diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
index 1c73d1008..800c4a294 100644
--- a/pkg/credentials/assume_role.go
+++ b/pkg/credentials/assume_role.go
@@ -93,7 +93,8 @@ type STSAssumeRoleOptions struct {
 AccessKey string
 SecretKey string
- Policy string // Optional to assign a policy to the assumed role
+ SessionToken string // Optional if the first request is made with temporary credentials.
+ Policy string // Optional to assign a policy to the assumed role
 Location string // Optional commonly needed with AWS STS.
 DurationSeconds int // Optional defaults to 1 hour.
@@ -101,6 +102,7 @@ type STSAssumeRoleOptions struct {
 // Optional only valid if using with AWS STS
 RoleARN string
 RoleSessionName string
+ ExternalID string
 }
 // NewSTSAssumeRole returns a pointer to a new
@@ -161,6 +163,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 if opts.Policy != "" {
 v.Set("Policy", opts.Policy)
 }
+ if opts.ExternalID != "" {
 v.Set("ExternalId", opts.ExternalID)
+ }
 u, err := url.Parse(endpoint)
 if err != nil {
@@ -181,6 +186,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 }
 req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 req.Header.Set("X-Amz-Content-Sha256", hex.EncodeToString(hash.Sum(nil)))
+ if opts.SessionToken != "" {
 req.Header.Set("X-Amz-Security-Token", opts.SessionToken)
+ }
 req = signer.SignV4STS(*req, opts.AccessKey, opts.SecretKey, opts.Location)
 resp, err := clnt.Do(req)
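Review bot: The comment on the new SessionToken field in the first hunk ("Optional if the first request is made with temporary credentials.") reads as if the token were optional precisely when the credentials are temporary, which is the opposite of what the later hunk implements: the token is sent only when set, and a request signed with temporary AccessKey/SecretKey but no token will be rejected by STS. Suggest `SessionToken string // Optional; required when AccessKey/SecretKey are temporary credentials (sent as X-Amz-Security-Token).` so the caller knows both the condition and the wire form. The STSAssumeRoleOptions struct starts before this hunk.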
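Review bot: The new ExternalID field in the second hunk is the only field in this struct group without a trailing comment, and its name does not say how it is used. Since the third hunk sends it as the ExternalId form parameter, document that: `ExternalID string // Optional; sent as the ExternalId parameter of the AssumeRole request (AWS STS only).` The closing `}` of the struct is inside the hunk but its header is not.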
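Review bot: The X-Amz-Security-Token header added in the last hunk is correct only because it is set before the `signer.SignV4STS` call on the following line; if a later refactor moves it after signing, the token would not be covered by the signature and STS would reject the request (assuming SignV4STS includes the X-Amz-* headers present on the request in its canonical headers, which cannot be confirmed from this hunk). That ordering dependency deserves a comment on the new block, e.g. `// Set the session token before signing so it is included in the signed headers.` The body of getAssumeRoleCredentials continues outside the hunk on both sides.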