diff --git a/tier-s3.go b/tier-s3.go
index 06c2a8c7..231dec40 100644
--- a/tier-s3.go
+++ b/tier-s3.go
@@ -1,5 +1,5 @@
 //
-// Copyright (c) 2015-2022 MinIO, Inc.
+// Copyright (c) 2015-2023 MinIO, Inc.
 //
 // This file is part of MinIO Object Storage stack
 //
@@ -23,14 +23,17 @@ package madmin
 
 // TierS3 represents the remote tier configuration for AWS S3 compatible backend.
 type TierS3 struct {
-	Endpoint     string `json:",omitempty"`
-	AccessKey    string `json:",omitempty"`
-	SecretKey    string `json:",omitempty"`
-	Bucket       string `json:",omitempty"`
-	Prefix       string `json:",omitempty"`
-	Region       string `json:",omitempty"`
-	StorageClass string `json:",omitempty"`
-	AWSRole      bool   `json:",omitempty"`
+	Endpoint                    string `json:",omitempty"`
+	AccessKey                   string `json:",omitempty"`
+	SecretKey                   string `json:",omitempty"`
+	Bucket                      string `json:",omitempty"`
+	Prefix                      string `json:",omitempty"`
+	Region                      string `json:",omitempty"`
+	StorageClass                string `json:",omitempty"`
+	AWSRoleWebIdentityTokenFile string `json:",omitempty"`
+	AWSRoleARN                  string `json:",omitempty"`
+	AWSRoleSessionName          string `json:",omitempty"`
+	AWSRoleDurationSeconds      int    `json:",omitempty"`
 }
 
 // S3Options supports NewTierS3 to take variadic options
@@ -68,10 +71,34 @@ func S3StorageClass(storageClass string) func(s3 *TierS3) error {
 	}
 }
 
-// S3AWSRole helper to use optional AWS Role to NewTierS3
-func S3AWSRole() func(s3 *TierS3) error {
+// S3AWSRoleWebIdentityTokenFile helper to use optional AWS Role token file to NewTierS3
+func S3AWSRoleWebIdentityTokenFile(tokenFile string) func(s3 *TierS3) error {
 	return func(s3 *TierS3) error {
-		s3.AWSRole = true
+		s3.AWSRoleWebIdentityTokenFile = tokenFile
+		return nil
+	}
+}
+
+// S3AWSRoleARN helper to use optional AWS RoleARN to NewTierS3
+func S3AWSRoleARN(roleARN string) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleARN = roleARN
+		return nil
+	}
+}
+
+// S3AWSRoleSessionName helper to use optional AWS RoleSessionName to NewTierS3
+func S3AWSRoleSessionName(roleSessionName string) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleSessionName = roleSessionName
+		return nil
+	}
+}
+
+// S3AWSRoleDurationSeconds helper to use optional token duration to NewTierS3
+func S3AWSRoleDurationSeconds(dsecs int) func(s3 *TierS3) error {
+	return func(s3 *TierS3) error {
+		s3.AWSRoleDurationSeconds = dsecs
 		return nil
 	}
 }
diff --git a/tier-s3_gen.go b/tier-s3_gen.go
index 420b3480..46bdf12a 100644
--- a/tier-s3_gen.go
+++ b/tier-s3_gen.go
@@ -66,10 +66,28 @@ func (z *TierS3) DecodeMsg(dc *msgp.Reader) (err error) {
 				err = msgp.WrapError(err, "StorageClass")
 				return
 			}
-		case "AWSRole":
-			z.AWSRole, err = dc.ReadBool()
+		case "AWSRoleWebIdentityTokenFile":
+			z.AWSRoleWebIdentityTokenFile, err = dc.ReadString()
 			if err != nil {
-				err = msgp.WrapError(err, "AWSRole")
+				err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile")
+				return
+			}
+		case "AWSRoleARN":
+			z.AWSRoleARN, err = dc.ReadString()
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleARN")
+				return
+			}
+		case "AWSRoleSessionName":
+			z.AWSRoleSessionName, err = dc.ReadString()
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleSessionName")
+				return
+			}
+		case "AWSRoleDurationSeconds":
+			z.AWSRoleDurationSeconds, err = dc.ReadInt()
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleDurationSeconds")
 				return
 			}
 		default:
@@ -85,9 +103,9 @@ func (z *TierS3) DecodeMsg(dc *msgp.Reader) (err error) {
 
