diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index af4b87de3..4b1ea1591 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -86,7 +86,7 @@ type Config struct {
 	AWSZoneTagFilter                   []string
 	AWSAssumeRole                      string
 	AWSProfiles                        []string
-	AWSAssumeRoleExternalID            string
+	AWSAssumeRoleExternalID            string `secure:"yes"`
 	AWSBatchChangeSize                 int
 	AWSBatchChangeSizeBytes            int
 	AWSBatchChangeSizeValues           int
diff --git a/provider/aws/config.go b/provider/aws/config.go
index bbfca9e97..5908150e7 100644
--- a/provider/aws/config.go
+++ b/provider/aws/config.go
@@ -102,7 +102,8 @@ func newV2Config(awsConfig AWSSessionConfig) (awsv2.Config, error) {
 		stsSvc := sts.NewFromConfig(cfg)
 		var assumeRoleOpts []func(*stscredsv2.AssumeRoleOptions)
 		if awsConfig.AssumeRoleExternalID != "" {
-			logrus.Infof("Assuming role: %s with external id %s", awsConfig.AssumeRole, awsConfig.AssumeRoleExternalID)
+			logrus.Infof("Assuming role %s with external id", awsConfig.AssumeRole)
+			logrus.Debugf("External id: %s", awsConfig.AssumeRoleExternalID)
 			assumeRoleOpts = []func(*stscredsv2.AssumeRoleOptions){
 				func(opts *stscredsv2.AssumeRoleOptions) {
 					opts.ExternalID = &awsConfig.AssumeRoleExternalID