../../../lib/api/aws-auth/credential-plugins';
+import { credentialsAboutToExpire } from '../../../lib/api/aws-auth/provider-caching';
 import { CredentialProviderSource, Mode, SDKv3CompatibleCredentials } from '../../../lib/api/plugin/credential-provider-source';
 import { PluginHost, markTesting } from '../../../lib/api/plugin/plugin';
 
@@ -104,6 +105,26 @@ test('plugin can return V2 compatible credential-provider', async () => {
   expect(getPromise).toHaveBeenCalled();
 });
 
+test('plugin can return V2 compatible credential-provider with initially empty keys', async () => {
+  // GIVEN
+  mockCredentialFunction(() => Promise.resolve({
+    accessKeyId: '',
+    secretAccessKey: '',
+    expired: false,
+    getPromise() {
+      this.accessKeyId = 'keyid';
+      return Promise.resolve({});
+    },
+  }));
+
+  // WHEN
+  const creds = await fetchNow();
+
+  await expect(creds).toEqual(expect.objectContaining({
+    accessKeyId: 'keyid',
+  }));
+});
+
 test('plugin must not return something that is not a credential', async () => {
   // GIVEN
   mockCredentialFunction(() => Promise.resolve({
@@ -114,6 +135,15 @@ test('plugin must not return something that is not a credential', async () => {
   await expect(fetchNow()).rejects.toThrow(/Plugin returned a value that/);
 });
 
+test('token expiration is allowed to be null', () => {
+  expect(credentialsAboutToExpire({
+    accessKeyId: 'key',
+    secretAccessKey: 'secret',
+    // This is not allowed according to the `.d.ts` contract, but it can happen in reality
+    expiration: null as any,
+  })).toEqual(false);
+});
+
 function mockCredentialFunction(p: CredentialProviderSource['getProvider']) {
   mockCredentialPlugin({
     name: 'test',
diff --git a/version.v2.json b/version.v2.json
index 31d52cf7acfd4..e4c6ace5a1c12 100644
--- a/version.v2.json
+++ b/version.v2.json
@@ -1,4 +1,4 @@
 {
-  "version": "2.173.1",
-  "alphaVersion": "2.173.1-alpha.0"
+  "version": "2.173.2",
+  "alphaVersion": "2.173.2-alpha.0"
 }
\ No newline at end of file