diff --git a/policies.tf b/policies.tf
index 9cd0816..3c65ee1 100644
--- a/policies.tf
+++ b/policies.tf
@@ -47,16 +47,22 @@ data "aws_iam_policy_document" "task_execution_permissions" {
 }
 }
 
+data "aws_kms_key" "secretsmanager_key" {
+ key_id = "${var.repository_credentials_kms_key}"
+}
+
 data "aws_iam_policy_document" "read_repository_credentials" {
 statement {
 effect = "Allow"
 resources = [
 "${var.repository_credentials}",
+"${data.aws_kms_key.secretsmanager_key.arn}",
 ]
 actions = [
 "secretsmanager:GetSecretValue",
+"kms:Decrypt",
 ]
 }
 }
diff --git a/variables.tf b/variables.tf
index 5b29dfd..5adec0d 100644
--- a/variables.tf
+++ b/variables.tf
@@ -113,6 +113,11 @@ variable "repository_credentials" {
 description = "name or ARN of a secrets manager secret (arn:aws:secretsmanager:region:aws_account_id:secret:secret_name)"
 }
 
+variable "repository_credentials_kms_key" {
+ default = "alias/aws/secretsmanager"
+ description = "key id, key ARN, alias name or alias ARN of the key that encrypted the repository credentials"
+}
+
 locals {
 # if the variable is set, create the fragment based on the variable value
 # if not, just return a empty string to not mess up the json
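Review bot: The `kms:Decrypt` grant added to the `read_repository_credentials` statement is unconditioned, so the task execution role can call Decrypt directly against `data.aws_kms_key.secretsmanager_key.arn` for any ciphertext under that key, not only through Secrets Manager; a `kms:ViaService` condition restricts it to the intended path. Because the commit folds the key ARN into the same statement as the secret, each action is also granted against both resources (`secretsmanager:GetSecretValue` on the key ARN, `kms:Decrypt` on the secret ARN), which is harmless but muddles the intent and makes a condition hard to attach. With the default alias the lookup resolves to the AWS managed key, whose key policy as far as I know already permits use via Secrets Manager, so the explicit grant mainly matters once a customer-managed key is supplied. I would split the statement as below; the region value is a placeholder and needs to come from an `aws_region` data source or a variable.
```hcl
data "aws_iam_policy_document" "read_repository_credentials" {
  statement {
    effect    = "Allow"
    resources = ["${var.repository_credentials}"]
    actions   = ["secretsmanager:GetSecretValue"]
  }

  # Allow Decrypt only when Secrets Manager calls KMS on the task's behalf,
  # not when the role calls kms:Decrypt directly.
  statement {
    effect    = "Allow"
    resources = ["${data.aws_kms_key.secretsmanager_key.arn}"]
    actions   = ["kms:Decrypt"]

    condition {
      test     = "StringEquals"
      variable = "kms:ViaService"
      # <REGION> is a placeholder: supply the secret's region, e.g. from an aws_region data source.
      values   = ["secretsmanager.<REGION>.amazonaws.com"]
    }
  }
}
```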
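Review bot: The description of `repository_credentials_kms_key` does not say what the default means or when a caller must override it; `alias/aws/secretsmanager` is the AWS managed key alias, and the `aws_kms_key` data source in policies.tf resolves it in the provider's own account and region, so a secret encrypted with a customer-managed key, or one living in another account, presumably will not decrypt unless the caller passes that key's ARN here. I would extend it to `description = "key id, key ARN, alias name or alias ARN of the KMS key that encrypted the repository credentials; defaults to the AWS managed Secrets Manager key, so override this with the key ARN when the secret uses a customer-managed or cross-account key"`. It may also be worth noting in the description that the lookup happens at plan time, so an alias that does not exist in the target region fails the plan rather than the task.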