diff --git a/credentials/credential.go b/credentials/credential.go
index 76e96a8..5ffe6a1 100644
--- a/credentials/credential.go
+++ b/credentials/credential.go
@@ -259,7 +259,7 @@ func NewCredential(config *Config) (credential Credential, err error) {
 		credential = fromCredentialsProvider("ecs_ram_role", provider)
 	case "ram_role_arn":
 		var credentialsProvider providers.CredentialsProvider
-		if config.SecurityToken != nil {
+		if config.SecurityToken != nil && *config.SecurityToken != "" {
 			credentialsProvider, err = providers.NewStaticSTSCredentialsProviderBuilder().
 				WithAccessKeyId(tea.StringValue(config.AccessKeyId)).
 				WithAccessKeySecret(tea.StringValue(config.AccessKeySecret)).
diff --git a/credentials/credential_test.go b/credentials/credential_test.go
index c41f71c..6243914 100644
--- a/credentials/credential_test.go
+++ b/credentials/credential_test.go
@@ -210,6 +210,18 @@ func TestNewCredentialWithRAMRoleARN(t *testing.T) {
 	cred, err = NewCredential(config)
 	assert.Nil(t, err)
 	assert.NotNil(t, cred)
+
+	// empty security token should ok
+	config.SetSecurityToken("")
+	cred, err = NewCredential(config)
+	assert.Nil(t, err)
+	assert.NotNil(t, cred)
+
+	// with sts should ok
+	config.SetSecurityToken("securitytoken")
+	cred, err = NewCredential(config)
+	assert.Nil(t, err)
+	assert.NotNil(t, cred)
 }
 
 func TestNewCredentialWithBearerToken(t *testing.T) {