diff --git a/modules/fscloud/README.md b/modules/fscloud/README.md
index 092e038c..2c640fa3 100644
--- a/modules/fscloud/README.md
+++ b/modules/fscloud/README.md
@@ -59,6 +59,7 @@ No resources.
| [secrets\_manager\_name](#input\_secrets\_manager\_name) | The name to give the Secrets Manager instance. | `string` | n/a | yes |
| [service\_plan](#input\_service\_plan) | The Secrets Manager plan to provision. | `string` | `"standard"` | no |
| [skip\_en\_iam\_authorization\_policy](#input\_skip\_en\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances (scoped to the resource group) an 'Event Source Manager' role to the given Event Notifications instance passed in the `existing_en_instance_crn` input variable. In addition, no policy is created if `enable_event_notification` is set to false. | `bool` | `false` | no |
+| [skip\_iam\_authorization\_policy](#input\_skip\_iam\_authorization\_policy) | Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service. | `bool` | `false` | no |
| [skip\_kms\_iam\_authorization\_policy](#input\_skip\_kms\_iam\_authorization\_policy) | Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account. | `bool` | `false` | no |
| [sm\_tags](#input\_sm\_tags) | The list of resource tags that you want to associate with your Secrets Manager instance. | `list(string)` | `[]` | no |
diff --git a/modules/fscloud/main.tf b/modules/fscloud/main.tf
index 5cda0cb2..47b6ba57 100644
--- a/modules/fscloud/main.tf
+++ b/modules/fscloud/main.tf
@@ -12,6 +12,7 @@ module "secrets_manager" {
existing_kms_instance_guid = var.existing_kms_instance_guid
enable_event_notification = var.enable_event_notification
existing_en_instance_crn = var.existing_en_instance_crn
+ skip_iam_authorization_policy = var.skip_iam_authorization_policy
skip_en_iam_authorization_policy = var.skip_en_iam_authorization_policy
skip_kms_iam_authorization_policy = var.skip_kms_iam_authorization_policy
kms_key_crn = var.kms_key_crn
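Review bot: The new passthrough on the `skip_iam_authorization_policy` line leaves the default at `false`, so per the variable's own description every fscloud deployment creates policies granting the instance 'Operator' on the IAM identity service and 'Groups Service Member Manage' on the IAM groups service, whether or not the consumer uses the IAM credentials engine. Whether the wrapped module gates that on engine use is not visible in this diff, so it is worth a comment on this line: `# default false provisions the IAM identity/groups authorization policies needed only by the IAM credentials engine; set true when that engine is not used`. The same description (in the variables.tf and README hunks) also reads "policies will be created that grants" and should say "that grant".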
diff --git a/modules/fscloud/variables.tf b/modules/fscloud/variables.tf
index 53d9841e..9a116957 100644
--- a/modules/fscloud/variables.tf
+++ b/modules/fscloud/variables.tf
@@ -35,6 +35,12 @@ variable "existing_sm_instance_crn" {
default = null
}
+variable "skip_iam_authorization_policy" {
+ type = bool
+ description = "Whether to skip the creation of the IAM authorization policies required to enable the IAM credentials engine. If set to false, policies will be created that grants the Secrets Manager instance 'Operator' access to the IAM identity service, and 'Groups Service Member Manage' access to the IAM groups service."
+ default = false
+}
+
variable "skip_kms_iam_authorization_policy" {
type = bool
description = "Set to true to skip the creation of an IAM authorization policy that permits all Secrets Manager instances in the resource group to read the encryption key from the KMS instance. If set to false, pass in a value for the KMS instance in the `existing_kms_instance_crn` variable. If a value is specified for `ibmcloud_kms_api_key`, the policy is created in the KMS account."