diff --git a/ops/terraform/env/mgmt/github-actions-iam.tf b/ops/terraform/env/mgmt/github-actions-iam.tf
index a2faab859f..02aa145ebb 100644
--- a/ops/terraform/env/mgmt/github-actions-iam.tf
+++ b/ops/terraform/env/mgmt/github-actions-iam.tf
@@ -403,6 +403,14 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
 ]
 Resource = "*"
 },
+ {
+ Sid = "AllowPolicyManagementOfAllKeys"
+ Effect = "Allow"
+ Action = [
+ "kms:PutKeyPolicy",
+ ]
+ Resource = "*"
+ },
 {
 Sid = "AllowSNS"
 Effect = "Allow"
@@ -427,7 +435,8 @@ resource "aws_iam_policy" "github_actions_ci_ops" {
 Action = [
 "iam:Get*",
 "iam:List*",
- "iam:DeletePolicyVersion"
+ "iam:DeletePolicyVersion",
+ "iam:CreatePolicyVersion"
 ]
 Resource = "*"
 },
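Review bot: `kms:PutKeyPolicy` with `Resource = "*"` in the new `AllowPolicyManagementOfAllKeys` statement (first hunk) lets the GitHub Actions role replace the key policy of every KMS key in the account whose policy delegates to IAM, so a compromised workflow or token would control who can use those keys. Scope the statement to the keys this pipeline actually manages, e.g. `Resource = ["arn:aws:kms:<REGION>:<ACCOUNT_ID>:key/<KEY_ID>"]`, or keep the wildcard only together with a `Condition` on a key tag or on `kms:ResourceAliases`. A comment above the statement naming the workflow that needs it would help later reviews, and CloudTrail `PutKeyPolicy` events from this role are worth alerting on. The enclosing `aws_iam_policy` resource starts and ends outside the hunk, so the role's trust conditions cannot be checked from here.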
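Review bot: `iam:CreatePolicyVersion` on `Resource = "*"` (second hunk) is a known IAM privilege-escalation permission: a new policy version can be made the default when it is created, so this CI role can change what any customer-managed policy grants, presumably including `github_actions_ci_ops` itself. Restrict the write actions to the policies the pipeline owns, e.g. move `iam:CreatePolicyVersion` and `iam:DeletePolicyVersion` into their own statement with `Resource = "arn:aws:iam::<ACCOUNT_ID>:policy/<PIPELINE_PATH>/*"`, and leave only `iam:Get*` and `iam:List*` on the wildcard. A permissions boundary on the role would additionally cap what a rewritten policy can grant. The statement's `Sid` and opening lines are outside the hunk, so its other fields are not visible here.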