diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
index 29e9065bb1..21520ca7b7 100644
--- a/terraform/gitlab/gitlab.tf.json.template.py
+++ b/terraform/gitlab/gitlab.tf.json.template.py
@@ -544,6 +544,30 @@ def remove_inconsequential_statements(statements: List[JSON]) -> List[JSON]:
                                 ]
                             }
                         ] if config.domain_name == 'dev.singlecell.gi.ucsc.edu' else [
+                            {
+                                "actions": [
+                                    "s3:PutObject",
+                                    "s3:GetObject",
+                                    "s3:ListBucket",
+                                    "s3:DeleteObject",
+                                    "s3:PutObjectAcl"
+                                ],
+                                "resources": [
+                                    "arn:aws:s3:::org-humancellatlas-data-portal-dcp2-prod/*",
+                                    "arn:aws:s3:::org-humancellatlas-data-browser-dcp2-prod/*",
+                                    "arn:aws:s3:::org-humancellatlas-data-browser-dcp2-prod",
+                                    "arn:aws:s3:::org-humancellatlas-data-portal-dcp2-prod"
+                                ]
+                            },
+                            {
+                                "actions": [
+                                    "cloudfront:CreateInvalidation"
+                                ],
+                                "resources": [
+                                    "arn:aws:cloudfront::122796619775:distribution/E1LYQC3LZXO7M3"
+                                ]
+                            }
+                        ] if config.domain_name == 'azul.data.humancellatlas.org' else [
                         ]
                     )
                 ]