diff --git a/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/AwsS3Service.java b/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/AwsS3Service.java
index 709476c380382..0fcc8426936af 100644
--- a/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/AwsS3Service.java
+++ b/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/AwsS3Service.java
@@ -64,5 +64,5 @@ final class REPOSITORY_S3 {
 
     AmazonS3 client(String endpoint, String protocol, String region, String account, String key);
 
-    AmazonS3 client(String endpoint, String protocol, String region, String account, String key, Integer maxRetries);
+    AmazonS3 client(String endpoint, String protocol, String region, String account, String key, String token, Integer maxRetries);
 }
diff --git a/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java b/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
index 624cea4ff970e..61b68d612b4bc 100644
--- a/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
+++ b/plugins/cloud-aws/src/main/java/org/elasticsearch/cloud/aws/InternalAwsS3Service.java
@@ -57,16 +57,16 @@ public synchronized AmazonS3 client() {
         String endpoint = getDefaultEndpoint();
         String account = settings.get(CLOUD_S3.KEY, settings.get(CLOUD_AWS.KEY));
         String key = settings.get(CLOUD_S3.SECRET, settings.get(CLOUD_AWS.SECRET));
-        return getClient(endpoint, null, account, key, null);
+        return getClient(endpoint, null, account, key, null, null);
     }
 
     @Override
     public AmazonS3 client(String endpoint, String protocol, String region, String account, String key) {
-        return client(endpoint, protocol, region, account, key, null);
+        return client(endpoint, protocol, region, account, key, null, null);
     }
 
     @Override
-    public synchronized AmazonS3 client(String endpoint, String protocol, String region, String account, String key, Integer maxRetries) {
+    public synchronized AmazonS3 client(String endpoint, String protocol, String region, String account, String key, String token, Integer maxRetries) {
         if (region != null && endpoint == null) {
             endpoint = getEndpoint(region);
             logger.debug("using s3 region [{}], with endpoint [{}]", region, endpoint);
@@ -78,11 +78,11 @@ public synchronized AmazonS3 client(String endpoint, String protocol, String reg
             key = settings.get(CLOUD_S3.SECRET, settings.get(CLOUD_AWS.SECRET));
         }
 
-        return getClient(endpoint, protocol, account, key, maxRetries);
+        return getClient(endpoint, protocol, account, key, token, maxRetries);
     }
 
 
-    private synchronized AmazonS3 getClient(String endpoint, String protocol, String account, String key, Integer maxRetries) {
+    private synchronized AmazonS3 getClient(String endpoint, String protocol, String account, String key, String token, Integer maxRetries) {
         Tuple<String, String> clientDescriptor = new Tuple<String, String>(endpoint, account);
         AmazonS3Client client = clients.get(clientDescriptor);
         if (client != null) {
@@ -149,7 +149,7 @@ private synchronized AmazonS3 getClient(String endpoint, String protocol, String
             );
         } else {
             credentials = new AWSCredentialsProviderChain(
-                    new StaticCredentialsProvider(new BasicAWSCredentials(account, key))
+                    new StaticCredentialsProvider(getCredentials(account, key, token))
             );
         }
         client = new AmazonS3Client(credentials, clientConfiguration);
@@ -161,6 +161,13 @@ private synchronized AmazonS3 getClient(String endpoint, String protocol, String
         return client;
     }
 
+    private AWSCredentials getCredentials(String account, String key, String token) {
+        return token == null ?
+            new BasicAWSCredentials(account, key)
+            :
+            new BasicSessionCredentials(account, key, token);
+    }
+
     private String getDefaultEndpoint() {
         String endpoint = null;
         if (settings.get(CLOUD_S3.ENDPOINT) != null) {
diff --git a/plugins/cloud-aws/src/main/java/org/elasticsearch/repositories/s3/S3Repository.java b/plugins/cloud-aws/src/main/java/org/elasticsearch/repositories/s3/S3Repository.java
index f9bda2d471344..85217cefafa65 100644
--- a/plugins/cloud-aws/src/main/java/org/elasticsearch/repositories/s3/S3Repository.java
+++ b/plugins/cloud-aws/src/main/java/org/elasticsearch/repositories/s3/S3Repository.java
@@ -128,8 +128,14 @@ public S3Repository(RepositoryName name, RepositorySettings repositorySettings,
         logger.debug("using bucket [{}], region [{}], endpoint [{}], protocol [{}], chunk_size [{}], server_side_encryption [{}], buffer_size [{}], max_retries [{}], cannedACL [{}], storageClass [{}]",
                 bucket, region, endpoint, protocol, chunkSize, serverSideEncryption, bufferSize, maxRetries, cannedACL, storageClass);
 
-        blobStore = new S3BlobStore(settings, s3Service.client(endpoint, protocol, region, repositorySettings.settings().get("access_key"), repositorySettings.settings().get("secret_key"), maxRetries),
-                bucket, region, serverSideEncryption, bufferSize, maxRetries, cannedACL, storageClass);
+        blobStore = new S3BlobStore(
+            settings,
+            s3Service.client(endpoint, protocol, region,
+                repositorySettings.settings().get("access_key"),
+                repositorySettings.settings().get("secret_key"),
+                repositorySetttings.settings().get("security_token"),
+                maxRetries),
+            bucket, region, serverSideEncryption, bufferSize, maxRetries, cannedACL, storageClass);
 
         String basePath = repositorySettings.settings().get("base_path", settings.get(REPOSITORY_S3.BASE_PATH));
         if (Strings.hasLength(basePath)) {
diff --git a/plugins/cloud-aws/src/test/java/org/elasticsearch/cloud/aws/TestAwsS3Service.java b/plugins/cloud-aws/src/test/java/org/elasticsearch/cloud/aws/TestAwsS3Service.java
index 92e4d72ac27ef..3e70e6d352326 100644
--- a/plugins/cloud-aws/src/test/java/org/elasticsearch/cloud/aws/TestAwsS3Service.java
+++ b/plugins/cloud-aws/src/test/java/org/elasticsearch/cloud/aws/TestAwsS3Service.java
@@ -60,8 +60,8 @@ public synchronized AmazonS3 client(String endpoint, String protocol, String reg
     }
 
     @Override
-    public synchronized AmazonS3 client(String endpoint, String protocol, String region, String account, String key, Integer maxRetries) {
-        return cachedWrapper(super.client(endpoint, protocol, region, account, key, maxRetries));
+    public synchronized AmazonS3 client(String endpoint, String protocol, String region, String account, String key, String token, Integer maxRetries) {
+        return cachedWrapper(super.client(endpoint, protocol, region, account, key, null, maxRetries));
     }
 
     private AmazonS3 cachedWrapper(AmazonS3 client) {