diff --git a/CHANGELOG.md b/CHANGELOG.md
index a33288d..d2b0db7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -294,3 +294,7 @@
 - bucket_key_enabled: default true
 - use_kms_encryptioon: default true may need to make default false as some services like NLB do not support the use of a CMK (use AES256 instead)
+
+* 2.4.8 -- 2023-09-28
+ - terraform-state
+ - add `sso_permissionset_names` for use of assume role by SSO roles
diff --git a/common/version.tf b/common/version.tf
index 994520b..5610dbc 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "2.4.7"
+ _module_version = "2.4.8"
 }
diff --git a/terraform-state/README.md b/terraform-state/README.md
index ffec5e8..4f41e3d 100644
--- a/terraform-state/README.md
+++ b/terraform-state/README.md
@@ -36,6 +36,7 @@ module "tfstate_full" {
 tfstate_bucket = "inf-tfstate-123456789012"
 tfstate_bucket_prefix = "inf-tfstate"
 tfstate_key_suffix = "terraform.tfstate"
+ ## sso_permissionset_names = [ "inf-terraform" ]
 # this is generally not needed and not recommended
 component_tags = {
@@ -46,6 +47,8 @@ module "tfstate_full" {
 }
 }
 ```
+## sso\_permissionset\_names
+This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role.
 ## Requirements 
@@ -109,6 +112,7 @@ No modules.
 | [kms\_tfstate\_key](#input\_kms\_tfstate\_key) | Terraform remote state KMS key alias | `string` | `"k-kms-inf-tfstate"` | no |
 | [name](#input\_name) | Name suffix to use for policies, roles and groups (default: inf-terraform) | `string` | `"inf-terraform"` | no |
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component (efs, s3, ebs, kms, role, policy, security-group). This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [sso\_permissionset\_names](#input\_sso\_permissionset\_names) | List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role | `list(string)` |
[| no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | [tfstate\_bucket](#input\_tfstate\_bucket) | Terraform remote state S3 bucket | `string` | `""` | no |
 | [tfstate\_bucket\_prefix](#input\_tfstate\_bucket\_prefix) | Terraform remote state S3 bucket prefix, prepended to the AWS account ID to make the bucket name. | `string` | `"inf-tfstate"` | no |
diff --git a/terraform-state/main.tf b/terraform-state/main.tf
index abc2210..250b106 100644
--- a/terraform-state/main.tf
+++ b/terraform-state/main.tf
@@ -37,6 +37,7 @@
 * tfstate_bucket = "inf-tfstate-123456789012"
 * tfstate_bucket_prefix = "inf-tfstate"
 * tfstate_key_suffix = "terraform.tfstate"
+* ## sso_permissionset_names = [ "inf-terraform" ]
 *
 * # this is generally not needed and not recommended
 * component_tags = {
@@ -47,6 +48,9 @@
 * }
 * }
 * ```
+* ## sso_permissionset_names
+* This is a list of SSO Permission set names, which turn into a role name, for which to allow an assume role into the `inf-terraform` role.
+*
 */
 locals {
diff --git a/terraform-state/role.tf b/terraform-state/role.tf
index 137f9a9..50b9cb5 100644
--- a/terraform-state/role.tf
+++ b/terraform-state/role.tf 
@@ -3,9 +3,12 @@ locals {
 role_description = format("Role to be assumed Terraform execution %v", var.name)
 role_managed_policies_names = ["AdministratorAccess"]
 role_managed_policies = [for k, p in data.aws_iam_policy.role_managed_policies : p.arn]
+ sso_role_arn_formats = [
+ format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+ format("arn:%v:iam::%v:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_%%v_*", data.aws_arn.current.partition, data.aws_caller_identity.current.account_id),
+ ]
 }
-
 data "aws_iam_policy" "role_managed_policies" {
 for_each = toset(local.role_managed_policies_names)
 name = each.key
@@ -51,10 +54,22 @@ data "aws_iam_policy_document" "allow_sts" {
 effect = "Allow"
 actions = ["sts:AssumeRole"]
 principals {
- type = "AWS"
- identifiers = [
- format(local.iam_arn, "root"),
- ]
+ type = "AWS"
+ identifiers = [format(local.iam_arn, "root")]
+ }
+ }
+ statement {
+ sid = "AllowSTSAssumeFromSSO"
+ effect = "Allow"
+ actions = ["sts:AssumeRole"]
+ principals {
+ type = "AWS"
+ identifiers = [format(local.iam_arn, "root")]
+ }
+ condition {
+ test = "ArnLike"
+ variable = "aws:PrincipalArn"
+ values = flatten([for p in var.sso_permissionset_names : [for f in local.sso_role_arn_formats : format(f, p)]])
 }
 }
 }
diff --git a/terraform-state/variables.tf b/terraform-state/variables.tf
index 32de381..7c24353 100644
--- a/terraform-state/variables.tf
+++ b/terraform-state/variables.tf
@@ -60,3 +60,9 @@ variable "bucket_key_enabled" {
 type = bool
 default = false
 }
+
+variable "sso_permissionset_names" {
+ description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
+ type = list(string)
+ default = ["inf-terraform"]
+}
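Review bot: The two `sso_role_arn_formats` entries added to `locals` carry no comment saying why there are two shapes or what the escaped `%%v` is for, and the `sso.amazonaws.com/*/` path wildcard is exactly the kind of thing a later reader is likely to tighten or drop by mistake. A comment above the list such as `# Identity Center role ARN patterns: the first has a region path segment, the second covers roles without one; %%v is replaced with the permission set name in allow_sts` would make the intent durable. Because the substituted name is followed by `_*` in an ArnLike pattern, a listed name also matches any permission set named `<name>_<suffix>`, not only the hash suffix AWS appends; that is presumably acceptable but is worth stating in the same comment so nobody relies on an exact match. The `locals` block opens before the hunk's first line.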
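Review bot: The added `AllowSTSAssumeFromSSO` statement does not restrict anything on its own, because the statement kept just above it still trusts the unconditional account-root principal `format(local.iam_arn, "root")`: with that delegation in place, any principal in the account whose identity policy allows `sts:AssumeRole` on this role — Identity Center roles included — can already assume it, and the `aws:PrincipalArn` condition only narrows a second, overlapping Allow. If the intent is that only the listed permission sets may assume the role, either the first statement needs a narrower principal or the SSO restriction has to be expressed as a Deny with `ArnNotLike` on `aws:PrincipalArn` scoped to the `aws-reserved/sso.amazonaws.com/` role path; which is right depends on what else relies on the root trust, so at minimum the statement should carry a comment saying it is additive rather than limiting. Separately, when `var.sso_permissionset_names` is empty the `flatten` expression yields an empty condition `values` list, which IAM is likely to reject as malformed; wrapping the statement in `dynamic "statement" { for_each = length(var.sso_permissionset_names) > 0 ? [1] : [] content { … } }` emits it only when there is something to match. The policy document's `data` block and the first `statement` open before the hunk's first line.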
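Review bot: `sso_permissionset_names` defaults to `["inf-terraform"]`, so the new SSO trust statement is emitted for every caller that never sets the variable, while the README and main.tf text in this same commit describe the setting as "generally not needed and not recommended"; an opt-in feature should default to `[]`, provided the trust statement in role.tf is guarded against an empty list. The values are interpolated into an `ArnLike` pattern in role.tf, so a name containing `*` or `?` would widen the trust to every Identity Center role in the account; a `validation` block rejecting those characters keeps the wildcard confined to the suffix the module appends. The description could also say that a name is matched as the prefix of the `AWSReservedSSO_<name>_<hash>` role name rather than as an ARN.
```hcl
variable "sso_permissionset_names" {
  description = "List of SSO Permissionset Names (aka, SSO roles) to allow to assume the role"
  type        = list(string)
  default     = []

  validation {
    condition     = alltrue([for n in var.sso_permissionset_names : !can(regex("[*?]", n))])
    error_message = "sso_permissionset_names entries must not contain ArnLike wildcards (* or ?)."
  }
}
```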
"inf-terraform"
]