diff --git a/README.md b/README.md index 45cbab9..7df1373 100644 --- a/README.md +++ b/README.md @@ -106,4 +106,27 @@ ACCOUNT_ID= echo -n $ECR_PASSWORD | docker login -u AWS --password-stdin https://$ACCOUNT_ID.dkr.ecr.$AWS_DEFAULT_REGION.amazonaws.com +``` +## Using AWS Assumed Role instead of normal IAM credentials +You can use the `aws sts assume-role` along with `jq` to utilize AWS assigned roles. This allows for using centralized AWS account management and doesn't rely on AWS IAM accounts. + +Adding Cross Account Roles: +https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html + +If your assigned cross account role is `arn:aws:iam::0123456789:role/AdminCrossAccount`, you can run the rollowing commands: +``` +AWS_DATA=$(aws sts assume-role --role-arn arn:aws:iam::0123456789:role/AdminCrossAccount --role-session-name=ecs-deployer | jq '.Credentials') +export AWS_ACCESS_KEY_ID=$(echo $AWS_DATA| jq -r '.AccessKeyId') +export AWS_SECRET_ACCESS_KEY=$(echo $AWS_DATA| jq -r '.SecretAccessKey') +export AWS_SESSION_TOKEN=$(echo $AWS_DATA| jq -r '.SessionToken') +``` +You can then use the following sample docker commands. +``` +docker run \ + --env AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION \ + --env AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID \ + --env AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY \ + --env AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN \ + smithmicro/ecs:latest create-cluster +unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN ``` \ No newline at end of file diff --git a/ecs-roles-cf.json b/ecs-roles-cf.json index e3ba6de..4e0b374 100644 --- a/ecs-roles-cf.json +++ b/ecs-roles-cf.json @@ -16,6 +16,13 @@ ], "Resource": [ "arn:aws:ssm:*:*:parameter/*" + { + "Effect": "Allow", + "Action": [ + "kms:Decrypt" + ], + "Resource": "arn:aws:kms:*:*:key/*" + } ] } ]
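Review bot: In the README hunk, the `docker run` sample passes the temporary credentials with `--env AWS_ACCESS_KEY_ID=...`, `--env AWS_SECRET_ACCESS_KEY=...` and `--env AWS_SESSION_TOKEN=...`, which leaves the secret and session token readable in `docker inspect` output (and in shell history if typed interactively) for as long as the container object exists; the new section should say so and recommend `docker run --rm` together with the `unset` it already shows, or passing the variables with bare `--env AWS_SESSION_TOKEN` so the values come from the environment rather than the command line. The text should also note that `aws sts assume-role` returns credentials with a limited lifetime (one hour by default), so the exported variables must be refreshed for longer deployments. Smaller points in the same hunk: "rollowing" should read "following", "doesn't rely on AWS IAM accounts" should say "IAM users", and `$(echo $AWS_DATA| jq -r ...)` should quote the variable (`echo "$AWS_DATA" | jq -r ...`) so the JSON is not word-split by the shell.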
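Review bot: The ecs-roles-cf.json hunk produces an invalid policy document. The new `{ "Effect": "Allow", "Action": [ "kms:Decrypt" ], ... }` object is inserted directly after `"arn:aws:ssm:*:*:parameter/*"` inside the previous statement's `"Resource"` array, with no separating comma and without closing that statement, so the template is no longer valid JSON and, even with a comma, a statement object is not a legal element of a `Resource` list. The SSM statement needs to be closed first (`]` then `},`) and the `kms:Decrypt` statement added as a sibling entry of the enclosing `Statement` array. Separately, `"Resource": "arn:aws:kms:*:*:key/*"` grants decrypt on every key in every account and region; since the only decryption this role needs is for SSM parameters, scope the resource to the key (or alias) that encrypts those parameters, or at least constrain it with a `kms:ViaService` condition for `ssm.<region>.amazonaws.com`.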