diff --git a/internal/jujuclient/dial.go b/internal/jujuclient/dial.go
index c1dfdc835..f63e3a4b6 100644
--- a/internal/jujuclient/dial.go
+++ b/internal/jujuclient/dial.go
@@ -120,6 +120,11 @@ func (d *Dialer) Dial(ctx context.Context, ctl *dbmodel.Controller, modelTag nam
 		}
 	}
 
+	if username == "" || password == "" {
+		zapctx.Error(ctx, "empty username or password")
+		return nil, errors.E(op, errors.CodeNotFound, "missing controller username or password")
+	}
+
 	args := jujuparams.LoginRequest{
 		AuthTag:       names.NewUserTag(username).String(),
 		Credentials:   password,
diff --git a/service.go b/service.go
index 0d2b0be1d..e4260b380 100644
--- a/service.go
+++ b/service.go
@@ -292,23 +292,13 @@ func NewService(ctx context.Context, p Params) (*Service, error) {
 	if err != nil {
 		return nil, errors.E(op, err)
 	}
-	vs, err := newVaultStore(ctx, p)
-	if err != nil {
-		zapctx.Error(ctx, "Vault Store error", zap.Error(err))
+
+	if err := s.setupSecretStore(ctx, p); err != nil {
 		return nil, errors.E(op, err)
 	}
-	if vs != nil {
-		s.jimm.CredentialStore = vs
-	} else {
-		// Only enable Postgres storage for secrets if explictly enabled.
-		if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
-			zapctx.Warn(ctx, "using plaintext postgres for secret storage")
-			s.jimm.CredentialStore = &s.jimm.Database
-		}
-	}
 
 	s.jimm.Dialer = &jujuclient.Dialer{
-		ControllerCredentialsStore: vs,
+		ControllerCredentialsStore: s.jimm.CredentialStore,
 	}
 	if !p.DisableConnectionCache {
 		s.jimm.Dialer = jimm.CacheDialer(s.jimm.Dialer)
@@ -472,6 +462,28 @@ func newAuthenticator(ctx context.Context, db *db.Database, client *ofgaClient.O
 	}, nil
 }
 
+func (s *Service) setupSecretStore(ctx context.Context, p Params) error {
+	const op = errors.Op("newSecretStore")
+	vs, err := newVaultStore(ctx, p)
+	if err != nil {
+		zapctx.Error(ctx, "Vault Store error", zap.Error(err))
+		return errors.E(op, err)
+	}
+	if vs != nil {
+		s.jimm.CredentialStore = vs
+	} else {
+		// Only enable Postgres storage for secrets if explictly enabled.
+		if _, ok := os.LookupEnv("INSECURE_SECRET_STORAGE"); ok {
+			zapctx.Warn(ctx, "using plaintext postgres for secret storage")
+			s.jimm.CredentialStore = &s.jimm.Database
+		}
+	}
+	if s.jimm.CredentialStore == nil {
+		return errors.E(op, "no credential store setup")
+	}
+	return nil
+}
+
 func newVaultStore(ctx context.Context, p Params) (jimmcreds.CredentialStore, error) {
 	if p.VaultSecretFile == "" {
 		return nil, nil