diff --git a/.secrets.baseline b/.secrets.baseline
index 319bbf6..2019df4 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-04T04:39:36Z",
+ "generated_at": "2025-10-05T04:39:36Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/main.tf b/main.tf
index 26c336f..e8a94ce 100644
--- a/main.tf
+++ b/main.tf
@@ -65,7 +65,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -110,7 +110,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 count = local.create_backup_kms_auth_policy
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index 16494ba..7ced642 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
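Review bot: The `description` on the line after the changed `roles` still says the instances may only "read" the key, while the policy now also grants Authorization Delegator, so the IAM policy listing an auditor reads will understate the grant; the same mismatch is in main.tf @@ -110 and in both hunks of solutions/fully-configurable/main.tf. Suggest `description = "Allow all RabbitMQ instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid} and to delegate that authorization for backups"`. The trailing comment on the `roles` line says the role is needed for the backup encryption key, yet this resource is `kms_policy`, not `backup_kms_policy`; presumably it is needed here for the case where backups reuse the primary key and no separate backup policy is created, which the comment should state so a later least-privilege pass does not strip the broader role from the primary policy, e.g. `# Authorization Delegator is also needed here because backups use this key when no separate backup KMS policy is created`. Both resources start and end outside the hunk.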
@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 source_service_account = local.account_id
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 source_service_account = local.account_id
 source_service_name = "messages-for-rabbitmq"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all RabbitMQ instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
 resource_attributes {
 name = "serviceName"