aws
diff --git a/‎.changes/next-release/feature-AWSSDKforJavav2-2c52c12.json
+6 b/‎.changes/next-release/feature-AWSSDKforJavav2-2c52c12.json
+6
diff --git a/‎core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java
+32-5 b/‎core/auth/src/main/java/software/amazon/awssdk/auth/credentials/InstanceProfileCredentialsProvider.java
+32-5
diff --git a/‎core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java
+7-6 b/‎core/auth/src/main/java/software/amazon/awssdk/auth/credentials/internal/ProfileCredentialsUtils.java
+7-6
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SDK for Java v2",
+    "contributor": "",
+    "description": "Adds setting to disable making EC2 Instance Metadata Service (IMDS) calls for credentials without a token header when prefetching a token does not work. This feature can be configured through environment variables (AWS_EC2_METADATA_V1_DISABLED), system property (aws.disableEc2MetadataV1) or AWS config file (ec2_metadata_v1_disabled). When you configure this setting to true, no calls without token headers will be made to IMDS."
+}
@@ -40,6 +40,7 @@
 import software.amazon.awssdk.profiles.ProfileFile;
 import software.amazon.awssdk.profiles.ProfileFileSupplier;
 import software.amazon.awssdk.profiles.ProfileFileSystemSetting;
+import software.amazon.awssdk.profiles.ProfileProperty;
 import software.amazon.awssdk.regions.util.HttpResourcesUtils;
 import software.amazon.awssdk.regions.util.ResourcesEndpointProvider;
 import software.amazon.awssdk.utils.Logger;
@@ -225,17 +226,15 @@ private String getToken(String imdsHostname) {
             return HttpResourcesUtils.instance().readResource(tokenEndpoint, "PUT");
         } catch (SdkServiceException e) {
             if (e.statusCode() == 400) {
+
                 throw SdkClientException.builder()
                                         .message("Unable to fetch metadata token.")
                                         .cause(e)
                                         .build();
             }
-
-            log.debug(() -> "Ignoring non-fatal exception while attempting to load metadata token from instance profile.", e);
-            return null;
+            return handleTokenErrorResponse(e);
         } catch (Exception e) {
-            log.debug(() -> "Ignoring non-fatal exception while attempting to load metadata token from instance profile.", e);
-            return null;
+            return handleTokenErrorResponse(e);
         }
     }
 
@@ -247,6 +246,34 @@ private URI getTokenEndpoint(String imdsHostname) {
         return URI.create(finalHost + TOKEN_RESOURCE);
     }
 
+    private String handleTokenErrorResponse(Exception e) {
+        if (isInsecureFallbackDisabled()) {
+            String message = String.format("Failed to retrieve IMDS token, and fallback to IMDS v1 is disabled via the %s "
+                                           + "environment variable and/or %s system property",
+                                           SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.environmentVariable(),
+                                           SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.property());
+            throw SdkClientException.builder()
+                                    .message(message)
+                                    .cause(e)
+                                    .build();
+        }
+        log.debug(() -> "Ignoring non-fatal exception while attempting to load metadata token from instance profile.", e);
+        return null;
+    }
+
+    private boolean isInsecureFallbackDisabled() {
+        return SdkSystemSetting.AWS_EC2_METADATA_V1_DISABLED.getBooleanValueOrThrow() ||
+               (profileFile != null && profileHasFallbackDisabled());
+    }
+
+    private boolean profileHasFallbackDisabled() {
+        return profileFile.get()
+                          .profile(profileName)
+                          .map(p -> p.properties().get(ProfileProperty.EC2_METADATA_V1_DISABLED))
+                          .map(Boolean::parseBoolean)
+                          .orElse(false);
+    }
+
     private String[] getSecurityCredentials(String imdsHostname, String metadataToken) {
         ResourcesEndpointProvider securityCredentialsEndpoint =
             new StaticResourcesEndpointProvider(URI.create(imdsHostname + SECURITY_CREDENTIALS_RESOURCE),
 
@@ -264,13 +264,14 @@ private AwsCredentialsProvider credentialSourceCredentialProvider(CredentialSour
             case EC2_INSTANCE_METADATA:
                 // The IMDS credentials provider should source the endpoint config properties from the currently active profile
                 Ec2MetadataConfigProvider configProvider = Ec2MetadataConfigProvider.builder()
-                        .profileFile(() -> profileFile)
-                        .profileName(name)
-                        .build();
-
+                                                                                    .profileFile(() -> profileFile)
+                                                                                    .profileName(name)
+                                                                                    .build();
                 return InstanceProfileCredentialsProvider.builder()
-                        .endpoint(configProvider.getEndpoint())
-                        .build();
+                                                         .endpoint(configProvider.getEndpoint())
+                                                         .profileFile(profileFile)
+                                                         .profileName(name)
+                                                         .build();
             case ENVIRONMENT:
                 return AwsCredentialsProviderChain.builder()
                     .addCredentialsProvider(SystemPropertyCredentialsProvider.create())