diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
index b6a30f9..393faff 100644
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@@ -4,6 +4,7 @@ resource "vault_approle_auth_backend_role" "terraform_incus" {
 token_policies = [
 "default_access",
 "incus",
+ "terraform_puppet_cert",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/policies.tf b/policies.tf
index 891de5c..8479aad 100644
--- a/policies.tf
+++ b/policies.tf
@@ -15,6 +15,7 @@ locals {
 "policies/kv/service/glauth/services",
 "policies/kv/service/incus",
 "policies/kv/service/packer",
+ "policies/kv/service/puppet/certificates",
 "policies/kv/service/puppetapi",
 "policies/kv/service/terraform",
 ]
diff --git a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
new file mode 100644
index 0000000..6a31417
--- /dev/null
+++ b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
@@ -0,0 +1,6 @@
+path "kv/data/service/puppet/certificates/terraform" {
+ capabilities = ["read"]
+}
+path "kv/data/service/puppet/certificates/ca" {
+ capabilities = ["read"]
+}
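Review bot: Attaching `terraform_puppet_cert` to the `terraform_incus` AppRole means every token minted from this role now carries read access to the Puppet certificate material on top of the existing `default_access` and `incus` grants, so a leaked secret ID for this role exposes both the Incus secrets and the Puppet client cert. If anything other than the Terraform runs that actually need that cert authenticates with this role, a dedicated AppRole holding only `terraform_puppet_cert` would keep the blast radius of each credential narrower; I cannot tell from the hunk who else uses the role. Either way, a why-comment on the added line, `# read-only access to the Puppet client cert + CA (policies/kv/service/puppet/certificates)`, would record the reason the Incus role needs it. The `vault_approle_auth_backend_role` block starts and ends outside the hunk.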
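Review bot: The new policy file grants `read` on two KV paths with no comment saying what is stored there or which role consumes it, and the policy name `terraform_puppet_cert` only appears in the file basename, so a reader has to infer the link to `auth_approle_terraform_incus.tf`; a header such as `# Read-only access for the terraform_incus AppRole: the 'terraform' Puppet agent certificate/key and the Puppet CA certificate` would close that gap. If `kv/` is a KV v2 mount (the `data/` path segment suggests so, but the mount is not in this diff), `read` on `kv/data/...` also returns earlier versions of the secret via the `version` request parameter, so previously rotated certificate material stays readable to this role until those versions are destroyed — worth either destroying superseded versions on rotation or noting in the comment that this is accepted. Granting `read` on `kv/data/.../ca` separately rather than via a `+` or `*` wildcard is the right call here, since it keeps any future sibling secrets under `certificates/` out of scope for this role.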