diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index a223a74..e418e76 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.104.0
+    rev: v1.104.1
     hooks:
       - id: terraform_fmt
       - id: terraform_docs
diff --git a/modules/hybrid-node-role/main.tf b/modules/hybrid-node-role/main.tf
index 1d14f41..71e89aa 100644
--- a/modules/hybrid-node-role/main.tf
+++ b/modules/hybrid-node-role/main.tf
@@ -93,17 +93,44 @@ resource "aws_iam_role" "this" {
 data "aws_iam_policy_document" "this" {
   count = var.create ? 1 : 0
-  statement {
-    actions = [
-      "ssm:DeregisterManagedInstance",
-      "ssm:DescribeInstanceInformation",
-    ]
+  dynamic "statement" {
+    for_each = var.enable_ira ? [] : [1]
+
+    content {
+      sid       = "AllowDeregisterOwnInstance"
+      actions   = ["ssm:DeregisterManagedInstance"]
+      resources = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+
+      condition {
+        test     = "ArnLike"
+        variable = "ssm:SourceInstanceARN"
+        values   = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+      }
+    }
+  }
-    resources = ["*"]
+  dynamic "statement" {
+    for_each = var.enable_ira ? [] : [1]
+
+    content {
+      sid       = "AllowDescribeInstances"
+      actions   = ["ssm:DescribeInstanceInformation"]
+      resources = ["*"]
+
+      condition {
+        test     = "ArnLike"
+        variable = "ssm:SourceInstanceARN"
+        values   = ["arn:${local.partition}:ssm:*:*:managed-instance/*"]
+      }
+    }
   }
   statement {
-    actions = ["eks:DescribeCluster"]
+    sid       = "DescribeEKSCluster"
+    actions   = [
+      "eks:DescribeCluster",
+      "eks:ListAccessEntries",
+    ]
     resources = var.cluster_arns
   }
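Review bot: The `AllowDeregisterOwnInstance` statement in the first `dynamic "statement"` block does not actually scope deregistration to the caller's own instance: `resources` is the wildcard `arn:${local.partition}:ssm:*:*:managed-instance/*` and the `ssm:SourceInstanceARN` condition only establishes that the caller is *some* SSM-managed instance, so any one hybrid node that assumes this role can deregister every other hybrid node in the account, in every region. To make the policy match its sid, bind the resource to the caller with the policy variable, `resources = ["$${ssm:SourceInstanceARN}"]` (the doubled `$$` is needed so Terraform passes the IAM variable through literally), and keep the existing condition as a secondary check; I believe IAM accepts `ssm:SourceInstanceARN` as a policy variable in `Resource`, but please confirm against a real hybrid activation before merging. If resource-level scoping turns out not to be supported, rename the sid so it does not overstate the restriction and add a comment such as `# NOTE: deregistration is account-wide; ssm:SourceInstanceARN only proves the caller is a managed instance` so the blast radius is explicit to the next reader. The enclosing `aws_iam_policy_document` data source continues past the end of this hunk.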