diff --git a/manifests/profile.pp b/manifests/profile.pp
index 3d4f018..c600789 100644
--- a/manifests/profile.pp
+++ b/manifests/profile.pp
@@ -32,6 +32,11 @@
 # [$source_profile]
 # The profile to use for credentials to assume the specified role
 #
+# [credential_source]
+# Used within EC2 instances or EC2 containers to specify where the AWS CLI can find credentials
+# to use to assume the role you specified with the role_arn parameter.
+# You cannot specify both source_profile and credential_source in the same profile.
+#
 # [$role_session_name]
 # An identifier for the assumed role session
 #
@@ -70,6 +75,7 @@
 $aws_secret_access_key = undef,
 $role_arn = undef,
 $source_profile = undef,
+ $credential_source = undef,
 $role_session_name = undef,
 $aws_region = 'us-east-1',
 $profile_name = 'default',
@@ -108,6 +114,14 @@
 $group_real = $group
 }
+ if ($source_profile != undef and $credential_source != undef) {
+ fail("aws cli profile cannot contain both source_profile and credential_source config option")
+ }
+ $valid_credential_sources = ['Environment', 'Ec2InstanceMetadata', 'EcsContainer']
+ if (!$credential_source in $valid_credential_sources) {
+ fail("credential_source config option can contain only $valid_credential_sources")
+ }
+ # ensure $homedir/.aws is available
 if !defined(File["${homedir_real}/.aws"]) {
 file { "${homedir_real}/.aws":
diff --git a/templates/config_concat.erb b/templates/config_concat.erb
index 83cde6c..aafda2b 100644
--- a/templates/config_concat.erb
+++ b/templates/config_concat.erb
@@ -11,6 +11,9 @@ role_arn=<%= @role_arn %>
 <% if @source_profile -%>
 source_profile=<%= @source_profile %>
 <% end -%>
+<% if @credential_source -%>
+credential_source=<%= @credential_source %>
+<% end -%>
 <% if @role_session_name -%>
 role_session_name=<%= @role_session_name %>
 <% end -%>
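Review bot: The new parameter doc is headed `# [credential_source]`, while the neighbouring entries use the `$` form (`# [$source_profile]`, `# [$role_session_name]`), and it does not list the accepted values. I would head it `# [$credential_source]` and add a line such as `# Valid values: Environment, Ec2InstanceMetadata, EcsContainer.` so the doc agrees with the allow-list added further down in this file.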
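Review bot: The allow-list check `if (!$credential_source in $valid_credential_sources)` does not test what it reads as. By Puppet's documented operator precedence `!` binds tighter than `in`, so it evaluates `(!$credential_source) in [...]`; a boolean is never a member of that list of strings, so the second `fail()` is never reached. That matters because templates/config_concat.erb writes the value verbatim into the AWS config, so a typo or any other unexpected string from Hiera lands in the profile unchecked. Parenthesising alone would reject the default `undef`, so the guard needs both parts: `if ($credential_source != undef and !($credential_source in $valid_credential_sources)) {`. The enclosing block starts and ends outside this hunk.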
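Review bot: Nothing visible ties `credential_source=<%= @credential_source %>` to a role being configured. The parameter doc added in manifests/profile.pp says it is used to assume the role given by `role_arn`, yet the new manifest checks do not require `$role_arn` to be set. Whether this block sits inside the template's role_arn conditional is outside the hunk; if it does not, a profile can be rendered with a `credential_source` line and no `role_arn`. A manifest guard along the lines of `if ($credential_source != undef and $role_arn == undef) { fail(...) }` would catch that at compile time.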