diff --git a/builtin/credential/aws/path_config_identity.go b/builtin/credential/aws/path_config_identity.go
index eb3ef6e5339e..7974f29caebe 100644
--- a/builtin/credential/aws/path_config_identity.go
+++ b/builtin/credential/aws/path_config_identity.go
@@ -32,6 +32,7 @@ var (
 "inferred_aws_region",
 "inferred_entity_id",
 "inferred_entity_type",
+ "inferred_hostname",
 },
 }
diff --git a/builtin/credential/aws/path_login.go b/builtin/credential/aws/path_login.go
index a7c1905ba4cc..a0e5a96505ce 100644
--- a/builtin/credential/aws/path_login.go
+++ b/builtin/credential/aws/path_login.go
@@ -1456,6 +1456,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 inferredEntityType := ""
 inferredEntityID := ""
+ inferredHostname := ""
 if roleEntry.InferredEntityType == ec2EntityType {
 instance, err := b.validateInstance(ctx, req.Storage, entity.SessionInfo, roleEntry.InferredAWSRegion, callerID.Account)
 if err != nil {
@@ -1482,6 +1483,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 inferredEntityType = ec2EntityType
 inferredEntityID = entity.SessionInfo
+ inferredHostname = *instance.PrivateDnsName
 }
 auth := &logical.Auth{
@@ -1496,6 +1498,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 "inferred_entity_id": inferredEntityID,
 "inferred_aws_region": roleEntry.InferredAWSRegion,
 "account_id": entity.AccountNumber,
+ "inferred_hostname": inferredHostname,
 },
 DisplayName: entity.FriendlyName,
 Alias: &logical.Alias{
@@ -1517,6 +1520,7 @@ func (b *backend) pathLoginUpdateIam(ctx context.Context, req *logical.Request,
 "inferred_entity_id": inferredEntityID,
 "inferred_aws_region": roleEntry.InferredAWSRegion,
 "account_id": entity.AccountNumber,
+ "inferred_hostname": inferredHostname,
 }); err != nil {
 b.Logger().Warn(fmt.Sprintf("unable to set alias metadata due to %s", err))
 }
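Review bot: `inferredHostname = *instance.PrivateDnsName` in the second path_login.go hunk dereferences an SDK pointer field with no nil check; if DescribeInstances returns an instance without that field, the nil dereference panics inside the login handler instead of failing the request. Prefer `inferredHostname = aws.StringValue(instance.PrivateDnsName)` (or guard it with `if instance.PrivateDnsName != nil`), which yields the same empty string the variable is already initialised to in the first hunk. pathLoginUpdateIam begins and ends outside these hunks, so the error handling around validateInstance is not visible here. The later hunks that copy inferredHostname into Auth.Metadata and the alias metadata follow the existing inferred_* pattern and need no change.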
diff --git a/builtin/credential/aws/path_login_test.go b/builtin/credential/aws/path_login_test.go
index fe4a3a766b72..b5b567960767 100644
--- a/builtin/credential/aws/path_login_test.go
+++ b/builtin/credential/aws/path_login_test.go
@@ -408,6 +408,7 @@ func TestBackend_pathLogin_IAMHeaders(t *testing.T) {
 "inferred_aws_region",
 "inferred_entity_id",
 "inferred_entity_type",
+ "inferred_hostname",
 },
 "ec2_alias": "role_id",
 "ec2_metadata": []string{
@@ -614,6 +615,7 @@ func TestBackend_pathLogin_IAMRoleResolution(t *testing.T) {
 "inferred_aws_region",
 "inferred_entity_id",
 "inferred_entity_type",
+ "inferred_hostname",
 },
 "ec2_alias": "role_id",
 "ec2_metadata": []string{
diff --git a/changelog/25418.txt b/changelog/25418.txt
new file mode 100644
index 000000000000..7bee2fa79b65
--- /dev/null
+++ b/changelog/25418.txt
@@ -0,0 +1,4 @@
+ ```release-note:improvement auth/aws: Add inferred_hostname metadata for IAM AWS authentication method. ```
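Review bot: The two path_login_test.go hunks only extend the expected default `iam_metadata` lists; nothing in this diff asserts that a login through an ec2-inferring role actually carries `inferred_hostname` in the returned auth metadata, and the case where the instance has no private DNS name is not exercised as far as these hunks show. If the existing test setup allows it, a case that checks `resp.Auth.Metadata["inferred_hostname"]` both with and without a PrivateDnsName on the looked-up instance would pin the new field and its empty-string fallback. Both TestBackend_pathLogin_IAMHeaders and TestBackend_pathLogin_IAMRoleResolution begin and end outside the hunks.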