diff --git a/README.md b/README.md
index af9eb35..aa15a70 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,12 @@ useful for production environments.
 If your certificate is not expiring soon, but you need to issue a new one anyways, the `--force-issue` flag can be provided.
+If you would like to specify a profile to use (see http://boto3.readthedocs.io/en/latest/guide/configuration.html),
+provide the profile name with the `--profile-name` argument.
+
+If you would like to specify an aws keys (see http://boto3.readthedocs.io/en/latest/guide/configuration.html),
+provide them with the `--aws-access-key-id`, `--aws-secret-access-key`, and the optional `--aws-session-token` arguments.
+
 If you're into [Docker](https://www.docker.com/), there is an automatically built image of `letsencrypt-aws` available as [`alexgaynor/letsencrypt-aws`](https://hub.docker.com/r/alexgaynor/letsencrypt-aws/).
diff --git a/letsencrypt-aws.py b/letsencrypt-aws.py
index 0fb5a71..71ecbad 100644
--- a/letsencrypt-aws.py
+++ b/letsencrypt-aws.py
@@ -481,14 +481,47 @@ def cli():
 "expiration."
 )
 )
-def update_certificates(persistent=False, force_issue=False):
+@click.option(
+ "--aws-access-key-id", type=str, help=(
+ "Specify an aws access key id (must also use --aws-secret-access-key)"
+ )
+)
+@click.option(
+ "--aws-secret-access-key", type=str, help=(
+ "Specify an aws secret access key (must also use --aws-access-key-id)"
+ )
+)
+@click.option(
+ "--aws-session-token", type=str, help=(
+ """Optional AWS session token
+ (must use both --aws-secret-access-key and --aws-access-key-id)"""
+ )
+)
+@click.option(
+ "--profile-name", type=str, help=(
+ """Specify a profile to use for Boto.
+ See http://boto3.readthedocs.io/en/latest/guide/configuration.html
+ for more information"""
+ )
+)
+def update_certificates(persistent=False, force_issue=False,
+ profile_name=None, aws_access_key_id=None,
+ aws_secret_access_key=None, aws_session_token=None):
 logger = Logger()
 logger.emit("startup")
 if persistent and force_issue:
 raise ValueError("Can't specify both --persistent and --force-issue")
- session = boto3.Session()
+ if aws_access_key_id or aws_secret_access_key or aws_session_token:
+ if aws_access_key_id is None or aws_secret_access_key is None:
+ raise ValueError("""You need to provide both --aws-access-key-id
+ and --aws-secret-access-key""")
+
+ session = boto3.Session(profile_name=profile_name,
+ aws_access_key_id=aws_access_key_id,
+ aws_secret_access_key=aws_secret_access_key,
+ aws_session_token=aws_session_token)
 s3_client = session.client("s3")
 elb_client = session.client("elb")
 route53_client = session.client("route53")
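Review bot: The new `--aws-secret-access-key` and `--aws-session-token` options accept credentials as command-line arguments, where they are readable in the process list and tend to end up in shell history and job logs. `boto3.Session()` already resolves credentials from the environment, the shared credentials file and instance roles when given none, so `--profile-name` alone may cover the use case; if the flags stay, let click take the value from the environment, e.g. `"--aws-secret-access-key", type=str, envvar="AWS_SECRET_ACCESS_KEY", help=(`, and state in the help text that a value passed on the command line is visible to other local users. The pairing check also mixes truthiness with `is None`, so an empty-string key id or secret passes through to `boto3.Session`; `if not (aws_access_key_id and aws_secret_access_key):` closes that gap. The body of `update_certificates` continues beyond this hunk.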