diff --git a/Aws/DynamoDb/Core.hs b/Aws/DynamoDb/Core.hs
--- a/Aws/DynamoDb/Core.hs
+++ b/Aws/DynamoDb/Core.hs
@@ -119,12 +119,15 @@
 import qualified Data.ByteString.Base16       as Base16
 import qualified Data.ByteString.Base64       as Base64
 import qualified Data.ByteString.Char8        as B
+import qualified Data.CaseInsensitive         as CI
 import           Data.Conduit
 import           Data.Conduit.Attoparsec      (sinkParser)
 import           Data.Default
+import           Data.Function                (on)
 import qualified Data.HashMap.Strict          as HM
 import           Data.Int
 import           Data.IORef
+import           Data.List
 import qualified Data.Map                     as M
 import           Data.Maybe
 import           Data.Monoid
@@ -766,14 +769,13 @@
       , sqAuthorization = Just auth
       , sqContentType = Just "application/x-amz-json-1.0"
       , sqContentMd5 = Nothing
-      , sqAmzHeaders = [ ("X-Amz-Target", dyApiVersion <> target)
-                       , ("X-Amz-Date", sigTime)
-                       ]
+      , sqAmzHeaders = amzHeaders ++ maybe [] (\tok -> [("x-amz-security-token",tok)]) (iamToken credentials)
       , sqOtherHeaders = []
       , sqBody = Just $ HTTP.RequestBodyLBS bodyLBS
       , sqStringToSign = canonicalRequest
       }
     where
+        credentials = signatureCredentials sd
 
         Region{..} = ddbcRegion di
         host = rUri
@@ -783,24 +785,25 @@
         bodyLBS = A.encode body
         bodyHash = Base16.encode $ toBytes (hashlazy bodyLBS :: Digest SHA256)
 
-        canonicalRequest = B.concat [ "POST\n"
-                                    , "/\n"
-                                    , "\n" -- query string
-                                    , "content-type:application/x-amz-json-1.0\n"
-                                    , "host:"
-                                    , host
-                                    , "\n"
-                                    , "x-amz-date:"
-                                    , sigTime
-                                    , "\n"
-                                    , "x-amz-target:"
-                                    , dyApiVersion
-                                    , target
-                                    , "\n"
-                                    , "\n" -- end headers
-                                    , "content-type;host;x-amz-date;x-amz-target\n"
-                                    , bodyHash
-                                    ]
+        -- for some reason AWS doesn't want the x-amz-security-token in the canonical request
+        amzHeaders = [ ("x-amz-date", sigTime)
+                     , ("x-amz-target", dyApiVersion <> target)
+                     ]
+
+        canonicalHeaders = sortBy (compare `on` fst) $ amzHeaders ++
+                           [("host", host),
+                            ("content-type", "application/x-amz-json-1.0")]
+
+        canonicalRequest = B.concat $ intercalate ["\n"] (
+                                    [ ["POST"]
+                                    , ["/"]
+                                    , [] -- query string
+                                    ] ++
+                                    map (\(a,b) -> [CI.foldedCase a,":",b]) canonicalHeaders ++
+                                    [ [] -- end headers
+                                    , intersperse ";" (map (CI.foldedCase . fst) canonicalHeaders)
+                                    , [bodyHash]
+                                    ])
 
         auth = authorizationV4 sd HmacSHA256 rName "dynamodb"
                                "content-type;host;x-amz-date;x-amz-target"
diff --git a/Aws/Sqs/Core.hs b/Aws/Sqs/Core.hs
--- a/Aws/Sqs/Core.hs
+++ b/Aws/Sqs/Core.hs
@@ -191,7 +191,7 @@
                        ("SignatureMethod", Just("HmacSHA256")), ("SignatureVersion",Just("2")), ("Version",Just("2012-11-05"))
 
                        ])
-      
+
       expires = AbsoluteExpires $ sqsDefaultExpiry `addUTCTime` signatureTime
 
       expiresString = formatTime defaultTimeLocale "%FT%TZ" (fromAbsoluteTimeInfo expires)
@@ -205,7 +205,7 @@
 
       signedQuery = expandedQuery ++ (HTTP.simpleQueryToQuery $ makeAuthQuery)
 
-      makeAuthQuery = [("Signature", sig)]
+      makeAuthQuery = [("Signature", sig)] ++ maybe [] (\x -> [("x-amz-security-token", x)]) (iamToken signatureCredentials)
 
 sqsResponseConsumer :: HTTPResponseConsumer a
                     -> IORef SqsMetadata
diff --git a/README.org b/README.org
--- a/README.org
+++ b/README.org
@@ -90,6 +90,9 @@
 
 ** 0.10 series
 
+- 0.10.1
+  - support STS / IAM temporary credentials in all services
+
 - 0.10
   - [EXPERIMENTAL!] DynamoDB: support for creating/updating/querying and scanning items
   - SQS: complete overhaul to support 2012-11-05 features
diff --git a/aws.cabal b/aws.cabal
--- a/aws.cabal
+++ b/aws.cabal
@@ -1,5 +1,5 @@
 Name:                aws
-Version:             0.10
+Version:             0.10.1
 Synopsis:            Amazon Web Services (AWS) for Haskell
 Description:         Bindings for Amazon Web Services (AWS), with the aim of supporting all AWS services. To see a high level overview of the library, see the README at <https://github.com/aristidb/aws/blob/master/README.org>.
 Homepage:            http://github.com/aristidb/aws
@@ -20,7 +20,7 @@
 Source-repository this
   type: git
   location: https://github.com/aristidb/aws.git
-  tag: 0.10
+  tag: 0.10.1
 
 Source-repository head
   type: git
