diff --git a/roles/cloudformation-write-role.yaml b/roles/cloudformation-write-role.yaml
index c2bcb07..988649a 100644
--- a/roles/cloudformation-write-role.yaml
+++ b/roles/cloudformation-write-role.yaml
@@ -1,11 +1,6 @@
 AWSTemplateFormatVersion: '2010-09-09'
 Description: IAM Role for CloudFormation Write operations via AssumeRole
-Parameters:
-  AdminPrincipalArns:
-    Type: List
-    Description: List of IAM Identity Center Role ARNs allowed to assume this role.
-
 Resources:
   CloudFormationWriteRole:
     Type: AWS::IAM::Role
@@ -17,7 +12,7 @@ Resources:
       Statement:
         - Effect: Allow
           Principal:
-            AWS: !Ref AdminPrincipalArns
+            AWS: !Sub arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/${AWS::Region}/AWSReservedSSO_AdministratorWebHosting_42269022c2fff771
           Action: sts:AssumeRole
       Policies:
         - PolicyName: ECRImport
@@ -41,9 +36,11 @@ Resources:
                 Action:
                   - iam:CreateRole
                   - iam:DeleteRole
+                  - iam:UpdateRole
                   - iam:PutRolePolicy
                   - iam:DeleteRolePolicy
                   - iam:AttachRolePolicy
+                  - iam:UpdateAssumeRolePolicy
                   - iam:PassRole
                 Resource:
                   - !Sub arn:aws:iam::${AWS::AccountId}:role/*
@@ -58,6 +55,15 @@ Resources:
                   - iam:DeletePolicyVersion
                 Resource:
                   - !Sub arn:aws:iam::${AWS::AccountId}:policy/*
+        - PolicyName: UserPolicy
+          PolicyDocument:
+            Version: "2012-10-17"
+            Statement:
+              - Effect: Allow
+                Action:
+                  - iam:DeleteAccessKey
+                Resource:
+                  - !Sub arn:aws:iam::${AWS::AccountId}:user/*
         - PolicyName: SecretPolicies
           PolicyDocument:
             Version: "2012-10-17"
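Review bot: The new trust-policy principal embeds `${AWS::Region}` in the `aws-reserved/sso.amazonaws.com/<region>/` path, but that path segment is the IAM Identity Center home region rather than the region the stack is deployed in, so deploying this template anywhere else, or recreating the permission set (which changes the `_42269022c2fff771` suffix), names a role that does not exist and IAM will reject the trust policy as an invalid principal. Removing the `AdminPrincipalArns` parameter in the first hunk also takes away the only way to reuse the template against another account's principals. A more tolerant and still tightly scoped form is `Principal: { AWS: !Sub 'arn:aws:iam::${AWS::AccountId}:root' }` with `Condition: { ArnLike: { 'aws:PrincipalArn': !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_AdministratorWebHosting_*' } }`, which limits assumption to that permission set without pinning the region path or the generated suffix. The enclosing AssumeRolePolicyDocument starts before this hunk.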
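Review bot: Granting `iam:UpdateAssumeRolePolicy` on `role/*` lets this deploy role rewrite the trust policy of every role in the account, including its own and the `aws-reserved` Identity Center roles, and combined with the existing `iam:AttachRolePolicy` and `iam:PassRole` on the same wildcard it is a privilege-escalation primitive rather than a deployment permission. Scope the Resource to the roles the stacks actually create, e.g. `- !Sub arn:aws:iam::${AWS::AccountId}:role/<stack-prefix>*`, or add an explicit Deny statement covering `role/aws-reserved/*` and the CloudFormationWriteRole itself, and consider an `iam:PermissionsBoundary` condition on the create/attach/put actions so managed roles cannot exceed a fixed boundary. `iam:UpdateRole` is lower risk but should follow the same Resource scoping. The statement this Action list belongs to continues outside the hunk.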
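Review bot: The new `UserPolicy` grants `iam:DeleteAccessKey` on `user/*`, which lets this role revoke the credentials of any IAM user in the account, including break-glass or service users no stack created, and no matching `iam:CreateAccessKey` is granted, so the intent appears to be clean-up of keys created elsewhere. The IAM resource type for this action is the user, so there is no per-key scoping; restrict the Resource to the users these stacks own, e.g. `- !Sub arn:aws:iam::${AWS::AccountId}:user/<stack-prefix>*`. If the permission exists only so stack deletion can remove `AWS::IAM::AccessKey` resources, say so above the policy, e.g. `# Required so stack deletion can remove AWS::IAM::AccessKey resources`.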