diff --git a/README.md b/README.md index ac4d0d9..397ed45 100644 --- a/README.md +++ b/README.md @@ -175,6 +175,13 @@ is set to 3600 seconds. A unique identifier that is used by third parties when assuming roles in their customers' accounts. +**sts_http_proxy** + +Proxy url for proxying requests to amazon sts service api. This needs to be set up independently from global http_proxy parameter +for the use case in which requests to kinesis api are going via kinesis vpc endpoint but requests to sts api have to go via http proxy. +It should be added to assume_role_credentials configuration stanza in the next format: + sts_http_proxy http://[username:password]@hostname:port + ### instance_profile_credentials Retrieve temporary security credentials via HTTP request. This is useful on diff --git a/lib/fluent/plugin/kinesis_helper/client.rb b/lib/fluent/plugin/kinesis_helper/client.rb index eeb9abc..40721c5 100644 --- a/lib/fluent/plugin/kinesis_helper/client.rb +++ b/lib/fluent/plugin/kinesis_helper/client.rb @@ -38,6 +38,8 @@ module ClientParams config_param :duration_seconds, :integer, default: nil desc "A unique identifier that is used by third parties when assuming roles in their customers' accounts." config_param :external_id, :string, default: nil, secret: true + desc "A http proxy url for requests to aws sts service" + config_param :sts_http_proxy, :string, default: nil, secret: true end config_section :instance_profile_credentials, multi: false do desc "Number of times to retry when retrieving credentials" 
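Review bot: The `desc` added for `sts_http_proxy` does not tell the operator that the value may embed proxy credentials, which is presumably why it is marked `secret: true`, nor that it is separate from the global `http_proxy`. I would expand it to `desc "HTTP proxy URL used only for AWS STS requests; may contain username:password and is independent of http_proxy"`. Because the README documents an `http://[username:password]@hostname:port` form, it is also worth saying there that credentials for a plain-HTTP proxy are normally sent to the proxy as Basic auth without TLS, so that hop should stay on a trusted network. The `config_section` this parameter belongs to starts outside the hunk.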
@@ -129,8 +131,12 @@ def setup_credentials
 credentials_options[:policy] = c.policy if c.policy
 credentials_options[:duration_seconds] = c.duration_seconds if c.duration_seconds
 credentials_options[:external_id] = c.external_id if c.external_id
- if @region
- credentials_options[:client] = Aws::STS::Client.new(region: @region)
+ if c.sts_http_proxy and @region
+ credentials_options[:client] = Aws::STS::Client.new(region: @region, http_proxy: c.sts_http_proxy)
+ elsif @region
+ credentials_options[:client] = Aws::STS::Client.new(region: @region)
+ elsif c.sts_http_proxy
+ credentials_options[:client] = Aws::STS::Client.new(http_proxy: c.sts_http_proxy)
 end
 options[:credentials] = Aws::AssumeRoleCredentials.new(credentials_options)
 when @instance_profile_credentials
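Review bot: The three-way `if`/`elsif` in `setup_credentials` repeats the `Aws::STS::Client.new` call for every combination of region and proxy, and it treats an empty `sts_http_proxy ""` as configured because an empty string is truthy in Ruby. Building one options hash and constructing the client once removes the duplication, avoids `and` in a boolean condition, and leaves a single place to reject an empty or malformed value before it reaches the SDK. If a validation error is added there, its message should not echo the value, since the URL can carry proxy credentials. `setup_credentials` begins and ends outside this hunk.
```ruby
credentials_options[:external_id] = c.external_id if c.external_id
sts_options = {}
sts_options[:region] = @region if @region
sts_options[:http_proxy] = c.sts_http_proxy unless c.sts_http_proxy.to_s.empty?
credentials_options[:client] = Aws::STS::Client.new(sts_options) unless sts_options.empty?
# … unchanged: options[:credentials] = Aws::AssumeRoleCredentials.new(credentials_options) …
```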