diff --git a/builtin/credential/aws/backend.go b/builtin/credential/aws/backend.go
index 8bcd62d2cbf6..d0fca69f8590 100644
--- a/builtin/credential/aws/backend.go
+++ b/builtin/credential/aws/backend.go
@@ -18,8 +18,10 @@ import (
 )
 
 const amzHeaderPrefix = "X-Amz-"
+
 var defaultAllowedSTSRequestHeaders = []string{
 	"X-Amz-Date",
+	"X-Amz-Credential",
 	"X-Amz-Security-Token",
 	"X-Amz-Algorithm",
 	"X-Amz-Signature",
diff --git a/builtin/credential/aws/path_config_client.go b/builtin/credential/aws/path_config_client.go
index dc380a74fdf2..4719f20055ce 100644
--- a/builtin/credential/aws/path_config_client.go
+++ b/builtin/credential/aws/path_config_client.go
@@ -3,13 +3,13 @@ package awsauth
 import (
 	"context"
 	"errors"
-	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"net/http"
 	"net/textproto"
 	"strings"
 
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/hashicorp/vault/sdk/framework"
+	"github.com/hashicorp/vault/sdk/helper/strutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
 
@@ -336,7 +336,7 @@ type clientConfig struct {
 func (c *clientConfig) validateAllowedSTSHeaderValues(headers http.Header) error {
 	for k := range headers {
 		h := textproto.CanonicalMIMEHeaderKey(k)
-		if strings.HasPrefix(h, amzHeaderPrefix) &&
+		if strings.HasPrefix(h, amzHeaderPrefix) && !strutil.StrListContains(defaultAllowedSTSRequestHeaders, h) &&
 			!strutil.StrListContains(c.AllowedSTSHeaderValues, h) {
 			return errors.New("invalid request header: " + k)
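Review bot: `defaultAllowedSTSRequestHeaders` has no doc comment, yet after this change it is a security boundary: `validateAllowedSTSHeaderValues` in the second file now lets any `X-Amz-*` header through if it appears here, without the operator having opted in via `AllowedSTSHeaderValues`, so anyone extending the list needs to know that widening it widens what a login caller can pass along to STS. The comparison there is against `textproto.CanonicalMIMEHeaderKey` output, so every entry must be spelled in canonical form or it silently never matches; the new `"X-Amz-Credential"` is canonical, but nothing on the declaration says so. I would add above the `var`: `// defaultAllowedSTSRequestHeaders are the X-Amz-* headers accepted on the STS request without being listed in AllowedSTSHeaderValues. Entries must be in canonical MIME form (they are matched after textproto.CanonicalMIMEHeaderKey) and should be limited to SigV4 signing parameters, since anything added here bypasses the operator allow-list.` The slice literal appears to continue past the hunk, so the remaining entries deserve the same canonical-form check.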