diff --git a/src/core/execute.c b/src/core/execute.c
index b803edb1450..04dcf4b4274 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3423,6 +3423,11 @@ static int setup_credentials(
 _exit(EXIT_FAILURE);
 }
+ /* If the credentials dir is empty and not a mount point, then there's no point in having it. Let's
+ * try to remove it. This matters in particular if we created the dir as mount point but then didn't
+ * actually end up mounting anything on it. In that case we'd rather have ENOENT than EACCESS being
+ * seen by users when trying access this inode. */
+ (void) rmdir(p);
 return 0;
 }
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 1d19685d2ea..2fcc096217d 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -2385,6 +2385,7 @@ int setup_namespace(
 .mode = BIND_MOUNT,
 .read_only = true,
 .source_const = creds_path,
+ .ignore = true,
 };
 } else {
 /* If our service has no credentials store configured, then make the whole
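Review bot: The added `(void) rmdir(p);` at the end of setup_credentials() discards every failure. That is right for the two expected ones (directory not empty, directory is a mount point), but it also hides an unexpected one that would leave a stale, inaccessible credentials directory behind. A debug log for the remaining cases would make that diagnosable, e.g. `if (rmdir(p) < 0 && !IN_SET(errno, ENOTEMPTY, EBUSY)) log_debug_errno(errno, "Failed to remove credentials directory %s, ignoring: %m", p);`. In the comment itself the errno is spelled `EACCESS` where `EACCES` is meant, and "when trying access" is missing a "to". The function body starts outside the hunk, so it should be confirmed that `p` can only name the per-unit credentials directory when this line is reached.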
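Review bot: The new `.ignore = true,` on the credentials bind mount in setup_namespace() has no comment, and it presumably makes a missing `creds_path` silent for any cause, not only for the empty directory that setup_credentials() now removes in the execute.c hunk of this commit. A unit that does expect credentials would then start with no credentials mount and no error from this path, so the intent should be recorded next to the field, e.g. `/* setup_credentials() removes the dir again if nothing was placed in it, hence a missing source is expected here */`. It is also worth confirming that a unit with credentials configured cannot reach this point with the directory absent. The initializer and the rest of setup_namespace() lie outside the hunk, so the exact semantics of `ignore` for other mount errors cannot be checked from here.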