diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 12f32e8051..3ee95e0d89 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -413,11 +413,6 @@ func (b *backend) pathLoginUpdate(
 "role_tag_max_ttl": rTagMaxTTL.String(),
 "role": roleName,
 "ami_id": identityDoc.AmiID,
- // Echo the client nonce back. If nonce was not
- // supplied to the endpoint, callers should
- // extract out the nonce from this field for
- // reauthentication requests.
- "nonce": clientNonce,
 },
 LeaseOptions: logical.LeaseOptions{
 Renewable: true,
@@ -426,6 +421,15 @@ func (b *backend) pathLoginUpdate(
 },
 }
 
+ // Return the nonce only if reauthentication is allowed
+ if !disallowReauthentication {
+ // Echo the client nonce back. If nonce was not
+ // supplied to the endpoint, callers should
+ // extract out the nonce from this field for
+ // reauthentication requests.
+ resp.Auth.Metadata["nonce"] = clientNonce
+ }
+
 // Cap the TTL value.
 shortestTTL := b.System().DefaultLeaseTTL()
 if roleEntry.TTL > time.Duration(0) && roleEntry.TTL < shortestTTL {
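Review bot: The new `if !disallowReauthentication` guard at the start of the second hunk makes the presence of the `nonce` metadata key an observable signal of whether this login may be reauthenticated, and the one-line comment above it says neither that nor why the value is withheld; pathLoginUpdate begins before the hunk, so where `disallowReauthentication` is computed is not visible here. Since the surviving inner comment tells callers to read the nonce from this field for reauthentication requests, a caller whose reauthentication is disallowed now gets no key rather than a value it cannot use, which keeps what functions as a reusable login credential out of the response and anything that records it — worth stating, e.g. `// Return the nonce only if reauthentication is allowed; otherwise the nonce is unusable, so omit the key rather than echo a value the caller has no reason to retain.` A test asserting that `resp.Auth.Metadata` lacks `nonce` when reauthentication is disallowed and carries `clientNonce` when it is allowed would pin the new contract. The assignment also relies on `resp.Auth.Metadata` being the non-nil map literal built in the first hunk, which holds as long as that literal is kept.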