diff --git a/codebuild/main.tf b/codebuild/main.tf
index 2c40dbc..bc37e87 100644
--- a/codebuild/main.tf
+++ b/codebuild/main.tf
@@ -57,6 +57,9 @@ data "aws_iam_policy_document" "ghe_runner_deploy" {
       "secretsmanager:UpdateSecret",
       "secretsmanager:DeleteSecret",
       "secretsmanager:TagResource",
+      "secretsmanager:GetResourcePolicy",
+      "secretsmanager:PutResourcePolicy",
+      "secretsmanager:DeleteResourcePolicy",
     ]
     # The ghe-runner module stores tokens under this prefix
     resources = [