diff --git a/builtin/credential/aws-ec2/path_login.go b/builtin/credential/aws-ec2/path_login.go
index 45a64b74a..d880914b5 100644
--- a/builtin/credential/aws-ec2/path_login.go
+++ b/builtin/credential/aws-ec2/path_login.go
@@ -127,7 +127,7 @@ func validateMetadata(clientNonce, pendingTime string, storedIdentity *whitelist
 //
 // This is a weak criterion and hence the `allow_instance_migration` option
 // should be used with caution.
- if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) == 0 {
+ if subtle.ConstantTimeCompare([]byte(clientNonce), []byte(storedIdentity.ClientNonce)) != 1 {
 if !roleEntry.AllowInstanceMigration {
 return fmt.Errorf("client nonce mismatch")
 }
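Review bot: Two empty nonces still pass the changed comparison, because `subtle.ConstantTimeCompare` returns 1 for two zero-length slices; a stored identity with an empty `ClientNonce` would therefore match a login that supplies no nonce. validateMetadata starts and ends outside the hunk, so it is not visible whether an empty value is rejected earlier. If it is not, and an empty nonce is not a supported state for some roles, a guard ahead of the compare would fail closed: `if clientNonce == "" || storedIdentity.ClientNonce == "" { return fmt.Errorf("client nonce missing") }`. A one-line comment on the condition would also help, for example `// ConstantTimeCompare returns 1 only on an exact match; treat every other result as a mismatch.`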