diff --git a/pkg/storage/s3.go b/pkg/storage/s3.go
index c3175a68..72718ad2 100644
--- a/pkg/storage/s3.go
+++ b/pkg/storage/s3.go
@@ -138,6 +138,7 @@ func (s *S3) Connect(ctx context.Context) error {
 		)
 		// inherit IRSA and try assume role https://github.com/Altinity/clickhouse-backup/issues/1191
 		if s.Config.AssumeRoleARN != "" && s.Config.AssumeRoleARN != awsRoleARN {
+			awsConfig.Credentials = aws.NewCredentialsCache(awsConfig.Credentials)
 			stsClient = sts.NewFromConfig(awsConfig)
 			awsConfig.Credentials = stscreds.NewAssumeRoleProvider(stsClient, s.Config.AssumeRoleARN)
 		}
@@ -157,6 +158,10 @@ func (s *S3) Connect(ctx context.Context) error {
 		}
 	}
 
+	if awsConfig.Credentials != nil {
+		awsConfig.Credentials = aws.NewCredentialsCache(awsConfig.Credentials)
+	}
+
 	if s.Config.Debug {
 		awsConfig.Logger = newS3Logger(log.Logger)
 		awsConfig.ClientLogMode = aws.LogRetries | aws.LogRequest | aws.LogResponse
diff --git a/test/integration/keeperTLS_test.go b/test/integration/keeperTLS_test.go
index 94e7fafb..d7b3bce5 100644
--- a/test/integration/keeperTLS_test.go
+++ b/test/integration/keeperTLS_test.go
@@ -51,10 +51,11 @@ func TestKeeperTLS(t *testing.T) {
 	// clean and restore
 	r.NoError(env.dropDatabase(dbName, false))
 	env.queryWithNoError(r, fmt.Sprintf("DROP USER IF EXISTS %s %s", rbacUser, onCluster))
+	env.ch.Close()
 	env.DockerExecNoError(r, "clickhouse-backup", "clickhouse-backup", "-c", "/etc/clickhouse-backup/config-s3.yml", "restore", "--rbac", backupName)
 
 	// wait for restart after RBAC restore and check
-	env.connectWithWait(t, r, 500*time.Millisecond, 1*time.Second, 2*time.Minute)
+	env.connectWithWait(t, r, 5*time.Second, 1*time.Second, 2*time.Minute)
 	var rowCount, userCount uint64
 	r.NoError(env.ch.SelectSingleRowNoCtx(&rowCount, fmt.Sprintf("SELECT count() FROM %s.%s", dbName, tableName)))
 	r.Equal(uint64(100), rowCount)