diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
index 078ffaa471..6bf4b73651 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/Constants.java
@@ -94,6 +94,11 @@ private Constants() {
public static final String ASSUMED_ROLE_ARN =
"fs.s3a.assumed.role.arn";
+ /**
+ * external id for assume role request: {@value}.
+ */
+ public static final String ASSUMED_ROLE_EXTERNAL_ID = "fs.s3a.assumed.role.external.id";
+
/**
* Session name for the assumed role, must be valid characters according
* to the AWS APIs: {@value}.
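Review bot: The Javadoc on the new ASSUMED_ROLE_EXTERNAL_ID constant does not say the setting is optional, which is the one thing a reader of this file needs, since the neighbouring constants (ASSUMED_ROLE_SESSION_NAME just below) describe their contract in a full sentence. The provider only attaches the value when it is non-empty, so the comment can state that directly: `/** Optional external ID sent on the assume-role request when set; only the role's trust policy checks it: {@value}. */`. Capitalising the first word and ending with a period would also match the sibling Javadoc style in this block.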
diff --git a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
index c2ac8fe4c8..ce20684fec 100644
--- a/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
+++ b/hadoop-tools/hadoop-aws/src/main/java/org/apache/hadoop/fs/s3a/auth/AssumedRoleCredentialProvider.java
@@ -125,6 +125,7 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
duration = conf.getTimeDuration(ASSUMED_ROLE_SESSION_DURATION,
ASSUMED_ROLE_SESSION_DURATION_DEFAULT, TimeUnit.SECONDS);
String policy = conf.getTrimmed(ASSUMED_ROLE_POLICY, "");
+ String externalId = conf.getTrimmed(ASSUMED_ROLE_EXTERNAL_ID, "");
LOG.debug("{}", this);
@@ -132,6 +133,10 @@ public AssumedRoleCredentialProvider(@Nullable URI fsUri, Configuration conf)
AssumeRoleRequest.builder().roleArn(arn).roleSessionName(sessionName)
.durationSeconds((int) duration);
+ if (StringUtils.isNotEmpty(externalId)) {
+ requestBuilder.externalId(externalId);
+ }
+
if (StringUtils.isNotEmpty(policy)) {
LOG.debug("Scope down policy {}", policy);
requestBuilder.policy(policy);
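Review bot: The new external-id branch is silent, unlike the policy branch directly below it which logs at debug when it is applied, so a wrongly spelled property name or an empty value leaves no trace when STS rejects the assume-role call. Log the presence of the id without its value, e.g. `LOG.debug("External ID set on assume role request");` inside the new `if`; the value itself should stay out of logs, as it is what distinguishes the intended caller in the role's trust policy. The constructor this sits in starts and ends outside the hunk, and the earlier hunk at line 125 only reads the property, so the two together are the whole change.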
diff --git a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
index 065a757f21..ba1bc4b362 100644
--- a/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
+++ b/hadoop-tools/hadoop-aws/src/site/markdown/tools/hadoop-aws/assumed_roles.md
@@ -153,6 +153,14 @@ Here are the full set of configuration options.
+
+ fs.s3a.assumed.role.external.id
+ arbitrary value, specific by user in AWS console
+
+ External id for assumed role, it's an optional configuration. "https://aws.amazon.com/cn/blogs/security/how-to-use-external-id-when-granting-access-to-your-aws-resources/"
+
+
+
fs.s3a.assumed.role.policy