diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
index acca05c..d2916ab 100644
--- a/.github/workflows/deploy-dev.yml
+++ b/.github/workflows/deploy-dev.yml
@@ -16,6 +16,9 @@ jobs:
   deploy:
     name: Deploy to DEV
     uses: ./.github/workflows/deploy-reusable.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       aws_region: ${{ vars.AWS_REGION }}
       aws_role_arn: ${{ vars.AWS_ROLE_ARN_DEV }}
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index 4636f90..f43d08e 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -16,6 +16,9 @@ jobs:
   deploy:
     name: Deploy to PROD
     uses: ./.github/workflows/deploy-reusable.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       aws_region: ${{ vars.AWS_REGION }}
       aws_role_arn: ${{ vars.AWS_ROLE_ARN_PROD }}
diff --git a/.github/workflows/deploy-qa.yml b/.github/workflows/deploy-qa.yml
index 14983a6..d8b19c2 100644
--- a/.github/workflows/deploy-qa.yml
+++ b/.github/workflows/deploy-qa.yml
@@ -15,6 +15,9 @@ jobs:
   deploy:
     name: Deploy to QA
     uses: ./.github/workflows/deploy-reusable.yml
+    permissions:
+      id-token: write
+      contents: read
     with:
       aws_region: ${{ vars.AWS_REGION }}
       aws_role_arn: ${{ vars.AWS_ROLE_ARN_QA }}