diff --git a/google/auth/aws.py b/google/auth/aws.py
index 8e6c6789c..c640568b8 100644
--- a/google/auth/aws.py
+++ b/google/auth/aws.py
@@ -530,9 +530,10 @@ def _get_metadata_security_credentials(
             google.auth.exceptions.RefreshError: If an error occurs while
                 retrieving the AWS security credentials.
         """
-        headers = {"Content-Type": "application/json"}
         if imdsv2_session_token is not None:
-            headers["X-aws-ec2-metadata-token"] = imdsv2_session_token
+            headers = {"X-aws-ec2-metadata-token": imdsv2_session_token}
+        else:
+            headers = None
 
         response = request(
             url="{}/{}".format(self._security_credentials_url, role_name),
diff --git a/tests/test_aws.py b/tests/test_aws.py
index 1fd78e191..b6b1ca231 100644
--- a/tests/test_aws.py
+++ b/tests/test_aws.py
@@ -1306,7 +1306,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars(
         self.assert_aws_metadata_request_kwargs(
             request.call_args_list[2][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
-            {"Content-Type": "application/json"},
+            None,
         )
 
         # Retrieve subject_token again. Region should not be queried again.
@@ -1329,7 +1329,7 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars(
         self.assert_aws_metadata_request_kwargs(
             new_request.call_args_list[1][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
-            {"Content-Type": "application/json"},
+            None,
         )
 
     @mock.patch("google.auth._helpers.utcnow")
@@ -1394,7 +1394,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2(
             request.call_args_list[4][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
@@ -1431,7 +1430,6 @@ def test_retrieve_subject_token_success_temp_creds_no_environment_vars_idmsv2(
             new_request.call_args_list[2][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
@@ -1488,7 +1486,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_secr
             request.call_args_list[2][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
@@ -1545,7 +1542,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_acce
             request.call_args_list[2][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
@@ -1596,7 +1592,6 @@ def test_retrieve_subject_token_success_temp_creds_environment_vars_missing_cred
             request.call_args_list[2][1],
             "{}/{}".format(SECURITY_CREDS_URL, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )
@@ -1684,7 +1679,6 @@ def test_retrieve_subject_token_success_ipv6(self, utcnow):
             request.call_args_list[4][1],
             "{}/{}".format(SECURITY_CREDS_URL_IPV6, self.AWS_ROLE),
             {
-                "Content-Type": "application/json",
                 "X-aws-ec2-metadata-token": self.AWS_IMDSV2_SESSION_TOKEN,
             },
         )