diff --git a/pkg/credentials/assume_role.go b/pkg/credentials/assume_role.go
index 107a11b14..12ed08427 100644
--- a/pkg/credentials/assume_role.go
+++ b/pkg/credentials/assume_role.go
@@ -94,6 +94,8 @@ type STSAssumeRoleOptions struct {
 AccessKey string
 SecretKey string
+ Policy string // Optional to assign a policy to the assumed role
+ Location string // Optional commonly needed with AWS STS.
 DurationSeconds int // Optional defaults to 1 hour.
@@ -157,6 +159,9 @@ func getAssumeRoleCredentials(clnt *http.Client, endpoint string, opts STSAssume
 } else {
 v.Set("DurationSeconds", strconv.Itoa(defaultDurationSeconds))
 }
+ if opts.Policy != "" {
+ v.Set("Policy", opts.Policy)
+ }
 u, err := url.Parse(endpoint)
 if err != nil {
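Review bot: The comment on the new `Policy` field does not say what format the value takes or how it affects the credentials that come back. On AWS STS the AssumeRole `Policy` parameter is an inline session policy supplied as a JSON document, and the temporary credentials receive the intersection of the role's permissions and that policy, so it can only narrow access; if the endpoints this client targets behave the same way, the comment should say so, so that callers do not expect the field to grant anything. Suggested wording: `Policy string // Optional inline session policy (JSON document); can only restrict, never extend, the permissions of the returned credentials`. The struct definition starts and ends outside the hunk.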
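Review bot: `opts.Policy` is forwarded unchecked by the added `v.Set("Policy", opts.Policy)`, so a malformed or oversized document is only rejected by the server, possibly with an error that does not point back at the policy. A cheap local check such as `json.Valid([]byte(opts.Policy))` before setting the value would fail early with a clear message; it needs `encoding/json`, and the file's import block is not visible here. How `v` is transmitted is also outside the hunk: if the values end up in the URL query string rather than the request body, the policy text will show up in proxy and access logs and is subject to URL length limits, which is worth confirming. getAssumeRoleCredentials starts and ends outside the hunk.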