diff --git a/config/config.go b/config/config.go
index ec37a53e..5109a9ee 100644
--- a/config/config.go
+++ b/config/config.go
@@ -107,6 +107,7 @@ var (
 	S3Region string
 	S3Endpoint string
 	S3AssumeRoleArn string
+	S3AssumeRoleExternalID string
 	S3MultiRegion bool
 	S3DecryptionClientEnabled bool
 
@@ -303,6 +304,7 @@ func Reset() {
 	S3Region = ""
 	S3Endpoint = ""
 	S3AssumeRoleArn = ""
+	S3AssumeRoleExternalID = ""
 	S3MultiRegion = false
 	S3DecryptionClientEnabled = false
 	GCSEnabled = false
@@ -514,6 +516,7 @@ func Configure() error {
 	configurators.String(&S3Region, "IMGPROXY_S3_REGION")
 	configurators.String(&S3Endpoint, "IMGPROXY_S3_ENDPOINT")
 	configurators.String(&S3AssumeRoleArn, "IMGPROXY_S3_ASSUME_ROLE_ARN")
+	configurators.String(&S3AssumeRoleExternalID, "IMGPROXY_S3_ASSUME_ROLE_EXTERNAL_ID")
 	configurators.Bool(&S3MultiRegion, "IMGPROXY_S3_MULTI_REGION")
 	configurators.Bool(&S3DecryptionClientEnabled, "IMGPROXY_S3_USE_DECRYPTION_CLIENT")
 
diff --git a/transport/s3/s3.go b/transport/s3/s3.go
index 7afec0e1..3bfdbf43 100644
--- a/transport/s3/s3.go
+++ b/transport/s3/s3.go
@@ -66,7 +66,11 @@ func New() (http.RoundTripper, error) {
 	}
 
 	if len(config.S3AssumeRoleArn) != 0 {
-		creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(conf), config.S3AssumeRoleArn)
+		creds := stscreds.NewAssumeRoleProvider(sts.NewFromConfig(conf), config.S3AssumeRoleArn, func(o *stscreds.AssumeRoleOptions) {
+			if len(config.S3AssumeRoleExternalID) != 0 {
+				o.ExternalID = aws.String(config.S3AssumeRoleExternalID)
+			}
+		})
 		conf.Credentials = creds
 	}
 
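Review bot: The added `o.ExternalID = aws.String(config.S3AssumeRoleExternalID)` line in the transport/s3/s3.go hunk is the only use of the `aws` package visible in this diff, and no import change is shown for that file; if s3.go does not already import `github.com/aws/aws-sdk-go-v2/aws`, the build breaks, so confirm the import exists or take the address of a local copy instead (`ext := config.S3AssumeRoleExternalID; o.ExternalID = &ext`). The option closure also deserves a why-comment, because an empty value silently leaves the AssumeRole call unchanged and a reader may not know what the field is for: `// ExternalID is the confused-deputy guard for cross-account roles; it is only sent when configured, and only has effect if the role's trust policy conditions on sts:ExternalId.` The config/config.go hunks are consistent with the neighbouring S3 settings and raise nothing further. New starts before and continues past the hunk.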