diff --git a/src/domains/ioweb-common/02_security.tf b/src/domains/ioweb-common/02_security.tf
index d92eefd3a..21736886b 100644
--- a/src/domains/ioweb-common/02_security.tf
+++ b/src/domains/ioweb-common/02_security.tf
@@ -42,3 +42,55 @@ resource "azurerm_key_vault_access_policy" "adgroup_developers" {
   storage_permissions = []
   certificate_permissions = ["Get", "List", "Update", "Create", "Import", "Delete", "Restore", "Recover", ]
 }
+
+# Access policy for CD pipeline
+
+data "azuread_service_principal" "github_action_iac_cd" {
+  display_name = "github-pagopa-io-infra-prod-cd"
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_cd_kv" {
+  key_vault_id = module.key_vault.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_service_principal.github_action_iac_cd.object_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+  storage_permissions = []
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_cd_kv_common" {
+  key_vault_id = module.key_vault_common.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_service_principal.github_action_iac_cd.object_id
+
+  secret_permissions = ["Get", "List", "Set", ]
+  storage_permissions = []
+  certificate_permissions = ["SetIssuers", "DeleteIssuers", "Purge", "List", "Get", "ManageContacts", ]
+}
+
+# Access policy for CI pipeline
+
+data "azuread_service_principal" "github_action_iac_ci" {
+  display_name = "github-pagopa-io-infra-prod-ci"
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_ci_kv" {
+  key_vault_id = module.key_vault.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_service_principal.github_action_iac_ci.object_id
+
+  secret_permissions = ["Get", "List", ]
+  storage_permissions = []
+  certificate_permissions = ["Get", "List", ]
+}
+
+resource "azurerm_key_vault_access_policy" "github_action_iac_ci_kv_common" {
+  key_vault_id = module.key_vault_common.id
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azuread_service_principal.github_action_iac_ci.object_id
+
+  secret_permissions = ["Get", "List", ]
+  storage_permissions = []
+  certificate_permissions = ["Get", "List", ]
+}
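Review bot: Both `azuread_service_principal` data sources (`github_action_iac_cd` and `github_action_iac_ci`) resolve the pipeline identity by `display_name`, which Entra ID does not enforce as unique, so the Key Vault access policies are granted to whichever principal currently carries that name rather than to a pinned identity; looking the principal up by `object_id` (passed in as a variable) keeps the grant bound to the intended workload identity. The CD policies also include `"Purge"` in `certificate_permissions` while granting neither `Delete` nor `Recover`, which is an unusual combination for a deploy pipeline; it is worth confirming the workflow actually purges soft-deleted certificates, since that right removes the soft-delete safety net on vaults without purge protection, and dropping it if not. As a point of style, the four policy resources differ only in the vault id and permission lists, so each pipeline's pair could be a single resource with `for_each = { kv = module.key_vault.id, kv_common = module.key_vault_common.id }` and `key_vault_id = each.value`, which keeps the permission sets from drifting apart between the two vaults.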