diff --git a/README.md b/README.md
index a6cd891c..de594ecc 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,7 @@ The precedence of configurations is as described below.
 |`--dynamodb-table` | `AWS_DYNAMODB_TABLE` | `aws.dynamodb-table` | AWS DynamoDB table for locks | - |
 |`--s3-bucket` | `AWS_BUCKET` | `aws.bucket` | AWS S3 bucket | - |
 |`--app-role-arn` | `APP_ROLE_ARN` | `aws.app-role-arn` | Role ARN to Assume | - |
+|`--aws-external-id` | `AWS_EXTERNAL_ID` | `aws.external-id` | External ID to use when assuming role | - |
 |`--key-prefix` | `AWS_KEY_PREFIX` | `aws.key-prefix` | AWS Key Prefix | - |
 |`--file-extension` | `AWS_FILE_EXTENSION` | `aws.file-extension` | File extension(s) of state files. Use multiple CLI flags or a comma separated list ENV variable | .tfstate |
 |`--base-url` | `TERRABOARD_BASE_URL` | `web.base-url` | Base URL | / |
diff --git a/config/config.go b/config/config.go
index f019da2a..685e24fa 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,6 +45,7 @@ type AWSConfig struct {
 	Endpoint string `long:"aws-endpoint" env:"AWS_ENDPOINT" yaml:"endpoint" description:"AWS endpoint."`
 	Region string `long:"aws-region" env:"AWS_REGION" yaml:"region" description:"AWS region."`
 	APPRoleArn string `long:"aws-role-arn" env:"APP_ROLE_ARN" yaml:"app-role-arn" description:"Role ARN to Assume."`
+	ExternalID string `long:"aws-external-id" env:"AWS_EXTERNAL_ID" yaml:"external-id" description:"External ID to use when assuming role."`
 }
 
 // TFEConfig stores the Terraform Enterprise configuration
diff --git a/state/aws.go b/state/aws.go
index 1bb9e855..b0f90dd5 100644
--- a/state/aws.go
+++ b/state/aws.go
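Review bot: The new `ExternalID` field's description does not say what the value is for or when it takes effect, so an operator is likely to either treat it as a secret or set it without `aws-role-arn` and have it silently ignored (the state/aws.go hunk only applies it inside the role-ARN branch). The external ID is the confused-deputy check that STS compares against the `sts:ExternalId` condition in the target role's trust policy; it is not a credential, but it must match that condition exactly or the AssumeRole call fails. Suggest `description:"External ID sent to STS when assuming aws-role-arn; must match the role trust policy's sts:ExternalId condition. Ignored when no role ARN is set."` so the flag help and the README row agree on that contract. The `AWSConfig` struct header lies before the hunk.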
@@ -35,7 +35,11 @@ func NewAWS(c *config.Config) AWS {
 	if len(c.AWS.APPRoleArn) > 0 {
 		log.Debugf("Using %s role", c.AWS.APPRoleArn)
-		creds := stscreds.NewCredentials(sess, c.AWS.APPRoleArn)
+		creds := stscreds.NewCredentials(sess, c.AWS.APPRoleArn, func(p *stscreds.AssumeRoleProvider) {
+			if c.AWS.ExternalID != "" {
+				p.ExternalID = aws_sdk.String(c.AWS.ExternalID)
+			}
+		})
 		awsConfig.WithCredentials(creds)
 	}