diff --git a/examples/cluster-roles/read-only/README.md b/examples/cluster-roles/read-only/README.md
new file mode 100644
index 0000000..63e3828
--- /dev/null
+++ b/examples/cluster-roles/read-only/README.md
@@ -0,0 +1,24 @@
+# read-only
+
+This contains two files.
+
+* read-only.tf
+
+Place this into the `cluster-roles` directory. Then run `tf-apply`.
+
+* main.tf
+
+Create a directory for the specific IAM (SAML) role, like `r-ditd-readonly`, and place this file
+inside it. Initialize the `tf-run` environment. Then process `tf-run.sh apply`.
+
+Note, change the `aws_role_name` value accordingly.
+
+```script
+cd cluster-roles
+mkdir r-ditd-readonly
+cd r-ditd-readonly
+cp EXAMPLEDIR/cluster-roles/read-only/main.tf .
+cp ../region.tf .
+tf-run.sh init
+tf-run.sh apply
+```
diff --git a/examples/cluster-roles/read-only/main.tf b/examples/cluster-roles/read-only/main.tf
new file mode 100644
index 0000000..35bc790
--- /dev/null
+++ b/examples/cluster-roles/read-only/main.tf
@@ -0,0 +1,23 @@
+locals {
+ aws_auth_users = []
+ aws_auth_roles = [
+ {
+ rolearn = ""
+ aws_rolename = "r-ditd-readonly"
+ username = "eks-readonly"
+ groups = ["eks-console-restricted-access"]
+ },
+ ]
+}
+
+module "awsauth" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth"
+
+ region = local.region
+ profile = var.profile
+ cluster_name = var.cluster_name
+ aws_auth_users = local.aws_auth_users
+ aws_auth_roles = local.aws_auth_roles
+
+ keep_temporary_files = false
+}
diff --git a/examples/cluster-roles/read-only/read-only.tf b/examples/cluster-roles/read-only/read-only.tf
new file mode 100644
index 0000000..4dcf6a7
--- /dev/null
+++ b/examples/cluster-roles/read-only/read-only.tf
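Review bot: The `source` line at the top of `module "awsauth"` points at a git repository with no `?ref=` pin, so every `tf-run.sh apply` fetches whatever the module's default branch holds at that moment and the code that rewrites the cluster's aws-auth ConfigMap can change without any edit to this example; pin it to a reviewed tag or commit, e.g. `source = "git@github.e.it.census.gov:terraform-modules/aws-eks.git//patch-aws-auth?ref=<TAG_OR_COMMIT>"` (placeholder). `rolearn = ""` next to `aws_rolename = "r-ditd-readonly"` is left unexplained; if the module derives the ARN from the role name when `rolearn` is empty, a one-line comment such as `# rolearn is left empty on purpose; the module resolves it from aws_rolename` saves the next reader a trip into the module. `local.region`, `var.profile` and `var.cluster_name` are not declared in this file — presumably they come from the copied `region.tf` and the tf-run environment the README describes — and that dependency is worth a comment above the `module` block. The README tells the user to change `aws_role_name`, but the attribute here is `aws_rolename`; one of the two should be corrected so the instruction matches the code.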
@@ -0,0 +1,54 @@
+# from https://stackoverflow.com/questions/60277163/read-only-user-gets-full-access
+
+resource "kubernetes_cluster_role" "read_only" {
+ metadata {
+ name = format("%v-cluster-role", var.read_only_name)
+ }
+
+ rule {
+ api_groups = [""]
+ resources = ["*"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["extensions"]
+ resources = ["*"]
+ verbs = ["get", "list", "watch"]
+ }
+
+ rule {
+ api_groups = ["apps"]
+ resources = ["*"]
+ verbs = ["get", "list", "watch"]
+ }
+
+}
+
+resource "kubernetes_cluster_role_binding" "read_only" {
+ metadata {
+ name = format("%v-clusterrole-binding", var.read_only_name)
+ }
+ role_ref {
+ api_group = "rbac.authorization.k8s.io"
+ kind = "ClusterRole"
+ name = format("%v-cluster-role", var.read_only_name)
+ }
+ subject {
+ kind = "User"
+ name = var.read_only_name
+ api_group = "rbac.authorization.k8s.io"
+ }
+ # subject {
+ # kind = "Group"
+ # name = "system:masters"
+ # api_group = "rbac.authorization.k8s.io"
+ # }
+}
+
+
+variable "read_only_name" {
+ description = "Read-only Role Name"
+ type = string
+ default = "eks-readonly"
+}
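Review bot: The first `rule` in `kubernetes_cluster_role.read_only` grants `get`, `list` and `watch` on `resources = ["*"]` in the core API group, which includes `secrets` and `serviceaccounts`, so anyone mapped to this "read-only" user can read every Secret in the cluster — the page linked in the header comment describes exactly this surprise. Replace the wildcard with an explicit list that leaves secrets out, for example `resources = ["pods", "pods/log", "services", "endpoints", "configmaps", "namespaces", "nodes", "events", "persistentvolumeclaims"]` (a constructed starting point to trim or extend per cluster), and add a comment such as `# secrets are deliberately excluded: list/get on Secrets is not "read-only" in practice`. The `subject` binds `kind = "User"` to `var.read_only_name`, which presumably has to equal the `username` that the aws-auth mapping in main.tf assigns; a comment stating that coupling (or binding a Group that aws-auth also sets) would keep the two files from drifting apart. The commented-out `system:masters` Group subject should be removed rather than left in place: it has no effect here and only invites being uncommented. The `extensions` entry in the second rule is harmless but that API group has been retired in current Kubernetes releases, so it can go as well.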