diff --git a/cmd/main.go b/cmd/main.go
index fb4b3f8b..9b67c54d 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -176,10 +176,12 @@ func main() {
 		ocpHostURL := strings.TrimSuffix(ctrlConfig.OPAControlPlaneConfig.Address, "/")
 		opaControlPlaneClient = ocp.New(ocpHostURL, ctrlConfig.OPAControlPlaneConfig.Token)
 
-		s3Client, err = s3.NewClient(*ctrlConfig.UserCredentialHandler.S3)
-		if err != nil {
-			log.Error(err, "unable to create S3 client")
-			exit(err)
+		if ctrlConfig.UserCredentialHandler != nil && ctrlConfig.UserCredentialHandler.S3 != nil {
+			s3Client, err = s3.NewClient(*ctrlConfig.UserCredentialHandler.S3)
+			if err != nil {
+				log.Error(err, "unable to create S3 client")
+				exit(err)
+			}
 		}
 	}
 
diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
index 6be49041..c2ea33a5 100644
--- a/internal/controller/styra/system_controller.go
+++ b/internal/controller/styra/system_controller.go
@@ -628,6 +628,11 @@ func (r *SystemReconciler) reconcileOPASecret(
 ) (ctrl.Result, bool, error) {
 	log.Info("Reconciling OPA secret")
 
+	if r.Config.UserCredentialHandler == nil || r.Config.UserCredentialHandler.S3 == nil {
+		log.Info("No UserCredentialHandler configured, don't create secret")
+		return ctrl.Result{}, false, nil
+	}
+
 	reconcileS3CredentialsStart := time.Now()
 	s3CredentialsRead, result, err := r.reconcileS3Credentials(
 		ctx, log, system, uniqueName, secretName)