diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 030a10b..c829118 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -9,9 +9,13 @@ jobs: runs-on: ubuntu-latest container: image: hashicorp/terraform:1.5.7 + env: + TF_PLUGIN_CACHE_DIR: /github/home/.terraform.d/plugin-cache steps: - name: Checkout uses: actions/checkout@v3 + - name: Create Plugin Cache Dir + run: mkdir -p $TF_PLUGIN_CACHE_DIR - name: Check format run: terraform fmt -diff=true -check=true - name: Validate
diff --git a/eks-service-account-iam-role/main.tf b/eks-service-account-iam-role/main.tf
index 3e8137e..2438a3e 100644
--- a/eks-service-account-iam-role/main.tf
+++ b/eks-service-account-iam-role/main.tf
@@ -52,6 +52,18 @@ data "aws_iam_policy_document" "assume_role" { values = local.all_service_accounts } } + + dynamic "statement" { + for_each = length(var.trusted_role_arns) > 0 ? [1] : [] + content { + effect = "Allow" + principals { + type = "AWS" + identifiers = var.trusted_role_arns + } + actions = ["sts:AssumeRole"] + } + } } resource "aws_iam_role_policy" "main" {
diff --git a/eks-service-account-iam-role/vars.tf b/eks-service-account-iam-role/vars.tf
index 0bbaab7..895527b 100644
--- a/eks-service-account-iam-role/vars.tf
+++ b/eks-service-account-iam-role/vars.tf
@@ -60,3 +60,9 @@ variable "add_policy" { variable "id" { default = "" } + +variable "trusted_role_arns" { + type = list(string) + description = "List of AWS IAM Role ARNs that can assume this role" + default = [] +}
diff --git a/validate.sh b/validate.sh
index 801cdb1..fe6ebb9 100755
--- a/validate.sh
+++ b/validate.sh
@@ -12,5 +12,6 @@ for dir in $dirs; do cd $dir terraform init terraform validate + rm -rf .terraform cd - > /dev/null done
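Review bot: `mkdir -p $TF_PLUGIN_CACHE_DIR` leaves the expansion unquoted; the value is a fixed path today, but write it as `run: mkdir -p "$TF_PLUGIN_CACHE_DIR"` so a later change to the env value cannot be word-split or glob-expanded. Nothing under /github/home survives a job on an ephemeral hosted runner, so unless an actions/cache step outside this hunk restores the directory, the cache only saves re-downloads between the module directories that validate.sh walks within one run — still worthwhile given validate.sh now deletes .terraform after each directory. With Terraform 1.4 and later (1.5.7 is pinned here) a cached provider is only reused when the directory's .terraform.lock.hcl already pins it, so the lock files need to be committed for the cache to have any effect; if they are, consider `terraform init -lockfile=readonly` in validate.sh so the cache can never help populate a lock file with a provider the repository did not pin.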
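Review bot: The new `principals { type = "AWS" }` statement grants `sts:AssumeRole` with no `condition` block, unlike the OIDC statement above it, so whatever lands in trusted_role_arns is trusted unconditionally — IAM accepts `"*"` (every AWS principal) and account-root ARNs (every principal in that account) in this position, not only role ARNs as the variable description promises. I would put a comment above the dynamic block recording the intent and the trap: `# Cross-account / role-chaining trust path. Only IAM role ARNs belong here: "*" or an account-root ARN would widen this service-account role to everyone / a whole account.` A second caveat worth a comment: if a role listed here is deleted and recreated, AWS rewrites the trust-policy entry to the old role's unique principal ID, so the trust silently breaks until this module is re-applied. The enclosing `data "aws_iam_policy_document" "assume_role"` block starts before this hunk.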
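Review bot: trusted_role_arns is fed straight into a trust-policy `principals` block but carries no `validation`, so an empty string, `*`, or an account-root ARN passes type checking and reaches IAM, which accepts all three and only rejects malformed ARNs. Terraform 1.5.7 supports variable validation; the block below enforces the contract the description already states by rejecting anything that is not an IAM role ARN. The `variable "id"` block above is context and is left alone.

```hcl
variable "trusted_role_arns" {
  # … unchanged: type, description, default …

  # Trust-policy principals are not further constrained in main.tf, so refuse
  # wildcards, account-root ARNs and empty strings before they reach IAM.
  validation {
    condition = alltrue([
      for arn in var.trusted_role_arns :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$", arn))
    ])
    error_message = "Every entry in trusted_role_arns must be an IAM role ARN (arn:<partition>:iam::<account-id>:role/<name>); wildcards and account-root ARNs are not allowed."
  }
}
```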
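Review bot: `rm -rf .terraform` runs relative to wherever the unquoted, unchecked `cd $dir` above it landed; if that cd fails (a path with spaces, or a directory that disappeared between listing and loop), init, validate and the new rm all act on the previous iteration's directory and the following `cd -` walks the script further off course. The script's preamble is outside this hunk so I cannot see whether `set -e` is in effect; guard the line itself with `cd "$dir" || exit 1` so the cleanup can never run in the wrong place. Leaving .terraform.lock.hcl in place while deleting .terraform is the right call, since the next `terraform init` then still verifies the providers it pulls from the plugin cache against the pinned hashes.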