diff --git a/state/remote/s3.go b/state/remote/s3.go
index eb810eceb7db..36af551cb59a 100644
--- a/state/remote/s3.go
+++ b/state/remote/s3.go
@@ -66,7 +66,12 @@ func s3Factory(conf map[string]string) (Client, error) {
 		Token:         conf["token"],
 		Profile:       conf["profile"],
 		CredsFilename: conf["shared_credentials_file"],
+		AssumeRoleARN: conf["role_arn"],
 	})
+	if err != nil {
+		return nil, err
+	}
+
 	// Call Get to check for credential provider. If nothing found, we'll get an
 	// error, and we can present it nicely to the user
 	_, err = creds.Get()
diff --git a/website/source/docs/state/remote/s3.html.md b/website/source/docs/state/remote/s3.html.md
index d1a68b1625ec..a345533df376 100644
--- a/website/source/docs/state/remote/s3.html.md
+++ b/website/source/docs/state/remote/s3.html.md
@@ -98,3 +98,4 @@ The following configuration options or environment variables are supported:
    `~/.aws/credentials` will be used.
  * `token` - (Optional) Use this to set an MFA token. It can also be
    sourced from the `AWS_SESSION_TOKEN` environment variable.
+ * `role_arn` - (Optional) The role to be assumed