fix(cli): doesn't support plugins that return initially empty credentials (#32552)

Plugins that return V2 credentials objects, return credentials that are self-refreshing. Those credentials can start out empty, which is perfectly valid.

We shouldn't reject them if they are.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: rix0rrr

packages/aws-cdk/lib/api/aws-auth/credential-plugins.ts

@@ -165,7 +165,7 @@ function isV3Provider(x: PluginProviderResult): x is SDKv3CompatibleCredentialPr
 }
 
 function isV2Credentials(x: PluginProviderResult): x is SDKv2CompatibleCredentials {
-  return !!(x && typeof x === 'object' && x.accessKeyId && (x as SDKv2CompatibleCredentials).getPromise);
+  return !!(x && typeof x === 'object' && (x as SDKv2CompatibleCredentials).getPromise);
 }
 
 function isV3Credentials(x: PluginProviderResult): x is SDKv3CompatibleCredentials {

packages/aws-cdk/test/api/plugin/credential-plugin.test.ts

@@ -104,6 +104,26 @@ test('plugin can return V2 compatible credential-provider', async () => {
   expect(getPromise).toHaveBeenCalled();
 });
 
+test('plugin can return V2 compatible credential-provider with initially empty keys', async () => {
+  // GIVEN
+  mockCredentialFunction(() => Promise.resolve({
+    accessKeyId: '',
+    secretAccessKey: '',
+    expired: false,
+    getPromise() {
+      this.accessKeyId = 'keyid';
+      return Promise.resolve({});
+    },
+  }));
+
+  // WHEN
+  const creds = await fetchNow();
+
+  await expect(creds).toEqual(expect.objectContaining({
+    accessKeyId: 'keyid',
+  }));
+});
+
 test('plugin must not return something that is not a credential', async () => {
   // GIVEN
   mockCredentialFunction(() => Promise.resolve({