diff --git a/.secrets.baseline b/.secrets.baseline
index 10bc567a..7948c2b2 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -3,7 +3,7 @@
 "files": "go.sum|^.secrets.baseline$",
 "lines": null
 },
- "generated_at": "2025-10-04T04:36:16Z",
+ "generated_at": "2025-10-05T04:36:16Z",
 "plugins_used": [
 {
 "name": "AWSKeyDetector"
diff --git a/main.tf b/main.tf
index fdc5e3da..2f5b1658 100644
--- a/main.tf
+++ b/main.tf
@@ -70,7 +70,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 count = local.create_kms_auth_policy
 source_service_name = "databases-for-postgresql"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all PostgreSQL instances in the resource group ${var.resource_group_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -116,7 +116,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 count = local.create_backup_kms_auth_policy
 source_service_name = "databases-for-postgresql"
 source_resource_group_id = var.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all PostgreSQL instances in the Resource Group ${var.resource_group_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_key_instance_guid}"
 resource_attributes {
 name = "serviceName"
diff --git a/solutions/fully-configurable/main.tf b/solutions/fully-configurable/main.tf
index c3e1cf2c..f001c261 100644
--- a/solutions/fully-configurable/main.tf
+++ b/solutions/fully-configurable/main.tf
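Review bot: The `description` on the line after the changed `roles` in `kms_policy` still says the instances are allowed only "to read" the key, while the new role set also grants "Authorization Delegator", which is understood to let the source service delegate access to this key to other services rather than merely read it; the same mismatch is in the `backup_kms_policy` hunk below. Update the text to match what is granted, e.g. `description = "Allow all PostgreSQL instances in the resource group ${var.resource_group_id} to read and delegate access to the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_key_instance_guid}"`. Because this is a privilege expansion, the key-level scoping in `resource_attributes` (which continues outside the hunk) is what keeps delegation from being account-wide, so a comment on the resource stating that intent would help the next maintainer not to loosen it. Also note the IBM provider may treat a `roles` change on an existing authorization policy as a replacement, so the plan should be checked for a destroy/create that briefly removes the running instances' access to the key.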
@@ -120,7 +120,7 @@ resource "ibm_iam_authorization_policy" "kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-postgresql"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all PostgreSQL instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.kms_service} key ${local.kms_key_id} from the instance GUID ${local.kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
@@ -168,7 +168,7 @@ resource "ibm_iam_authorization_policy" "backup_kms_policy" {
 source_service_account = local.account_id
 source_service_name = "databases-for-postgresql"
 source_resource_group_id = module.resource_group.resource_group_id
- roles = ["Reader"]
+ roles = ["Reader", "Authorization Delegator"] # Authorization Delegator role required for backup encryption key
 description = "Allow all PostgreSQL instances in the resource group ${module.resource_group.resource_group_id} in the account ${local.account_id} to read the ${local.backup_kms_service} key ${local.backup_kms_key_id} from the instance GUID ${local.backup_kms_instance_guid}"
 resource_attributes {
 name = "serviceName"
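Review bot: The inline comment added on the `roles` line of `kms_policy`, `# Authorization Delegator role required for backup encryption key`, is copied verbatim onto the primary-key policy, where it only holds if backups fall back to this same key when no separate backup policy is created (`backup_kms_policy`, in the second hunk, is the one scoped to the backup key); as written it reads as if this resource were the backup policy. Suggest a comment that states the condition and the security consequence on each resource, e.g. for this one: `# "Authorization Delegator" (broader than "Reader") is needed when this key also encrypts backups; keep resource_attributes pinned to the single key`. The `description` on the next line still advertises read-only access and should say the role set also allows delegating access to the key.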