diff --git a/main.tf b/main.tf
index eaaa502..4f1bd1b 100644
--- a/main.tf
+++ b/main.tf
@@ -74,6 +74,7 @@ locals {
 resourceRequirements = var.resource_requirements
 restartPolicy = local.restart_policy_without_null
 versionConsistency = var.version_consistency
+ credentialSpecs = var.credential_specs
 }

 container_definition_without_null = {
diff --git a/variables.tf b/variables.tf
index a906798..9d1d324 100644
--- a/variables.tf
+++ b/variables.tf
@@ -23,8 +23,9 @@ variable "container_memory_reservation" {
 # https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_ContainerDefinition.html
 variable "container_definition" {
 type = object({
- command = optional(list(string))
- cpu = optional(number)
+ command = optional(list(string))
+ cpu = optional(number)
+ credentialSpecs = optional(list(string))
 dependsOn = optional(list(object({
 condition = string
 containerName = string
@@ -370,6 +371,12 @@ variable "links" {
 default = null
 }

+variable "credential_specs" {
+ type = list(string)
+ description = "A list of ARNs in SSM or Amazon S3 to a credential spec (CredSpec) file that configures the container for Active Directory authentication. We recommend that you use this parameter instead of the dockerSecurityOptions. The maximum number of ARNs is 1."
+ default = null
+}
+
 variable "user" {
 type = string
 description = "The user to run as inside the container. Can be any of these formats: user, user:group, uid, uid:gid, user:gid, uid:group. The default (null) will use the container's configured `USER` directive or root if not set."
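Review bot: The new `credential_specs` variable states "The maximum number of ARNs is 1" only in its description, so a two-element list or a bare ARN passes `terraform plan` and would presumably be rejected only by the ECS API when the task definition is registered. The ContainerDefinition reference linked above `container_definition` requires each entry to be written as `credentialspec:<ARN>` or `credentialspecdomainless:<ARN>`, which the description omits. I would add that sentence to the description and the two `validation` blocks sketched below; the file already uses `optional()`, so validation blocks are available. The `credentialSpecs` attribute added to the `container_definition` object in the previous hunk takes the same values and would not be covered by a check on `credential_specs`. Since the CredSpec file configures the container's Active Directory authentication, the description could also say that write access to the referenced SSM parameter or S3 object should be tightly restricted.

```hcl
variable "credential_specs" {
  # … unchanged: type, description, default …

  validation {
    condition     = var.credential_specs == null ? true : length(var.credential_specs) <= 1
    error_message = "The credential_specs list accepts at most one entry."
  }

  validation {
    condition = var.credential_specs == null ? true : alltrue([
      for spec in var.credential_specs :
      can(regex("^credentialspec(domainless)?:arn:", spec))
    ])
    error_message = "Each entry must be credentialspec:<ARN> or credentialspecdomainless:<ARN>."
  }
}
```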