diff --git a/discovery/aws/ec2.go b/discovery/aws/ec2.go
index 539cd84c4f..5fb92559ba 100644
--- a/discovery/aws/ec2.go
+++ b/discovery/aws/ec2.go
@@ -197,7 +197,6 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 	if d.ec2 != nil {
 		return d.ec2, nil
 	}
-	credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
 
 	// Build the HTTP client from the provided HTTPClientConfig.
 	httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "ec2_sd")
@@ -205,14 +204,25 @@ func (d *EC2Discovery) ec2Client(ctx context.Context) (ec2Client, error) {
 		return nil, err
 	}
 
-	// Build the AWS config with the provided region and credentials.
-	cfg, err := awsConfig.LoadDefaultConfig(
-		ctx,
+	// Build the AWS config with the provided region.
+	configOptions := []func(*awsConfig.LoadOptions) error{
 		awsConfig.WithRegion(d.cfg.Region),
-		awsConfig.WithCredentialsProvider(credProvider),
-		awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 		awsConfig.WithHTTPClient(httpClient),
-	)
+	}
+
+	// Only set static credentials if both access key and secret key are provided.
+	// Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+	if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+		credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+		configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+	}
+
+	// Set the profile if provided.
+	if d.cfg.Profile != "" {
+		configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+	}
+
+	cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("could not create aws config: %w", err)
 	}
diff --git a/discovery/aws/lightsail.go b/discovery/aws/lightsail.go
index 5c356c8c45..0220c0ef24 100644
--- a/discovery/aws/lightsail.go
+++ b/discovery/aws/lightsail.go
@@ -161,22 +161,31 @@ func (d *LightsailDiscovery) lightsailClient(ctx context.Context) (*lightsail.Cl
 		return d.lightsail, nil
 	}
 
-	credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
-
 	// Build the HTTP client from the provided HTTPClientConfig.
 	httpClient, err := config.NewClientFromConfig(d.cfg.HTTPClientConfig, "lightsail_sd")
 	if err != nil {
 		return nil, err
 	}
 
-	// Build the AWS config with the provided region and credentials.
-	cfg, err := awsConfig.LoadDefaultConfig(
-		ctx,
+	// Build the AWS config with the provided region.
+	configOptions := []func(*awsConfig.LoadOptions) error{
 		awsConfig.WithRegion(d.cfg.Region),
-		awsConfig.WithCredentialsProvider(credProvider),
-		awsConfig.WithSharedConfigProfile(d.cfg.Profile),
 		awsConfig.WithHTTPClient(httpClient),
-	)
+	}
+
+	// Only set static credentials if both access key and secret key are provided.
+	// Otherwise, let the AWS SDK use its default credential chain (environment variables, IAM role, etc.).
+	if d.cfg.AccessKey != "" && d.cfg.SecretKey != "" {
+		credProvider := credentials.NewStaticCredentialsProvider(d.cfg.AccessKey, string(d.cfg.SecretKey), "")
+		configOptions = append(configOptions, awsConfig.WithCredentialsProvider(credProvider))
+	}
+
+	// Set the profile if provided.
+	if d.cfg.Profile != "" {
+		configOptions = append(configOptions, awsConfig.WithSharedConfigProfile(d.cfg.Profile))
+	}
+
+	cfg, err := awsConfig.LoadDefaultConfig(ctx, configOptions...)
 	if err != nil {
 		return nil, fmt.Errorf("could not create aws config: %w", err)
 	}