diff --git a/union-ai-admin/aws/gen/unionai-provisioner-role.template.yaml b/union-ai-admin/aws/gen/unionai-provisioner-role.template.yaml
index e9cd775..22422b4 100644
--- a/union-ai-admin/aws/gen/unionai-provisioner-role.template.yaml
+++ b/union-ai-admin/aws/gen/unionai-provisioner-role.template.yaml
@@ -78,6 +78,7 @@ Resources:
               - ec2:DeleteFlowLogs
               - ec2:CreateFlowLogs
               - ec2:CreateVpc
+              - ec2:AssociateVpcCidrBlock
               - ec2:ReleaseAddress
               - ec2:CreateTags
               - ec2:RunInstances
diff --git a/union-ai-admin/aws/script/generate.py b/union-ai-admin/aws/script/generate.py
index 8ad4784..6dc0610 100644
--- a/union-ai-admin/aws/script/generate.py
+++ b/union-ai-admin/aws/script/generate.py
@@ -546,6 +546,7 @@ def create_provisioner_policy(role_type):
                         Action("ec2", "DeleteFlowLogs"),
                         Action("ec2", "CreateFlowLogs"),
                         Action("ec2", "CreateVpc"),
+                        Action("ec2", "AssociateVpcCidrBlock"),
                         Action("ec2", "ReleaseAddress"),
                         Action("ec2", "CreateTags"),
                         Action("ec2", "RunInstances"),
diff --git a/union-ai-admin/aws/union-ai-admin-role.template.yaml b/union-ai-admin/aws/union-ai-admin-role.template.yaml
index d878832..3da7949 100644
--- a/union-ai-admin/aws/union-ai-admin-role.template.yaml
+++ b/union-ai-admin/aws/union-ai-admin-role.template.yaml
@@ -187,6 +187,7 @@ Resources:
               - 'ec2:DeleteVpc'
               - 'ec2:CreateSubnet'
               - 'ec2:DescribeVpcAttribute'
+              - 'ec2:AssociateVpcCidrBlock'
             Resource:
               - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:vpc/*'
           - Sid: VisualEditor9