diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
index d80e780521..8df666470a 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/delegation/FullCredentialsTokenBinding.java
@@ -22,6 +22,8 @@
 import java.net.URI;
 import java.util.Optional;
 
+import com.google.common.base.Preconditions;
+
 import org.apache.hadoop.conf.Configuration;
 import org.apache.hadoop.fs.s3a.AWSCredentialProviderList;
 import org.apache.hadoop.fs.s3a.S3AUtils;
@@ -73,7 +75,6 @@ public FullCredentialsTokenBinding() {
   @Override
   protected void serviceStart() throws Exception {
     super.serviceStart();
-    loadAWSCredentials();
   }
 
   /**
@@ -116,6 +117,7 @@ private void loadAWSCredentials() throws IOException {
   @Override
   public AWSCredentialProviderList deployUnbonded() throws IOException {
     requireServiceStarted();
+    loadAWSCredentials();
     return new AWSCredentialProviderList(
         "Full Credentials Token Binding",
         new MarshalledCredentialProvider(
@@ -142,7 +144,8 @@ public AbstractS3ATokenIdentifier createTokenIdentifier(
       final EncryptionSecrets encryptionSecrets,
       final Text renewer) throws IOException {
     requireServiceStarted();
-
+    Preconditions.checkNotNull(
+        awsCredentials, "No AWS credentials to use for a delegation token");
     return new FullCredentialsTokenIdentifier(getCanonicalUri(),
         getOwnerText(),
         renewer,