 // EncodeMsg implements msgp.Encodable
 func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) {
-	// map header, size 8
+	// map header, size 11
 	// write "Endpoint"
-	err = en.Append(0x88, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74)
+	err = en.Append(0x8b, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74)
 	if err != nil {
 		return
 	}
@@ -156,14 +174,44 @@ func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) {
 		err = msgp.WrapError(err, "StorageClass")
 		return
 	}
-	// write "AWSRole"
-	err = en.Append(0xa7, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65)
+	// write "AWSRoleWebIdentityTokenFile"
+	err = en.Append(0xbb, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, 0x65)
+	if err != nil {
+		return
+	}
+	err = en.WriteString(z.AWSRoleWebIdentityTokenFile)
+	if err != nil {
+		err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile")
+		return
+	}
+	// write "AWSRoleARN"
+	err = en.Append(0xaa, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x52, 0x4e)
+	if err != nil {
+		return
+	}
+	err = en.WriteString(z.AWSRoleARN)
 	if err != nil {
+		err = msgp.WrapError(err, "AWSRoleARN")
 		return
 	}
-	err = en.WriteBool(z.AWSRole)
+	// write "AWSRoleSessionName"
+	err = en.Append(0xb2, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65)
 	if err != nil {
-		err = msgp.WrapError(err, "AWSRole")
+		return
+	}
+	err = en.WriteString(z.AWSRoleSessionName)
+	if err != nil {
+		err = msgp.WrapError(err, "AWSRoleSessionName")
+		return
+	}
+	// write "AWSRoleDurationSeconds"
+	err = en.Append(0xb6, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73)
+	if err != nil {
+		return
+	}
+	err = en.WriteInt(z.AWSRoleDurationSeconds)
+	if err != nil {
+		err = msgp.WrapError(err, "AWSRoleDurationSeconds")
 		return
 	}
 	return
@@ -172,9 +220,9 @@ func (z *TierS3) EncodeMsg(en *msgp.Writer) (err error) {
 // MarshalMsg implements msgp.Marshaler
 func (z *TierS3) MarshalMsg(b []byte) (o []byte, err error) {
 	o = msgp.Require(b, z.Msgsize())
-	// map header, size 8
+	// map header, size 11
 	// string "Endpoint"
-	o = append(o, 0x88, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74)
+	o = append(o, 0x8b, 0xa8, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74)
 	o = msgp.AppendString(o, z.Endpoint)
 	// string "AccessKey"
 	o = append(o, 0xa9, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4b, 0x65, 0x79)
@@ -194,9 +242,18 @@ func (z *TierS3) MarshalMsg(b []byte) (o []byte, err error) {
 	// string "StorageClass"
 	o = append(o, 0xac, 0x53, 0x74, 0x6f, 0x72, 0x61, 0x67, 0x65, 0x43, 0x6c, 0x61, 0x73, 0x73)
 	o = msgp.AppendString(o, z.StorageClass)
-	// string "AWSRole"
-	o = append(o, 0xa7, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65)
-	o = msgp.AppendBool(o, z.AWSRole)
+	// string "AWSRoleWebIdentityTokenFile"
+	o = append(o, 0xbb, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x57, 0x65, 0x62, 0x49, 0x64, 0x65, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x54, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, 0x65)
+	o = msgp.AppendString(o, z.AWSRoleWebIdentityTokenFile)
+	// string "AWSRoleARN"
+	o = append(o, 0xaa, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x41, 0x52, 0x4e)
+	o = msgp.AppendString(o, z.AWSRoleARN)
+	// string "AWSRoleSessionName"
+	o = append(o, 0xb2, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65)
+	o = msgp.AppendString(o, z.AWSRoleSessionName)
+	// string "AWSRoleDurationSeconds"
+	o = append(o, 0xb6, 0x41, 0x57, 0x53, 0x52, 0x6f, 0x6c, 0x65, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73)
+	o = msgp.AppendInt(o, z.AWSRoleDurationSeconds)
 	return
 }
 
@@ -260,10 +317,28 @@ func (z *TierS3) UnmarshalMsg(bts []byte) (o []byte, err error) {
 				err = msgp.WrapError(err, "StorageClass")
 				return
 			}
-		case "AWSRole":
-			z.AWSRole, bts, err = msgp.ReadBoolBytes(bts)
+		case "AWSRoleWebIdentityTokenFile":
+			z.AWSRoleWebIdentityTokenFile, bts, err = msgp.ReadStringBytes(bts)
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleWebIdentityTokenFile")
+				return
+			}
+		case "AWSRoleARN":
+			z.AWSRoleARN, bts, err = msgp.ReadStringBytes(bts)
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleARN")
+				return
+			}
+		case "AWSRoleSessionName":
+			z.AWSRoleSessionName, bts, err = msgp.ReadStringBytes(bts)
+			if err != nil {
+				err = msgp.WrapError(err, "AWSRoleSessionName")
+				return
+			}
+		case "AWSRoleDurationSeconds":
+			z.AWSRoleDurationSeconds, bts, err = msgp.ReadIntBytes(bts)
 			if err != nil {
-				err = msgp.WrapError(err, "AWSRole")
+				err = msgp.WrapError(err, "AWSRoleDurationSeconds")
 				return
 			}
 		default:
@@ -280,6 +355,6 @@ func (z *TierS3) UnmarshalMsg(bts []byte) (o []byte, err error) {
 
 // Msgsize returns an upper bound estimate of the number of bytes occupied by the serialized message
 func (z *TierS3) Msgsize() (s int) {
-	s = 1 + 9 + msgp.StringPrefixSize + len(z.Endpoint) + 10 + msgp.StringPrefixSize + len(z.AccessKey) + 10 + msgp.StringPrefixSize + len(z.SecretKey) + 7 + msgp.StringPrefixSize + len(z.Bucket) + 7 + msgp.StringPrefixSize + len(z.Prefix) + 7 + msgp.StringPrefixSize + len(z.Region) + 13 + msgp.StringPrefixSize + len(z.StorageClass) + 8 + msgp.BoolSize
+	s = 1 + 9 + msgp.StringPrefixSize + len(z.Endpoint) + 10 + msgp.StringPrefixSize + len(z.AccessKey) + 10 + msgp.StringPrefixSize + len(z.SecretKey) + 7 + msgp.StringPrefixSize + len(z.Bucket) + 7 + msgp.StringPrefixSize + len(z.Prefix) + 7 + msgp.StringPrefixSize + len(z.Region) + 13 + msgp.StringPrefixSize + len(z.StorageClass) + 28 + msgp.StringPrefixSize + len(z.AWSRoleWebIdentityTokenFile) + 11 + msgp.StringPrefixSize + len(z.AWSRoleARN) + 19 + msgp.StringPrefixSize + len(z.AWSRoleSessionName) + 23 + msgp.IntSize
 	return
 }