diff --git a/modules/bastion/iam.tf b/modules/bastion/iam.tf
index 65eaef5..7bdc611 100644
--- a/modules/bastion/iam.tf
+++ b/modules/bastion/iam.tf
@@ -64,6 +64,13 @@ resource "aws_iam_role_policy" "bastion_host_iam_role" {
 "ssm:GetParameter"
 ],
 "Resource" : "arn:aws:ssm:*:*:parameter/AmazonCloudWatch-*"
+ },
+ {
+ "Effect" : "Allow",
+ "Action" : [
+ "secretsmanager:GetSecretValue"
+ ],
+ "Resource" : "arn:aws:secretsmanager:*:*:secret:*"
 }
 ]
 })
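Review bot: The added statement's `"Resource" : "arn:aws:secretsmanager:*:*:secret:*"` lets the bastion role call `secretsmanager:GetSecretValue` on every secret in every region of the account, so a compromise of the bastion host or its instance credentials exposes all of them rather than the one the host needs. Scope it to the specific secrets, for example `"Resource" : var.bastion_secret_arns` (placeholder variable name, holding full secret ARNs or a prefix pattern such as `secret:<bastion-prefix>-*`), or add a `Condition` on a resource tag. A short comment above the statement naming the secret and why the bastion reads it, e.g. `# read access to <secret name> for <purpose>`, would also make later narrowing easier. The enclosing `aws_iam_role_policy` resource begins and ends outside the hunk, so its other statements are not covered by this note.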