diff --git a/union-ai-admin/aws/union-ai-admin-role.template.yaml b/union-ai-admin/aws/union-ai-admin-role.template.yaml
index 3f313c0..020518b 100644
--- a/union-ai-admin/aws/union-ai-admin-role.template.yaml
+++ b/union-ai-admin/aws/union-ai-admin-role.template.yaml
@@ -170,6 +170,7 @@ Resources:
               - 'iam:TagOpenIDConnectProvider'
               - 'iam:UntagOpenIDConnectProvider'
               - 'iam:ListOpenIDConnectProviderTags'
+              - 'iam:UpdateOpenIDConnectProviderThumbprint'
             Resource:
               - !Sub 'arn:aws:iam::${AWS::AccountId}:oidc-provider/*'
           - Effect: Allow