diff --git a/modules/aws/vendor-access/files/provision2.json.tpl b/modules/aws/vendor-access/files/provision2.json.tpl
index 53f64df..89dbf68 100644
--- a/modules/aws/vendor-access/files/provision2.json.tpl
+++ b/modules/aws/vendor-access/files/provision2.json.tpl
@@ -100,7 +100,10 @@
       "Effect": "Allow",
       "Action": [
         "eks:TagResource",
-        "eks:UntagResource"
+        "eks:UntagResource",
+        "eks:AssociateAccessPolicy",
+        "eks:DisassociateAccessPolicy",
+        "eks:DeleteAccessEntry"
       ],
       "Resource": "*",
       "Condition": {