diff --git a/lib/ex_aws/auth.ex b/lib/ex_aws/auth.ex
index dec6b65d..858f9fec 100644
--- a/lib/ex_aws/auth.ex
+++ b/lib/ex_aws/auth.ex
@@ -2,6 +2,8 @@ defmodule ExAws.Auth do
 import ExAws.Auth.Utils
 alias Timex.DateFormat
+ @moduledoc false
+
 def headers(http_method, url, service, config, headers, body) do
 now = %{Timex.Date.now | ms: 0}
 headers = [
@@ -22,7 +24,13 @@ defmodule ExAws.Auth do
 now)
 [{"Authorization", auth_header} | headers ]
+ |> handle_temp_credentials(config)
+ end
+
+ def handle_temp_credentials(headers, %{security_token: token}) do
+ [{"X-Amz-Security-Token", token} | headers]
 end
+ def handle_temp_credentials(headers, _), do: headers
 def auth_header(access_key, secret_key, http_method, url, region, service, headers, body, now) do
 date = DateFormat.format!(now, "%Y%m%d", :strftime)
diff --git a/lib/ex_aws/config.ex b/lib/ex_aws/config.ex
index 919cbcb0..a8537de5 100644
--- a/lib/ex_aws/config.ex
+++ b/lib/ex_aws/config.ex
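Review bot: The first `handle_temp_credentials/2` clause matches any config that has a `security_token` key, including one whose value is `nil`, so a missing token (for example `result["Token"]` in instance_meta.ex returning nil) would produce an `X-Amz-Security-Token` header with a nil value. Guarding the clause, `def handle_temp_credentials(headers, %{security_token: token}) when is_binary(token) do`, lets that case fall through to the catch-all. The token is also prepended after `auth_header` has been computed, so it does not appear to be among the signed headers; it is worth confirming that every targeted service accepts an unsigned session-token header, since some AWS services expect it to be part of the signed request. The body of `headers/6` starts outside this hunk, so the signing inputs are only partly visible here.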
@@ -37,25 +37,28 @@ defmodule ExAws.Config do
 def retrieve_runtime_config(%{config: config} = client) do
 new_config = config |> Enum.reduce(%{}, fn {k, v}, config ->
- Map.put(config, k, retrieve_runtime_value(k, v, client))
+ case retrieve_runtime_value(v, client) do
+ %{} = result -> Map.merge(config, result)
+ value -> Map.put(config, k, value)
+ end
 end)
 %{client | config: new_config}
 end
- def retrieve_runtime_value(_, {:system, env_key}, _) do
+ def retrieve_runtime_value({:system, env_key}, _) do
 System.get_env(env_key)
 end
- def retrieve_runtime_value(k, :instance_role, client) do
+ def retrieve_runtime_value(:instance_role, client) do
 client |> ExAws.Config.AuthCache.get
- |> Map.get(k)
+ |> Map.take([:access_key_id, :secret_access_key, :security_token])
 end
- def retrieve_runtime_value(key, values, client) when is_list(values) do
+ def retrieve_runtime_value(values, client) when is_list(values) do
 values
- |> Stream.map(&retrieve_runtime_value(key, &1, client))
+ |> Stream.map(&retrieve_runtime_value(&1, client))
 |> Enum.find(&(&1))
 end
- def retrieve_runtime_value(_, value, _), do: value
+ def retrieve_runtime_value(value, _), do: value
 end
diff --git a/lib/ex_aws/instance_meta.ex b/lib/ex_aws/instance_meta.ex
index 40569cf0..3d3c108f 100644
--- a/lib/ex_aws/instance_meta.ex
+++ b/lib/ex_aws/instance_meta.ex
@@ -18,6 +18,7 @@ defmodule ExAws.InstanceMeta do
 %{
 access_key_id: result["AccessKeyId"],
 secret_access_key: result["SecretAccessKey"],
+ security_token: result["Token"],
 expiration: result["Expiration"]
 }
 end
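Review bot: In the reduce inside `retrieve_runtime_config/1`, the `%{} = result -> Map.merge(config, result)` branch fires for every map-shaped value, not only the credentials returned for `:instance_role`, so a config entry whose own value is a map or struct would be flattened into the top level and its key `k` dropped. The merge also writes all three credential keys whenever any single key resolves to the instance role, so with a fallback list the final pairing of `access_key_id`, `secret_access_key` and `security_token` seems to depend on iteration order and could mix a statically configured key with a role's session token. Returning a tagged value from the `:instance_role` clause and matching it explicitly, e.g. `{:merge, creds} -> Map.merge(config, creds)`, would keep the merge limited to that source. Separately, `Map.take/2` always returns a map, which `Enum.find(&(&1))` treats as truthy even when it is empty; whether that can happen depends on `AuthCache.get`, which is not shown here.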